Play interactive tour

Edit tour

Windows Analysis Report dngqoAXyDd.exe

Overview

General Information

Sample Name:	dngqoAXyDd.exe
Analysis ID:	516930
MD5:	0afbb383c5cea9f11202d572141bb0f4
SHA1:	148266112b25087f10ac1124ea32630e48fb0bd9
SHA256:	6a910ec8055b3844e3dd14c7af08a68110abc9395a88ab9199e69ed07be27210
Tags:	exetop147TrickBot
Infos:
Most interesting Screenshot:

Detection

TrickBot

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Trickbot

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Tries to detect virtualization through RDTSC time measurements

Found potential dummy code loops (likely to delay analysis)

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Found inlined nop instructions (likely shell or obfuscated code)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Program does not show much activity (idle)

Contains functionality to query network adapater information

Creates a process in suspended mode (likely to inject code)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

dngqoAXyDd.exe (PID: 4872 cmdline: "C:\Users\user\Desktop\dngqoAXyDd.exe" MD5: 0AFBB383C5CEA9F11202D572141BB0F4)

wermgr.exe (PID: 5784 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)

cmd.exe (PID: 6396 cmdline: C:\Windows\system32\cmd.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

cleanup

Malware Configuration

Threatname: Trickbot

{"ver": "100019", "gtag": "top147", "servs": ["65.152.201.203:443", "185.56.175.122:443", "46.99.175.217:443", "179.189.229.254:443", "46.99.175.149:443", "181.129.167.82:443", "216.166.148.187:443", "46.99.188.223:443", "128.201.76.252:443", "62.99.79.77:443", "60.51.47.65:443", "24.162.214.166:443", "45.36.99.184:443", "97.83.40.67:443", "184.74.99.214:443", "103.105.254.17:443", "62.99.76.213:443", "82.159.149.52:443"], "autorun": ["pwgrabb", "pwgrabc"], "ecc_key": "RUNTMzAAAABbfmkJRvwyw7iFkX40hL2HwsUeOSZZZo0FRRWGkY6J1+gf3YKq13Ee4sY3Jb9/0myCr0MwzNK1K2l5yuY87nW29Q/yjMJG0ISDj0HNBC3G+ZGta6Oi9QkjCwnNGbw2hQ4="}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.374239555.0000000000B31000.00000040.00000001.sdmp	JoeSecurity_TrickBot_4	Yara detected Trickbot	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.374239555.0000000000B31000.00000040.00000001.sdmp

Malware Configuration Extractor: Trickbot {"ver": "100019", "gtag": "top147", "servs": ["65.152.201.203:443", "185.56.175.122:443", "46.99.175.217:443", "179.189.229.254:443", "46.99.175.149:443", "181.129.167.82:443", "216.166.148.187:443", "46.99.188.223:443", "128.201.76.252:443", "62.99.79.77:443", "60.51.47.65:443", "24.162.214.166:443", "45.36.99.184:443", "97.83.40.67:443", "184.74.99.214:443", "103.105.254.17:443", "62.99.76.213:443", "82.159.149.52:443"], "autorun": ["pwgrabb", "pwgrabc"], "ecc_key": "RUNTMzAAAABbfmkJRvwyw7iFkX40hL2HwsUeOSZZZo0FRRWGkY6J1+gf3YKq13Ee4sY3Jb9/0myCr0MwzNK1K2l5yuY87nW29Q/yjMJG0ISDj0HNBC3G+ZGta6Oi9QkjCwnNGbw2hQ4="}

Multi AV Scanner detection for submitted file

Show sources

Source: dngqoAXyDd.exe

ReversingLabs: Detection: 28%

Source: dngqoAXyDd.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: dngqoAXyDd.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: c:\sample exe lego\correctmodel.pdb source: dngqoAXyDd.exe

Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax	1_2_00000239A18DFA20
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax	1_2_00000239A18D4060
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then inc esp	1_2_00000239A18D9460
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax	1_2_00000239A18C4470
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then mov ebx, edx	1_2_00000239A18C4470
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec ecx	1_2_00000239A18DFBA0
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax	1_2_00000239A18DFBA0
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then cmp dword ptr [eax], ecx	1_2_00000239A18CA3B0
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax	1_2_00000239A18C2BC0
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then inc ebp	1_2_00000239A18C5BE0
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp-07h]	1_2_00000239A18DE3F0
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax	1_2_00000239A18CE320
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then mov byte ptr [esp+ecx+70h], cl	1_2_00000239A18E5F60
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax	1_2_00000239A18E5EC0
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then inc esp	1_2_00000239A18C6EF0
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax	1_2_00000239A18D0A00
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax	1_2_00000239A18DB520
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then inc esp	1_2_00000239A18D4D50
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax	1_2_00000239A18E3990

Source: dngqoAXyDd.exe, 00000000.00000002.374383373.0000000000BCA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: dngqoAXyDd.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: dngqoAXyDd.exe, 00000000.00000000.349339594.0000000000210000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamecorrect.dll( vs dngqoAXyDd.exe
Source: dngqoAXyDd.exe	Binary or memory string: OriginalFilenamecorrect.dll( vs dngqoAXyDd.exe

Source: dngqoAXyDd.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dngqoAXyDd.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dngqoAXyDd.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dngqoAXyDd.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_001A911C	0_2_001A911C
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_0019C201	0_2_0019C201
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_001A82BD	0_2_001A82BD
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_001A941B	0_2_001A941B
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_0019C5D3	0_2_0019C5D3
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_001A16DE	0_2_001A16DE
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_001A880E	0_2_001A880E
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_0018C950	0_2_0018C950
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_0019C9BB	0_2_0019C9BB
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_0019B9CE	0_2_0019B9CE
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_001ABBF1	0_2_001ABBF1
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_00195C19	0_2_00195C19
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_001A4D22	0_2_001A4D22
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_001A7D6E	0_2_001A7D6E
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_001A9E7F	0_2_001A9E7F
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_0019BE63	0_2_0019BE63
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_001A8EA1	0_2_001A8EA1
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_00B33168	0_2_00B33168
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18C2F30	1_2_00000239A18C2F30
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18CC750	1_2_00000239A18CC750
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18D4260	1_2_00000239A18D4260
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18E4CF0	1_2_00000239A18E4CF0
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18C1030	1_2_00000239A18C1030
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18DE47D	1_2_00000239A18DE47D
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18D73A0	1_2_00000239A18D73A0
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18C3BB0	1_2_00000239A18C3BB0
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18E33D0	1_2_00000239A18E33D0
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18DE3F0	1_2_00000239A18DE3F0
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18D17F0	1_2_00000239A18D17F0
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18D740C	1_2_00000239A18D740C
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18C4730	1_2_00000239A18C4730
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18C7340	1_2_00000239A18C7340
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18E5F60	1_2_00000239A18E5F60
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18D7760	1_2_00000239A18D7760
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18D1EA0	1_2_00000239A18D1EA0
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18E52C0	1_2_00000239A18E52C0
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18D5AC0	1_2_00000239A18D5AC0
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18D7EE0	1_2_00000239A18D7EE0
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18CF700	1_2_00000239A18CF700
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18E4B10	1_2_00000239A18E4B10
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18D9A80	1_2_00000239A18D9A80
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18CFE8E	1_2_00000239A18CFE8E
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18D51A0	1_2_00000239A18D51A0
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18E45D0	1_2_00000239A18E45D0
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18D35D0	1_2_00000239A18D35D0
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18C79D0	1_2_00000239A18C79D0
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18D0A00	1_2_00000239A18D0A00
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18DB920	1_2_00000239A18DB920
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18DED70	1_2_00000239A18DED70

Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: String function: 001975F5 appears 32 times
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: String function: 001943E0 appears 58 times

Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18CC750 NtQuerySystemInformation,DuplicateHandle,FindCloseChangeNotification,RtlDeleteBoundaryDescriptor,		1_2_00000239A18CC750
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18DC550 NtDelayExecution,		1_2_00000239A18DC550

Source: C:\Windows\System32\wermgr.exe

Process Stats: CPU usage > 98%

Source: dngqoAXyDd.exe

ReversingLabs: Detection: 28%

Source: dngqoAXyDd.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\dngqoAXyDd.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\dngqoAXyDd.exe "C:\Users\user\Desktop\dngqoAXyDd.exe"
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe	Jump to behavior

Source: dngqoAXyDd.exe

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Windows\System32\wermgr.exe

Code function: 1_2_00000239A18CF3C0 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification,

1_2_00000239A18CF3C0

Source: C:\Windows\System32\wermgr.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\{1E3DF0E8-5598-5F45-953F-FB33A6DDAB0E}

Source: C:\Users\user\Desktop\dngqoAXyDd.exe

Code function: 0_2_00181E80 GetDC,KiUserCallbackDispatcher,GetSystemMetrics,FindResourceA,FindResourceA,FindResourceA,FindResourceA,FindResourceA,VirtualAlloc,SizeofResource,LoadResource,_memmove,SHGetFolderPathA,

0_2_00181E80

Source: C:\Windows\System32\wermgr.exe

System information queried: HandleInformation

Jump to behavior

Source: classification engine

Classification label: mal80.troj.evad.winEXE@5/0@0/0

Source: dngqoAXyDd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dngqoAXyDd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dngqoAXyDd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dngqoAXyDd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dngqoAXyDd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dngqoAXyDd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: dngqoAXyDd.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: dngqoAXyDd.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: c:\sample exe lego\correctmodel.pdb source: dngqoAXyDd.exe

Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_00190093 pushad ; ret	0_2_00190094
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_0018D0DF push ecx; ret	0_2_0018D0F2
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_00194425 push ecx; ret	0_2_00194438
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_0019CEE1 push 510019C7h; retf	0_2_0019CEEF
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_00B50390 push dword ptr [edx+14h]; ret	0_2_00B5049D
Source: C:\Windows\System32\wermgr.exe	Code function: 1_2_00000239A18DDF22 push esp; iretd	1_2_00000239A18DDF25

Source: C:\Users\user\Desktop\dngqoAXyDd.exe

Code function: 0_2_0019DD3C DecodePointer,LoadLibraryW,GetProcAddress,GetLastError,GetLastError,GetLastError,EncodePointer,InterlockedExchange,FreeLibrary,

0_2_0019DD3C

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\System32\wermgr.exe

RDTSC instruction interceptor: First address: 00000239A18DADA0 second address: 00000239A18DADA0 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 ret 0x0000000a dec eax 0x0000000b mov esi, eax 0x0000000d call dword ptr [000209CAh] 0x00000013 mov ecx, 7FFE0320h 0x00000018 dec eax 0x00000019 mov ecx, dword ptr [ecx] 0x0000001b mov eax, dword ptr [7FFE0004h] 0x00000022 dec eax 0x00000023 imul eax, ecx 0x00000026 dec eax 0x00000027 shr eax, 18h 0x0000002a ret 0x0000002b mov ebp, eax 0x0000002d dec eax 0x0000002e mov ebx, esi 0x00000030 dec eax 0x00000031 xor ebx, FFFFFF00h 0x00000037 dec eax 0x00000038 and ebx, esi 0x0000003a call 00007FD4D503444Bh 0x0000003f rdtsc

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Show sources

Source: C:\Windows\System32\wermgr.exe

Function Chain: threadCreated,threadDelayed,threadDelayed,userTimerSet,threadDelayed,threadDelayed,fileVolumeQueried,languageOrLocalQueried,languageOrLocalQueried,adjustToken,systemQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,mutantCreated,threadInformationSet,threadInformationSet,threadInformationSet,threadInformationSet,threadDelayed,threadDelayed

Source: C:\Users\user\Desktop\dngqoAXyDd.exe TID: 204

Thread sleep count: 140 > 30

Jump to behavior

Source: C:\Windows\System32\wermgr.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\wermgr.exe

Code function: GetAdaptersInfo,RtlDeleteBoundaryDescriptor,

1_2_00000239A18DFA20

Source: C:\Windows\System32\wermgr.exe

Code function: 1_2_00000239A18DADA0 rdtsc

1_2_00000239A18DADA0

Source: wermgr.exe, 00000001.00000002.620774308.00000239A1AE0000.00000004.00000020.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Windows\System32\wermgr.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\dngqoAXyDd.exe

Code function: 0_2_0019293C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0019293C

Source: C:\Users\user\Desktop\dngqoAXyDd.exe

Code function: 0_2_0019DD3C DecodePointer,LoadLibraryW,GetProcAddress,GetLastError,GetLastError,GetLastError,EncodePointer,InterlockedExchange,FreeLibrary,

0_2_0019DD3C

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\wermgr.exe

Code function: 1_2_00000239A18DADA0 rdtsc

1_2_00000239A18DADA0

Source: C:\Windows\System32\wermgr.exe

Code function: 1_2_00000239A18DA280 LdrLoadDll,

1_2_00000239A18DA280

Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_0019676A SetUnhandledExceptionFilter,	0_2_0019676A
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_0019293C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0019293C
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: 0_2_0018CFF8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0018CFF8

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Memory written: C:\Windows\System32\wermgr.exe base: 239A18C0000			Jump to behavior
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Memory written: C:\Windows\System32\wermgr.exe base: 7FF7AE922860			Jump to behavior

Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe			Jump to behavior
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe			Jump to behavior

Source: wermgr.exe, 00000001.00000002.620961764.00000239A2120000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: wermgr.exe, 00000001.00000002.620961764.00000239A2120000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: wermgr.exe, 00000001.00000002.620961764.00000239A2120000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: wermgr.exe, 00000001.00000002.620961764.00000239A2120000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\wermgr.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_0019A134
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: EnumSystemLocalesA,	0_2_0019A1F6
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_0019A220
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_0019A287
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	0_2_0019A2C3
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_001995B5
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	0_2_001A7650
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	0_2_001986AD
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_001A772A
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: GetLocaleInfoA,	0_2_00191742
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_001998D3
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	0_2_001A7918
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_00198929
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	0_2_0018FAA9
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00199D6C
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_00199E61
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	0_2_00199F08
Source: C:\Users\user\Desktop\dngqoAXyDd.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_00199F63

Source: C:\Users\user\Desktop\dngqoAXyDd.exe

Code function: 0_2_00197022 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00197022

Stealing of Sensitive Information:

Yara detected Trickbot

Show sources

Source: Yara match

File source: 00000000.00000002.374239555.0000000000B31000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Trickbot

Show sources

Source: Yara match

File source: 00000000.00000002.374239555.0000000000B31000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API11	Path Interception	Access Token Manipulation1	Disable or Modify Tools1	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection112	Virtualization/Sandbox Evasion111	LSASS Memory	Security Software Discovery221	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Access Token Manipulation1	Security Account Manager	Virtualization/Sandbox Evasion111	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Network Configuration Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information3	Cached Domain Credentials	System Information Discovery123	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dngqoAXyDd.exe	29%	ReversingLabs	Win32.Trojan.Trickpak

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	516930
Start date:	06.11.2021
Start time:	15:02:51
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	dngqoAXyDd.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@5/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 18.1% (good quality ratio 16.9%) Quality average: 83.1% Quality standard deviation: 28.2%
HCA Information:	Successful, ratio: 67% Number of executed functions: 19 Number of non-executed functions: 57
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, dual-a-0001.dc-msedge.net, fs.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/516930/sample/dngqoAXyDd.exe

Simulations

Behavior and APIs

Time	Type	Description
15:04:04	API Interceptor	1x Sleep call for process: dngqoAXyDd.exe modified
15:04:04	API Interceptor	1x Sleep call for process: wermgr.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.167416806599989
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	dngqoAXyDd.exe
File size:	652800
MD5:	0afbb383c5cea9f11202d572141bb0f4
SHA1:	148266112b25087f10ac1124ea32630e48fb0bd9
SHA256:	6a910ec8055b3844e3dd14c7af08a68110abc9395a88ab9199e69ed07be27210
SHA512:	702447b6e1313224d4c8084f716d8d838090c7bd9fb3558c6ab4553ce3676bb5fe1c2ebde61e4ed8b7bb6d3d7f1dfd11c434e5e0f9b7baa2511a12fd1c501880
SSDEEP:	12288:AjX3XdmePk2BSPkno2voTFa24aZZTUQxIpTLY0E5pM:2HXgASPMNvoTFFjT8tLYNH
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u...u...u.......b.....&.....\|...r...u...#.....'.G.......t...u...t.......t...Richu...................PE..L....(.a...........

File Icon


Icon Hash:	0000000000000000

Static PE Info

General
Entrypoint:	0x40cfee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x618528F1 [Fri Nov 5 12:52:01 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	2a49715e49b2891839bf716e121ca434

Entrypoint Preview

Instruction
call 00007FD4D5055364h
jmp 00007FD4D504B1BEh
cmp ecx, dword ptr [00443AD4h]
jne 00007FD4D504B334h
rep ret
jmp 00007FD4D50553EBh
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00443AD4h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00443AD4h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00443AD4h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]

Rich Headers

Programming Language:

[LNK] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x48000	0x50	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x49000	0x59689	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa3000	0x1db0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b0a0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3ea50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4826c	0x21c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x382bb	0x38400	False	0.395729166667	data	5.67953550398	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x3a000	0x8082	0x8200	False	0.237379807692	data	3.46352247423	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x43000	0x4598	0x2000	False	0.2734375	data	3.48353069957	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x48000	0xc7b	0xe00	False	0.318080357143	data	4.19163051635	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x49000	0x59689	0x59800	False	0.644514883031	data	6.09524824059	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa3000	0x25c6	0x2600	False	0.625616776316	data	5.79339854832	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x906e0	0x2e8	data
RT_ICON	0x909c8	0x1e8	data
RT_ICON	0x90bb0	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x90cd8	0x6c8	data
RT_ICON	0x913a0	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x91908	0x988	data
RT_ICON	0x92290	0xca8	data
RT_ICON	0x92f38	0xf0	data
RT_ICON	0x93028	0xd0	data
RT_ICON	0x930f8	0xb0	GLS_BINARY_LSB_FIRST
RT_ICON	0x931a8	0x368	GLS_BINARY_LSB_FIRST
RT_MESSAGETABLE	0x49518	0x471c6	data
RT_GROUP_ICON	0x93510	0xa0	data
RT_VERSION	0x935b0	0x270	data	English	United States
RT_MANIFEST	0x49510	0x2	Little-endian UTF-16 Unicode text, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	MultiByteToWideChar, lstrlenA, LoadResource, SizeofResource, VirtualAlloc, FindResourceA, SetStdHandle, WriteConsoleW, LoadLibraryW, FreeLibrary, SetConsoleCtrlHandler, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, EncodePointer, DecodePointer, Sleep, InterlockedExchange, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InterlockedCompareExchange, GetLastError, HeapAlloc, RtlUnwind, RaiseException, HeapFree, GetCommandLineA, HeapSetInformation, GetStartupInfoW, LCMapStringW, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, SetLastError, GetCurrentThreadId, GetCurrentThread, GetProcAddress, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW, HeapCreate, HeapDestroy, IsProcessorFeaturePresent, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, FatalAppExitA, GetConsoleCP, GetConsoleMode, FlushFileBuffers, ReadFile, SetFilePointer, CloseHandle, HeapSize, GetLocaleInfoW, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, GetStringTypeW, HeapReAlloc, CreateFileW
USER32.dll	GetSystemMetrics, GetDC
SHELL32.dll	SHGetFolderPathA

Version Infos

Description	Data
InternalName	correct.dll
FileVersion	1.85.0.158
CompanyName	ol3 corp.
ProductName	ol3
ProductVersion	1.8.80.158
FileDescription	rne topd netikoe
OriginalFilename	correct.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: dngqoAXyDd.exe PID: 4872 Parent PID: 912

General

Start time:	15:03:52
Start date:	06/11/2021
Path:	C:\Users\user\Desktop\dngqoAXyDd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\dngqoAXyDd.exe"
Imagebase:	0x180000
File size:	652800 bytes
MD5 hash:	0AFBB383C5CEA9F11202D572141BB0F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000000.00000002.374239555.0000000000B31000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: wermgr.exe PID: 5784 Parent PID: 4872

General

Start time:	15:03:58
Start date:	06/11/2021
Path:	C:\Windows\System32\wermgr.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wermgr.exe
Imagebase:	0x7ff7ae910000
File size:	209312 bytes
MD5 hash:	FF214585BF10206E21EA8EBA202FACFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6396 Parent PID: 4872

General

Start time:	15:04:00
Start date:	06/11/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe
Imagebase:	0x7ff7180e0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: dngqoAXyDd.exe PID: 4872 Parent PID: 912 dngqoAXyDd.exeCOMMON

Executed Functions

Function 00B33168, Relevance: 29.0, APIs: 15, Strings: 1, Instructions: 1008sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(-00000100,0000001D), ref: 00B33170
TerminateProcess.KERNELBASE(?,00000000), ref: 00B33179
CloseHandle.KERNEL32(?), ref: 00B3318A
CloseHandle.KERNEL32(?), ref: 00B3318D

Strings

T$, xrefs: 00B33E22

Memory Dump Source

Source File: 00000000.00000002.374239555.0000000000B31000.00000040.00000001.sdmp, Offset: 00B31000, based on PE: false

Yara matches

Similarity

API ID: CloseHandle$ProcessSleepTerminate
String ID: T$
API String ID: 2417299260-2735566462
Opcode ID: 9a69ce2a941b77be21f8e93da1a6e2bac14d7a7e3145ac47f1857e3d63ae43a9
Instruction ID: e62a41ad6d5fe5d6a9cb3467df7776d6a4c0deda8fc7a9858e93d2dcde449a4e
Opcode Fuzzy Hash: 9a69ce2a941b77be21f8e93da1a6e2bac14d7a7e3145ac47f1857e3d63ae43a9
Instruction Fuzzy Hash: 8982C6756083008FDB28CF28C886B6A77E1EB88710F34499EF956DB3A0D775DA44DB46

Uniqueness

Uniqueness Score: -1.00%

Function 00181E80, Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 132
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00181E80(void* __ecx, void* __edi, void* __esi, void* __eflags, struct HINSTANCE__* _a4) {
				struct HRSRC__* _v8;
				struct HDC__* _v12;
				void* _v16;
				char _v44;
				char _v72;
				int _v76;
				intOrPtr _v80;
				char _v84;
				void* _v88;
				void* _v92;
				int _t42;
				void* _t55;
				long _t64;
				void* _t72;
				void* _t91;
				void* _t97;
				void* _t99;

				_t99 = __eflags;
				_t72 = __ecx;
				_v12 = GetDC(0);
				L00181311(_t72, 0x1c5088, 0x1bb339);
				L00181311(_t72, 0x1c5088, " ---------------------------------------------------\n"); // executed
				L00181311(_t72, 0x1c5088, " Input a number: ");
				L001812D5(0x1c5140, _t99,  &_v84);
				_t42 = GetSystemMetrics(0); // executed
				_v80 = _t42;
				_v76 = GetSystemMetrics(1);
				L001810AA( &_v72, _t99);
				L001810AA( &_v44, _t99); // executed
				L001812A8( &_v44); // executed
				_v16 = 0;
				_v88 = 0;
				_v8 = 0;
				_v8 = FindResourceA(_a4, "a", "s");
				_v8 = FindResourceA(_a4, "a", 0x17);
				_v8 = FindResourceA(_a4, "c", 0xb);
				_v8 = FindResourceA(_a4, "x", "e");
				_v8 = FindResourceA(_a4, 0x65, 0xb);
				L00181398(__edi, __esi, _t99, "d");
				L001812A8(_a4); // executed
				_t55 = VirtualAlloc(0, 0x69fb0, 0x1000, 0x40); // executed
				_v88 = _t55;
				L00181398(__edi, __esi, _t99, "f");
				L00181398(__edi, __esi, _t99, "VirtualAlloc");
				_t97 = _t91 + 0x24;
				_v92 = 0;
				while(_v92 < 0x3eddc) {
					_t64 = SizeofResource(_a4, _v8);
					E0018BF90(_v88 + 0x1000, LoadResource(_a4, _v8) + 0x1cb, _t64 - 0x1cb);
					_t97 = _t97 + 0xc;
					_v92 = _v92 + 1;
				}
				_v16 = _v88 + 0x1000;
				__eflags = _v88 + 0x1000;
				L001813C0(_v88 + 0x1000, _v88 + 0x1000, 0x68fb0);
				_v16();
				__imp__SHGetFolderPathA(0, 0x28, 0, 0, 0);
				L0018136B( &_v44, __eflags);
				return L0018136B( &_v72, __eflags);
			}

0x00181e80
0x00181e80
0x00181e8e
0x00181e9b
0x00181ead
0x00181ebf
0x00181ed0
0x00181ed7
0x00181edd
0x00181ee8
0x00181eee
0x00181ef6
0x00181efb
0x00181f00
0x00181f07
0x00181f0e
0x00181f29
0x00181f3d
0x00181f51
0x00181f68
0x00181f79
0x00181f81
0x00181f89
0x00181f9c
0x00181fa2
0x00181faa
0x00181fb7
0x00181fbc
0x00181fbf
0x00181fd1
0x00181fe2
0x0018200c
0x00182011
0x00181fce
0x00181fce
0x0018201e
0x00182029
0x00182030
0x00182038
0x00182045
0x0018204e
0x0018205e

APIs

GetDC.USER32(00000000), ref: 00181E88
KiUserCallbackDispatcher.NTDLL ref: 00181ED7
GetSystemMetrics.USER32 ref: 00181EE2
FindResourceA.KERNEL32(?,001BB438,001BB434), ref: 00181F23
FindResourceA.KERNEL32(?,001BB43C,00000017), ref: 00181F37
FindResourceA.KERNEL32(?,001BB440,0000000B), ref: 00181F4B
FindResourceA.KERNEL32(?,001BB448,001BB444), ref: 00181F62
FindResourceA.KERNEL32(?,00000065,0000000B), ref: 00181F73
VirtualAlloc.KERNELBASE(00000000,00069FB0,00001000,00000040), ref: 00181F9C
SizeofResource.KERNEL32(?,00000000), ref: 00181FE2
LoadResource.KERNEL32(?,00000000,-000001CB), ref: 00181FF6
_memmove.LIBCMT ref: 0018200C
SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,00000000), ref: 00182045

Strings

Input a number: , xrefs: 00181EB5
VirtualAlloc, xrefs: 00181FB2
---------------------------------------------------, xrefs: 00181EA3

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$Find$AllocCallbackDispatcherFolderLoadMetricsPathSizeofSystemUserVirtual_memmove
String ID: ---------------------------------------------------$ Input a number: $VirtualAlloc
API String ID: 3195317214-776164127
Opcode ID: f46667a9e5e8d53499cefe0b2acbe704c957f615122cf22f5f6880bc5d08e6a4
Instruction ID: e73739b990d154a10854204939f338e5c739f761045a8daccb16339028048588
Opcode Fuzzy Hash: f46667a9e5e8d53499cefe0b2acbe704c957f615122cf22f5f6880bc5d08e6a4
Instruction Fuzzy Hash: EF416DB6A44608BFDB00EFA0CC8AFED7B74BF14701F144014F906AA686EBB4A6458F51

Uniqueness

Uniqueness Score: -1.00%

Function 001896DA, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E001896DA(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t49;
				intOrPtr* _t55;
				intOrPtr* _t59;
				intOrPtr _t60;
				intOrPtr _t63;
				void* _t64;
				char* _t67;
				intOrPtr* _t72;
				intOrPtr _t83;
				intOrPtr* _t90;
				void* _t91;
				void* _t92;

				_push(0x2c);
				E0018D070(0x1b5dd6, __ebx, __edi, __esi);
				_t70 =  *((intOrPtr*)(_t91 + 8));
				_t90 = __ecx;
				if(_t70 != 0xffffffff) {
					_t46 =  *((intOrPtr*)(__ecx + 0x24));
					_t72 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x24))));
					_t87 = 0;
					__eflags = _t72;
					if(_t72 == 0) {
						L7:
						__eflags =  *((intOrPtr*)(_t90 + 0x54)) - _t87;
						if( *((intOrPtr*)(_t90 + 0x54)) != _t87) {
							E00188D6F(_t90);
							__eflags =  *((intOrPtr*)(_t90 + 0x44)) - _t87;
							if(__eflags != 0) {
								 *((char*)(_t91 - 0x30)) = _t70;
								 *((intOrPtr*)(_t91 - 0x18)) = 0xf;
								 *((intOrPtr*)(_t91 - 0x1c)) = _t87;
								 *((char*)(_t91 - 0x2c)) = 0;
								L001812AD(_t91 - 0x2c, 8, _t87);
								 *((intOrPtr*)(_t91 - 4)) = _t87;
								while(1) {
									__eflags =  *((intOrPtr*)(_t91 - 0x18)) - 0x10;
									_t49 =  *((intOrPtr*)(_t91 - 0x2c));
									if( *((intOrPtr*)(_t91 - 0x18)) >= 0x10) {
										_t83 =  *((intOrPtr*)(_t91 - 0x2c));
									} else {
										_t49 = _t91 - 0x2c;
										_t83 = _t49;
									}
									_t87 =  *((intOrPtr*)( *((intOrPtr*)(_t90 + 0x44))));
									_t70 = _t91 - 0x34;
									_t55 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t90 + 0x44)))) + 0x14))(_t90 + 0x4c, _t91 - 0x30, _t91 - 0x2f, _t91 - 0x38, _t83, _t49 +  *((intOrPtr*)(_t91 - 0x1c)), _t91 - 0x34);
									__eflags = _t55;
									if(_t55 < 0) {
										break;
									}
									__eflags = _t55 - 1;
									if(_t55 > 1) {
										__eflags = _t55 - 3;
										if(__eflags != 0) {
											break;
										}
										_t59 = E00188F2B(__eflags,  *((intOrPtr*)(_t91 - 0x30)),  *((intOrPtr*)(_t90 + 0x54)));
										__eflags = _t59;
										if(_t59 != 0) {
											L32:
											_t90 =  *((intOrPtr*)(_t91 + 8));
											L31:
											L00181389(_t91 - 0x2c, 1, 0);
											L2:
											return E0018D0F3(_t70, _t87, _t90);
										}
										break;
									}
									__eflags =  *((intOrPtr*)(_t91 - 0x18)) - 0x10;
									_t60 =  *((intOrPtr*)(_t91 - 0x2c));
									if( *((intOrPtr*)(_t91 - 0x18)) < 0x10) {
										_t60 = _t91 - 0x2c;
									}
									_t87 =  *((intOrPtr*)(_t91 - 0x34)) - _t60;
									__eflags = _t87;
									if(_t87 == 0) {
										L23:
										 *((char*)(_t90 + 0x49)) = 1;
										__eflags =  *((intOrPtr*)(_t91 - 0x38)) - _t91 - 0x30;
										if( *((intOrPtr*)(_t91 - 0x38)) != _t91 - 0x30) {
											goto L32;
										}
										__eflags = _t87;
										if(_t87 != 0) {
											continue;
										}
										__eflags =  *((intOrPtr*)(_t91 - 0x1c)) - 0x20;
										if( *((intOrPtr*)(_t91 - 0x1c)) >= 0x20) {
											break;
										}
										L001813E8(_t91 - 0x2c, 8, _t87);
										continue;
									} else {
										__eflags =  *((intOrPtr*)(_t91 - 0x18)) - 0x10;
										_t63 =  *((intOrPtr*)(_t91 - 0x2c));
										if(__eflags < 0) {
											_t63 = _t91 - 0x2c;
										}
										_push( *((intOrPtr*)(_t90 + 0x54)));
										_push(_t87);
										_push(1);
										_push(_t63);
										_t64 = E0018DCBA(_t70, _t83, _t87, _t90, __eflags);
										_t92 = _t92 + 0x10;
										__eflags = _t87 - _t64;
										if(_t87 != _t64) {
											break;
										}
										goto L23;
									}
								}
								__eflags = _t90;
								goto L31;
							}
							_t46 = E00188F2B(__eflags, _t70,  *((intOrPtr*)(_t90 + 0x54))); // executed
							__eflags = _t46;
							if(_t46 == 0) {
								goto L8;
							}
							L6:
							goto L2;
						}
						L8:
						goto L2;
					}
					_t46 =  *((intOrPtr*)(__ecx + 0x34));
					__eflags = _t72 -  *_t46 + _t72;
					if(_t72 >=  *_t46 + _t72) {
						goto L7;
					}
					 *_t46 =  *_t46 - 1;
					__eflags =  *_t46;
					_t90 =  *((intOrPtr*)(__ecx + 0x24));
					_t67 =  *_t90;
					 *_t90 = _t67 + 1;
					 *_t67 = _t70;
					goto L6;
				}
				goto L2;
			}

0x001896da
0x001896e1
0x001896e6
0x001896e9
0x001896ee
0x001896fa
0x001896fd
0x001896ff
0x00189701
0x00189703
0x00189722
0x00189722
0x00189725
0x0018972e
0x00189733
0x00189736
0x0018974f
0x00189752
0x00189759
0x0018975c
0x00189760
0x00189765
0x00189768
0x00189768
0x0018976c
0x0018976f
0x001897fc
0x00189775
0x00189775
0x00189778
0x00189778
0x00189780
0x00189782
0x00189798
0x0018979b
0x0018979d
0x00000000
0x00000000
0x0018979f
0x001897a2
0x00189804
0x00189807
0x00000000
0x00000000
0x0018980f
0x00189816
0x00189818
0x00189830
0x00189830
0x0018981d
0x00189824
0x001896f2
0x001896f7
0x001896f7
0x00000000
0x00189818
0x001897a4
0x001897a8
0x001897ab
0x001897ad
0x001897ad
0x001897b3
0x001897b3
0x001897b5
0x001897d6
0x001897d9
0x001897dd
0x001897e0
0x00000000
0x00000000
0x001897e2
0x001897e4
0x00000000
0x00000000
0x001897e6
0x001897ea
0x00000000
0x00000000
0x001897f2
0x00000000
0x001897b7
0x001897b7
0x001897bb
0x001897be
0x001897c0
0x001897c0
0x001897c3
0x001897c6
0x001897c7
0x001897c9
0x001897ca
0x001897cf
0x001897d2
0x001897d4
0x00000000
0x00000000
0x00000000
0x001897d4
0x001897b5
0x0018981a
0x00000000
0x0018981a
0x0018973c
0x00189743
0x00189745
0x00000000
0x00000000
0x0018971e
0x00000000
0x0018971e
0x00189727
0x00000000
0x00189727
0x00189705
0x0018970c
0x0018970e
0x00000000
0x00000000
0x00189710
0x00189710
0x00189712
0x00189715
0x0018971a
0x0018971c
0x00000000
0x0018971c
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 001896E1
_Fputc.LIBCPMT ref: 0018973C
_Fputc.LIBCPMT ref: 0018980F

Strings

, xrefs: 001897E6

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: Fputc$H_prolog3_
String ID:
API String ID: 2569218679-3916222277
Opcode ID: c6640693d21181456df8f8fb0ce1f0962fd6b9dbd9d9da6a1df820ea63153a71
Instruction ID: 88f2203c7e45c1af238e259944e1bdcbf0b9eaa2b52c8766313310c910f04b37
Opcode Fuzzy Hash: c6640693d21181456df8f8fb0ce1f0962fd6b9dbd9d9da6a1df820ea63153a71
Instruction Fuzzy Hash: 5341A231910609DFCF25EFA8C8809FEB7B5FF5A710F28451AE552A7281EB71AA44CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00181900, Relevance: 4.5, APIs: 3, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00181900(void* __edi, void* __esi, void* __eflags, char* _a4) {
				intOrPtr _v8;
				int _v12;
				short* _v16;
				short* _t21;

				L00181203(0x1bb340);
				_v12 = MultiByteToWideChar(0, 0, _a4, 0xffffffff, 0, 0);
				_t26 = _v12;
				_t5 = _t26 + 2; // 0x1819f2
				_v8 = _v12 + _t5;
				_t21 = E0018B772(_v12 + _t5, __edi, __esi, _v8); // executed
				_v16 = _t21;
				if(_v16 != 0) {
					L0018104B(_v8, _v16, _v8);
					_v12 = MultiByteToWideChar(0, 0, _a4, 0xffffffff, _v16, _v12);
				}
				return _v16;
			}

0x0018190b
0x00181927
0x0018192a
0x0018192d
0x00181931
0x00181938
0x00181940
0x00181947
0x00181951
0x00181971
0x00181971
0x0018197a

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00181921
_malloc.LIBCMT ref: 00181938

Part of subcall function 0018B772: __FF_MSGBANNER.LIBCMT ref: 0018B78B
Part of subcall function 0018B772: __NMSG_WRITE.LIBCMT ref: 0018B792
Part of subcall function 0018B772: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0018FF53,?,00000001,?,?,00197671,00000018,001C1A68,0000000C,00197701), ref: 0018B7B7

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 0018196B

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$AllocateHeap_malloc
String ID:
API String ID: 1306061670-0
Opcode ID: ea8d30873eef7e30645df34f31289a928ab2b94ba1d0dd121e4bc7b36beed14b
Instruction ID: 4726d5a53d749e9d66d4f25a5761f568ce553d53713fe84bc3ea5f016168613f
Opcode Fuzzy Hash: ea8d30873eef7e30645df34f31289a928ab2b94ba1d0dd121e4bc7b36beed14b
Instruction Fuzzy Hash: CB012DB5E04208BFDB10EF94CC86F9DBBB9AB49714F208254F914A72C0D670AA41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00188C0F, Relevance: 1.6, APIs: 1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00188C0F(intOrPtr* __ecx, intOrPtr __edx, signed char* _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t32;
				intOrPtr _t42;
				intOrPtr _t48;
				intOrPtr* _t51;
				intOrPtr _t54;
				void* _t56;
				intOrPtr _t57;
				intOrPtr _t60;
				void* _t62;
				intOrPtr _t64;

				_t48 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t32 = 0;
				_t51 = __ecx;
				_v12 = 0;
				_v8 = 0;
				_t57 = _a12;
				if(_t57 >= 0 && (_t57 > 0 || _a8 > 0)) {
					while(1) {
						_t46 =  *((intOrPtr*)(_t51 + 0x24));
						if( *( *((intOrPtr*)(_t51 + 0x24))) != _t32) {
							_t32 =  *((intOrPtr*)( *((intOrPtr*)(_t51 + 0x34))));
						}
						asm("cdq");
						_t42 = _t48;
						_t54 = _t32;
						_t60 = _t42;
						if(_t60 < 0 || _t60 <= 0 && _t54 == 0) {
							goto L15;
						}
						_t62 = _a12 - _t42;
						if(_t62 <= 0 && (_t62 < 0 || _a8 < _t54)) {
							_t54 = _a8;
						}
						E0018BF90( *_t46, _a4, _t54);
						_a4 =  &(_a4[_t54]);
						_t56 = _t56 + 0xc;
						_v12 = _v12 + _t54;
						asm("adc [ebp-0x4], ebx");
						_a8 = _a8 - _t54;
						asm("sbb [ebp+0x10], ebx");
						 *((intOrPtr*)( *((intOrPtr*)(_t51 + 0x34)))) =  *((intOrPtr*)( *((intOrPtr*)(_t51 + 0x34)))) - _t54;
						 *((intOrPtr*)( *((intOrPtr*)(_t51 + 0x24)))) =  *((intOrPtr*)( *((intOrPtr*)(_t51 + 0x24)))) + _t54;
						L17:
						_t64 = _a12;
						if(_t64 > 0 || _t64 >= 0 && _a8 > 0) {
							_t32 = 0;
							continue;
						}
						L20:
						goto L21;
						L15:
						_t48 =  *_t51;
						_push( *_a4 & 0x000000ff);
						if( *((intOrPtr*)(_t48 + 0xc))() != 0xffffffff) {
							_a4 =  &(_a4[1]);
							_v12 = _v12 + 1;
							asm("adc dword [ebp-0x4], 0x0");
							_a8 = _a8 + 0xffffffff;
							asm("adc dword [ebp+0x10], 0xffffffff");
							goto L17;
						}
						goto L20;
					}
				}
				L21:
				return _v12;
			}

0x00188c0f
0x00188c14
0x00188c15
0x00188c16
0x00188c19
0x00188c1b
0x00188c1e
0x00188c21
0x00188c24
0x00188c3b
0x00188c3b
0x00188c40
0x00188c45
0x00188c45
0x00188c47
0x00188c48
0x00188c4a
0x00188c4c
0x00188c4e
0x00000000
0x00000000
0x00188c56
0x00188c59
0x00188c62
0x00188c65
0x00188c6e
0x00188c73
0x00188c79
0x00188c7c
0x00188c7f
0x00188c82
0x00188c85
0x00188c88
0x00188c8d
0x00188cb7
0x00188cb7
0x00188cbb
0x00188c39
0x00000000
0x00188c39
0x00188ccd
0x00000000
0x00188c91
0x00188c97
0x00188c99
0x00188ca2
0x00188ca4
0x00188ca7
0x00188cab
0x00188caf
0x00188cb3
0x00000000
0x00188cb3
0x00000000
0x00188ca2
0x00188c3b
0x00188ccf
0x00188cd7

APIs

_memmove.LIBCMT ref: 00188C6E

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9031df5662a4e1a2a05f92be2ffe91cff6c6c348067d1629e8729184da2cbee8
Instruction ID: 5c7f72b191a6a7830247a4f5c8ac7e1fff3de5783ec76c04d559174d3d488aaa
Opcode Fuzzy Hash: 9031df5662a4e1a2a05f92be2ffe91cff6c6c348067d1629e8729184da2cbee8
Instruction Fuzzy Hash: 8E317831902209EFCB10DF28C8845DDB7B1FF09364F54826AE8248B295EB709F50CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0019D266, Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0019D266(signed int _a4, signed int _a8, long _a12) {
				void* _t10;
				long _t11;
				long _t12;
				signed int _t13;
				signed int _t17;
				long _t19;
				long _t24;

				_t17 = _a4;
				if(_t17 == 0) {
					L3:
					_t24 = _t17 * _a8;
					__eflags = _t24;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
						__eflags = _t24;
					}
					goto L5;
					L6:
					_t10 = RtlAllocateHeap( *0x1c5a70, 8, _t24); // executed
					__eflags = 0;
					if(0 == 0) {
						goto L7;
					}
					L14:
					return _t10;
					goto L15;
					L7:
					__eflags =  *0x1c5a78;
					if( *0x1c5a78 == 0) {
						_t19 = _a12;
						__eflags = _t19;
						if(_t19 != 0) {
							 *_t19 = 0xc;
						}
					} else {
						_t11 = E00193158(_t10, _t24);
						__eflags = _t11;
						if(_t11 != 0) {
							L5:
							_t10 = 0;
							__eflags = _t24 - 0xffffffe0;
							if(_t24 > 0xffffffe0) {
								goto L7;
							} else {
								goto L6;
							}
						} else {
							_t12 = _a12;
							__eflags = _t12;
							if(_t12 != 0) {
								 *_t12 = 0xc;
							}
							_t10 = 0;
						}
					}
					goto L14;
				} else {
					_t13 = 0xffffffe0;
					_t27 = _t13 / _t17 - _a8;
					if(_t13 / _t17 >= _a8) {
						goto L3;
					} else {
						 *((intOrPtr*)(E001912E2(_t27))) = 0xc;
						return 0;
					}
				}
				L15:
			}

0x0019d26b
0x0019d270
0x0019d28d
0x0019d292
0x0019d294
0x0019d296
0x0019d298
0x0019d298
0x0019d298
0x00000000
0x0019d2a0
0x0019d2a9
0x0019d2af
0x0019d2b1
0x00000000
0x00000000
0x0019d2e5
0x0019d2e7
0x00000000
0x0019d2b3
0x0019d2b3
0x0019d2ba
0x0019d2d8
0x0019d2db
0x0019d2dd
0x0019d2df
0x0019d2df
0x0019d2bc
0x0019d2bd
0x0019d2c3
0x0019d2c5
0x0019d299
0x0019d299
0x0019d29b
0x0019d29e
0x00000000
0x00000000
0x00000000
0x00000000
0x0019d2c7
0x0019d2c7
0x0019d2ca
0x0019d2cc
0x0019d2ce
0x0019d2ce
0x0019d2d4
0x0019d2d4
0x0019d2c5
0x00000000
0x0019d272
0x0019d276
0x0019d279
0x0019d27c
0x00000000
0x0019d27e
0x0019d283
0x0019d28c
0x0019d28c
0x0019d27c
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0018FF9D,?,?,00000000,00000000,00000000,?,001925A1,00000001,00000214,?,0018B596), ref: 0019D2A9

Part of subcall function 001912E2: __getptd_noexit.LIBCMT ref: 001912E2

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 05908bc043b2ec4b93ba9d974a24d127fafc1ca91e4db2e8c76fbf0be4ab17f2
Instruction ID: 025a96dbc6789d6ca56498157685b171b52089a75e71d0c2c4ea62b95e56b6f4
Opcode Fuzzy Hash: 05908bc043b2ec4b93ba9d974a24d127fafc1ca91e4db2e8c76fbf0be4ab17f2
Instruction Fuzzy Hash: 3E01DF312012169BEF289FA6EC48F6A3794BB913A0F11462AE816CB690CB30EC40C750

Uniqueness

Uniqueness Score: -1.00%

Function 00192402, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,0019DFA2,001C5448,00000314,00000000,?,?,?,?,?,00193019,001C5448,Microsoft Visual C++ Runtime Library,00012010), ref: 00192404

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 891dff7b09eadeec42ab758bd144fc9f1e93b5a2c5578cf429119cbd5cc258e3
Instruction ID: 9e13fb0424b3861b261535dd49ba104179f8feb21b23785b3f37cd1181c76dd4
Opcode Fuzzy Hash: 891dff7b09eadeec42ab758bd144fc9f1e93b5a2c5578cf429119cbd5cc258e3
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00199D6C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00199D6C(void* __edi, char* __esi) {
				short _v8;
				void* _t24;

				_t24 = __edi;
				if(__esi == 0 ||  *__esi == 0 || E001935D0(__esi, ?str?) == 0) {
					if(GetLocaleInfoW( *(_t24 + 0x1c), 0x20001004,  &_v8, 2) != 0) {
						if(_v8 != 0) {
							goto L5;
						} else {
							return GetACP();
						}
					} else {
						goto L8;
					}
				} else {
					if(E001935D0(__esi, ?str?) != 0) {
						_v8 = E001A78A4(__esi);
						goto L5;
					} else {
						if(GetLocaleInfoW( *(__edi + 0x1c), 0x2000000b,  &_v8, 2) == 0) {
							L8:
							return 0;
						} else {
							L5:
							return _v8;
						}
					}
				}
			}

0x00199d6c
0x00199d74
0x00199ddc
0x00199de6
0x00000000
0x00199de8
0x00199def
0x00199def
0x00000000
0x00000000
0x00000000
0x00199d8c
0x00199d9b
0x00199dc1
0x00000000
0x00199d9d
0x00199db3
0x00199dde
0x00199de1
0x00199db5
0x00199db5
0x00199db9
0x00199db9
0x00199db3
0x00199d9b

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,0019A3D5,?,0018E91A,?,000000BC,?,00000001,00000000,00000000), ref: 00199DAB
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,0019A3D5,?,0018E91A,?,000000BC,?,00000001,00000000,00000000), ref: 00199DD4
GetACP.KERNEL32(?,?,0019A3D5,?,0018E91A,?,000000BC,?,00000001,00000000), ref: 00199DE8

Strings

OCP, xrefs: 00199D8C
ACP, xrefs: 00199D7B

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: f6da682391182fb9bfe7eb9c18263c738f89f25c3f273e8e7db8fec7f237a119
Instruction ID: 35bb8024dd87e9eaabe18834b5863249a705095c34f9e5eceaa1fdb2157d15a4
Opcode Fuzzy Hash: f6da682391182fb9bfe7eb9c18263c738f89f25c3f273e8e7db8fec7f237a119
Instruction Fuzzy Hash: FB018F31A0465ABAEF259BA9AC8AF9A76E8AF21758F200058F501E54C0FB60DA81D654

Uniqueness

Uniqueness Score: -1.00%

Function 0018CFF8, Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0018CFF8(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x1c3ad4; // 0x384a8d02
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x1c5ca0 = _t6;
				 *0x1c5c9c = _t22;
				 *0x1c5c98 = _t25;
				 *0x1c5c94 = _t21;
				 *0x1c5c90 = _t27;
				 *0x1c5c8c = _t26;
				 *0x1c5cb8 = ss;
				 *0x1c5cac = cs;
				 *0x1c5c88 = ds;
				 *0x1c5c84 = es;
				 *0x1c5c80 = fs;
				 *0x1c5c7c = gs;
				asm("pushfd");
				_pop( *0x1c5cb0);
				 *0x1c5ca4 =  *_t31;
				 *0x1c5ca8 = _v0;
				 *0x1c5cb4 =  &_a4;
				 *0x1c5bf0 = 0x10001;
				_t11 =  *0x1c5ca8; // 0x0
				 *0x1c5ba4 = _t11;
				 *0x1c5b98 = 0xc0000409;
				 *0x1c5b9c = 1;
				_t12 =  *0x1c3ad4; // 0x384a8d02
				_v812 = _t12;
				_t13 =  *0x1c3ad8; // 0xc7b572fd
				_v808 = _t13;
				 *0x1c5be8 = IsDebuggerPresent();
				_push(1);
				E0019DD25(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x1bd310);
				if( *0x1c5be8 == 0) {
					_push(1);
					E0019DD25(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x0018cff8
0x0018cff8
0x0018cff8
0x0018cff8
0x0018cff8
0x0018cff8
0x0018cff8
0x0018cffe
0x0018d000
0x0018d000
0x001970c8
0x001970cd
0x001970d3
0x001970d9
0x001970df
0x001970e5
0x001970eb
0x001970f2
0x001970f9
0x00197100
0x00197107
0x0019710e
0x00197115
0x00197116
0x0019711f
0x00197127
0x0019712f
0x0019713a
0x00197144
0x00197149
0x0019714e
0x00197158
0x00197162
0x00197167
0x0019716d
0x00197172
0x0019717e
0x00197183
0x00197185
0x0019718d
0x00197198
0x001971a5
0x001971a7
0x001971a9
0x001971ae
0x001971c2

APIs

IsDebuggerPresent.KERNEL32 ref: 00197178
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0019718D
UnhandledExceptionFilter.KERNEL32(001BD310), ref: 00197198
GetCurrentProcess.KERNEL32(C0000409), ref: 001971B4
TerminateProcess.KERNEL32(00000000), ref: 001971BB

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: aea0e58cb6da984ed799abad88b310666cfadd10f8c4eef754e84f1204e222fa
Instruction ID: 3efc0a74ca29c36841935c8de04eaac0f80322ea881d55c9d1afb1092249432e
Opcode Fuzzy Hash: aea0e58cb6da984ed799abad88b310666cfadd10f8c4eef754e84f1204e222fa
Instruction Fuzzy Hash: 6121CEB4510B449FD700DF28F88AE483FBAFB18710F505019E40887AA1EBB4E9C1CF09

Uniqueness

Uniqueness Score: -1.00%

Function 0019A1F6, Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0019A1F6(void* __eax, void* __ebx, void* __edi, void* __esi) {
				int _t16;

				 *((intOrPtr*)(__ebx - 0x2708fc18)) =  *((intOrPtr*)(__ebx - 0x2708fc18)) + 1;
				asm("sbb eax, eax");
				 *((intOrPtr*)(__esi + 0x14)) = __eax + 0xe9;
				_t16 = EnumSystemLocalesA(E00199E61, 1);
				if(( *(__esi + 8) & 0x00000004) == 0) {
					 *(__esi + 8) =  *(__esi + 8) & 0x00000000;
					return _t16;
				}
				return _t16;
			}

0x0019a1fb
0x0019a202
0x0019a20c
0x0019a20f
0x0019a219
0x0019a21b
0x00000000
0x0019a21b
0x0019a21f

APIs

EnumSystemLocalesA.KERNEL32(Function_00019E61,00000001), ref: 0019A20F

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: ba940b5597adde7d8024731bf4a64e85f77fb575f489d959260384eede1a207d
Instruction ID: 05242a38e87b8d07b529d4521d14995cae662d770d95a16be226c2268255d341
Opcode Fuzzy Hash: ba940b5597adde7d8024731bf4a64e85f77fb575f489d959260384eede1a207d
Instruction Fuzzy Hash: 39D05E70A507419BDB204F349A497B1BBE0FF10F16F60694DCD92444D1D7B4B4C98740

Uniqueness

Uniqueness Score: -1.00%

Function 0019676A, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0019676A() {

				SetUnhandledExceptionFilter(E00196728);
				return 0;
			}

0x0019676f
0x00196777

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00016728), ref: 0019676F

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: daa75c00eb2c442c39f372dee223a6fe3708f6d529c497417f991ff9663a527b
Instruction ID: ba7a5ae66877a4f514d26b078212e7c734154d0a83d80187fcfd88d1dd3af265
Opcode Fuzzy Hash: daa75c00eb2c442c39f372dee223a6fe3708f6d529c497417f991ff9663a527b
Instruction Fuzzy Hash: 909002A0651140468B4417B45D499063DD06B9CA4678124546001C4555DF55C0449521

Uniqueness

Uniqueness Score: -1.00%

Function 0018C950, Relevance: 1.3, Strings: 1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0018C950(signed int _a4, signed char _a8, intOrPtr _a12) {
				intOrPtr _t13;
				void* _t14;
				signed char _t20;
				signed char _t24;
				signed int _t27;
				signed char _t32;
				unsigned int _t33;
				signed char _t35;
				signed char _t37;
				signed int _t39;

				_t13 = _a12;
				if(_t13 == 0) {
					L11:
					return _t13;
				} else {
					_t39 = _a4;
					_t20 = _a8;
					if((_t39 & 0x00000003) == 0) {
						L5:
						_t14 = _t13 - 4;
						if(_t14 < 0) {
							L8:
							_t13 = _t14 + 4;
							if(_t13 == 0) {
								goto L11;
							} else {
								while(1) {
									_t24 =  *_t39;
									_t39 = _t39 + 1;
									if((_t24 ^ _t20) == 0) {
										goto L20;
									}
									_t13 = _t13 - 1;
									if(_t13 != 0) {
										continue;
									} else {
										goto L11;
									}
									goto L24;
								}
								goto L20;
							}
						} else {
							_t20 = ((_t20 << 8) + _t20 << 0x10) + (_t20 << 8) + _t20;
							do {
								_t27 =  *_t39 ^ _t20;
								_t39 = _t39 + 4;
								if(((_t27 ^ 0xffffffff ^ 0x7efefeff + _t27) & 0x81010100) == 0) {
									goto L12;
								} else {
									_t32 =  *(_t39 - 4) ^ _t20;
									if(_t32 == 0) {
										return _t39 - 4;
									} else {
										_t33 = _t32 ^ _t20;
										if(_t33 == 0) {
											return _t39 - 3;
										} else {
											_t35 = _t33 >> 0x00000010 ^ _t20;
											if(_t35 == 0) {
												return _t39 - 2;
											} else {
												if((_t35 ^ _t20) == 0) {
													goto L20;
												} else {
													goto L12;
												}
											}
										}
									}
								}
								goto L24;
								L12:
								_t14 = _t14 - 4;
							} while (_t14 >= 0);
							goto L8;
						}
					} else {
						while(1) {
							_t37 =  *_t39;
							_t39 = _t39 + 1;
							if((_t37 ^ _t20) == 0) {
								break;
							}
							_t13 = _t13 - 1;
							if(_t13 == 0) {
								goto L11;
							} else {
								if((_t39 & 0x00000003) != 0) {
									continue;
								} else {
									goto L5;
								}
							}
							goto L24;
						}
						L20:
						return _t39 - 1;
					}
				}
				L24:
			}

0x0018c950
0x0018c957
0x0018c9ac
0x0018c9ac
0x0018c959
0x0018c959
0x0018c95f
0x0018c969
0x0018c981
0x0018c981
0x0018c984
0x0018c998
0x0018c998
0x0018c99b
0x00000000
0x0018c99d
0x0018c99d
0x0018c99d
0x0018c99f
0x0018c9a4
0x00000000
0x00000000
0x0018c9a6
0x0018c9a9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0018c9a9
0x00000000
0x0018c99d
0x0018c986
0x0018c993
0x0018c9b2
0x0018c9b4
0x0018c9c2
0x0018c9cb
0x00000000
0x0018c9cd
0x0018c9d0
0x0018c9d2
0x0018c9fc
0x0018c9d4
0x0018c9d4
0x0018c9d6
0x0018c9f6
0x0018c9d8
0x0018c9db
0x0018c9dd
0x0018c9f0
0x0018c9df
0x0018c9e1
0x00000000
0x0018c9e3
0x00000000
0x0018c9e3
0x0018c9e1
0x0018c9dd
0x0018c9d6
0x0018c9d2
0x00000000
0x0018c9ad
0x0018c9ad
0x0018c9ad
0x00000000
0x0018c997
0x0018c96b
0x0018c96b
0x0018c96b
0x0018c96d
0x0018c972
0x00000000
0x00000000
0x0018c974
0x0018c977
0x00000000
0x0018c979
0x0018c97f
0x00000000
0x00000000
0x00000000
0x00000000
0x0018c97f
0x00000000
0x0018c977
0x0018c9e6
0x0018c9ea
0x0018c9ea
0x0018c969
0x00000000

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0018C986

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-4256519037
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 56580bbf7c7cfcc31f8a4273c56a14dd25ead33244d82ee99169ea9f3949734f
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: F71108B7A0014243DA14A62ED4B45B6E795EBD532C72D43EAD0818B758D332AB459FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0019B9CE, Relevance: .5, Instructions: 489
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0019B9CE(signed char* _a4, signed char* _a8, signed int _a12) {
				signed int _t984;
				void* _t986;
				signed int _t988;
				void* _t989;
				void* _t991;
				void* _t993;
				void* _t994;
				void* _t996;
				void* _t998;
				void* _t1001;
				void* _t1003;
				void* _t1005;
				signed char* _t1006;
				void* _t1007;
				signed int _t1108;
				signed char* _t1111;
				signed char* _t1112;
				signed char* _t1113;
				signed char* _t1114;
				void* _t1134;
				signed int _t1135;
				void* _t1136;
				signed char* _t1137;
				signed char* _t1138;
				signed char* _t1139;
				void* _t1149;
				void* _t1151;
				void* _t1153;
				void* _t1156;
				void* _t1158;
				void* _t1160;
				void* _t1163;
				void* _t1165;
				void* _t1167;
				void* _t1170;
				void* _t1172;
				void* _t1174;
				void* _t1177;
				void* _t1179;
				void* _t1181;
				void* _t1184;
				void* _t1186;
				void* _t1188;
				void* _t1191;
				void* _t1193;
				void* _t1195;
				void* _t1198;
				void* _t1200;
				void* _t1202;

				_t1135 = _a12;
				_t984 = _t1135;
				if(_t984 == 0) {
					return 0;
				}
				_t986 = _t984 - 1;
				if(_t986 == 0) {
					_t988 =  *_a4 & 0x000000ff;
					_t1108 =  *_a8 & 0x000000ff;
					L426:
					_t989 = _t988 - _t1108;
					if(_t989 == 0) {
						L438:
						return _t989;
					}
					_t958 = (0 | _t989 > 0x00000000) - 1; // -1
					return (_t989 > 0) + _t958;
				}
				_t991 = _t986 - 1;
				if(_t991 == 0) {
					_t1111 = _a4;
					_t1137 = _a8;
					_t993 = ( *_t1111 & 0x000000ff) - ( *_t1137 & 0x000000ff);
					if(_t993 == 0) {
						L435:
						_t988 = _t1111[1] & 0x000000ff;
						_t1108 = _t1137[1] & 0x000000ff;
						goto L426;
					}
					_t978 = (0 | _t993 > 0x00000000) - 1; // -1
					_t989 = (_t993 > 0) + _t978;
					if(_t989 != 0) {
						goto L438;
					}
					goto L435;
				}
				_t994 = _t991 - 1;
				if(_t994 == 0) {
					_t1112 = _a4;
					_t1138 = _a8;
					_t996 = ( *_t1112 & 0x000000ff) - ( *_t1138 & 0x000000ff);
					if(_t996 == 0) {
						L430:
						_t998 = (_t1112[1] & 0x000000ff) - (_t1138[1] & 0x000000ff);
						if(_t998 == 0) {
							L432:
							_t988 = _t1112[2] & 0x000000ff;
							_t1108 = _t1138[2] & 0x000000ff;
							goto L426;
						}
						_t970 = (0 | _t998 > 0x00000000) - 1; // -1
						_t989 = (_t998 > 0) + _t970;
						if(_t989 != 0) {
							goto L438;
						}
						goto L432;
					}
					_t964 = (0 | _t996 > 0x00000000) - 1; // -1
					_t989 = (_t996 > 0) + _t964;
					if(_t989 != 0) {
						goto L438;
					}
					goto L430;
				}
				if(_t994 == 1) {
					_t1113 = _a4;
					_t1139 = _a8;
					_t1001 = ( *_t1113 & 0x000000ff) - ( *_t1139 & 0x000000ff);
					if(_t1001 == 0) {
						L421:
						_t1003 = (_t1113[1] & 0x000000ff) - (_t1139[1] & 0x000000ff);
						if(_t1003 == 0) {
							L423:
							_t1005 = (_t1113[2] & 0x000000ff) - (_t1139[2] & 0x000000ff);
							if(_t1005 == 0) {
								L425:
								_t988 = _t1113[3] & 0x000000ff;
								_t1108 = _t1139[3] & 0x000000ff;
								goto L426;
							}
							_t952 = (0 | _t1005 > 0x00000000) - 1; // -1
							_t989 = (_t1005 > 0) + _t952;
							if(_t989 != 0) {
								goto L438;
							}
							goto L425;
						}
						_t946 = (0 | _t1003 > 0x00000000) - 1; // -1
						_t989 = (_t1003 > 0) + _t946;
						if(_t989 != 0) {
							goto L438;
						}
						goto L423;
					}
					_t940 = (0 | _t1001 > 0x00000000) - 1; // -1
					_t989 = (_t1001 > 0) + _t940;
					if(_t989 != 0) {
						goto L438;
					}
					goto L421;
				} else {
					_t1114 = _a8;
					_t1006 = _a4;
					_t1134 = 0x20;
					while(_t1135 >= _t1134) {
						if( *_t1006 ==  *_t1114) {
							_t1136 = 0;
							L16:
							if(_t1136 != 0) {
								L98:
								_t1007 = _t1136;
								L178:
								return _t1007;
							}
							if(_t1006[4] == _t1114[4]) {
								_t1136 = 0;
								L27:
								if(_t1136 != 0) {
									goto L98;
								}
								if(_t1006[8] == _t1114[8]) {
									_t1136 = 0;
									L38:
									if(_t1136 != 0) {
										goto L98;
									}
									if(_t1006[0xc] == _t1114[0xc]) {
										_t1136 = 0;
										L49:
										if(_t1136 != 0) {
											goto L98;
										}
										if(_t1006[0x10] == _t1114[0x10]) {
											_t1136 = 0;
											L60:
											if(_t1136 != 0) {
												goto L98;
											}
											if(_t1006[0x14] == _t1114[0x14]) {
												_t1136 = 0;
												L71:
												if(_t1136 != 0) {
													goto L98;
												}
												if(_t1006[0x18] == _t1114[0x18]) {
													_t1136 = 0;
													L82:
													if(_t1136 != 0) {
														goto L98;
													}
													if(_t1006[0x1c] == _t1114[0x1c]) {
														_t1136 = 0;
														L93:
														if(_t1136 != 0) {
															goto L98;
														} else {
															_t1006 =  &(_t1006[_t1134]);
															_t1114 =  &(_t1114[_t1134]);
															_t1135 = _t1135 - _t1134;
															continue;
														}
													}
													_t1149 = (_t1006[0x1c] & 0x000000ff) - (_t1114[0x1c] & 0x000000ff);
													if(_t1149 == 0) {
														L86:
														_t1151 = (_t1006[0x1d] & 0x000000ff) - (_t1114[0x1d] & 0x000000ff);
														if(_t1151 == 0) {
															L88:
															_t1153 = (_t1006[0x1e] & 0x000000ff) - (_t1114[0x1e] & 0x000000ff);
															if(_t1153 == 0) {
																L90:
																_t1136 = (_t1006[0x1f] & 0x000000ff) - (_t1114[0x1f] & 0x000000ff);
																if(_t1136 != 0) {
																	_t207 = (0 | _t1136 > 0x00000000) - 1; // -1
																	_t1136 = (_t1136 > 0) + _t207;
																}
																goto L93;
															}
															_t201 = (0 | _t1153 > 0x00000000) - 1; // -1
															_t1136 = (_t1153 > 0) + _t201;
															if(_t1136 != 0) {
																goto L98;
															}
															goto L90;
														}
														_t195 = (0 | _t1151 > 0x00000000) - 1; // -1
														_t1136 = (_t1151 > 0) + _t195;
														if(_t1136 != 0) {
															goto L98;
														}
														goto L88;
													}
													_t189 = (0 | _t1149 > 0x00000000) - 1; // -1
													_t1136 = (_t1149 > 0) + _t189;
													if(_t1136 != 0) {
														goto L98;
													}
													goto L86;
												}
												_t1156 = (_t1006[0x18] & 0x000000ff) - (_t1114[0x18] & 0x000000ff);
												if(_t1156 == 0) {
													L75:
													_t1158 = (_t1006[0x19] & 0x000000ff) - (_t1114[0x19] & 0x000000ff);
													if(_t1158 == 0) {
														L77:
														_t1160 = (_t1006[0x1a] & 0x000000ff) - (_t1114[0x1a] & 0x000000ff);
														if(_t1160 == 0) {
															L79:
															_t1136 = (_t1006[0x1b] & 0x000000ff) - (_t1114[0x1b] & 0x000000ff);
															if(_t1136 != 0) {
																_t181 = (0 | _t1136 > 0x00000000) - 1; // -1
																_t1136 = (_t1136 > 0) + _t181;
															}
															goto L82;
														}
														_t175 = (0 | _t1160 > 0x00000000) - 1; // -1
														_t1136 = (_t1160 > 0) + _t175;
														if(_t1136 != 0) {
															goto L98;
														}
														goto L79;
													}
													_t169 = (0 | _t1158 > 0x00000000) - 1; // -1
													_t1136 = (_t1158 > 0) + _t169;
													if(_t1136 != 0) {
														goto L98;
													}
													goto L77;
												}
												_t163 = (0 | _t1156 > 0x00000000) - 1; // -1
												_t1136 = (_t1156 > 0) + _t163;
												if(_t1136 != 0) {
													goto L98;
												}
												goto L75;
											}
											_t1163 = (_t1006[0x14] & 0x000000ff) - (_t1114[0x14] & 0x000000ff);
											if(_t1163 == 0) {
												L64:
												_t1165 = (_t1006[0x15] & 0x000000ff) - (_t1114[0x15] & 0x000000ff);
												if(_t1165 == 0) {
													L66:
													_t1167 = (_t1006[0x16] & 0x000000ff) - (_t1114[0x16] & 0x000000ff);
													if(_t1167 == 0) {
														L68:
														_t1136 = (_t1006[0x17] & 0x000000ff) - (_t1114[0x17] & 0x000000ff);
														if(_t1136 != 0) {
															_t155 = (0 | _t1136 > 0x00000000) - 1; // -1
															_t1136 = (_t1136 > 0) + _t155;
														}
														goto L71;
													}
													_t149 = (0 | _t1167 > 0x00000000) - 1; // -1
													_t1136 = (_t1167 > 0) + _t149;
													if(_t1136 != 0) {
														goto L98;
													}
													goto L68;
												}
												_t143 = (0 | _t1165 > 0x00000000) - 1; // -1
												_t1136 = (_t1165 > 0) + _t143;
												if(_t1136 != 0) {
													goto L98;
												}
												goto L66;
											}
											_t137 = (0 | _t1163 > 0x00000000) - 1; // -1
											_t1136 = (_t1163 > 0) + _t137;
											if(_t1136 != 0) {
												goto L98;
											}
											goto L64;
										}
										_t1170 = (_t1006[0x10] & 0x000000ff) - (_t1114[0x10] & 0x000000ff);
										if(_t1170 == 0) {
											L53:
											_t1172 = (_t1006[0x11] & 0x000000ff) - (_t1114[0x11] & 0x000000ff);
											if(_t1172 == 0) {
												L55:
												_t1174 = (_t1006[0x12] & 0x000000ff) - (_t1114[0x12] & 0x000000ff);
												if(_t1174 == 0) {
													L57:
													_t1136 = (_t1006[0x13] & 0x000000ff) - (_t1114[0x13] & 0x000000ff);
													if(_t1136 != 0) {
														_t129 = (0 | _t1136 > 0x00000000) - 1; // -1
														_t1136 = (_t1136 > 0) + _t129;
													}
													goto L60;
												}
												_t123 = (0 | _t1174 > 0x00000000) - 1; // -1
												_t1136 = (_t1174 > 0) + _t123;
												if(_t1136 != 0) {
													goto L98;
												}
												goto L57;
											}
											_t117 = (0 | _t1172 > 0x00000000) - 1; // -1
											_t1136 = (_t1172 > 0) + _t117;
											if(_t1136 != 0) {
												goto L98;
											}
											goto L55;
										}
										_t111 = (0 | _t1170 > 0x00000000) - 1; // -1
										_t1136 = (_t1170 > 0) + _t111;
										if(_t1136 != 0) {
											goto L98;
										}
										goto L53;
									}
									_t1177 = (_t1006[0xc] & 0x000000ff) - (_t1114[0xc] & 0x000000ff);
									if(_t1177 == 0) {
										L42:
										_t1179 = (_t1006[0xd] & 0x000000ff) - (_t1114[0xd] & 0x000000ff);
										if(_t1179 == 0) {
											L44:
											_t1181 = (_t1006[0xe] & 0x000000ff) - (_t1114[0xe] & 0x000000ff);
											if(_t1181 == 0) {
												L46:
												_t1136 = (_t1006[0xf] & 0x000000ff) - (_t1114[0xf] & 0x000000ff);
												if(_t1136 != 0) {
													_t103 = (0 | _t1136 > 0x00000000) - 1; // -1
													_t1136 = (_t1136 > 0) + _t103;
												}
												goto L49;
											}
											_t97 = (0 | _t1181 > 0x00000000) - 1; // -1
											_t1136 = (_t1181 > 0) + _t97;
											if(_t1136 != 0) {
												goto L98;
											}
											goto L46;
										}
										_t91 = (0 | _t1179 > 0x00000000) - 1; // -1
										_t1136 = (_t1179 > 0) + _t91;
										if(_t1136 != 0) {
											goto L98;
										}
										goto L44;
									}
									_t85 = (0 | _t1177 > 0x00000000) - 1; // -1
									_t1136 = (_t1177 > 0) + _t85;
									if(_t1136 != 0) {
										goto L98;
									}
									goto L42;
								}
								_t1184 = (_t1006[8] & 0x000000ff) - (_t1114[8] & 0x000000ff);
								if(_t1184 == 0) {
									L31:
									_t1186 = (_t1006[9] & 0x000000ff) - (_t1114[9] & 0x000000ff);
									if(_t1186 == 0) {
										L33:
										_t1188 = (_t1006[0xa] & 0x000000ff) - (_t1114[0xa] & 0x000000ff);
										if(_t1188 == 0) {
											L35:
											_t1136 = (_t1006[0xb] & 0x000000ff) - (_t1114[0xb] & 0x000000ff);
											if(_t1136 != 0) {
												_t77 = (0 | _t1136 > 0x00000000) - 1; // -1
												_t1136 = (_t1136 > 0) + _t77;
											}
											goto L38;
										}
										_t71 = (0 | _t1188 > 0x00000000) - 1; // -1
										_t1136 = (_t1188 > 0) + _t71;
										if(_t1136 != 0) {
											goto L98;
										}
										goto L35;
									}
									_t65 = (0 | _t1186 > 0x00000000) - 1; // -1
									_t1136 = (_t1186 > 0) + _t65;
									if(_t1136 != 0) {
										goto L98;
									}
									goto L33;
								}
								_t59 = (0 | _t1184 > 0x00000000) - 1; // -1
								_t1136 = (_t1184 > 0) + _t59;
								if(_t1136 != 0) {
									goto L98;
								}
								goto L31;
							}
							_t1191 = (_t1006[4] & 0x000000ff) - (_t1114[4] & 0x000000ff);
							if(_t1191 == 0) {
								L20:
								_t1193 = (_t1006[5] & 0x000000ff) - (_t1114[5] & 0x000000ff);
								if(_t1193 == 0) {
									L22:
									_t1195 = (_t1006[6] & 0x000000ff) - (_t1114[6] & 0x000000ff);
									if(_t1195 == 0) {
										L24:
										_t1136 = (_t1006[7] & 0x000000ff) - (_t1114[7] & 0x000000ff);
										if(_t1136 != 0) {
											_t51 = (0 | _t1136 > 0x00000000) - 1; // -1
											_t1136 = (_t1136 > 0) + _t51;
										}
										goto L27;
									}
									_t45 = (0 | _t1195 > 0x00000000) - 1; // -1
									_t1136 = (_t1195 > 0) + _t45;
									if(_t1136 != 0) {
										goto L98;
									}
									goto L24;
								}
								_t39 = (0 | _t1193 > 0x00000000) - 1; // -1
								_t1136 = (_t1193 > 0) + _t39;
								if(_t1136 != 0) {
									goto L98;
								}
								goto L22;
							}
							_t33 = (0 | _t1191 > 0x00000000) - 1; // -1
							_t1136 = (_t1191 > 0) + _t33;
							if(_t1136 != 0) {
								goto L98;
							}
							goto L20;
						}
						_t1198 = ( *_t1006 & 0x000000ff) - ( *_t1114 & 0x000000ff);
						if(_t1198 == 0) {
							L9:
							_t1200 = (_t1006[1] & 0x000000ff) - (_t1114[1] & 0x000000ff);
							if(_t1200 == 0) {
								L11:
								_t1202 = (_t1006[2] & 0x000000ff) - (_t1114[2] & 0x000000ff);
								if(_t1202 == 0) {
									L13:
									_t1136 = (_t1006[3] & 0x000000ff) - (_t1114[3] & 0x000000ff);
									if(_t1136 != 0) {
										_t25 = (0 | _t1136 > 0x00000000) - 1; // -1
										_t1136 = (_t1136 > 0) + _t25;
									}
									goto L16;
								}
								_t19 = (0 | _t1202 > 0x00000000) - 1; // -1
								_t1136 = (_t1202 > 0) + _t19;
								if(_t1136 != 0) {
									goto L98;
								}
								goto L13;
							}
							_t13 = (0 | _t1200 > 0x00000000) - 1; // -1
							_t1136 = (_t1200 > 0) + _t13;
							if(_t1136 != 0) {
								goto L98;
							}
							goto L11;
						}
						_t7 = (0 | _t1198 > 0x00000000) - 1; // -1
						_t1136 = (_t1198 > 0) + _t7;
						if(_t1136 != 0) {
							goto L98;
						}
						goto L9;
					}
					if(_t1135 > 0x1f) {
						L177:
						_t1007 = 0;
						goto L178;
					}
					switch( *((intOrPtr*)(_t1135 * 4 +  &M0019CEA2))) {
						case 0:
							goto L177;
						case 1:
							L256:
							__ecx =  *(__ecx - 1) & 0x000000ff;
							__eax =  *(__eax - 1) & 0x000000ff;
							__eax = __eax - __ecx;
							if(__eax != 0) {
								__ecx = 0;
								_t567 = (0 | __eax > 0x00000000) - 1; // -1
								__eax = (__eax > 0) + _t567;
							}
							goto L178;
						case 2:
							L335:
							if( *(__eax - 2) ==  *(__ecx - 2)) {
								goto L177;
							}
							goto L336;
						case 3:
							L416:
							__esi =  *(__eax - 3) & 0x000000ff;
							__edx =  *(__ecx - 3) & 0x000000ff;
							__esi = ( *(__eax - 3) & 0x000000ff) - ( *(__ecx - 3) & 0x000000ff);
							if(__esi == 0) {
								L336:
								__edx =  *(__ecx - 2) & 0x000000ff;
								__esi =  *(__eax - 2) & 0x000000ff;
								__esi = ( *(__eax - 2) & 0x000000ff) - ( *(__ecx - 2) & 0x000000ff);
								if(__esi == 0) {
									goto L256;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								__edx = (__esi > 0) + (__esi > 0) - 1;
								if(__edx != 0) {
									L418:
									__eax = __edx;
									goto L178;
								}
								goto L256;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							if(__edx == 0) {
								goto L336;
							}
							goto L418;
						case 4:
							L165:
							__edx =  *(__eax - 4);
							if( *(__eax - 4) ==  *(__ecx - 4)) {
								__eax = 0;
								L176:
								if(__eax != 0) {
									goto L178;
								}
								goto L177;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 4) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 4) & 0x000000ff);
							if(__esi == 0) {
								L168:
								__esi =  *(__eax - 3) & 0x000000ff;
								__edx =  *(__ecx - 3) & 0x000000ff;
								__esi = ( *(__eax - 3) & 0x000000ff) - ( *(__ecx - 3) & 0x000000ff);
								if(__esi == 0) {
									L170:
									__esi =  *(__eax - 2) & 0x000000ff;
									__edx =  *(__ecx - 2) & 0x000000ff;
									__esi = ( *(__eax - 2) & 0x000000ff) - ( *(__ecx - 2) & 0x000000ff);
									if(__esi == 0) {
										L173:
										__eax =  *(__eax - 1) & 0x000000ff;
										__eax = __eax - __ecx;
										if(__eax != 0) {
											__ecx = 0;
											_t385 = (0 | __eax > 0x00000000) - 1; // -1
											__eax = (__eax > 0) + _t385;
										}
										goto L176;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									if(__edx == 0) {
										goto L173;
									}
									L172:
									__eax = __edx;
									goto L176;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								__edx = (__esi > 0) + (__esi > 0) - 1;
								if(__edx != 0) {
									goto L172;
								}
								goto L170;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							if(__edx != 0) {
								goto L172;
							}
							goto L168;
						case 5:
							L245:
							__edx =  *(__eax - 5);
							if( *(__eax - 5) ==  *(__ecx - 5)) {
								__esi = 0;
								L255:
								if(__esi != 0) {
									goto L98;
								}
								goto L256;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 5) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 5) & 0x000000ff);
							if(__esi == 0) {
								L248:
								__esi =  *(__eax - 4) & 0x000000ff;
								__edx =  *(__ecx - 4) & 0x000000ff;
								__esi = ( *(__eax - 4) & 0x000000ff) - ( *(__ecx - 4) & 0x000000ff);
								if(__esi == 0) {
									L250:
									__esi =  *(__eax - 3) & 0x000000ff;
									__edx =  *(__ecx - 3) & 0x000000ff;
									__esi = ( *(__eax - 3) & 0x000000ff) - ( *(__ecx - 3) & 0x000000ff);
									if(__esi == 0) {
										L252:
										__esi =  *(__eax - 2) & 0x000000ff;
										__edx =  *(__ecx - 2) & 0x000000ff;
										__esi = ( *(__eax - 2) & 0x000000ff) - ( *(__ecx - 2) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t561 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t561;
										}
										goto L255;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t555 = __edx - 1; // -1
									__esi = __edx + _t555;
									if(__edx + _t555 != 0) {
										goto L98;
									}
									goto L252;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t549 = __edx - 1; // -1
								__esi = __edx + _t549;
								if(__edx + _t549 != 0) {
									goto L98;
								}
								goto L250;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t543 = __edx - 1; // -1
							__esi = __edx + _t543;
							if(__edx + _t543 != 0) {
								goto L98;
							}
							goto L248;
						case 6:
							L324:
							__edx =  *(__eax - 6);
							if( *(__eax - 6) ==  *(__ecx - 6)) {
								__esi = 0;
								L334:
								if(__esi != 0) {
									goto L98;
								}
								goto L335;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 6) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 6) & 0x000000ff);
							if(__esi == 0) {
								L327:
								__esi =  *(__eax - 5) & 0x000000ff;
								__edx =  *(__ecx - 5) & 0x000000ff;
								__esi = ( *(__eax - 5) & 0x000000ff) - ( *(__ecx - 5) & 0x000000ff);
								if(__esi == 0) {
									L329:
									__esi =  *(__eax - 4) & 0x000000ff;
									__edx =  *(__ecx - 4) & 0x000000ff;
									__esi = ( *(__eax - 4) & 0x000000ff) - ( *(__ecx - 4) & 0x000000ff);
									if(__esi == 0) {
										L331:
										__esi =  *(__eax - 3) & 0x000000ff;
										__edx =  *(__ecx - 3) & 0x000000ff;
										__esi = ( *(__eax - 3) & 0x000000ff) - ( *(__ecx - 3) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t743 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t743;
										}
										goto L334;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t737 = __edx - 1; // -1
									__esi = __edx + _t737;
									if(__edx + _t737 != 0) {
										goto L98;
									}
									goto L331;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t731 = __edx - 1; // -1
								__esi = __edx + _t731;
								if(__edx + _t731 != 0) {
									goto L98;
								}
								goto L329;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t725 = __edx - 1; // -1
							__esi = __edx + _t725;
							if(__edx + _t725 != 0) {
								goto L98;
							}
							goto L327;
						case 7:
							L405:
							__edx =  *(__eax - 7);
							if( *(__eax - 7) ==  *(__ecx - 7)) {
								__esi = 0;
								L415:
								if(__esi != 0) {
									goto L98;
								}
								goto L416;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 7) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 7) & 0x000000ff);
							if(__esi == 0) {
								L408:
								__esi =  *(__eax - 6) & 0x000000ff;
								__edx =  *(__ecx - 6) & 0x000000ff;
								__esi = ( *(__eax - 6) & 0x000000ff) - ( *(__ecx - 6) & 0x000000ff);
								if(__esi == 0) {
									L410:
									__esi =  *(__eax - 5) & 0x000000ff;
									__edx =  *(__ecx - 5) & 0x000000ff;
									__esi = ( *(__eax - 5) & 0x000000ff) - ( *(__ecx - 5) & 0x000000ff);
									if(__esi == 0) {
										L412:
										__esi =  *(__eax - 4) & 0x000000ff;
										__edx =  *(__ecx - 4) & 0x000000ff;
										__esi = ( *(__eax - 4) & 0x000000ff) - ( *(__ecx - 4) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t928 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t928;
										}
										goto L415;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t922 = __edx - 1; // -1
									__esi = __edx + _t922;
									if(__edx + _t922 != 0) {
										goto L98;
									}
									goto L412;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t916 = __edx - 1; // -1
								__esi = __edx + _t916;
								if(__edx + _t916 != 0) {
									goto L98;
								}
								goto L410;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t910 = __edx - 1; // -1
							__esi = __edx + _t910;
							if(__edx + _t910 != 0) {
								goto L98;
							}
							goto L408;
						case 8:
							L154:
							__edx =  *(__eax - 8);
							if( *(__eax - 8) ==  *(__ecx - 8)) {
								__esi = 0;
								L164:
								if(__esi != 0) {
									goto L98;
								}
								goto L165;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 8) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 8) & 0x000000ff);
							if(__esi == 0) {
								L157:
								__esi =  *(__eax - 7) & 0x000000ff;
								__edx =  *(__ecx - 7) & 0x000000ff;
								__esi = ( *(__eax - 7) & 0x000000ff) - ( *(__ecx - 7) & 0x000000ff);
								if(__esi == 0) {
									L159:
									__esi =  *(__eax - 6) & 0x000000ff;
									__edx =  *(__ecx - 6) & 0x000000ff;
									__esi = ( *(__eax - 6) & 0x000000ff) - ( *(__ecx - 6) & 0x000000ff);
									if(__esi == 0) {
										L161:
										__esi =  *(__eax - 5) & 0x000000ff;
										__edx =  *(__ecx - 5) & 0x000000ff;
										__esi = ( *(__eax - 5) & 0x000000ff) - ( *(__ecx - 5) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t360 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t360;
										}
										goto L164;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t354 = __edx - 1; // -1
									__esi = __edx + _t354;
									if(__edx + _t354 != 0) {
										goto L98;
									}
									goto L161;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t348 = __edx - 1; // -1
								__esi = __edx + _t348;
								if(__edx + _t348 != 0) {
									goto L98;
								}
								goto L159;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t342 = __edx - 1; // -1
							__esi = __edx + _t342;
							if(__edx + _t342 != 0) {
								goto L98;
							}
							goto L157;
						case 9:
							L234:
							__edx =  *(__eax - 9);
							if( *(__eax - 9) ==  *(__ecx - 9)) {
								__esi = 0;
								L244:
								if(__esi != 0) {
									goto L98;
								}
								goto L245;
							}
							__edx =  *(__ecx - 9) & 0x000000ff;
							__esi =  *(__eax - 9) & 0x000000ff;
							__esi = ( *(__eax - 9) & 0x000000ff) - ( *(__ecx - 9) & 0x000000ff);
							if(__esi == 0) {
								L237:
								__esi =  *(__eax - 8) & 0x000000ff;
								__edx =  *(__ecx - 8) & 0x000000ff;
								__esi = ( *(__eax - 8) & 0x000000ff) - ( *(__ecx - 8) & 0x000000ff);
								if(__esi == 0) {
									L239:
									__esi =  *(__eax - 7) & 0x000000ff;
									__edx =  *(__ecx - 7) & 0x000000ff;
									__esi = ( *(__eax - 7) & 0x000000ff) - ( *(__ecx - 7) & 0x000000ff);
									if(__esi == 0) {
										L241:
										__esi =  *(__eax - 6) & 0x000000ff;
										__edx =  *(__ecx - 6) & 0x000000ff;
										__esi = ( *(__eax - 6) & 0x000000ff) - ( *(__ecx - 6) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t536 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t536;
										}
										goto L244;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t530 = __edx - 1; // -1
									__esi = __edx + _t530;
									if(__edx + _t530 != 0) {
										goto L98;
									}
									goto L241;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t524 = __edx - 1; // -1
								__esi = __edx + _t524;
								if(__edx + _t524 != 0) {
									goto L98;
								}
								goto L239;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t518 = __edx - 1; // -1
							__esi = __edx + _t518;
							if(__edx + _t518 != 0) {
								goto L98;
							}
							goto L237;
						case 0xa:
							L313:
							__edx =  *(__eax - 0xa);
							if( *(__eax - 0xa) ==  *(__ecx - 0xa)) {
								__esi = 0;
								L323:
								if(__esi != 0) {
									goto L98;
								}
								goto L324;
							}
							__edx =  *(__ecx - 0xa) & 0x000000ff;
							__esi =  *(__eax - 0xa) & 0x000000ff;
							__esi = ( *(__eax - 0xa) & 0x000000ff) - ( *(__ecx - 0xa) & 0x000000ff);
							if(__esi == 0) {
								L316:
								__edx =  *(__ecx - 9) & 0x000000ff;
								__esi =  *(__eax - 9) & 0x000000ff;
								__esi = ( *(__eax - 9) & 0x000000ff) - ( *(__ecx - 9) & 0x000000ff);
								if(__esi == 0) {
									L318:
									__edx =  *(__ecx - 8) & 0x000000ff;
									__esi =  *(__eax - 8) & 0x000000ff;
									__esi = ( *(__eax - 8) & 0x000000ff) - ( *(__ecx - 8) & 0x000000ff);
									if(__esi == 0) {
										L320:
										__edx =  *(__ecx - 7) & 0x000000ff;
										__esi =  *(__eax - 7) & 0x000000ff;
										__esi = ( *(__eax - 7) & 0x000000ff) - ( *(__ecx - 7) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t718 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t718;
										}
										goto L323;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t712 = __edx - 1; // -1
									__esi = __edx + _t712;
									if(__edx + _t712 != 0) {
										goto L98;
									}
									goto L320;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t706 = __edx - 1; // -1
								__esi = __edx + _t706;
								if(__edx + _t706 != 0) {
									goto L98;
								}
								goto L318;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t700 = __edx - 1; // -1
							__esi = __edx + _t700;
							if(__edx + _t700 != 0) {
								goto L98;
							}
							goto L316;
						case 0xb:
							L394:
							__edx =  *(__eax - 0xb);
							if( *(__eax - 0xb) ==  *(__ecx - 0xb)) {
								__esi = 0;
								L404:
								if(__esi != 0) {
									goto L98;
								}
								goto L405;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0xb) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0xb) & 0x000000ff);
							if(__esi == 0) {
								L397:
								__esi =  *(__eax - 0xa) & 0x000000ff;
								__edx =  *(__ecx - 0xa) & 0x000000ff;
								__esi = ( *(__eax - 0xa) & 0x000000ff) - ( *(__ecx - 0xa) & 0x000000ff);
								if(__esi == 0) {
									L399:
									__esi =  *(__eax - 9) & 0x000000ff;
									__edx =  *(__ecx - 9) & 0x000000ff;
									__esi = ( *(__eax - 9) & 0x000000ff) - ( *(__ecx - 9) & 0x000000ff);
									if(__esi == 0) {
										L401:
										__esi =  *(__eax - 8) & 0x000000ff;
										__edx =  *(__ecx - 8) & 0x000000ff;
										__esi = ( *(__eax - 8) & 0x000000ff) - ( *(__ecx - 8) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t903 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t903;
										}
										goto L404;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t897 = __edx - 1; // -1
									__esi = __edx + _t897;
									if(__edx + _t897 != 0) {
										goto L98;
									}
									goto L401;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t891 = __edx - 1; // -1
								__esi = __edx + _t891;
								if(__edx + _t891 != 0) {
									goto L98;
								}
								goto L399;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t885 = __edx - 1; // -1
							__esi = __edx + _t885;
							if(__edx + _t885 != 0) {
								goto L98;
							}
							goto L397;
						case 0xc:
							L143:
							__edx =  *(__eax - 0xc);
							if( *(__eax - 0xc) ==  *(__ecx - 0xc)) {
								__esi = 0;
								L153:
								if(__esi != 0) {
									goto L98;
								}
								goto L154;
							}
							__edx =  *(__ecx - 0xc) & 0x000000ff;
							__esi =  *(__eax - 0xc) & 0x000000ff;
							__esi = ( *(__eax - 0xc) & 0x000000ff) - ( *(__ecx - 0xc) & 0x000000ff);
							if(__esi == 0) {
								L146:
								__esi =  *(__eax - 0xb) & 0x000000ff;
								__edx =  *(__ecx - 0xb) & 0x000000ff;
								__esi = ( *(__eax - 0xb) & 0x000000ff) - ( *(__ecx - 0xb) & 0x000000ff);
								if(__esi == 0) {
									L148:
									__esi =  *(__eax - 0xa) & 0x000000ff;
									__edx =  *(__ecx - 0xa) & 0x000000ff;
									__esi = ( *(__eax - 0xa) & 0x000000ff) - ( *(__ecx - 0xa) & 0x000000ff);
									if(__esi == 0) {
										L150:
										__esi =  *(__eax - 9) & 0x000000ff;
										__edx =  *(__ecx - 9) & 0x000000ff;
										__esi = ( *(__eax - 9) & 0x000000ff) - ( *(__ecx - 9) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t335 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t335;
										}
										goto L153;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t329 = __edx - 1; // -1
									__esi = __edx + _t329;
									if(__edx + _t329 != 0) {
										goto L98;
									}
									goto L150;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t323 = __edx - 1; // -1
								__esi = __edx + _t323;
								if(__edx + _t323 != 0) {
									goto L98;
								}
								goto L148;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t317 = __edx - 1; // -1
							__esi = __edx + _t317;
							if(__edx + _t317 != 0) {
								goto L98;
							}
							goto L146;
						case 0xd:
							L223:
							__edx =  *(__eax - 0xd);
							if( *(__eax - 0xd) ==  *(__ecx - 0xd)) {
								__esi = 0;
								L233:
								if(__esi != 0) {
									goto L98;
								}
								goto L234;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0xd) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0xd) & 0x000000ff);
							if(__esi == 0) {
								L226:
								__esi =  *(__eax - 0xc) & 0x000000ff;
								__edx =  *(__ecx - 0xc) & 0x000000ff;
								__esi = ( *(__eax - 0xc) & 0x000000ff) - ( *(__ecx - 0xc) & 0x000000ff);
								if(__esi == 0) {
									L228:
									__esi =  *(__eax - 0xb) & 0x000000ff;
									__edx =  *(__ecx - 0xb) & 0x000000ff;
									__esi = ( *(__eax - 0xb) & 0x000000ff) - ( *(__ecx - 0xb) & 0x000000ff);
									if(__esi == 0) {
										L230:
										__esi =  *(__eax - 0xa) & 0x000000ff;
										__edx =  *(__ecx - 0xa) & 0x000000ff;
										__esi = ( *(__eax - 0xa) & 0x000000ff) - ( *(__ecx - 0xa) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t510 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t510;
										}
										goto L233;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t504 = __edx - 1; // -1
									__esi = __edx + _t504;
									if(__edx + _t504 != 0) {
										goto L98;
									}
									goto L230;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t498 = __edx - 1; // -1
								__esi = __edx + _t498;
								if(__edx + _t498 != 0) {
									goto L98;
								}
								goto L228;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t492 = __edx - 1; // -1
							__esi = __edx + _t492;
							if(__edx + _t492 != 0) {
								goto L98;
							}
							goto L226;
						case 0xe:
							L302:
							__edx =  *(__eax - 0xe);
							if( *(__eax - 0xe) ==  *(__ecx - 0xe)) {
								__esi = 0;
								L312:
								if(__esi != 0) {
									goto L98;
								}
								goto L313;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0xe) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0xe) & 0x000000ff);
							if(__esi == 0) {
								L305:
								__esi =  *(__eax - 0xd) & 0x000000ff;
								__edx =  *(__ecx - 0xd) & 0x000000ff;
								__esi = ( *(__eax - 0xd) & 0x000000ff) - ( *(__ecx - 0xd) & 0x000000ff);
								if(__esi == 0) {
									L307:
									__esi =  *(__eax - 0xc) & 0x000000ff;
									__edx =  *(__ecx - 0xc) & 0x000000ff;
									__esi = ( *(__eax - 0xc) & 0x000000ff) - ( *(__ecx - 0xc) & 0x000000ff);
									if(__esi == 0) {
										L309:
										__esi =  *(__eax - 0xb) & 0x000000ff;
										__edx =  *(__ecx - 0xb) & 0x000000ff;
										__esi = ( *(__eax - 0xb) & 0x000000ff) - ( *(__ecx - 0xb) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t692 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t692;
										}
										goto L312;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t686 = __edx - 1; // -1
									__esi = __edx + _t686;
									if(__edx + _t686 != 0) {
										goto L98;
									}
									goto L309;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t680 = __edx - 1; // -1
								__esi = __edx + _t680;
								if(__edx + _t680 != 0) {
									goto L98;
								}
								goto L307;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t674 = __edx - 1; // -1
							__esi = __edx + _t674;
							if(__edx + _t674 != 0) {
								goto L98;
							}
							goto L305;
						case 0xf:
							L383:
							__edx =  *(__eax - 0xf);
							if( *(__eax - 0xf) ==  *(__ecx - 0xf)) {
								__esi = 0;
								L393:
								if(__esi != 0) {
									goto L98;
								}
								goto L394;
							}
							__edx =  *(__ecx - 0xf) & 0x000000ff;
							__esi =  *(__eax - 0xf) & 0x000000ff;
							__esi = ( *(__eax - 0xf) & 0x000000ff) - ( *(__ecx - 0xf) & 0x000000ff);
							if(__esi == 0) {
								L386:
								__esi =  *(__eax - 0xe) & 0x000000ff;
								__edx =  *(__ecx - 0xe) & 0x000000ff;
								__esi = ( *(__eax - 0xe) & 0x000000ff) - ( *(__ecx - 0xe) & 0x000000ff);
								if(__esi == 0) {
									L388:
									__esi =  *(__eax - 0xd) & 0x000000ff;
									__edx =  *(__ecx - 0xd) & 0x000000ff;
									__esi = ( *(__eax - 0xd) & 0x000000ff) - ( *(__ecx - 0xd) & 0x000000ff);
									if(__esi == 0) {
										L390:
										__esi =  *(__eax - 0xc) & 0x000000ff;
										__edx =  *(__ecx - 0xc) & 0x000000ff;
										__esi = ( *(__eax - 0xc) & 0x000000ff) - ( *(__ecx - 0xc) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t878 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t878;
										}
										goto L393;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t872 = __edx - 1; // -1
									__esi = __edx + _t872;
									if(__edx + _t872 != 0) {
										goto L98;
									}
									goto L390;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t866 = __edx - 1; // -1
								__esi = __edx + _t866;
								if(__edx + _t866 != 0) {
									goto L98;
								}
								goto L388;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t860 = __edx - 1; // -1
							__esi = __edx + _t860;
							if(__edx + _t860 != 0) {
								goto L98;
							}
							goto L386;
						case 0x10:
							L132:
							__edx =  *(__eax - 0x10);
							if( *(__eax - 0x10) ==  *(__ecx - 0x10)) {
								__esi = 0;
								L142:
								if(__esi != 0) {
									goto L98;
								}
								goto L143;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x10) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x10) & 0x000000ff);
							if(__esi == 0) {
								L135:
								__esi =  *(__eax - 0xf) & 0x000000ff;
								__edx =  *(__ecx - 0xf) & 0x000000ff;
								__esi = ( *(__eax - 0xf) & 0x000000ff) - ( *(__ecx - 0xf) & 0x000000ff);
								if(__esi == 0) {
									L137:
									__esi =  *(__eax - 0xe) & 0x000000ff;
									__edx =  *(__ecx - 0xe) & 0x000000ff;
									__esi = ( *(__eax - 0xe) & 0x000000ff) - ( *(__ecx - 0xe) & 0x000000ff);
									if(__esi == 0) {
										L139:
										__esi =  *(__eax - 0xd) & 0x000000ff;
										__edx =  *(__ecx - 0xd) & 0x000000ff;
										__esi = ( *(__eax - 0xd) & 0x000000ff) - ( *(__ecx - 0xd) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t309 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t309;
										}
										goto L142;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t303 = __edx - 1; // -1
									__esi = __edx + _t303;
									if(__edx + _t303 != 0) {
										goto L98;
									}
									goto L139;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t297 = __edx - 1; // -1
								__esi = __edx + _t297;
								if(__edx + _t297 != 0) {
									goto L98;
								}
								goto L137;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t291 = __edx - 1; // -1
							__esi = __edx + _t291;
							if(__edx + _t291 != 0) {
								goto L98;
							}
							goto L135;
						case 0x11:
							L212:
							__edx =  *(__eax - 0x11);
							if( *(__eax - 0x11) ==  *(__ecx - 0x11)) {
								__esi = 0;
								L222:
								if(__esi != 0) {
									goto L98;
								}
								goto L223;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x11) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x11) & 0x000000ff);
							if(__esi == 0) {
								L215:
								__esi =  *(__eax - 0x10) & 0x000000ff;
								__edx =  *(__ecx - 0x10) & 0x000000ff;
								__esi = ( *(__eax - 0x10) & 0x000000ff) - ( *(__ecx - 0x10) & 0x000000ff);
								if(__esi == 0) {
									L217:
									__esi =  *(__eax - 0xf) & 0x000000ff;
									__edx =  *(__ecx - 0xf) & 0x000000ff;
									__esi = ( *(__eax - 0xf) & 0x000000ff) - ( *(__ecx - 0xf) & 0x000000ff);
									if(__esi == 0) {
										L219:
										__esi =  *(__eax - 0xe) & 0x000000ff;
										__edx =  *(__ecx - 0xe) & 0x000000ff;
										__esi = ( *(__eax - 0xe) & 0x000000ff) - ( *(__ecx - 0xe) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t485 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t485;
										}
										goto L222;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t479 = __edx - 1; // -1
									__esi = __edx + _t479;
									if(__edx + _t479 != 0) {
										goto L98;
									}
									goto L219;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t473 = __edx - 1; // -1
								__esi = __edx + _t473;
								if(__edx + _t473 != 0) {
									goto L98;
								}
								goto L217;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t467 = __edx - 1; // -1
							__esi = __edx + _t467;
							if(__edx + _t467 != 0) {
								goto L98;
							}
							goto L215;
						case 0x12:
							L291:
							__edx =  *(__eax - 0x12);
							if( *(__eax - 0x12) ==  *(__ecx - 0x12)) {
								__esi = 0;
								L301:
								if(__esi != 0) {
									goto L98;
								}
								goto L302;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x12) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x12) & 0x000000ff);
							if(__esi == 0) {
								L294:
								__esi =  *(__eax - 0x11) & 0x000000ff;
								__edx =  *(__ecx - 0x11) & 0x000000ff;
								__esi = ( *(__eax - 0x11) & 0x000000ff) - ( *(__ecx - 0x11) & 0x000000ff);
								if(__esi == 0) {
									L296:
									__esi =  *(__eax - 0x10) & 0x000000ff;
									__edx =  *(__ecx - 0x10) & 0x000000ff;
									__esi = ( *(__eax - 0x10) & 0x000000ff) - ( *(__ecx - 0x10) & 0x000000ff);
									if(__esi == 0) {
										L298:
										__esi =  *(__eax - 0xf) & 0x000000ff;
										__edx =  *(__ecx - 0xf) & 0x000000ff;
										__esi = ( *(__eax - 0xf) & 0x000000ff) - ( *(__ecx - 0xf) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t667 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t667;
										}
										goto L301;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t661 = __edx - 1; // -1
									__esi = __edx + _t661;
									if(__edx + _t661 != 0) {
										goto L98;
									}
									goto L298;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t655 = __edx - 1; // -1
								__esi = __edx + _t655;
								if(__edx + _t655 != 0) {
									goto L98;
								}
								goto L296;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t649 = __edx - 1; // -1
							__esi = __edx + _t649;
							if(__edx + _t649 != 0) {
								goto L98;
							}
							goto L294;
						case 0x13:
							L372:
							__edx =  *(__eax - 0x13);
							if( *(__eax - 0x13) ==  *(__ecx - 0x13)) {
								__esi = 0;
								L382:
								if(__esi != 0) {
									goto L98;
								}
								goto L383;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x13) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x13) & 0x000000ff);
							if(__esi == 0) {
								L375:
								__esi =  *(__eax - 0x12) & 0x000000ff;
								__edx =  *(__ecx - 0x12) & 0x000000ff;
								__esi = ( *(__eax - 0x12) & 0x000000ff) - ( *(__ecx - 0x12) & 0x000000ff);
								if(__esi == 0) {
									L377:
									__esi =  *(__eax - 0x11) & 0x000000ff;
									__edx =  *(__ecx - 0x11) & 0x000000ff;
									__esi = ( *(__eax - 0x11) & 0x000000ff) - ( *(__ecx - 0x11) & 0x000000ff);
									if(__esi == 0) {
										L379:
										__esi =  *(__eax - 0x10) & 0x000000ff;
										__edx =  *(__ecx - 0x10) & 0x000000ff;
										__esi = ( *(__eax - 0x10) & 0x000000ff) - ( *(__ecx - 0x10) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t852 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t852;
										}
										goto L382;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t846 = __edx - 1; // -1
									__esi = __edx + _t846;
									if(__edx + _t846 != 0) {
										goto L98;
									}
									goto L379;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t840 = __edx - 1; // -1
								__esi = __edx + _t840;
								if(__edx + _t840 != 0) {
									goto L98;
								}
								goto L377;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t834 = __edx - 1; // -1
							__esi = __edx + _t834;
							if(__edx + _t834 != 0) {
								goto L98;
							}
							goto L375;
						case 0x14:
							L121:
							__edx =  *(__eax - 0x14);
							if( *(__eax - 0x14) ==  *(__ecx - 0x14)) {
								__esi = 0;
								L131:
								if(__esi != 0) {
									goto L98;
								}
								goto L132;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x14) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x14) & 0x000000ff);
							if(__esi == 0) {
								L124:
								__esi =  *(__eax - 0x13) & 0x000000ff;
								__edx =  *(__ecx - 0x13) & 0x000000ff;
								__esi = ( *(__eax - 0x13) & 0x000000ff) - ( *(__ecx - 0x13) & 0x000000ff);
								if(__esi == 0) {
									L126:
									__esi =  *(__eax - 0x12) & 0x000000ff;
									__edx =  *(__ecx - 0x12) & 0x000000ff;
									__esi = ( *(__eax - 0x12) & 0x000000ff) - ( *(__ecx - 0x12) & 0x000000ff);
									if(__esi == 0) {
										L128:
										__esi =  *(__eax - 0x11) & 0x000000ff;
										__edx =  *(__ecx - 0x11) & 0x000000ff;
										__esi = ( *(__eax - 0x11) & 0x000000ff) - ( *(__ecx - 0x11) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t284 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t284;
										}
										goto L131;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t278 = __edx - 1; // -1
									__esi = __edx + _t278;
									if(__edx + _t278 != 0) {
										goto L98;
									}
									goto L128;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t272 = __edx - 1; // -1
								__esi = __edx + _t272;
								if(__edx + _t272 != 0) {
									goto L98;
								}
								goto L126;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t266 = __edx - 1; // -1
							__esi = __edx + _t266;
							if(__edx + _t266 != 0) {
								goto L98;
							}
							goto L124;
						case 0x15:
							L201:
							__edx =  *(__eax - 0x15);
							if( *(__eax - 0x15) ==  *(__ecx - 0x15)) {
								__esi = 0;
								L211:
								if(__esi != 0) {
									goto L98;
								}
								goto L212;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x15) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x15) & 0x000000ff);
							if(__esi == 0) {
								L204:
								__esi =  *(__eax - 0x14) & 0x000000ff;
								__edx =  *(__ecx - 0x14) & 0x000000ff;
								__esi = ( *(__eax - 0x14) & 0x000000ff) - ( *(__ecx - 0x14) & 0x000000ff);
								if(__esi == 0) {
									L206:
									__esi =  *(__eax - 0x13) & 0x000000ff;
									__edx =  *(__ecx - 0x13) & 0x000000ff;
									__esi = ( *(__eax - 0x13) & 0x000000ff) - ( *(__ecx - 0x13) & 0x000000ff);
									if(__esi == 0) {
										L208:
										__esi =  *(__eax - 0x12) & 0x000000ff;
										__edx =  *(__ecx - 0x12) & 0x000000ff;
										__esi = ( *(__eax - 0x12) & 0x000000ff) - ( *(__ecx - 0x12) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t460 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t460;
										}
										goto L211;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t454 = __edx - 1; // -1
									__esi = __edx + _t454;
									if(__edx + _t454 != 0) {
										goto L98;
									}
									goto L208;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t448 = __edx - 1; // -1
								__esi = __edx + _t448;
								if(__edx + _t448 != 0) {
									goto L98;
								}
								goto L206;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t442 = __edx - 1; // -1
							__esi = __edx + _t442;
							if(__edx + _t442 != 0) {
								goto L98;
							}
							goto L204;
						case 0x16:
							L280:
							__edx =  *(__eax - 0x16);
							if( *(__eax - 0x16) ==  *(__ecx - 0x16)) {
								__esi = 0;
								L290:
								if(__esi != 0) {
									goto L98;
								}
								goto L291;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x16) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x16) & 0x000000ff);
							if(__esi == 0) {
								L283:
								__esi =  *(__eax - 0x15) & 0x000000ff;
								__edx =  *(__ecx - 0x15) & 0x000000ff;
								__esi = ( *(__eax - 0x15) & 0x000000ff) - ( *(__ecx - 0x15) & 0x000000ff);
								if(__esi == 0) {
									L285:
									__esi =  *(__eax - 0x14) & 0x000000ff;
									__edx =  *(__ecx - 0x14) & 0x000000ff;
									__esi = ( *(__eax - 0x14) & 0x000000ff) - ( *(__ecx - 0x14) & 0x000000ff);
									if(__esi == 0) {
										L287:
										__esi =  *(__eax - 0x13) & 0x000000ff;
										__edx =  *(__ecx - 0x13) & 0x000000ff;
										__esi = ( *(__eax - 0x13) & 0x000000ff) - ( *(__ecx - 0x13) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t642 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t642;
										}
										goto L290;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t636 = __edx - 1; // -1
									__esi = __edx + _t636;
									if(__edx + _t636 != 0) {
										goto L98;
									}
									goto L287;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t630 = __edx - 1; // -1
								__esi = __edx + _t630;
								if(__edx + _t630 != 0) {
									goto L98;
								}
								goto L285;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t624 = __edx - 1; // -1
							__esi = __edx + _t624;
							if(__edx + _t624 != 0) {
								goto L98;
							}
							goto L283;
						case 0x17:
							L361:
							__edx =  *(__eax - 0x17);
							if( *(__eax - 0x17) ==  *(__ecx - 0x17)) {
								__esi = 0;
								L371:
								if(__esi != 0) {
									goto L98;
								}
								goto L372;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x17) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x17) & 0x000000ff);
							if(__esi == 0) {
								L364:
								__esi =  *(__eax - 0x16) & 0x000000ff;
								__edx =  *(__ecx - 0x16) & 0x000000ff;
								__esi = ( *(__eax - 0x16) & 0x000000ff) - ( *(__ecx - 0x16) & 0x000000ff);
								if(__esi == 0) {
									L366:
									__esi =  *(__eax - 0x15) & 0x000000ff;
									__edx =  *(__ecx - 0x15) & 0x000000ff;
									__esi = ( *(__eax - 0x15) & 0x000000ff) - ( *(__ecx - 0x15) & 0x000000ff);
									if(__esi == 0) {
										L368:
										__esi =  *(__eax - 0x14) & 0x000000ff;
										__edx =  *(__ecx - 0x14) & 0x000000ff;
										__esi = ( *(__eax - 0x14) & 0x000000ff) - ( *(__ecx - 0x14) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t827 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t827;
										}
										goto L371;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t821 = __edx - 1; // -1
									__esi = __edx + _t821;
									if(__edx + _t821 != 0) {
										goto L98;
									}
									goto L368;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t815 = __edx - 1; // -1
								__esi = __edx + _t815;
								if(__edx + _t815 != 0) {
									goto L98;
								}
								goto L366;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t809 = __edx - 1; // -1
							__esi = __edx + _t809;
							if(__edx + _t809 != 0) {
								goto L98;
							}
							goto L364;
						case 0x18:
							L110:
							__edx =  *(__eax - 0x18);
							if( *(__eax - 0x18) ==  *(__ecx - 0x18)) {
								__esi = 0;
								L120:
								if(__esi != 0) {
									goto L98;
								}
								goto L121;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x18) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x18) & 0x000000ff);
							if(__esi == 0) {
								L113:
								__esi =  *(__eax - 0x17) & 0x000000ff;
								__edx =  *(__ecx - 0x17) & 0x000000ff;
								__esi = ( *(__eax - 0x17) & 0x000000ff) - ( *(__ecx - 0x17) & 0x000000ff);
								if(__esi == 0) {
									L115:
									__esi =  *(__eax - 0x16) & 0x000000ff;
									__edx =  *(__ecx - 0x16) & 0x000000ff;
									__esi = ( *(__eax - 0x16) & 0x000000ff) - ( *(__ecx - 0x16) & 0x000000ff);
									if(__esi == 0) {
										L117:
										__esi =  *(__eax - 0x15) & 0x000000ff;
										__edx =  *(__ecx - 0x15) & 0x000000ff;
										__esi = ( *(__eax - 0x15) & 0x000000ff) - ( *(__ecx - 0x15) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t259 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t259;
										}
										goto L120;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t253 = __edx - 1; // -1
									__esi = __edx + _t253;
									if(__edx + _t253 != 0) {
										goto L98;
									}
									goto L117;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t247 = __edx - 1; // -1
								__esi = __edx + _t247;
								if(__edx + _t247 != 0) {
									goto L98;
								}
								goto L115;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t241 = __edx - 1; // -1
							__esi = __edx + _t241;
							if(__edx + _t241 != 0) {
								goto L98;
							}
							goto L113;
						case 0x19:
							L190:
							__edx =  *(__eax - 0x19);
							if( *(__eax - 0x19) ==  *(__ecx - 0x19)) {
								__esi = 0;
								L200:
								if(__esi != 0) {
									goto L98;
								}
								goto L201;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x19) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
							if(__esi == 0) {
								L193:
								__esi =  *(__eax - 0x18) & 0x000000ff;
								__edx =  *(__ecx - 0x18) & 0x000000ff;
								__esi = ( *(__eax - 0x18) & 0x000000ff) - ( *(__ecx - 0x18) & 0x000000ff);
								if(__esi == 0) {
									L195:
									__esi =  *(__eax - 0x17) & 0x000000ff;
									__edx =  *(__ecx - 0x17) & 0x000000ff;
									__esi = ( *(__eax - 0x17) & 0x000000ff) - ( *(__ecx - 0x17) & 0x000000ff);
									if(__esi == 0) {
										L197:
										__esi =  *(__eax - 0x16) & 0x000000ff;
										__edx =  *(__ecx - 0x16) & 0x000000ff;
										__esi = ( *(__eax - 0x16) & 0x000000ff) - ( *(__ecx - 0x16) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t435 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t435;
										}
										goto L200;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t429 = __edx - 1; // -1
									__esi = __edx + _t429;
									if(__edx + _t429 != 0) {
										goto L98;
									}
									goto L197;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t423 = __edx - 1; // -1
								__esi = __edx + _t423;
								if(__edx + _t423 != 0) {
									goto L98;
								}
								goto L195;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t417 = __edx - 1; // -1
							__esi = __edx + _t417;
							if(__edx + _t417 != 0) {
								goto L98;
							}
							goto L193;
						case 0x1a:
							L269:
							__edx =  *(__eax - 0x1a);
							if( *(__eax - 0x1a) ==  *(__ecx - 0x1a)) {
								__esi = 0;
								L279:
								if(__esi != 0) {
									goto L98;
								}
								goto L280;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x1a) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
							if(__esi == 0) {
								L272:
								__esi =  *(__eax - 0x19) & 0x000000ff;
								__edx =  *(__ecx - 0x19) & 0x000000ff;
								__esi = ( *(__eax - 0x19) & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
								if(__esi == 0) {
									L274:
									__esi =  *(__eax - 0x18) & 0x000000ff;
									__edx =  *(__ecx - 0x18) & 0x000000ff;
									__esi = ( *(__eax - 0x18) & 0x000000ff) - ( *(__ecx - 0x18) & 0x000000ff);
									if(__esi == 0) {
										L276:
										__esi =  *(__eax - 0x17) & 0x000000ff;
										__edx =  *(__ecx - 0x17) & 0x000000ff;
										__esi = ( *(__eax - 0x17) & 0x000000ff) - ( *(__ecx - 0x17) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t617 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t617;
										}
										goto L279;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t611 = __edx - 1; // -1
									__esi = __edx + _t611;
									if(__edx + _t611 != 0) {
										goto L98;
									}
									goto L276;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t605 = __edx - 1; // -1
								__esi = __edx + _t605;
								if(__edx + _t605 != 0) {
									goto L98;
								}
								goto L274;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t599 = __edx - 1; // -1
							__esi = __edx + _t599;
							if(__edx + _t599 != 0) {
								goto L98;
							}
							goto L272;
						case 0x1b:
							L350:
							__edx =  *(__eax - 0x1b);
							if( *(__eax - 0x1b) ==  *(__ecx - 0x1b)) {
								__esi = 0;
								L360:
								if(__esi != 0) {
									goto L98;
								}
								goto L361;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x1b) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
							if(__esi == 0) {
								L353:
								__esi =  *(__eax - 0x1a) & 0x000000ff;
								__edx =  *(__ecx - 0x1a) & 0x000000ff;
								__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
								if(__esi == 0) {
									L355:
									__esi =  *(__eax - 0x19) & 0x000000ff;
									__edx =  *(__ecx - 0x19) & 0x000000ff;
									__esi = ( *(__eax - 0x19) & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
									if(__esi == 0) {
										L357:
										__esi =  *(__eax - 0x18) & 0x000000ff;
										__edx =  *(__ecx - 0x18) & 0x000000ff;
										__esi = ( *(__eax - 0x18) & 0x000000ff) - ( *(__ecx - 0x18) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t802 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t802;
										}
										goto L360;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t796 = __edx - 1; // -1
									__esi = __edx + _t796;
									if(__edx + _t796 != 0) {
										goto L98;
									}
									goto L357;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t790 = __edx - 1; // -1
								__esi = __edx + _t790;
								if(__edx + _t790 != 0) {
									goto L98;
								}
								goto L355;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t784 = __edx - 1; // -1
							__esi = __edx + _t784;
							if(__edx + _t784 != 0) {
								goto L98;
							}
							goto L353;
						case 0x1c:
							__edx =  *(__eax - 0x1c);
							if( *(__eax - 0x1c) ==  *(__ecx - 0x1c)) {
								__esi = 0;
								L109:
								if(__esi != 0) {
									goto L98;
								}
								goto L110;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x1c) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
							if(__esi == 0) {
								L102:
								__esi =  *(__eax - 0x1b) & 0x000000ff;
								__edx =  *(__ecx - 0x1b) & 0x000000ff;
								__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
								if(__esi == 0) {
									L104:
									__esi =  *(__eax - 0x1a) & 0x000000ff;
									__edx =  *(__ecx - 0x1a) & 0x000000ff;
									__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
									if(__esi == 0) {
										L106:
										__esi =  *(__eax - 0x19) & 0x000000ff;
										__edx =  *(__ecx - 0x19) & 0x000000ff;
										__esi = ( *(__eax - 0x19) & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t234 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t234;
										}
										goto L109;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t228 = __edx - 1; // -1
									__esi = __edx + _t228;
									if(__edx + _t228 != 0) {
										goto L98;
									}
									goto L106;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t222 = __edx - 1; // -1
								__esi = __edx + _t222;
								if(__edx + _t222 != 0) {
									goto L98;
								}
								goto L104;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t216 = __edx - 1; // -1
							__esi = __edx + _t216;
							if(__edx + _t216 != 0) {
								goto L98;
							}
							goto L102;
						case 0x1d:
							__edx =  *(__eax - 0x1d);
							if( *(__eax - 0x1d) ==  *(__ecx - 0x1d)) {
								__esi = 0;
								L189:
								if(__esi != 0) {
									goto L98;
								}
								goto L190;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x1d) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
							if(__esi == 0) {
								L182:
								__esi =  *(__eax - 0x1c) & 0x000000ff;
								__edx =  *(__ecx - 0x1c) & 0x000000ff;
								__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
								if(__esi == 0) {
									L184:
									__esi =  *(__eax - 0x1b) & 0x000000ff;
									__edx =  *(__ecx - 0x1b) & 0x000000ff;
									__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
									if(__esi == 0) {
										L186:
										__esi =  *(__eax - 0x1a) & 0x000000ff;
										__edx =  *(__ecx - 0x1a) & 0x000000ff;
										__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t410 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t410;
										}
										goto L189;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t404 = __edx - 1; // -1
									__esi = __edx + _t404;
									if(__edx + _t404 != 0) {
										goto L98;
									}
									goto L186;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t398 = __edx - 1; // -1
								__esi = __edx + _t398;
								if(__edx + _t398 != 0) {
									goto L98;
								}
								goto L184;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t392 = __edx - 1; // -1
							__esi = __edx + _t392;
							if(__edx + _t392 != 0) {
								goto L98;
							}
							goto L182;
						case 0x1e:
							__edx =  *(__eax - 0x1e);
							if( *(__eax - 0x1e) ==  *(__ecx - 0x1e)) {
								__esi = 0;
								L268:
								if(__esi != 0) {
									goto L98;
								}
								goto L269;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x1e) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
							if(__esi == 0) {
								L261:
								__esi =  *(__eax - 0x1d) & 0x000000ff;
								__edx =  *(__ecx - 0x1d) & 0x000000ff;
								__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
								if(__esi == 0) {
									L263:
									__esi =  *(__eax - 0x1c) & 0x000000ff;
									__edx =  *(__ecx - 0x1c) & 0x000000ff;
									__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
									if(__esi == 0) {
										L265:
										__esi =  *(__eax - 0x1b) & 0x000000ff;
										__edx =  *(__ecx - 0x1b) & 0x000000ff;
										__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t592 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t592;
										}
										goto L268;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t586 = __edx - 1; // -1
									__esi = __edx + _t586;
									if(__edx + _t586 != 0) {
										goto L98;
									}
									goto L265;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t580 = __edx - 1; // -1
								__esi = __edx + _t580;
								if(__edx + _t580 != 0) {
									goto L98;
								}
								goto L263;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t574 = __edx - 1; // -1
							__esi = __edx + _t574;
							if(__edx + _t574 != 0) {
								goto L98;
							}
							goto L261;
						case 0x1f:
							__edx =  *(__eax - 0x1f);
							if( *(__eax - 0x1f) ==  *(__ecx - 0x1f)) {
								__esi = 0;
								L349:
								if(__esi != 0) {
									goto L98;
								}
								goto L350;
							}
							__edx =  *(__ecx - 0x1f) & 0x000000ff;
							__esi =  *(__eax - 0x1f) & 0x000000ff;
							__esi = ( *(__eax - 0x1f) & 0x000000ff) - ( *(__ecx - 0x1f) & 0x000000ff);
							if(__esi == 0) {
								L342:
								__esi =  *(__eax - 0x1e) & 0x000000ff;
								__edx =  *(__ecx - 0x1e) & 0x000000ff;
								__esi = ( *(__eax - 0x1e) & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
								if(__esi == 0) {
									L344:
									__esi =  *(__eax - 0x1d) & 0x000000ff;
									__edx =  *(__ecx - 0x1d) & 0x000000ff;
									__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
									if(__esi == 0) {
										L346:
										__esi =  *(__eax - 0x1c) & 0x000000ff;
										__edx =  *(__ecx - 0x1c) & 0x000000ff;
										__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t777 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t777;
										}
										goto L349;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t771 = __edx - 1; // -1
									__esi = __edx + _t771;
									if(__edx + _t771 != 0) {
										goto L98;
									}
									goto L346;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t765 = __edx - 1; // -1
								__esi = __edx + _t765;
								if(__edx + _t765 != 0) {
									goto L98;
								}
								goto L344;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t759 = __edx - 1; // -1
							__esi = __edx + _t759;
							if(__edx + _t759 != 0) {
								goto L98;
							}
							goto L342;
					}
				}
			}

0x0019b9d5
0x0019b9da
0x0019b9dd
0x00000000
0x0019ce9a
0x0019b9e3
0x0019b9e4
0x0019ce8f
0x0019ce92
0x0019ce01
0x0019ce01
0x0019ce03
0x0019ce9f
0x0019ce9f
0x0019ce9f
0x0019ce10
0x00000000
0x0019ce10
0x0019b9ea
0x0019b9eb
0x0019ce5d
0x0019ce60
0x0019ce69
0x0019ce6b
0x0019ce7c
0x0019ce7c
0x0019ce80
0x00000000
0x0019ce80
0x0019ce74
0x0019ce74
0x0019ce7a
0x00000000
0x00000000
0x00000000
0x0019ce7a
0x0019b9f1
0x0019b9f2
0x0019ce19
0x0019ce1c
0x0019ce25
0x0019ce27
0x0019ce38
0x0019ce40
0x0019ce42
0x0019ce53
0x0019ce53
0x0019ce57
0x00000000
0x0019ce57
0x0019ce4b
0x0019ce4b
0x0019ce51
0x00000000
0x00000000
0x00000000
0x0019ce51
0x0019ce30
0x0019ce30
0x0019ce36
0x00000000
0x00000000
0x00000000
0x0019ce36
0x0019b9f9
0x0019cd98
0x0019cd9b
0x0019cda4
0x0019cda6
0x0019cdbb
0x0019cdc3
0x0019cdc5
0x0019cdda
0x0019cde2
0x0019cde4
0x0019cdf9
0x0019cdf9
0x0019cdfd
0x00000000
0x0019cdfd
0x0019cded
0x0019cded
0x0019cdf3
0x00000000
0x00000000
0x00000000
0x0019cdf3
0x0019cdce
0x0019cdce
0x0019cdd4
0x00000000
0x00000000
0x00000000
0x0019cdd4
0x0019cdaf
0x0019cdaf
0x0019cdb5
0x00000000
0x00000000
0x00000000
0x0019b9ff
0x0019b9ff
0x0019ba02
0x0019ba08
0x0019be40
0x0019ba12
0x0019ba88
0x0019ba8a
0x0019ba8c
0x0019be5c
0x0019be5c
0x0019c1fb
0x00000000
0x0019c1fb
0x0019ba98
0x0019bb10
0x0019bb12
0x0019bb14
0x00000000
0x00000000
0x0019bb20
0x0019bb98
0x0019bb9a
0x0019bb9c
0x00000000
0x00000000
0x0019bba8
0x0019bc20
0x0019bc22
0x0019bc24
0x00000000
0x00000000
0x0019bc30
0x0019bca8
0x0019bcaa
0x0019bcac
0x00000000
0x00000000
0x0019bcb8
0x0019bd30
0x0019bd32
0x0019bd34
0x00000000
0x00000000
0x0019bd40
0x0019bdb8
0x0019bdba
0x0019bdbc
0x00000000
0x00000000
0x0019bdc8
0x0019be34
0x0019be36
0x0019be38
0x00000000
0x0019be3a
0x0019be3a
0x0019be3c
0x0019be3e
0x00000000
0x0019be3e
0x0019be38
0x0019bdd2
0x0019bdd4
0x0019bde5
0x0019bded
0x0019bdef
0x0019be00
0x0019be08
0x0019be0a
0x0019be1b
0x0019be23
0x0019be25
0x0019be2e
0x0019be2e
0x0019be2e
0x00000000
0x0019be25
0x0019be13
0x0019be13
0x0019be19
0x00000000
0x00000000
0x00000000
0x0019be19
0x0019bdf8
0x0019bdf8
0x0019bdfe
0x00000000
0x00000000
0x00000000
0x0019bdfe
0x0019bddd
0x0019bddd
0x0019bde3
0x00000000
0x00000000
0x00000000
0x0019bde3
0x0019bd4a
0x0019bd4c
0x0019bd61
0x0019bd69
0x0019bd6b
0x0019bd80
0x0019bd88
0x0019bd8a
0x0019bd9f
0x0019bda7
0x0019bda9
0x0019bdb2
0x0019bdb2
0x0019bdb2
0x00000000
0x0019bda9
0x0019bd93
0x0019bd93
0x0019bd99
0x00000000
0x00000000
0x00000000
0x0019bd99
0x0019bd74
0x0019bd74
0x0019bd7a
0x00000000
0x00000000
0x00000000
0x0019bd7a
0x0019bd55
0x0019bd55
0x0019bd5b
0x00000000
0x00000000
0x00000000
0x0019bd5b
0x0019bcc2
0x0019bcc4
0x0019bcd9
0x0019bce1
0x0019bce3
0x0019bcf8
0x0019bd00
0x0019bd02
0x0019bd17
0x0019bd1f
0x0019bd21
0x0019bd2a
0x0019bd2a
0x0019bd2a
0x00000000
0x0019bd21
0x0019bd0b
0x0019bd0b
0x0019bd11
0x00000000
0x00000000
0x00000000
0x0019bd11
0x0019bcec
0x0019bcec
0x0019bcf2
0x00000000
0x00000000
0x00000000
0x0019bcf2
0x0019bccd
0x0019bccd
0x0019bcd3
0x00000000
0x00000000
0x00000000
0x0019bcd3
0x0019bc3a
0x0019bc3c
0x0019bc51
0x0019bc59
0x0019bc5b
0x0019bc70
0x0019bc78
0x0019bc7a
0x0019bc8f
0x0019bc97
0x0019bc99
0x0019bca2
0x0019bca2
0x0019bca2
0x00000000
0x0019bc99
0x0019bc83
0x0019bc83
0x0019bc89
0x00000000
0x00000000
0x00000000
0x0019bc89
0x0019bc64
0x0019bc64
0x0019bc6a
0x00000000
0x00000000
0x00000000
0x0019bc6a
0x0019bc45
0x0019bc45
0x0019bc4b
0x00000000
0x00000000
0x00000000
0x0019bc4b
0x0019bbb2
0x0019bbb4
0x0019bbc9
0x0019bbd1
0x0019bbd3
0x0019bbe8
0x0019bbf0
0x0019bbf2
0x0019bc07
0x0019bc0f
0x0019bc11
0x0019bc1a
0x0019bc1a
0x0019bc1a
0x00000000
0x0019bc11
0x0019bbfb
0x0019bbfb
0x0019bc01
0x00000000
0x00000000
0x00000000
0x0019bc01
0x0019bbdc
0x0019bbdc
0x0019bbe2
0x00000000
0x00000000
0x00000000
0x0019bbe2
0x0019bbbd
0x0019bbbd
0x0019bbc3
0x00000000
0x00000000
0x00000000
0x0019bbc3
0x0019bb2a
0x0019bb2c
0x0019bb41
0x0019bb49
0x0019bb4b
0x0019bb60
0x0019bb68
0x0019bb6a
0x0019bb7f
0x0019bb87
0x0019bb89
0x0019bb92
0x0019bb92
0x0019bb92
0x00000000
0x0019bb89
0x0019bb73
0x0019bb73
0x0019bb79
0x00000000
0x00000000
0x00000000
0x0019bb79
0x0019bb54
0x0019bb54
0x0019bb5a
0x00000000
0x00000000
0x00000000
0x0019bb5a
0x0019bb35
0x0019bb35
0x0019bb3b
0x00000000
0x00000000
0x00000000
0x0019bb3b
0x0019baa2
0x0019baa4
0x0019bab9
0x0019bac1
0x0019bac3
0x0019bad8
0x0019bae0
0x0019bae2
0x0019baf7
0x0019baff
0x0019bb01
0x0019bb0a
0x0019bb0a
0x0019bb0a
0x00000000
0x0019bb01
0x0019baeb
0x0019baeb
0x0019baf1
0x00000000
0x00000000
0x00000000
0x0019baf1
0x0019bacc
0x0019bacc
0x0019bad2
0x00000000
0x00000000
0x00000000
0x0019bad2
0x0019baad
0x0019baad
0x0019bab3
0x00000000
0x00000000
0x00000000
0x0019bab3
0x0019ba1a
0x0019ba1c
0x0019ba31
0x0019ba39
0x0019ba3b
0x0019ba50
0x0019ba58
0x0019ba5a
0x0019ba6f
0x0019ba77
0x0019ba79
0x0019ba82
0x0019ba82
0x0019ba82
0x00000000
0x0019ba79
0x0019ba63
0x0019ba63
0x0019ba69
0x00000000
0x00000000
0x00000000
0x0019ba69
0x0019ba44
0x0019ba44
0x0019ba4a
0x00000000
0x00000000
0x00000000
0x0019ba4a
0x0019ba25
0x0019ba25
0x0019ba2b
0x00000000
0x00000000
0x00000000
0x0019ba2b
0x0019be4f
0x0019c1f9
0x0019c1f9
0x00000000
0x0019c1f9
0x0019be55
0x00000000
0x00000000
0x00000000
0x0019c5b3
0x0019c5b3
0x0019c5b7
0x0019c5bb
0x0019c5bd
0x0019c5c3
0x0019c5ca
0x0019c5ca
0x0019c5ca
0x00000000
0x00000000
0x0019c985
0x0019c98d
0x00000000
0x00000000
0x00000000
0x00000000
0x0019cd6e
0x0019cd6e
0x0019cd72
0x0019cd76
0x0019cd78
0x0019c993
0x0019c993
0x0019c997
0x0019c99b
0x0019c99d
0x00000000
0x00000000
0x0019c9a3
0x0019c9a7
0x0019c9aa
0x0019c9b0
0x0019cd91
0x0019cd91
0x00000000
0x0019cd91
0x00000000
0x0019c9b6
0x0019cd7e
0x0019cd82
0x0019cd85
0x0019cd8b
0x00000000
0x00000000
0x00000000
0x00000000
0x0019c17e
0x0019c17e
0x0019c184
0x0019c1f3
0x0019c1f5
0x0019c1f7
0x00000000
0x00000000
0x00000000
0x0019c1f7
0x0019c186
0x0019c189
0x0019c18d
0x0019c18f
0x0019c1a0
0x0019c1a0
0x0019c1a4
0x0019c1a8
0x0019c1aa
0x0019c1bb
0x0019c1bb
0x0019c1bf
0x0019c1c3
0x0019c1c5
0x0019c1da
0x0019c1da
0x0019c1e2
0x0019c1e4
0x0019c1e6
0x0019c1ed
0x0019c1ed
0x0019c1ed
0x00000000
0x0019c1e4
0x0019c1c7
0x0019c1cb
0x0019c1ce
0x0019c1d4
0x00000000
0x00000000
0x0019c1d6
0x0019c1d6
0x00000000
0x0019c1d6
0x0019c1ac
0x0019c1b0
0x0019c1b3
0x0019c1b9
0x00000000
0x00000000
0x00000000
0x0019c1b9
0x0019c191
0x0019c195
0x0019c198
0x0019c19e
0x00000000
0x00000000
0x00000000
0x00000000
0x0019c52c
0x0019c52c
0x0019c532
0x0019c5a9
0x0019c5ab
0x0019c5ad
0x00000000
0x00000000
0x00000000
0x0019c5ad
0x0019c534
0x0019c537
0x0019c53b
0x0019c53d
0x0019c552
0x0019c552
0x0019c556
0x0019c55a
0x0019c55c
0x0019c571
0x0019c571
0x0019c575
0x0019c579
0x0019c57b
0x0019c590
0x0019c590
0x0019c594
0x0019c598
0x0019c59a
0x0019c59c
0x0019c5a3
0x0019c5a3
0x0019c5a3
0x00000000
0x0019c59a
0x0019c57d
0x0019c581
0x0019c584
0x0019c584
0x0019c58a
0x00000000
0x00000000
0x00000000
0x0019c58a
0x0019c55e
0x0019c562
0x0019c565
0x0019c565
0x0019c56b
0x00000000
0x00000000
0x00000000
0x0019c56b
0x0019c53f
0x0019c543
0x0019c546
0x0019c546
0x0019c54c
0x00000000
0x00000000
0x00000000
0x00000000
0x0019c8fe
0x0019c8fe
0x0019c904
0x0019c97b
0x0019c97d
0x0019c97f
0x00000000
0x00000000
0x00000000
0x0019c97f
0x0019c906
0x0019c909
0x0019c90d
0x0019c90f
0x0019c924
0x0019c924
0x0019c928
0x0019c92c
0x0019c92e
0x0019c943
0x0019c943
0x0019c947
0x0019c94b
0x0019c94d
0x0019c962
0x0019c962
0x0019c966
0x0019c96a
0x0019c96c
0x0019c96e
0x0019c975
0x0019c975
0x0019c975
0x00000000
0x0019c96c
0x0019c94f
0x0019c953
0x0019c956
0x0019c956
0x0019c95c
0x00000000
0x00000000
0x00000000
0x0019c95c
0x0019c930
0x0019c934
0x0019c937
0x0019c937
0x0019c93d
0x00000000
0x00000000
0x00000000
0x0019c93d
0x0019c911
0x0019c915
0x0019c918
0x0019c918
0x0019c91e
0x00000000
0x00000000
0x00000000
0x00000000
0x0019cce7
0x0019cce7
0x0019cced
0x0019cd64
0x0019cd66
0x0019cd68
0x00000000
0x00000000
0x00000000
0x0019cd68
0x0019ccef
0x0019ccf2
0x0019ccf6
0x0019ccf8
0x0019cd0d
0x0019cd0d
0x0019cd11
0x0019cd15
0x0019cd17
0x0019cd2c
0x0019cd2c
0x0019cd30
0x0019cd34
0x0019cd36
0x0019cd4b
0x0019cd4b
0x0019cd4f
0x0019cd53
0x0019cd55
0x0019cd57
0x0019cd5e
0x0019cd5e
0x0019cd5e
0x00000000
0x0019cd55
0x0019cd38
0x0019cd3c
0x0019cd3f
0x0019cd3f
0x0019cd45
0x00000000
0x00000000
0x00000000
0x0019cd45
0x0019cd19
0x0019cd1d
0x0019cd20
0x0019cd20
0x0019cd26
0x00000000
0x00000000
0x00000000
0x0019cd26
0x0019ccfa
0x0019ccfe
0x0019cd01
0x0019cd01
0x0019cd07
0x00000000
0x00000000
0x00000000
0x00000000
0x0019c0f7
0x0019c0f7
0x0019c0fd
0x0019c174
0x0019c176
0x0019c178
0x00000000
0x00000000
0x00000000
0x0019c178
0x0019c0ff
0x0019c102
0x0019c106
0x0019c108
0x0019c11d
0x0019c11d
0x0019c121
0x0019c125
0x0019c127
0x0019c13c
0x0019c13c
0x0019c140
0x0019c144
0x0019c146
0x0019c15b
0x0019c15b
0x0019c15f
0x0019c163
0x0019c165
0x0019c167
0x0019c16e
0x0019c16e
0x0019c16e
0x00000000
0x0019c165
0x0019c148
0x0019c14c
0x0019c14f
0x0019c14f
0x0019c155
0x00000000
0x00000000
0x00000000
0x0019c155
0x0019c129
0x0019c12d
0x0019c130
0x0019c130
0x0019c136
0x00000000
0x00000000
0x00000000
0x0019c136
0x0019c10a
0x0019c10e
0x0019c111
0x0019c111
0x0019c117
0x00000000
0x00000000
0x00000000
0x00000000
0x0019c4a4
0x0019c4a4
0x0019c4aa
0x0019c522
0x0019c524
0x0019c526
0x00000000
0x00000000
0x00000000
0x0019c526
0x0019c4ac
0x0019c4b0
0x0019c4b4
0x0019c4b6
0x0019c4cb
0x0019c4cb
0x0019c4cf
0x0019c4d3
0x0019c4d5
0x0019c4ea
0x0019c4ea
0x0019c4ee
0x0019c4f2
0x0019c4f4
0x0019c509
0x0019c509
0x0019c50d
0x0019c511
0x0019c513
0x0019c515
0x0019c51c
0x0019c51c
0x0019c51c
0x00000000
0x0019c513
0x0019c4f6
0x0019c4fa
0x0019c4fd
0x0019c4fd
0x0019c503
0x00000000
0x00000000
0x00000000
0x0019c503
0x0019c4d7
0x0019c4db
0x0019c4de
0x0019c4de
0x0019c4e4
0x00000000
0x00000000
0x00000000
0x0019c4e4
0x0019c4b8
0x0019c4bc
0x0019c4bf
0x0019c4bf
0x0019c4c5
0x00000000
0x00000000
0x00000000
0x00000000
0x0019c876
0x0019c876
0x0019c87c
0x0019c8f4
0x0019c8f6
0x0019c8f8
0x00000000
0x00000000
0x00000000
0x0019c8f8
0x0019c87e
0x0019c882
0x0019c886
0x0019c888
0x0019c89d
0x0019c89d
0x0019c8a1
0x0019c8a5
0x0019c8a7
0x0019c8bc
0x0019c8bc
0x0019c8c0
0x0019c8c4
0x0019c8c6
0x0019c8db
0x0019c8db
0x0019c8df
0x0019c8e3
0x0019c8e5
0x0019c8e7
0x0019c8ee
0x0019c8ee
0x0019c8ee
0x00000000
0x0019c8e5
0x0019c8c8
0x0019c8cc
0x0019c8cf
0x0019c8cf
0x0019c8d5
0x00000000
0x00000000
0x00000000
0x0019c8d5
0x0019c8a9
0x0019c8ad
0x0019c8b0
0x0019c8b0
0x0019c8b6
0x00000000
0x00000000
0x00000000
0x0019c8b6
0x0019c88a
0x0019c88e
0x0019c891
0x0019c891
0x0019c897
0x00000000
0x00000000
0x00000000
0x00000000
0x0019cc60
0x0019cc60
0x0019cc66
0x0019ccdd
0x0019ccdf
0x0019cce1
0x00000000
0x00000000
0x00000000
0x0019cce1
0x0019cc68
0x0019cc6b
0x0019cc6f
0x0019cc71
0x0019cc86
0x0019cc86
0x0019cc8a
0x0019cc8e
0x0019cc90
0x0019cca5
0x0019cca5
0x0019cca9
0x0019ccad
0x0019ccaf
0x0019ccc4
0x0019ccc4
0x0019ccc8
0x0019cccc
0x0019ccce
0x0019ccd0
0x0019ccd7
0x0019ccd7
0x0019ccd7
0x00000000
0x0019ccce
0x0019ccb1
0x0019ccb5
0x0019ccb8
0x0019ccb8
0x0019ccbe
0x00000000
0x00000000
0x00000000
0x0019ccbe
0x0019cc92
0x0019cc96
0x0019cc99
0x0019cc99
0x0019cc9f
0x00000000
0x00000000
0x00000000
0x0019cc9f
0x0019cc73
0x0019cc77
0x0019cc7a
0x0019cc7a
0x0019cc80
0x00000000
0x00000000
0x00000000
0x00000000
0x0019c06f
0x0019c06f
0x0019c075
0x0019c0ed
0x0019c0ef
0x0019c0f1
0x00000000
0x00000000
0x00000000
0x0019c0f1
0x0019c077
0x0019c07b
0x0019c07f
0x0019c081
0x0019c096
0x0019c096
0x0019c09a
0x0019c09e
0x0019c0a0
0x0019c0b5
0x0019c0b5
0x0019c0b9
0x0019c0bd
0x0019c0bf
0x0019c0d4
0x0019c0d4
0x0019c0d8
0x0019c0dc
0x0019c0de
0x0019c0e0
0x0019c0e7
0x0019c0e7
0x0019c0e7
0x00000000
0x0019c0de
0x0019c0c1
0x0019c0c5
0x0019c0c8
0x0019c0c8
0x0019c0ce
0x00000000
0x00000000
0x00000000
0x0019c0ce
0x0019c0a2
0x0019c0a6
0x0019c0a9
0x0019c0a9
0x0019c0af
0x00000000
0x00000000
0x00000000
0x0019c0af
0x0019c083
0x0019c087
0x0019c08a
0x0019c08a
0x0019c090
0x00000000
0x00000000
0x00000000
0x00000000
0x0019c41d
0x0019c41d
0x0019c423
0x0019c49a
0x0019c49c
0x0019c49e
0x00000000
0x00000000
0x00000000
0x0019c49e
0x0019c425
0x0019c428
0x0019c42c
0x0019c42e
0x0019c443
0x0019c443
0x0019c447
0x0019c44b
0x0019c44d
0x0019c462
0x0019c462
0x0019c466
0x0019c46a
0x0019c46c
0x0019c481
0x0019c481
0x0019c485
0x0019c489
0x0019c48b
0x0019c48d
0x0019c494
0x0019c494
0x0019c494
0x00000000
0x0019c48b
0x0019c46e
0x0019c472
0x0019c475
0x0019c475
0x0019c47b
0x00000000
0x00000000
0x00000000
0x0019c47b
0x0019c44f
0x0019c453
0x0019c456
0x0019c456
0x0019c45c
0x00000000
0x00000000
0x00000000
0x0019c45c
0x0019c430
0x0019c434
0x0019c437
0x0019c437
0x0019c43d
0x00000000
0x00000000
0x00000000
0x00000000
0x0019c7ef
0x0019c7ef
0x0019c7f5
0x0019c86c
0x0019c86e
0x0019c870
0x00000000
0x00000000
0x00000000
0x0019c870
0x0019c7f7
0x0019c7fa
0x0019c7fe
0x0019c800
0x0019c815
0x0019c815
0x0019c819
0x0019c81d
0x0019c81f
0x0019c834
0x0019c834
0x0019c838
0x0019c83c
0x0019c83e
0x0019c853
0x0019c853
0x0019c857
0x0019c85b
0x0019c85d
0x0019c85f
0x0019c866
0x0019c866
0x0019c866
0x00000000
0x0019c85d
0x0019c840
0x0019c844
0x0019c847
0x0019c847
0x0019c84d
0x00000000
0x00000000
0x00000000
0x0019c84d
0x0019c821
0x0019c825
0x0019c828
0x0019c828
0x0019c82e
0x00000000
0x00000000
0x00000000
0x0019c82e
0x0019c802
0x0019c806
0x0019c809
0x0019c809
0x0019c80f
0x00000000
0x00000000
0x00000000
0x00000000
0x0019cbd8
0x0019cbd8
0x0019cbde
0x0019cc56
0x0019cc58
0x0019cc5a
0x00000000
0x00000000
0x00000000
0x0019cc5a
0x0019cbe0
0x0019cbe4
0x0019cbe8
0x0019cbea
0x0019cbff
0x0019cbff
0x0019cc03
0x0019cc07
0x0019cc09
0x0019cc1e
0x0019cc1e
0x0019cc22
0x0019cc26
0x0019cc28
0x0019cc3d
0x0019cc3d
0x0019cc41
0x0019cc45
0x0019cc47
0x0019cc49
0x0019cc50
0x0019cc50
0x0019cc50
0x00000000
0x0019cc47
0x0019cc2a
0x0019cc2e
0x0019cc31
0x0019cc31
0x0019cc37
0x00000000
0x00000000
0x00000000
0x0019cc37
0x0019cc0b
0x0019cc0f
0x0019cc12
0x0019cc12
0x0019cc18
0x00000000
0x00000000
0x00000000
0x0019cc18
0x0019cbec
0x0019cbf0
0x0019cbf3
0x0019cbf3
0x0019cbf9
0x00000000
0x00000000
0x00000000
0x00000000
0x0019bfe8
0x0019bfe8
0x0019bfee
0x0019c065
0x0019c067
0x0019c069
0x00000000
0x00000000
0x00000000
0x0019c069
0x0019bff0
0x0019bff3
0x0019bff7
0x0019bff9
0x0019c00e
0x0019c00e
0x0019c012
0x0019c016
0x0019c018
0x0019c02d
0x0019c02d
0x0019c031
0x0019c035
0x0019c037
0x0019c04c
0x0019c04c
0x0019c050
0x0019c054
0x0019c056
0x0019c058
0x0019c05f
0x0019c05f
0x0019c05f
0x00000000
0x0019c056
0x0019c039
0x0019c03d
0x0019c040
0x0019c040
0x0019c046
0x00000000
0x00000000
0x00000000
0x0019c046
0x0019c01a
0x0019c01e
0x0019c021
0x0019c021
0x0019c027
0x00000000
0x00000000
0x00000000
0x0019c027
0x0019bffb
0x0019bfff
0x0019c002
0x0019c002
0x0019c008
0x00000000
0x00000000
0x00000000
0x00000000
0x0019c396
0x0019c396
0x0019c39c
0x0019c413
0x0019c415
0x0019c417
0x00000000
0x00000000
0x00000000
0x0019c417
0x0019c39e
0x0019c3a1
0x0019c3a5
0x0019c3a7
0x0019c3bc
0x0019c3bc
0x0019c3c0
0x0019c3c4
0x0019c3c6
0x0019c3db
0x0019c3db
0x0019c3df
0x0019c3e3
0x0019c3e5
0x0019c3fa
0x0019c3fa
0x0019c3fe
0x0019c402
0x0019c404
0x0019c406
0x0019c40d
0x0019c40d
0x0019c40d
0x00000000
0x0019c404
0x0019c3e7
0x0019c3eb
0x0019c3ee
0x0019c3ee
0x0019c3f4
0x00000000
0x00000000
0x00000000
0x0019c3f4
0x0019c3c8
0x0019c3cc
0x0019c3cf
0x0019c3cf
0x0019c3d5
0x00000000
0x00000000
0x00000000
0x0019c3d5
0x0019c3a9
0x0019c3ad
0x0019c3b0
0x0019c3b0
0x0019c3b6
0x00000000
0x00000000
0x00000000
0x00000000
0x0019c768
0x0019c768
0x0019c76e
0x0019c7e5
0x0019c7e7
0x0019c7e9
0x00000000
0x00000000
0x00000000
0x0019c7e9
0x0019c770
0x0019c773
0x0019c777
0x0019c779
0x0019c78e
0x0019c78e
0x0019c792
0x0019c796
0x0019c798
0x0019c7ad
0x0019c7ad
0x0019c7b1
0x0019c7b5
0x0019c7b7
0x0019c7cc
0x0019c7cc
0x0019c7d0
0x0019c7d4
0x0019c7d6
0x0019c7d8
0x0019c7df
0x0019c7df
0x0019c7df
0x00000000
0x0019c7d6
0x0019c7b9
0x0019c7bd
0x0019c7c0
0x0019c7c0
0x0019c7c6
0x00000000
0x00000000
0x00000000
0x0019c7c6
0x0019c79a
0x0019c79e
0x0019c7a1
0x0019c7a1
0x0019c7a7
0x00000000
0x00000000
0x00000000
0x0019c7a7
0x0019c77b
0x0019c77f
0x0019c782
0x0019c782
0x0019c788
0x00000000
0x00000000
0x00000000
0x00000000
0x0019cb51
0x0019cb51
0x0019cb57
0x0019cbce
0x0019cbd0
0x0019cbd2
0x00000000
0x00000000
0x00000000
0x0019cbd2
0x0019cb59
0x0019cb5c
0x0019cb60
0x0019cb62
0x0019cb77
0x0019cb77
0x0019cb7b
0x0019cb7f
0x0019cb81
0x0019cb96
0x0019cb96
0x0019cb9a
0x0019cb9e
0x0019cba0
0x0019cbb5
0x0019cbb5
0x0019cbb9
0x0019cbbd
0x0019cbbf
0x0019cbc1
0x0019cbc8
0x0019cbc8
0x0019cbc8
0x00000000
0x0019cbbf
0x0019cba2
0x0019cba6
0x0019cba9
0x0019cba9
0x0019cbaf
0x00000000
0x00000000
0x00000000
0x0019cbaf
0x0019cb83
0x0019cb87
0x0019cb8a
0x0019cb8a
0x0019cb90
0x00000000
0x00000000
0x00000000
0x0019cb90
0x0019cb64
0x0019cb68
0x0019cb6b
0x0019cb6b
0x0019cb71
0x00000000
0x00000000
0x00000000
0x00000000
0x0019bf61
0x0019bf61
0x0019bf67
0x0019bfde
0x0019bfe0
0x0019bfe2
0x00000000
0x00000000
0x00000000
0x0019bfe2
0x0019bf69
0x0019bf6c
0x0019bf70
0x0019bf72
0x0019bf87
0x0019bf87
0x0019bf8b
0x0019bf8f
0x0019bf91
0x0019bfa6
0x0019bfa6
0x0019bfaa
0x0019bfae
0x0019bfb0
0x0019bfc5
0x0019bfc5
0x0019bfc9
0x0019bfcd
0x0019bfcf
0x0019bfd1
0x0019bfd8
0x0019bfd8
0x0019bfd8
0x00000000
0x0019bfcf
0x0019bfb2
0x0019bfb6
0x0019bfb9
0x0019bfb9
0x0019bfbf
0x00000000
0x00000000
0x00000000
0x0019bfbf
0x0019bf93
0x0019bf97
0x0019bf9a
0x0019bf9a
0x0019bfa0
0x00000000
0x00000000
0x00000000
0x0019bfa0
0x0019bf74
0x0019bf78
0x0019bf7b
0x0019bf7b
0x0019bf81
0x00000000
0x00000000
0x00000000
0x00000000
0x0019c30f
0x0019c30f
0x0019c315
0x0019c38c
0x0019c38e
0x0019c390
0x00000000
0x00000000
0x00000000
0x0019c390
0x0019c317
0x0019c31a
0x0019c31e
0x0019c320
0x0019c335
0x0019c335
0x0019c339
0x0019c33d
0x0019c33f
0x0019c354
0x0019c354
0x0019c358
0x0019c35c
0x0019c35e
0x0019c373
0x0019c373
0x0019c377
0x0019c37b
0x0019c37d
0x0019c37f
0x0019c386
0x0019c386
0x0019c386
0x00000000
0x0019c37d
0x0019c360
0x0019c364
0x0019c367
0x0019c367
0x0019c36d
0x00000000
0x00000000
0x00000000
0x0019c36d
0x0019c341
0x0019c345
0x0019c348
0x0019c348
0x0019c34e
0x00000000
0x00000000
0x00000000
0x0019c34e
0x0019c322
0x0019c326
0x0019c329
0x0019c329
0x0019c32f
0x00000000
0x00000000
0x00000000
0x00000000
0x0019c6e1
0x0019c6e1
0x0019c6e7
0x0019c75e
0x0019c760
0x0019c762
0x00000000
0x00000000
0x00000000
0x0019c762
0x0019c6e9
0x0019c6ec
0x0019c6f0
0x0019c6f2
0x0019c707
0x0019c707
0x0019c70b
0x0019c70f
0x0019c711
0x0019c726
0x0019c726
0x0019c72a
0x0019c72e
0x0019c730
0x0019c745
0x0019c745
0x0019c749
0x0019c74d
0x0019c74f
0x0019c751
0x0019c758
0x0019c758
0x0019c758
0x00000000
0x0019c74f
0x0019c732
0x0019c736
0x0019c739
0x0019c739
0x0019c73f
0x00000000
0x00000000
0x00000000
0x0019c73f
0x0019c713
0x0019c717
0x0019c71a
0x0019c71a
0x0019c720
0x00000000
0x00000000
0x00000000
0x0019c720
0x0019c6f4
0x0019c6f8
0x0019c6fb
0x0019c6fb
0x0019c701
0x00000000
0x00000000
0x00000000
0x00000000
0x0019caca
0x0019caca
0x0019cad0
0x0019cb47
0x0019cb49
0x0019cb4b
0x00000000
0x00000000
0x00000000
0x0019cb4b
0x0019cad2
0x0019cad5
0x0019cad9
0x0019cadb
0x0019caf0
0x0019caf0
0x0019caf4
0x0019caf8
0x0019cafa
0x0019cb0f
0x0019cb0f
0x0019cb13
0x0019cb17
0x0019cb19
0x0019cb2e
0x0019cb2e
0x0019cb32
0x0019cb36
0x0019cb38
0x0019cb3a
0x0019cb41
0x0019cb41
0x0019cb41
0x00000000
0x0019cb38
0x0019cb1b
0x0019cb1f
0x0019cb22
0x0019cb22
0x0019cb28
0x00000000
0x00000000
0x00000000
0x0019cb28
0x0019cafc
0x0019cb00
0x0019cb03
0x0019cb03
0x0019cb09
0x00000000
0x00000000
0x00000000
0x0019cb09
0x0019cadd
0x0019cae1
0x0019cae4
0x0019cae4
0x0019caea
0x00000000
0x00000000
0x00000000
0x00000000
0x0019beda
0x0019beda
0x0019bee0
0x0019bf57
0x0019bf59
0x0019bf5b
0x00000000
0x00000000
0x00000000
0x0019bf5b
0x0019bee2
0x0019bee5
0x0019bee9
0x0019beeb
0x0019bf00
0x0019bf00
0x0019bf04
0x0019bf08
0x0019bf0a
0x0019bf1f
0x0019bf1f
0x0019bf23
0x0019bf27
0x0019bf29
0x0019bf3e
0x0019bf3e
0x0019bf42
0x0019bf46
0x0019bf48
0x0019bf4a
0x0019bf51
0x0019bf51
0x0019bf51
0x00000000
0x0019bf48
0x0019bf2b
0x0019bf2f
0x0019bf32
0x0019bf32
0x0019bf38
0x00000000
0x00000000
0x00000000
0x0019bf38
0x0019bf0c
0x0019bf10
0x0019bf13
0x0019bf13
0x0019bf19
0x00000000
0x00000000
0x00000000
0x0019bf19
0x0019beed
0x0019bef1
0x0019bef4
0x0019bef4
0x0019befa
0x00000000
0x00000000
0x00000000
0x00000000
0x0019c288
0x0019c288
0x0019c28e
0x0019c305
0x0019c307
0x0019c309
0x00000000
0x00000000
0x00000000
0x0019c309
0x0019c290
0x0019c293
0x0019c297
0x0019c299
0x0019c2ae
0x0019c2ae
0x0019c2b2
0x0019c2b6
0x0019c2b8
0x0019c2cd
0x0019c2cd
0x0019c2d1
0x0019c2d5
0x0019c2d7
0x0019c2ec
0x0019c2ec
0x0019c2f0
0x0019c2f4
0x0019c2f6
0x0019c2f8
0x0019c2ff
0x0019c2ff
0x0019c2ff
0x00000000
0x0019c2f6
0x0019c2d9
0x0019c2dd
0x0019c2e0
0x0019c2e0
0x0019c2e6
0x00000000
0x00000000
0x00000000
0x0019c2e6
0x0019c2ba
0x0019c2be
0x0019c2c1
0x0019c2c1
0x0019c2c7
0x00000000
0x00000000
0x00000000
0x0019c2c7
0x0019c29b
0x0019c29f
0x0019c2a2
0x0019c2a2
0x0019c2a8
0x00000000
0x00000000
0x00000000
0x00000000
0x0019c65a
0x0019c65a
0x0019c660
0x0019c6d7
0x0019c6d9
0x0019c6db
0x00000000
0x00000000
0x00000000
0x0019c6db
0x0019c662
0x0019c665
0x0019c669
0x0019c66b
0x0019c680
0x0019c680
0x0019c684
0x0019c688
0x0019c68a
0x0019c69f
0x0019c69f
0x0019c6a3
0x0019c6a7
0x0019c6a9
0x0019c6be
0x0019c6be
0x0019c6c2
0x0019c6c6
0x0019c6c8
0x0019c6ca
0x0019c6d1
0x0019c6d1
0x0019c6d1
0x00000000
0x0019c6c8
0x0019c6ab
0x0019c6af
0x0019c6b2
0x0019c6b2
0x0019c6b8
0x00000000
0x00000000
0x00000000
0x0019c6b8
0x0019c68c
0x0019c690
0x0019c693
0x0019c693
0x0019c699
0x00000000
0x00000000
0x00000000
0x0019c699
0x0019c66d
0x0019c671
0x0019c674
0x0019c674
0x0019c67a
0x00000000
0x00000000
0x00000000
0x00000000
0x0019ca43
0x0019ca43
0x0019ca49
0x0019cac0
0x0019cac2
0x0019cac4
0x00000000
0x00000000
0x00000000
0x0019cac4
0x0019ca4b
0x0019ca4e
0x0019ca52
0x0019ca54
0x0019ca69
0x0019ca69
0x0019ca6d
0x0019ca71
0x0019ca73
0x0019ca88
0x0019ca88
0x0019ca8c
0x0019ca90
0x0019ca92
0x0019caa7
0x0019caa7
0x0019caab
0x0019caaf
0x0019cab1
0x0019cab3
0x0019caba
0x0019caba
0x0019caba
0x00000000
0x0019cab1
0x0019ca94
0x0019ca98
0x0019ca9b
0x0019ca9b
0x0019caa1
0x00000000
0x00000000
0x00000000
0x0019caa1
0x0019ca75
0x0019ca79
0x0019ca7c
0x0019ca7c
0x0019ca82
0x00000000
0x00000000
0x00000000
0x0019ca82
0x0019ca56
0x0019ca5a
0x0019ca5d
0x0019ca5d
0x0019ca63
0x00000000
0x00000000
0x00000000
0x00000000
0x0019be63
0x0019be69
0x0019bed4
0x0019bed6
0x0019bed8
0x00000000
0x00000000
0x00000000
0x0019bed8
0x0019be6b
0x0019be6e
0x0019be72
0x0019be74
0x0019be85
0x0019be85
0x0019be89
0x0019be8d
0x0019be8f
0x0019bea0
0x0019bea0
0x0019bea4
0x0019bea8
0x0019beaa
0x0019bebb
0x0019bebb
0x0019bebf
0x0019bec3
0x0019bec5
0x0019bec7
0x0019bece
0x0019bece
0x0019bece
0x00000000
0x0019bec5
0x0019beac
0x0019beb0
0x0019beb3
0x0019beb3
0x0019beb9
0x00000000
0x00000000
0x00000000
0x0019beb9
0x0019be91
0x0019be95
0x0019be98
0x0019be98
0x0019be9e
0x00000000
0x00000000
0x00000000
0x0019be9e
0x0019be76
0x0019be7a
0x0019be7d
0x0019be7d
0x0019be83
0x00000000
0x00000000
0x00000000
0x00000000
0x0019c201
0x0019c207
0x0019c27e
0x0019c280
0x0019c282
0x00000000
0x00000000
0x00000000
0x0019c282
0x0019c209
0x0019c20c
0x0019c210
0x0019c212
0x0019c227
0x0019c227
0x0019c22b
0x0019c22f
0x0019c231
0x0019c246
0x0019c246
0x0019c24a
0x0019c24e
0x0019c250
0x0019c265
0x0019c265
0x0019c269
0x0019c26d
0x0019c26f
0x0019c271
0x0019c278
0x0019c278
0x0019c278
0x00000000
0x0019c26f
0x0019c252
0x0019c256
0x0019c259
0x0019c259
0x0019c25f
0x00000000
0x00000000
0x00000000
0x0019c25f
0x0019c233
0x0019c237
0x0019c23a
0x0019c23a
0x0019c240
0x00000000
0x00000000
0x00000000
0x0019c240
0x0019c214
0x0019c218
0x0019c21b
0x0019c21b
0x0019c221
0x00000000
0x00000000
0x00000000
0x00000000
0x0019c5d3
0x0019c5d9
0x0019c650
0x0019c652
0x0019c654
0x00000000
0x00000000
0x00000000
0x0019c654
0x0019c5db
0x0019c5de
0x0019c5e2
0x0019c5e4
0x0019c5f9
0x0019c5f9
0x0019c5fd
0x0019c601
0x0019c603
0x0019c618
0x0019c618
0x0019c61c
0x0019c620
0x0019c622
0x0019c637
0x0019c637
0x0019c63b
0x0019c63f
0x0019c641
0x0019c643
0x0019c64a
0x0019c64a
0x0019c64a
0x00000000
0x0019c641
0x0019c624
0x0019c628
0x0019c62b
0x0019c62b
0x0019c631
0x00000000
0x00000000
0x00000000
0x0019c631
0x0019c605
0x0019c609
0x0019c60c
0x0019c60c
0x0019c612
0x00000000
0x00000000
0x00000000
0x0019c612
0x0019c5e6
0x0019c5ea
0x0019c5ed
0x0019c5ed
0x0019c5f3
0x00000000
0x00000000
0x00000000
0x00000000
0x0019c9bb
0x0019c9c1
0x0019ca39
0x0019ca3b
0x0019ca3d
0x00000000
0x00000000
0x00000000
0x0019ca3d
0x0019c9c3
0x0019c9c7
0x0019c9cb
0x0019c9cd
0x0019c9e2
0x0019c9e2
0x0019c9e6
0x0019c9ea
0x0019c9ec
0x0019ca01
0x0019ca01
0x0019ca05
0x0019ca09
0x0019ca0b
0x0019ca20
0x0019ca20
0x0019ca24
0x0019ca28
0x0019ca2a
0x0019ca2c
0x0019ca33
0x0019ca33
0x0019ca33
0x00000000
0x0019ca2a
0x0019ca0d
0x0019ca11
0x0019ca14
0x0019ca14
0x0019ca1a
0x00000000
0x00000000
0x00000000
0x0019ca1a
0x0019c9ee
0x0019c9f2
0x0019c9f5
0x0019c9f5
0x0019c9fb
0x00000000
0x00000000
0x00000000
0x0019c9fb
0x0019c9cf
0x0019c9d3
0x0019c9d6
0x0019c9d6
0x0019c9dc
0x00000000
0x00000000
0x00000000
0x00000000
0x0019be55

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e16d9631d92bbd4e3af207b2877fdc6cc3522935bd80e8644a65cfd00ba5b5
Instruction ID: aa7c3ed2b7365ed8de270a9ef235c11414fec4b47c5d2e1068e13a1355a76ef9
Opcode Fuzzy Hash: 12e16d9631d92bbd4e3af207b2877fdc6cc3522935bd80e8644a65cfd00ba5b5
Instruction Fuzzy Hash: 9302C133D4D6B24B8F364EF955E02667FA09E01B5031F86A9DED43F196C312EE0696E0

Uniqueness

Uniqueness Score: -1.00%

Function 0019C9BB, Relevance: .4, Instructions: 355
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0019C9BB(void* __eax, void* __ecx) {
				void* _t196;
				signed int _t197;
				void* _t200;
				signed char _t205;
				signed char _t206;
				signed char _t207;
				signed char _t209;
				signed char _t210;
				signed int _t215;
				signed int _t291;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t319;
				void* _t321;
				void* _t323;
				void* _t326;
				void* _t328;
				void* _t330;
				void* _t333;
				void* _t335;
				void* _t337;

				_t200 = __ecx;
				_t196 = __eax;
				if( *((intOrPtr*)(__eax - 0x1f)) ==  *((intOrPtr*)(__ecx - 0x1f))) {
					_t291 = 0;
					L17:
					if(_t291 != 0) {
						goto L1;
					}
					_t205 =  *(_t196 - 0x1b);
					if(_t205 ==  *(_t200 - 0x1b)) {
						_t291 = 0;
						L28:
						if(_t291 != 0) {
							goto L1;
						}
						_t206 =  *(_t196 - 0x17);
						if(_t206 ==  *(_t200 - 0x17)) {
							_t291 = 0;
							L39:
							if(_t291 != 0) {
								goto L1;
							}
							_t207 =  *(_t196 - 0x13);
							if(_t207 ==  *(_t200 - 0x13)) {
								_t291 = 0;
								L50:
								if(_t291 != 0) {
									goto L1;
								}
								if( *(_t196 - 0xf) ==  *(_t200 - 0xf)) {
									_t291 = 0;
									L61:
									if(_t291 != 0) {
										goto L1;
									}
									_t209 =  *(_t196 - 0xb);
									if(_t209 ==  *(_t200 - 0xb)) {
										_t291 = 0;
										L72:
										if(_t291 != 0) {
											goto L1;
										}
										_t210 =  *(_t196 - 7);
										if(_t210 ==  *(_t200 - 7)) {
											_t291 = 0;
											L83:
											if(_t291 != 0) {
												goto L1;
											}
											_t294 = ( *(_t196 - 3) & 0x000000ff) - ( *(_t200 - 3) & 0x000000ff);
											if(_t294 == 0) {
												L5:
												_t296 = ( *(_t196 - 2) & 0x000000ff) - ( *(_t200 - 2) & 0x000000ff);
												if(_t296 == 0) {
													L3:
													_t197 = ( *(_t196 - 1) & 0x000000ff) - ( *(_t200 - 1) & 0x000000ff);
													if(_t197 != 0) {
														_t8 = (0 | _t197 > 0x00000000) - 1; // -1
														_t197 = (_t197 > 0) + _t8;
													}
													L2:
													return _t197;
												}
												_t215 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
												if(_t215 != 0) {
													L86:
													_t197 = _t215;
													goto L2;
												} else {
													goto L3;
												}
											}
											_t215 = (0 | _t294 > 0x00000000) + (0 | _t294 > 0x00000000) - 1;
											if(_t215 == 0) {
												goto L5;
											}
											goto L86;
										}
										_t298 = (_t210 & 0x000000ff) - ( *(_t200 - 7) & 0x000000ff);
										if(_t298 == 0) {
											L76:
											_t300 = ( *(_t196 - 6) & 0x000000ff) - ( *(_t200 - 6) & 0x000000ff);
											if(_t300 == 0) {
												L78:
												_t302 = ( *(_t196 - 5) & 0x000000ff) - ( *(_t200 - 5) & 0x000000ff);
												if(_t302 == 0) {
													L80:
													_t291 = ( *(_t196 - 4) & 0x000000ff) - ( *(_t200 - 4) & 0x000000ff);
													if(_t291 != 0) {
														_t189 = (0 | _t291 > 0x00000000) - 1; // -1
														_t291 = (_t291 > 0) + _t189;
													}
													goto L83;
												}
												_t183 = (0 | _t302 > 0x00000000) - 1; // -1
												_t291 = (_t302 > 0) + _t183;
												if(_t291 != 0) {
													goto L1;
												}
												goto L80;
											}
											_t177 = (0 | _t300 > 0x00000000) - 1; // -1
											_t291 = (_t300 > 0) + _t177;
											if(_t291 != 0) {
												goto L1;
											}
											goto L78;
										}
										_t171 = (0 | _t298 > 0x00000000) - 1; // -1
										_t291 = (_t298 > 0) + _t171;
										if(_t291 != 0) {
											goto L1;
										}
										goto L76;
									}
									_t305 = (_t209 & 0x000000ff) - ( *(_t200 - 0xb) & 0x000000ff);
									if(_t305 == 0) {
										L65:
										_t307 = ( *(_t196 - 0xa) & 0x000000ff) - ( *(_t200 - 0xa) & 0x000000ff);
										if(_t307 == 0) {
											L67:
											_t309 = ( *(_t196 - 9) & 0x000000ff) - ( *(_t200 - 9) & 0x000000ff);
											if(_t309 == 0) {
												L69:
												_t291 = ( *(_t196 - 8) & 0x000000ff) - ( *(_t200 - 8) & 0x000000ff);
												if(_t291 != 0) {
													_t164 = (0 | _t291 > 0x00000000) - 1; // -1
													_t291 = (_t291 > 0) + _t164;
												}
												goto L72;
											}
											_t158 = (0 | _t309 > 0x00000000) - 1; // -1
											_t291 = (_t309 > 0) + _t158;
											if(_t291 != 0) {
												goto L1;
											}
											goto L69;
										}
										_t152 = (0 | _t307 > 0x00000000) - 1; // -1
										_t291 = (_t307 > 0) + _t152;
										if(_t291 != 0) {
											goto L1;
										}
										goto L67;
									}
									_t146 = (0 | _t305 > 0x00000000) - 1; // -1
									_t291 = (_t305 > 0) + _t146;
									if(_t291 != 0) {
										goto L1;
									}
									goto L65;
								}
								_t312 = ( *(_t196 - 0xf) & 0x000000ff) - ( *(_t200 - 0xf) & 0x000000ff);
								if(_t312 == 0) {
									L54:
									_t314 = ( *(_t196 - 0xe) & 0x000000ff) - ( *(_t200 - 0xe) & 0x000000ff);
									if(_t314 == 0) {
										L56:
										_t316 = ( *(_t196 - 0xd) & 0x000000ff) - ( *(_t200 - 0xd) & 0x000000ff);
										if(_t316 == 0) {
											L58:
											_t291 = ( *(_t196 - 0xc) & 0x000000ff) - ( *(_t200 - 0xc) & 0x000000ff);
											if(_t291 != 0) {
												_t139 = (0 | _t291 > 0x00000000) - 1; // -1
												_t291 = (_t291 > 0) + _t139;
											}
											goto L61;
										}
										_t133 = (0 | _t316 > 0x00000000) - 1; // -1
										_t291 = (_t316 > 0) + _t133;
										if(_t291 != 0) {
											goto L1;
										}
										goto L58;
									}
									_t127 = (0 | _t314 > 0x00000000) - 1; // -1
									_t291 = (_t314 > 0) + _t127;
									if(_t291 != 0) {
										goto L1;
									}
									goto L56;
								}
								_t121 = (0 | _t312 > 0x00000000) - 1; // -1
								_t291 = (_t312 > 0) + _t121;
								if(_t291 != 0) {
									goto L1;
								}
								goto L54;
							}
							_t319 = (_t207 & 0x000000ff) - ( *(_t200 - 0x13) & 0x000000ff);
							if(_t319 == 0) {
								L43:
								_t321 = ( *(_t196 - 0x12) & 0x000000ff) - ( *(_t200 - 0x12) & 0x000000ff);
								if(_t321 == 0) {
									L45:
									_t323 = ( *(_t196 - 0x11) & 0x000000ff) - ( *(_t200 - 0x11) & 0x000000ff);
									if(_t323 == 0) {
										L47:
										_t291 = ( *(_t196 - 0x10) & 0x000000ff) - ( *(_t200 - 0x10) & 0x000000ff);
										if(_t291 != 0) {
											_t113 = (0 | _t291 > 0x00000000) - 1; // -1
											_t291 = (_t291 > 0) + _t113;
										}
										goto L50;
									}
									_t107 = (0 | _t323 > 0x00000000) - 1; // -1
									_t291 = (_t323 > 0) + _t107;
									if(_t291 != 0) {
										goto L1;
									}
									goto L47;
								}
								_t101 = (0 | _t321 > 0x00000000) - 1; // -1
								_t291 = (_t321 > 0) + _t101;
								if(_t291 != 0) {
									goto L1;
								}
								goto L45;
							}
							_t95 = (0 | _t319 > 0x00000000) - 1; // -1
							_t291 = (_t319 > 0) + _t95;
							if(_t291 != 0) {
								goto L1;
							}
							goto L43;
						}
						_t326 = (_t206 & 0x000000ff) - ( *(_t200 - 0x17) & 0x000000ff);
						if(_t326 == 0) {
							L32:
							_t328 = ( *(_t196 - 0x16) & 0x000000ff) - ( *(_t200 - 0x16) & 0x000000ff);
							if(_t328 == 0) {
								L34:
								_t330 = ( *(_t196 - 0x15) & 0x000000ff) - ( *(_t200 - 0x15) & 0x000000ff);
								if(_t330 == 0) {
									L36:
									_t291 = ( *(_t196 - 0x14) & 0x000000ff) - ( *(_t200 - 0x14) & 0x000000ff);
									if(_t291 != 0) {
										_t88 = (0 | _t291 > 0x00000000) - 1; // -1
										_t291 = (_t291 > 0) + _t88;
									}
									goto L39;
								}
								_t82 = (0 | _t330 > 0x00000000) - 1; // -1
								_t291 = (_t330 > 0) + _t82;
								if(_t291 != 0) {
									goto L1;
								}
								goto L36;
							}
							_t76 = (0 | _t328 > 0x00000000) - 1; // -1
							_t291 = (_t328 > 0) + _t76;
							if(_t291 != 0) {
								goto L1;
							}
							goto L34;
						}
						_t70 = (0 | _t326 > 0x00000000) - 1; // -1
						_t291 = (_t326 > 0) + _t70;
						if(_t291 != 0) {
							goto L1;
						}
						goto L32;
					}
					_t333 = (_t205 & 0x000000ff) - ( *(_t200 - 0x1b) & 0x000000ff);
					if(_t333 == 0) {
						L21:
						_t335 = ( *(_t196 - 0x1a) & 0x000000ff) - ( *(_t200 - 0x1a) & 0x000000ff);
						if(_t335 == 0) {
							L23:
							_t337 = ( *(_t196 - 0x19) & 0x000000ff) - ( *(_t200 - 0x19) & 0x000000ff);
							if(_t337 == 0) {
								L25:
								_t291 = ( *(_t196 - 0x18) & 0x000000ff) - ( *(_t200 - 0x18) & 0x000000ff);
								if(_t291 != 0) {
									_t63 = (0 | _t291 > 0x00000000) - 1; // -1
									_t291 = (_t291 > 0) + _t63;
								}
								goto L28;
							}
							_t57 = (0 | _t337 > 0x00000000) - 1; // -1
							_t291 = (_t337 > 0) + _t57;
							if(_t291 != 0) {
								goto L1;
							}
							goto L25;
						}
						_t51 = (0 | _t335 > 0x00000000) - 1; // -1
						_t291 = (_t335 > 0) + _t51;
						if(_t291 != 0) {
							goto L1;
						}
						goto L23;
					}
					_t45 = (0 | _t333 > 0x00000000) - 1; // -1
					_t291 = (_t333 > 0) + _t45;
					if(_t291 != 0) {
						goto L1;
					}
					goto L21;
				} else {
					__edx =  *(__ecx - 0x1f) & 0x000000ff;
					__esi =  *(__eax - 0x1f) & 0x000000ff;
					__esi = ( *(__eax - 0x1f) & 0x000000ff) - ( *(__ecx - 0x1f) & 0x000000ff);
					if(__esi == 0) {
						L10:
						__esi =  *(__eax - 0x1e) & 0x000000ff;
						__edx =  *(__ecx - 0x1e) & 0x000000ff;
						__esi = ( *(__eax - 0x1e) & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
						if(__esi == 0) {
							L12:
							__esi =  *(__eax - 0x1d) & 0x000000ff;
							__edx =  *(__ecx - 0x1d) & 0x000000ff;
							__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
							if(__esi == 0) {
								L14:
								__esi =  *(__eax - 0x1c) & 0x000000ff;
								__edx =  *(__ecx - 0x1c) & 0x000000ff;
								__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
								if(__esi != 0) {
									__edx = 0;
									_t38 = (0 | __esi > 0x00000000) - 1; // -1
									__esi = (__esi > 0) + _t38;
								}
								goto L17;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t32 = __edx - 1; // -1
							__esi = __edx + _t32;
							if(__edx + _t32 != 0) {
								goto L1;
							}
							goto L14;
						}
						__edx = 0;
						__edx = 0 | __esi > 0x00000000;
						_t26 = __edx - 1; // -1
						__esi = __edx + _t26;
						if(__edx + _t26 != 0) {
							goto L1;
						}
						goto L12;
					}
					__edx = 0;
					__edx = 0 | __esi > 0x00000000;
					_t20 = __edx - 1; // -1
					__esi = __edx + _t20;
					if(__edx + _t20 != 0) {
						goto L1;
					}
					goto L10;
				}
				L1:
				_t197 = _t291;
				goto L2;
			}

0x0019c9bb
0x0019c9bb
0x0019c9c1
0x0019ca39
0x0019ca3b
0x0019ca3d
0x00000000
0x00000000
0x0019ca43
0x0019ca49
0x0019cac0
0x0019cac2
0x0019cac4
0x00000000
0x00000000
0x0019caca
0x0019cad0
0x0019cb47
0x0019cb49
0x0019cb4b
0x00000000
0x00000000
0x0019cb51
0x0019cb57
0x0019cbce
0x0019cbd0
0x0019cbd2
0x00000000
0x00000000
0x0019cbde
0x0019cc56
0x0019cc58
0x0019cc5a
0x00000000
0x00000000
0x0019cc60
0x0019cc66
0x0019ccdd
0x0019ccdf
0x0019cce1
0x00000000
0x00000000
0x0019cce7
0x0019cced
0x0019cd64
0x0019cd66
0x0019cd68
0x00000000
0x00000000
0x0019cd76
0x0019cd78
0x0019c993
0x0019c99b
0x0019c99d
0x0019c5b3
0x0019c5bb
0x0019c5bd
0x0019c5ca
0x0019c5ca
0x0019c5ca
0x0019c1fb
0x0019ce9f
0x0019ce9f
0x0019c9aa
0x0019c9b0
0x0019cd91
0x0019cd91
0x00000000
0x0019c9b6
0x00000000
0x0019c9b6
0x0019c9b0
0x0019cd85
0x0019cd8b
0x00000000
0x00000000
0x00000000
0x0019cd8b
0x0019ccf6
0x0019ccf8
0x0019cd0d
0x0019cd15
0x0019cd17
0x0019cd2c
0x0019cd34
0x0019cd36
0x0019cd4b
0x0019cd53
0x0019cd55
0x0019cd5e
0x0019cd5e
0x0019cd5e
0x00000000
0x0019cd55
0x0019cd3f
0x0019cd3f
0x0019cd45
0x00000000
0x00000000
0x00000000
0x0019cd45
0x0019cd20
0x0019cd20
0x0019cd26
0x00000000
0x00000000
0x00000000
0x0019cd26
0x0019cd01
0x0019cd01
0x0019cd07
0x00000000
0x00000000
0x00000000
0x0019cd07
0x0019cc6f
0x0019cc71
0x0019cc86
0x0019cc8e
0x0019cc90
0x0019cca5
0x0019ccad
0x0019ccaf
0x0019ccc4
0x0019cccc
0x0019ccce
0x0019ccd7
0x0019ccd7
0x0019ccd7
0x00000000
0x0019ccce
0x0019ccb8
0x0019ccb8
0x0019ccbe
0x00000000
0x00000000
0x00000000
0x0019ccbe
0x0019cc99
0x0019cc99
0x0019cc9f
0x00000000
0x00000000
0x00000000
0x0019cc9f
0x0019cc7a
0x0019cc7a
0x0019cc80
0x00000000
0x00000000
0x00000000
0x0019cc80
0x0019cbe8
0x0019cbea
0x0019cbff
0x0019cc07
0x0019cc09
0x0019cc1e
0x0019cc26
0x0019cc28
0x0019cc3d
0x0019cc45
0x0019cc47
0x0019cc50
0x0019cc50
0x0019cc50
0x00000000
0x0019cc47
0x0019cc31
0x0019cc31
0x0019cc37
0x00000000
0x00000000
0x00000000
0x0019cc37
0x0019cc12
0x0019cc12
0x0019cc18
0x00000000
0x00000000
0x00000000
0x0019cc18
0x0019cbf3
0x0019cbf3
0x0019cbf9
0x00000000
0x00000000
0x00000000
0x0019cbf9
0x0019cb60
0x0019cb62
0x0019cb77
0x0019cb7f
0x0019cb81
0x0019cb96
0x0019cb9e
0x0019cba0
0x0019cbb5
0x0019cbbd
0x0019cbbf
0x0019cbc8
0x0019cbc8
0x0019cbc8
0x00000000
0x0019cbbf
0x0019cba9
0x0019cba9
0x0019cbaf
0x00000000
0x00000000
0x00000000
0x0019cbaf
0x0019cb8a
0x0019cb8a
0x0019cb90
0x00000000
0x00000000
0x00000000
0x0019cb90
0x0019cb6b
0x0019cb6b
0x0019cb71
0x00000000
0x00000000
0x00000000
0x0019cb71
0x0019cad9
0x0019cadb
0x0019caf0
0x0019caf8
0x0019cafa
0x0019cb0f
0x0019cb17
0x0019cb19
0x0019cb2e
0x0019cb36
0x0019cb38
0x0019cb41
0x0019cb41
0x0019cb41
0x00000000
0x0019cb38
0x0019cb22
0x0019cb22
0x0019cb28
0x00000000
0x00000000
0x00000000
0x0019cb28
0x0019cb03
0x0019cb03
0x0019cb09
0x00000000
0x00000000
0x00000000
0x0019cb09
0x0019cae4
0x0019cae4
0x0019caea
0x00000000
0x00000000
0x00000000
0x0019caea
0x0019ca52
0x0019ca54
0x0019ca69
0x0019ca71
0x0019ca73
0x0019ca88
0x0019ca90
0x0019ca92
0x0019caa7
0x0019caaf
0x0019cab1
0x0019caba
0x0019caba
0x0019caba
0x00000000
0x0019cab1
0x0019ca9b
0x0019ca9b
0x0019caa1
0x00000000
0x00000000
0x00000000
0x0019caa1
0x0019ca7c
0x0019ca7c
0x0019ca82
0x00000000
0x00000000
0x00000000
0x0019ca82
0x0019ca5d
0x0019ca5d
0x0019ca63
0x00000000
0x00000000
0x00000000
0x0019c9c3
0x0019c9c3
0x0019c9c7
0x0019c9cb
0x0019c9cd
0x0019c9e2
0x0019c9e2
0x0019c9e6
0x0019c9ea
0x0019c9ec
0x0019ca01
0x0019ca01
0x0019ca05
0x0019ca09
0x0019ca0b
0x0019ca20
0x0019ca20
0x0019ca24
0x0019ca28
0x0019ca2a
0x0019ca2c
0x0019ca33
0x0019ca33
0x0019ca33
0x00000000
0x0019ca2a
0x0019ca0d
0x0019ca11
0x0019ca14
0x0019ca14
0x0019ca1a
0x00000000
0x00000000
0x00000000
0x0019ca1a
0x0019c9ee
0x0019c9f2
0x0019c9f5
0x0019c9f5
0x0019c9fb
0x00000000
0x00000000
0x00000000
0x0019c9fb
0x0019c9cf
0x0019c9d3
0x0019c9d6
0x0019c9d6
0x0019c9dc
0x00000000
0x00000000
0x00000000
0x0019c9dc
0x0019be5c
0x0019be5c
0x00000000

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction ID: 365024c3778016da5caa06c917f53bc2fce9821c3b483ffd2597d5559a15bd4f
Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction Fuzzy Hash: D0C19173D0E5B2058F36862E156827FFEA26E91B8131FC3A5DCD43F289D3226D0596D0

Uniqueness

Uniqueness Score: -1.00%

Function 0019C5D3, Relevance: .3, Instructions: 349
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0019C5D3(void* __eax, void* __ecx) {
				void* _t191;
				signed int _t192;
				void* _t195;
				signed char _t200;
				signed char _t201;
				signed char _t202;
				signed char _t203;
				signed char _t205;
				signed int _t210;
				signed int _t284;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t310;
				void* _t312;
				void* _t314;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t324;
				void* _t326;
				void* _t328;

				_t195 = __ecx;
				_t191 = __eax;
				if( *((intOrPtr*)(__eax - 0x1e)) ==  *((intOrPtr*)(__ecx - 0x1e))) {
					_t284 = 0;
					L15:
					if(_t284 != 0) {
						goto L1;
					}
					_t200 =  *(_t191 - 0x1a);
					if(_t200 ==  *(_t195 - 0x1a)) {
						_t284 = 0;
						L26:
						if(_t284 != 0) {
							goto L1;
						}
						_t201 =  *(_t191 - 0x16);
						if(_t201 ==  *(_t195 - 0x16)) {
							_t284 = 0;
							L37:
							if(_t284 != 0) {
								goto L1;
							}
							_t202 =  *(_t191 - 0x12);
							if(_t202 ==  *(_t195 - 0x12)) {
								_t284 = 0;
								L48:
								if(_t284 != 0) {
									goto L1;
								}
								_t203 =  *(_t191 - 0xe);
								if(_t203 ==  *(_t195 - 0xe)) {
									_t284 = 0;
									L59:
									if(_t284 != 0) {
										goto L1;
									}
									if( *(_t191 - 0xa) ==  *(_t195 - 0xa)) {
										_t284 = 0;
										L70:
										if(_t284 != 0) {
											goto L1;
										}
										_t205 =  *(_t191 - 6);
										if(_t205 ==  *(_t195 - 6)) {
											_t284 = 0;
											L81:
											if(_t284 != 0) {
												goto L1;
											}
											if( *(_t191 - 2) ==  *(_t195 - 2)) {
												_t192 = 0;
												L3:
												return _t192;
											}
											_t287 = ( *(_t191 - 2) & 0x000000ff) - ( *(_t195 - 2) & 0x000000ff);
											if(_t287 == 0) {
												L4:
												_t192 = ( *(_t191 - 1) & 0x000000ff) - ( *(_t195 - 1) & 0x000000ff);
												if(_t192 != 0) {
													_t8 = (0 | _t192 > 0x00000000) - 1; // -1
													_t192 = (_t192 > 0) + _t8;
												}
												goto L3;
											}
											_t210 = (0 | _t287 > 0x00000000) + (0 | _t287 > 0x00000000) - 1;
											if(_t210 != 0) {
												_t192 = _t210;
												goto L3;
											}
											goto L4;
										}
										_t289 = (_t205 & 0x000000ff) - ( *(_t195 - 6) & 0x000000ff);
										if(_t289 == 0) {
											L74:
											_t291 = ( *(_t191 - 5) & 0x000000ff) - ( *(_t195 - 5) & 0x000000ff);
											if(_t291 == 0) {
												L76:
												_t293 = ( *(_t191 - 4) & 0x000000ff) - ( *(_t195 - 4) & 0x000000ff);
												if(_t293 == 0) {
													L78:
													_t284 = ( *(_t191 - 3) & 0x000000ff) - ( *(_t195 - 3) & 0x000000ff);
													if(_t284 != 0) {
														_t182 = (0 | _t284 > 0x00000000) - 1; // -1
														_t284 = (_t284 > 0) + _t182;
													}
													goto L81;
												}
												_t176 = (0 | _t293 > 0x00000000) - 1; // -1
												_t284 = (_t293 > 0) + _t176;
												if(_t284 != 0) {
													goto L1;
												}
												goto L78;
											}
											_t170 = (0 | _t291 > 0x00000000) - 1; // -1
											_t284 = (_t291 > 0) + _t170;
											if(_t284 != 0) {
												goto L1;
											}
											goto L76;
										}
										_t164 = (0 | _t289 > 0x00000000) - 1; // -1
										_t284 = (_t289 > 0) + _t164;
										if(_t284 != 0) {
											goto L1;
										}
										goto L74;
									}
									_t296 = ( *(_t191 - 0xa) & 0x000000ff) - ( *(_t195 - 0xa) & 0x000000ff);
									if(_t296 == 0) {
										L63:
										_t298 = ( *(_t191 - 9) & 0x000000ff) - ( *(_t195 - 9) & 0x000000ff);
										if(_t298 == 0) {
											L65:
											_t300 = ( *(_t191 - 8) & 0x000000ff) - ( *(_t195 - 8) & 0x000000ff);
											if(_t300 == 0) {
												L67:
												_t284 = ( *(_t191 - 7) & 0x000000ff) - ( *(_t195 - 7) & 0x000000ff);
												if(_t284 != 0) {
													_t157 = (0 | _t284 > 0x00000000) - 1; // -1
													_t284 = (_t284 > 0) + _t157;
												}
												goto L70;
											}
											_t151 = (0 | _t300 > 0x00000000) - 1; // -1
											_t284 = (_t300 > 0) + _t151;
											if(_t284 != 0) {
												goto L1;
											}
											goto L67;
										}
										_t145 = (0 | _t298 > 0x00000000) - 1; // -1
										_t284 = (_t298 > 0) + _t145;
										if(_t284 != 0) {
											goto L1;
										}
										goto L65;
									}
									_t139 = (0 | _t296 > 0x00000000) - 1; // -1
									_t284 = (_t296 > 0) + _t139;
									if(_t284 != 0) {
										goto L1;
									}
									goto L63;
								}
								_t303 = (_t203 & 0x000000ff) - ( *(_t195 - 0xe) & 0x000000ff);
								if(_t303 == 0) {
									L52:
									_t305 = ( *(_t191 - 0xd) & 0x000000ff) - ( *(_t195 - 0xd) & 0x000000ff);
									if(_t305 == 0) {
										L54:
										_t307 = ( *(_t191 - 0xc) & 0x000000ff) - ( *(_t195 - 0xc) & 0x000000ff);
										if(_t307 == 0) {
											L56:
											_t284 = ( *(_t191 - 0xb) & 0x000000ff) - ( *(_t195 - 0xb) & 0x000000ff);
											if(_t284 != 0) {
												_t131 = (0 | _t284 > 0x00000000) - 1; // -1
												_t284 = (_t284 > 0) + _t131;
											}
											goto L59;
										}
										_t125 = (0 | _t307 > 0x00000000) - 1; // -1
										_t284 = (_t307 > 0) + _t125;
										if(_t284 != 0) {
											goto L1;
										}
										goto L56;
									}
									_t119 = (0 | _t305 > 0x00000000) - 1; // -1
									_t284 = (_t305 > 0) + _t119;
									if(_t284 != 0) {
										goto L1;
									}
									goto L54;
								}
								_t113 = (0 | _t303 > 0x00000000) - 1; // -1
								_t284 = (_t303 > 0) + _t113;
								if(_t284 != 0) {
									goto L1;
								}
								goto L52;
							}
							_t310 = (_t202 & 0x000000ff) - ( *(_t195 - 0x12) & 0x000000ff);
							if(_t310 == 0) {
								L41:
								_t312 = ( *(_t191 - 0x11) & 0x000000ff) - ( *(_t195 - 0x11) & 0x000000ff);
								if(_t312 == 0) {
									L43:
									_t314 = ( *(_t191 - 0x10) & 0x000000ff) - ( *(_t195 - 0x10) & 0x000000ff);
									if(_t314 == 0) {
										L45:
										_t284 = ( *(_t191 - 0xf) & 0x000000ff) - ( *(_t195 - 0xf) & 0x000000ff);
										if(_t284 != 0) {
											_t106 = (0 | _t284 > 0x00000000) - 1; // -1
											_t284 = (_t284 > 0) + _t106;
										}
										goto L48;
									}
									_t100 = (0 | _t314 > 0x00000000) - 1; // -1
									_t284 = (_t314 > 0) + _t100;
									if(_t284 != 0) {
										goto L1;
									}
									goto L45;
								}
								_t94 = (0 | _t312 > 0x00000000) - 1; // -1
								_t284 = (_t312 > 0) + _t94;
								if(_t284 != 0) {
									goto L1;
								}
								goto L43;
							}
							_t88 = (0 | _t310 > 0x00000000) - 1; // -1
							_t284 = (_t310 > 0) + _t88;
							if(_t284 != 0) {
								goto L1;
							}
							goto L41;
						}
						_t317 = (_t201 & 0x000000ff) - ( *(_t195 - 0x16) & 0x000000ff);
						if(_t317 == 0) {
							L30:
							_t319 = ( *(_t191 - 0x15) & 0x000000ff) - ( *(_t195 - 0x15) & 0x000000ff);
							if(_t319 == 0) {
								L32:
								_t321 = ( *(_t191 - 0x14) & 0x000000ff) - ( *(_t195 - 0x14) & 0x000000ff);
								if(_t321 == 0) {
									L34:
									_t284 = ( *(_t191 - 0x13) & 0x000000ff) - ( *(_t195 - 0x13) & 0x000000ff);
									if(_t284 != 0) {
										_t81 = (0 | _t284 > 0x00000000) - 1; // -1
										_t284 = (_t284 > 0) + _t81;
									}
									goto L37;
								}
								_t75 = (0 | _t321 > 0x00000000) - 1; // -1
								_t284 = (_t321 > 0) + _t75;
								if(_t284 != 0) {
									goto L1;
								}
								goto L34;
							}
							_t69 = (0 | _t319 > 0x00000000) - 1; // -1
							_t284 = (_t319 > 0) + _t69;
							if(_t284 != 0) {
								goto L1;
							}
							goto L32;
						}
						_t63 = (0 | _t317 > 0x00000000) - 1; // -1
						_t284 = (_t317 > 0) + _t63;
						if(_t284 != 0) {
							goto L1;
						}
						goto L30;
					}
					_t324 = (_t200 & 0x000000ff) - ( *(_t195 - 0x1a) & 0x000000ff);
					if(_t324 == 0) {
						L19:
						_t326 = ( *(_t191 - 0x19) & 0x000000ff) - ( *(_t195 - 0x19) & 0x000000ff);
						if(_t326 == 0) {
							L21:
							_t328 = ( *(_t191 - 0x18) & 0x000000ff) - ( *(_t195 - 0x18) & 0x000000ff);
							if(_t328 == 0) {
								L23:
								_t284 = ( *(_t191 - 0x17) & 0x000000ff) - ( *(_t195 - 0x17) & 0x000000ff);
								if(_t284 != 0) {
									_t56 = (0 | _t284 > 0x00000000) - 1; // -1
									_t284 = (_t284 > 0) + _t56;
								}
								goto L26;
							}
							_t50 = (0 | _t328 > 0x00000000) - 1; // -1
							_t284 = (_t328 > 0) + _t50;
							if(_t284 != 0) {
								goto L1;
							}
							goto L23;
						}
						_t44 = (0 | _t326 > 0x00000000) - 1; // -1
						_t284 = (_t326 > 0) + _t44;
						if(_t284 != 0) {
							goto L1;
						}
						goto L21;
					}
					_t38 = (0 | _t324 > 0x00000000) - 1; // -1
					_t284 = (_t324 > 0) + _t38;
					if(_t284 != 0) {
						goto L1;
					}
					goto L19;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1e) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
					if(__esi == 0) {
						L8:
						__esi =  *(__eax - 0x1d) & 0x000000ff;
						__edx =  *(__ecx - 0x1d) & 0x000000ff;
						__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
						if(__esi == 0) {
							L10:
							__esi =  *(__eax - 0x1c) & 0x000000ff;
							__edx =  *(__ecx - 0x1c) & 0x000000ff;
							__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
							if(__esi == 0) {
								L12:
								__esi =  *(__eax - 0x1b) & 0x000000ff;
								__edx =  *(__ecx - 0x1b) & 0x000000ff;
								__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
								if(__esi != 0) {
									__edx = 0;
									_t31 = (0 | __esi > 0x00000000) - 1; // -1
									__esi = (__esi > 0) + _t31;
								}
								goto L15;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t25 = __edx - 1; // -1
							__esi = __edx + _t25;
							if(__edx + _t25 != 0) {
								goto L1;
							}
							goto L12;
						}
						__edx = 0;
						__edx = 0 | __esi > 0x00000000;
						_t19 = __edx - 1; // -1
						__esi = __edx + _t19;
						if(__edx + _t19 != 0) {
							goto L1;
						}
						goto L10;
					}
					__edx = 0;
					__edx = 0 | __esi > 0x00000000;
					_t13 = __edx - 1; // -1
					__esi = __edx + _t13;
					if(__edx + _t13 != 0) {
						goto L1;
					}
					goto L8;
				}
				L1:
				_t192 = _t284;
				goto L3;
			}

0x0019c5d3
0x0019c5d3
0x0019c5d9
0x0019c650
0x0019c652
0x0019c654
0x00000000
0x00000000
0x0019c65a
0x0019c660
0x0019c6d7
0x0019c6d9
0x0019c6db
0x00000000
0x00000000
0x0019c6e1
0x0019c6e7
0x0019c75e
0x0019c760
0x0019c762
0x00000000
0x00000000
0x0019c768
0x0019c76e
0x0019c7e5
0x0019c7e7
0x0019c7e9
0x00000000
0x00000000
0x0019c7ef
0x0019c7f5
0x0019c86c
0x0019c86e
0x0019c870
0x00000000
0x00000000
0x0019c87c
0x0019c8f4
0x0019c8f6
0x0019c8f8
0x00000000
0x00000000
0x0019c8fe
0x0019c904
0x0019c97b
0x0019c97d
0x0019c97f
0x00000000
0x00000000
0x0019c98d
0x0019c1f9
0x0019c1fb
0x0019ce9f
0x0019ce9f
0x0019c99b
0x0019c99d
0x0019c5b3
0x0019c5bb
0x0019c5bd
0x0019c5ca
0x0019c5ca
0x0019c5ca
0x00000000
0x0019c5bd
0x0019c9aa
0x0019c9b0
0x0019cd91
0x00000000
0x0019cd91
0x00000000
0x0019c9b6
0x0019c90d
0x0019c90f
0x0019c924
0x0019c92c
0x0019c92e
0x0019c943
0x0019c94b
0x0019c94d
0x0019c962
0x0019c96a
0x0019c96c
0x0019c975
0x0019c975
0x0019c975
0x00000000
0x0019c96c
0x0019c956
0x0019c956
0x0019c95c
0x00000000
0x00000000
0x00000000
0x0019c95c
0x0019c937
0x0019c937
0x0019c93d
0x00000000
0x00000000
0x00000000
0x0019c93d
0x0019c918
0x0019c918
0x0019c91e
0x00000000
0x00000000
0x00000000
0x0019c91e
0x0019c886
0x0019c888
0x0019c89d
0x0019c8a5
0x0019c8a7
0x0019c8bc
0x0019c8c4
0x0019c8c6
0x0019c8db
0x0019c8e3
0x0019c8e5
0x0019c8ee
0x0019c8ee
0x0019c8ee
0x00000000
0x0019c8e5
0x0019c8cf
0x0019c8cf
0x0019c8d5
0x00000000
0x00000000
0x00000000
0x0019c8d5
0x0019c8b0
0x0019c8b0
0x0019c8b6
0x00000000
0x00000000
0x00000000
0x0019c8b6
0x0019c891
0x0019c891
0x0019c897
0x00000000
0x00000000
0x00000000
0x0019c897
0x0019c7fe
0x0019c800
0x0019c815
0x0019c81d
0x0019c81f
0x0019c834
0x0019c83c
0x0019c83e
0x0019c853
0x0019c85b
0x0019c85d
0x0019c866
0x0019c866
0x0019c866
0x00000000
0x0019c85d
0x0019c847
0x0019c847
0x0019c84d
0x00000000
0x00000000
0x00000000
0x0019c84d
0x0019c828
0x0019c828
0x0019c82e
0x00000000
0x00000000
0x00000000
0x0019c82e
0x0019c809
0x0019c809
0x0019c80f
0x00000000
0x00000000
0x00000000
0x0019c80f
0x0019c777
0x0019c779
0x0019c78e
0x0019c796
0x0019c798
0x0019c7ad
0x0019c7b5
0x0019c7b7
0x0019c7cc
0x0019c7d4
0x0019c7d6
0x0019c7df
0x0019c7df
0x0019c7df
0x00000000
0x0019c7d6
0x0019c7c0
0x0019c7c0
0x0019c7c6
0x00000000
0x00000000
0x00000000
0x0019c7c6
0x0019c7a1
0x0019c7a1
0x0019c7a7
0x00000000
0x00000000
0x00000000
0x0019c7a7
0x0019c782
0x0019c782
0x0019c788
0x00000000
0x00000000
0x00000000
0x0019c788
0x0019c6f0
0x0019c6f2
0x0019c707
0x0019c70f
0x0019c711
0x0019c726
0x0019c72e
0x0019c730
0x0019c745
0x0019c74d
0x0019c74f
0x0019c758
0x0019c758
0x0019c758
0x00000000
0x0019c74f
0x0019c739
0x0019c739
0x0019c73f
0x00000000
0x00000000
0x00000000
0x0019c73f
0x0019c71a
0x0019c71a
0x0019c720
0x00000000
0x00000000
0x00000000
0x0019c720
0x0019c6fb
0x0019c6fb
0x0019c701
0x00000000
0x00000000
0x00000000
0x0019c701
0x0019c669
0x0019c66b
0x0019c680
0x0019c688
0x0019c68a
0x0019c69f
0x0019c6a7
0x0019c6a9
0x0019c6be
0x0019c6c6
0x0019c6c8
0x0019c6d1
0x0019c6d1
0x0019c6d1
0x00000000
0x0019c6c8
0x0019c6b2
0x0019c6b2
0x0019c6b8
0x00000000
0x00000000
0x00000000
0x0019c6b8
0x0019c693
0x0019c693
0x0019c699
0x00000000
0x00000000
0x00000000
0x0019c699
0x0019c674
0x0019c674
0x0019c67a
0x00000000
0x00000000
0x00000000
0x0019c5db
0x0019c5db
0x0019c5de
0x0019c5e2
0x0019c5e4
0x0019c5f9
0x0019c5f9
0x0019c5fd
0x0019c601
0x0019c603
0x0019c618
0x0019c618
0x0019c61c
0x0019c620
0x0019c622
0x0019c637
0x0019c637
0x0019c63b
0x0019c63f
0x0019c641
0x0019c643
0x0019c64a
0x0019c64a
0x0019c64a
0x00000000
0x0019c641
0x0019c624
0x0019c628
0x0019c62b
0x0019c62b
0x0019c631
0x00000000
0x00000000
0x00000000
0x0019c631
0x0019c605
0x0019c609
0x0019c60c
0x0019c60c
0x0019c612
0x00000000
0x00000000
0x00000000
0x0019c612
0x0019c5e6
0x0019c5ea
0x0019c5ed
0x0019c5ed
0x0019c5f3
0x00000000
0x00000000
0x00000000
0x0019c5f3
0x0019be5c
0x0019be5c
0x00000000

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction ID: ffca410cc543948a321009edcd0d0ec11c4ce7678cbc40fc81421955422c9f5c
Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction Fuzzy Hash: 41C18E73D0E5B2498F36862D556827FFEA26E91B4031FC3A5DCE43F289D722AD0196D0

Uniqueness

Uniqueness Score: -1.00%

Function 0019C201, Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: ee8c02991bb847a7fd1f3b1b8fe6b3e0c82b69c8adc3207777613586ad933e9d
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: 1EC19273D0E5B20A8F36862D156827FFEA26E91B4031FC3A5DCD43F289D326AD0596D0

Uniqueness

Uniqueness Score: -1.00%

Function 0019BE63, Relevance: .3, Instructions: 326
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0019BE63(void* __eax, void* __ecx) {
				void* _t177;
				signed int _t178;
				void* _t181;
				signed char _t186;
				signed char _t187;
				signed char _t188;
				signed char _t190;
				signed char _t191;
				signed int _t197;
				signed int _t263;
				void* _t266;
				void* _t268;
				void* _t270;
				void* _t272;
				void* _t274;
				void* _t276;
				void* _t279;
				void* _t281;
				void* _t283;
				void* _t286;
				void* _t288;
				void* _t290;
				void* _t293;
				void* _t295;
				void* _t297;
				void* _t300;
				void* _t302;
				void* _t304;

				_t181 = __ecx;
				_t177 = __eax;
				if( *((intOrPtr*)(__eax - 0x1c)) ==  *((intOrPtr*)(__ecx - 0x1c))) {
					_t263 = 0;
					L11:
					if(_t263 != 0) {
						goto L1;
					}
					_t186 =  *(_t177 - 0x18);
					if(_t186 ==  *(_t181 - 0x18)) {
						_t263 = 0;
						L22:
						if(_t263 != 0) {
							goto L1;
						}
						_t187 =  *(_t177 - 0x14);
						if(_t187 ==  *(_t181 - 0x14)) {
							_t263 = 0;
							L33:
							if(_t263 != 0) {
								goto L1;
							}
							_t188 =  *(_t177 - 0x10);
							if(_t188 ==  *(_t181 - 0x10)) {
								_t263 = 0;
								L44:
								if(_t263 != 0) {
									goto L1;
								}
								if( *(_t177 - 0xc) ==  *(_t181 - 0xc)) {
									_t263 = 0;
									L55:
									if(_t263 != 0) {
										goto L1;
									}
									_t190 =  *(_t177 - 8);
									if(_t190 ==  *(_t181 - 8)) {
										_t263 = 0;
										L66:
										if(_t263 != 0) {
											goto L1;
										}
										_t191 =  *(_t177 - 4);
										if(_t191 ==  *(_t181 - 4)) {
											_t178 = 0;
											L78:
											if(_t178 == 0) {
												_t178 = 0;
											}
											L80:
											return _t178;
										}
										_t266 = (_t191 & 0x000000ff) - ( *(_t181 - 4) & 0x000000ff);
										if(_t266 == 0) {
											L70:
											_t268 = ( *(_t177 - 3) & 0x000000ff) - ( *(_t181 - 3) & 0x000000ff);
											if(_t268 == 0) {
												L72:
												_t270 = ( *(_t177 - 2) & 0x000000ff) - ( *(_t181 - 2) & 0x000000ff);
												if(_t270 == 0) {
													L75:
													_t178 = ( *(_t177 - 1) & 0x000000ff) - ( *(_t181 - 1) & 0x000000ff);
													if(_t178 != 0) {
														_t176 = (0 | _t178 > 0x00000000) - 1; // -1
														_t178 = (_t178 > 0) + _t176;
													}
													goto L78;
												}
												_t197 = (0 | _t270 > 0x00000000) + (0 | _t270 > 0x00000000) - 1;
												if(_t197 == 0) {
													goto L75;
												}
												L74:
												_t178 = _t197;
												goto L78;
											}
											_t197 = (0 | _t268 > 0x00000000) + (0 | _t268 > 0x00000000) - 1;
											if(_t197 != 0) {
												goto L74;
											}
											goto L72;
										}
										_t197 = (0 | _t266 > 0x00000000) + (0 | _t266 > 0x00000000) - 1;
										if(_t197 != 0) {
											goto L74;
										}
										goto L70;
									}
									_t272 = (_t190 & 0x000000ff) - ( *(_t181 - 8) & 0x000000ff);
									if(_t272 == 0) {
										L59:
										_t274 = ( *(_t177 - 7) & 0x000000ff) - ( *(_t181 - 7) & 0x000000ff);
										if(_t274 == 0) {
											L61:
											_t276 = ( *(_t177 - 6) & 0x000000ff) - ( *(_t181 - 6) & 0x000000ff);
											if(_t276 == 0) {
												L63:
												_t263 = ( *(_t177 - 5) & 0x000000ff) - ( *(_t181 - 5) & 0x000000ff);
												if(_t263 != 0) {
													_t151 = (0 | _t263 > 0x00000000) - 1; // -1
													_t263 = (_t263 > 0) + _t151;
												}
												goto L66;
											}
											_t145 = (0 | _t276 > 0x00000000) - 1; // -1
											_t263 = (_t276 > 0) + _t145;
											if(_t263 != 0) {
												goto L1;
											}
											goto L63;
										}
										_t139 = (0 | _t274 > 0x00000000) - 1; // -1
										_t263 = (_t274 > 0) + _t139;
										if(_t263 != 0) {
											goto L1;
										}
										goto L61;
									}
									_t133 = (0 | _t272 > 0x00000000) - 1; // -1
									_t263 = (_t272 > 0) + _t133;
									if(_t263 != 0) {
										goto L1;
									}
									goto L59;
								}
								_t279 = ( *(_t177 - 0xc) & 0x000000ff) - ( *(_t181 - 0xc) & 0x000000ff);
								if(_t279 == 0) {
									L48:
									_t281 = ( *(_t177 - 0xb) & 0x000000ff) - ( *(_t181 - 0xb) & 0x000000ff);
									if(_t281 == 0) {
										L50:
										_t283 = ( *(_t177 - 0xa) & 0x000000ff) - ( *(_t181 - 0xa) & 0x000000ff);
										if(_t283 == 0) {
											L52:
											_t263 = ( *(_t177 - 9) & 0x000000ff) - ( *(_t181 - 9) & 0x000000ff);
											if(_t263 != 0) {
												_t126 = (0 | _t263 > 0x00000000) - 1; // -1
												_t263 = (_t263 > 0) + _t126;
											}
											goto L55;
										}
										_t120 = (0 | _t283 > 0x00000000) - 1; // -1
										_t263 = (_t283 > 0) + _t120;
										if(_t263 != 0) {
											goto L1;
										}
										goto L52;
									}
									_t114 = (0 | _t281 > 0x00000000) - 1; // -1
									_t263 = (_t281 > 0) + _t114;
									if(_t263 != 0) {
										goto L1;
									}
									goto L50;
								}
								_t108 = (0 | _t279 > 0x00000000) - 1; // -1
								_t263 = (_t279 > 0) + _t108;
								if(_t263 != 0) {
									goto L1;
								}
								goto L48;
							}
							_t286 = (_t188 & 0x000000ff) - ( *(_t181 - 0x10) & 0x000000ff);
							if(_t286 == 0) {
								L37:
								_t288 = ( *(_t177 - 0xf) & 0x000000ff) - ( *(_t181 - 0xf) & 0x000000ff);
								if(_t288 == 0) {
									L39:
									_t290 = ( *(_t177 - 0xe) & 0x000000ff) - ( *(_t181 - 0xe) & 0x000000ff);
									if(_t290 == 0) {
										L41:
										_t263 = ( *(_t177 - 0xd) & 0x000000ff) - ( *(_t181 - 0xd) & 0x000000ff);
										if(_t263 != 0) {
											_t100 = (0 | _t263 > 0x00000000) - 1; // -1
											_t263 = (_t263 > 0) + _t100;
										}
										goto L44;
									}
									_t94 = (0 | _t290 > 0x00000000) - 1; // -1
									_t263 = (_t290 > 0) + _t94;
									if(_t263 != 0) {
										goto L1;
									}
									goto L41;
								}
								_t88 = (0 | _t288 > 0x00000000) - 1; // -1
								_t263 = (_t288 > 0) + _t88;
								if(_t263 != 0) {
									goto L1;
								}
								goto L39;
							}
							_t82 = (0 | _t286 > 0x00000000) - 1; // -1
							_t263 = (_t286 > 0) + _t82;
							if(_t263 != 0) {
								goto L1;
							}
							goto L37;
						}
						_t293 = (_t187 & 0x000000ff) - ( *(_t181 - 0x14) & 0x000000ff);
						if(_t293 == 0) {
							L26:
							_t295 = ( *(_t177 - 0x13) & 0x000000ff) - ( *(_t181 - 0x13) & 0x000000ff);
							if(_t295 == 0) {
								L28:
								_t297 = ( *(_t177 - 0x12) & 0x000000ff) - ( *(_t181 - 0x12) & 0x000000ff);
								if(_t297 == 0) {
									L30:
									_t263 = ( *(_t177 - 0x11) & 0x000000ff) - ( *(_t181 - 0x11) & 0x000000ff);
									if(_t263 != 0) {
										_t75 = (0 | _t263 > 0x00000000) - 1; // -1
										_t263 = (_t263 > 0) + _t75;
									}
									goto L33;
								}
								_t69 = (0 | _t297 > 0x00000000) - 1; // -1
								_t263 = (_t297 > 0) + _t69;
								if(_t263 != 0) {
									goto L1;
								}
								goto L30;
							}
							_t63 = (0 | _t295 > 0x00000000) - 1; // -1
							_t263 = (_t295 > 0) + _t63;
							if(_t263 != 0) {
								goto L1;
							}
							goto L28;
						}
						_t57 = (0 | _t293 > 0x00000000) - 1; // -1
						_t263 = (_t293 > 0) + _t57;
						if(_t263 != 0) {
							goto L1;
						}
						goto L26;
					}
					_t300 = (_t186 & 0x000000ff) - ( *(_t181 - 0x18) & 0x000000ff);
					if(_t300 == 0) {
						L15:
						_t302 = ( *(_t177 - 0x17) & 0x000000ff) - ( *(_t181 - 0x17) & 0x000000ff);
						if(_t302 == 0) {
							L17:
							_t304 = ( *(_t177 - 0x16) & 0x000000ff) - ( *(_t181 - 0x16) & 0x000000ff);
							if(_t304 == 0) {
								L19:
								_t263 = ( *(_t177 - 0x15) & 0x000000ff) - ( *(_t181 - 0x15) & 0x000000ff);
								if(_t263 != 0) {
									_t50 = (0 | _t263 > 0x00000000) - 1; // -1
									_t263 = (_t263 > 0) + _t50;
								}
								goto L22;
							}
							_t44 = (0 | _t304 > 0x00000000) - 1; // -1
							_t263 = (_t304 > 0) + _t44;
							if(_t263 != 0) {
								goto L1;
							}
							goto L19;
						}
						_t38 = (0 | _t302 > 0x00000000) - 1; // -1
						_t263 = (_t302 > 0) + _t38;
						if(_t263 != 0) {
							goto L1;
						}
						goto L17;
					}
					_t32 = (0 | _t300 > 0x00000000) - 1; // -1
					_t263 = (_t300 > 0) + _t32;
					if(_t263 != 0) {
						goto L1;
					}
					goto L15;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1c) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
					if(__esi == 0) {
						L4:
						__esi =  *(__eax - 0x1b) & 0x000000ff;
						__edx =  *(__ecx - 0x1b) & 0x000000ff;
						__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
						if(__esi == 0) {
							L6:
							__esi =  *(__eax - 0x1a) & 0x000000ff;
							__edx =  *(__ecx - 0x1a) & 0x000000ff;
							__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
							if(__esi == 0) {
								L8:
								__esi =  *(__eax - 0x19) & 0x000000ff;
								__edx =  *(__ecx - 0x19) & 0x000000ff;
								__esi = ( *(__eax - 0x19) & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
								if(__esi != 0) {
									__edx = 0;
									_t25 = (0 | __esi > 0x00000000) - 1; // -1
									__esi = (__esi > 0) + _t25;
								}
								goto L11;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t19 = __edx - 1; // -1
							__esi = __edx + _t19;
							if(__edx + _t19 != 0) {
								goto L1;
							}
							goto L8;
						}
						__edx = 0;
						__edx = 0 | __esi > 0x00000000;
						_t13 = __edx - 1; // -1
						__esi = __edx + _t13;
						if(__edx + _t13 != 0) {
							goto L1;
						}
						goto L6;
					}
					__edx = 0;
					__edx = 0 | __esi > 0x00000000;
					_t7 = __edx - 1; // -1
					__esi = __edx + _t7;
					if(__edx + _t7 != 0) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t178 = _t263;
				goto L80;
			}

0x0019be63
0x0019be63
0x0019be69
0x0019bed4
0x0019bed6
0x0019bed8
0x00000000
0x00000000
0x0019beda
0x0019bee0
0x0019bf57
0x0019bf59
0x0019bf5b
0x00000000
0x00000000
0x0019bf61
0x0019bf67
0x0019bfde
0x0019bfe0
0x0019bfe2
0x00000000
0x00000000
0x0019bfe8
0x0019bfee
0x0019c065
0x0019c067
0x0019c069
0x00000000
0x00000000
0x0019c075
0x0019c0ed
0x0019c0ef
0x0019c0f1
0x00000000
0x00000000
0x0019c0f7
0x0019c0fd
0x0019c174
0x0019c176
0x0019c178
0x00000000
0x00000000
0x0019c17e
0x0019c184
0x0019c1f3
0x0019c1f5
0x0019c1f7
0x0019c1f9
0x0019c1f9
0x0019c1fb
0x0019ce9f
0x0019ce9f
0x0019c18d
0x0019c18f
0x0019c1a0
0x0019c1a8
0x0019c1aa
0x0019c1bb
0x0019c1c3
0x0019c1c5
0x0019c1da
0x0019c1e2
0x0019c1e4
0x0019c1ed
0x0019c1ed
0x0019c1ed
0x00000000
0x0019c1e4
0x0019c1ce
0x0019c1d4
0x00000000
0x00000000
0x0019c1d6
0x0019c1d6
0x00000000
0x0019c1d6
0x0019c1b3
0x0019c1b9
0x00000000
0x00000000
0x00000000
0x0019c1b9
0x0019c198
0x0019c19e
0x00000000
0x00000000
0x00000000
0x0019c19e
0x0019c106
0x0019c108
0x0019c11d
0x0019c125
0x0019c127
0x0019c13c
0x0019c144
0x0019c146
0x0019c15b
0x0019c163
0x0019c165
0x0019c16e
0x0019c16e
0x0019c16e
0x00000000
0x0019c165
0x0019c14f
0x0019c14f
0x0019c155
0x00000000
0x00000000
0x00000000
0x0019c155
0x0019c130
0x0019c130
0x0019c136
0x00000000
0x00000000
0x00000000
0x0019c136
0x0019c111
0x0019c111
0x0019c117
0x00000000
0x00000000
0x00000000
0x0019c117
0x0019c07f
0x0019c081
0x0019c096
0x0019c09e
0x0019c0a0
0x0019c0b5
0x0019c0bd
0x0019c0bf
0x0019c0d4
0x0019c0dc
0x0019c0de
0x0019c0e7
0x0019c0e7
0x0019c0e7
0x00000000
0x0019c0de
0x0019c0c8
0x0019c0c8
0x0019c0ce
0x00000000
0x00000000
0x00000000
0x0019c0ce
0x0019c0a9
0x0019c0a9
0x0019c0af
0x00000000
0x00000000
0x00000000
0x0019c0af
0x0019c08a
0x0019c08a
0x0019c090
0x00000000
0x00000000
0x00000000
0x0019c090
0x0019bff7
0x0019bff9
0x0019c00e
0x0019c016
0x0019c018
0x0019c02d
0x0019c035
0x0019c037
0x0019c04c
0x0019c054
0x0019c056
0x0019c05f
0x0019c05f
0x0019c05f
0x00000000
0x0019c056
0x0019c040
0x0019c040
0x0019c046
0x00000000
0x00000000
0x00000000
0x0019c046
0x0019c021
0x0019c021
0x0019c027
0x00000000
0x00000000
0x00000000
0x0019c027
0x0019c002
0x0019c002
0x0019c008
0x00000000
0x00000000
0x00000000
0x0019c008
0x0019bf70
0x0019bf72
0x0019bf87
0x0019bf8f
0x0019bf91
0x0019bfa6
0x0019bfae
0x0019bfb0
0x0019bfc5
0x0019bfcd
0x0019bfcf
0x0019bfd8
0x0019bfd8
0x0019bfd8
0x00000000
0x0019bfcf
0x0019bfb9
0x0019bfb9
0x0019bfbf
0x00000000
0x00000000
0x00000000
0x0019bfbf
0x0019bf9a
0x0019bf9a
0x0019bfa0
0x00000000
0x00000000
0x00000000
0x0019bfa0
0x0019bf7b
0x0019bf7b
0x0019bf81
0x00000000
0x00000000
0x00000000
0x0019bf81
0x0019bee9
0x0019beeb
0x0019bf00
0x0019bf08
0x0019bf0a
0x0019bf1f
0x0019bf27
0x0019bf29
0x0019bf3e
0x0019bf46
0x0019bf48
0x0019bf51
0x0019bf51
0x0019bf51
0x00000000
0x0019bf48
0x0019bf32
0x0019bf32
0x0019bf38
0x00000000
0x00000000
0x00000000
0x0019bf38
0x0019bf13
0x0019bf13
0x0019bf19
0x00000000
0x00000000
0x00000000
0x0019bf19
0x0019bef4
0x0019bef4
0x0019befa
0x00000000
0x00000000
0x00000000
0x0019be6b
0x0019be6b
0x0019be6e
0x0019be72
0x0019be74
0x0019be85
0x0019be85
0x0019be89
0x0019be8d
0x0019be8f
0x0019bea0
0x0019bea0
0x0019bea4
0x0019bea8
0x0019beaa
0x0019bebb
0x0019bebb
0x0019bebf
0x0019bec3
0x0019bec5
0x0019bec7
0x0019bece
0x0019bece
0x0019bece
0x00000000
0x0019bec5
0x0019beac
0x0019beb0
0x0019beb3
0x0019beb3
0x0019beb9
0x00000000
0x00000000
0x00000000
0x0019beb9
0x0019be91
0x0019be95
0x0019be98
0x0019be98
0x0019be9e
0x00000000
0x00000000
0x00000000
0x0019be9e
0x0019be76
0x0019be7a
0x0019be7d
0x0019be7d
0x0019be83
0x00000000
0x00000000
0x00000000
0x0019be83
0x0019be5c
0x0019be5c
0x00000000

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: 4f1cf7d202db3bdbf34214db40056d3eb8c366fbce91ee4dea7ce3dbf82cc506
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: 03B19173D0E5B3498F36852D59A827BEEA26E91B4031FC3A5DCD43F289D722AD0196D0

Uniqueness

Uniqueness Score: -1.00%

Function 001A28BD, Relevance: 54.3, APIs: 36, Instructions: 344
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E001A28BD(void* __edx, void* __edi, void* __esi, signed int* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed int _v44;
				char _v52;
				char _v60;
				intOrPtr* _t131;
				intOrPtr* _t132;
				signed char _t137;
				signed int _t141;
				void* _t145;
				signed char _t158;
				signed int* _t163;
				intOrPtr* _t183;
				void* _t189;
				void* _t191;
				signed int _t213;
				signed int _t215;
				void* _t222;
				signed int* _t224;
				void* _t227;
				signed int* _t238;
				signed char _t243;
				void* _t285;
				void* _t286;
				signed int _t288;
				void* _t290;
				signed int* _t291;
				signed int _t292;

				_t290 = __esi;
				_t286 = __edi;
				_t285 = __edx;
				_t131 =  *0x1c6060;
				_t247 =  *_t131;
				if(_t247 != 0) {
					__eflags = _t247 - 0x36;
					if(_t247 < 0x36) {
						L4:
						__eflags = _t247 - 0x5f;
						if(_t247 == 0x5f) {
							goto L6;
						} else {
							_t238 = _a4;
							_t238[1] = _t238[1] & 0xffff00ff;
							 *_t238 =  *_t238 & 0x00000000;
							__eflags =  *_t238;
							_t238[1] = 2;
							return _t238;
						}
					} else {
						__eflags = _t247 - 0x39;
						if(_t247 <= 0x39) {
							L6:
							_t243 = _t247 - 0x36;
							_t132 = _t131 + 1;
							 *0x1c6060 = _t132;
							__eflags = _t243 - 0x29;
							if(_t243 != 0x29) {
								__eflags = _t243;
								if(_t243 < 0) {
									goto L14;
								} else {
									__eflags = _t243 - 3;
									goto L13;
								}
								goto L15;
							} else {
								_t247 =  *_t132;
								__eflags = _t247;
								if(_t247 == 0) {
									E0019F9E7(_t247, _a4, 1, _a8);
									_t163 = _a4;
								} else {
									_t243 = _t247 - 0x3d;
									 *0x1c6060 = _t132 + 1;
									__eflags = _t243 - 4;
									if(_t243 < 4) {
										L14:
										_t243 = _t243 | 0xffffffff;
										__eflags = _t243;
									} else {
										__eflags = _t243 - 7;
										L13:
										if(__eflags > 0) {
											goto L14;
										}
									}
									L15:
									__eflags = _t243 - 0xffffffff;
									if(_t243 != 0xffffffff) {
										_v20 = _v20 & 0x00000000;
										_v16 = _v16 & 0xffff0000;
										_push(_t290);
										_t291 = _a8;
										_push(_t286);
										_v12 =  *_t291;
										_t288 = _t243 & 0x00000002;
										__eflags = _t288;
										_v8 = _t291[1];
										if(_t288 == 0) {
											L25:
											__eflags = _t243 & 0x00000004;
											if((_t243 & 0x00000004) != 0) {
												__eflags =  !( *0x1c6070 >> 1) & 0x00000001;
												_push( &_v60);
												if(__eflags == 0) {
													_t189 = E001A1642(_t285, __eflags);
													_t247 =  &_v12;
													E0019EB14( &_v12, _t189);
												} else {
													_t191 = E001A1642(_t285, __eflags);
													E0019F76B(E0019F2F6( &_v52, 0x20),  &_v36, _t191);
													_v28 = _v36;
													_v24 = _v32;
													_t247 =  &_v28;
													E0019F54C( &_v28,  &_v12);
													_v12 = _v28;
													_v8 = _v24;
												}
											}
											_t137 =  !( *0x1c6070 >> 1);
											__eflags = _t137 & 0x00000001;
											if((_t137 & 0x00000001) == 0) {
												E0019EB14( &_v12, E0019F658(_t247,  &_v60));
											} else {
												_t183 = E0019F76B(E0019F658(_t247,  &_v52),  &_v60,  &_v12);
												_v12 =  *_t183;
												_v8 =  *((intOrPtr*)(_t183 + 4));
											}
											__eflags =  *_t291;
											if( *_t291 != 0) {
												E0019F76B(E0019F2F6( &_v60, 0x28),  &_v36,  &_v12);
												_v28 = _v36;
												_v24 = _v32;
												E0019F7B3( &_v28, 0x29);
												_v12 = _v28;
												_v8 = _v24;
											}
											_t141 = E0019E97C(0x1c6040, 8, 0);
											__eflags = _t141;
											if(_t141 == 0) {
												_t292 = 0;
												__eflags = 0;
											} else {
												 *(_t141 + 4) = 0;
												 *(_t141 + 4) =  *(_t141 + 4) & 0xffff00ff;
												 *_t141 = 0;
												_t292 = _t141;
											}
											E0019F1ED(_t285, _t288,  &_v44, _t292);
											_t145 = E0019FCA9(0x1c6040, _t285,  &_v60);
											E0019F76B(E0019F2F6( &_v52, 0x28),  &_v36, _t145);
											_v28 = _v36;
											_v24 = _v32;
											E0019F7B3( &_v28, 0x29);
											E0019F54C( &_v12,  &_v28);
											__eflags = ( *0x1c6070 & 0x00000060) - 0x60;
											if(( *0x1c6070 & 0x00000060) != 0x60) {
												__eflags = _t288;
												if(_t288 != 0) {
													E0019F54C( &_v12,  &_v20);
												}
											}
											_t158 =  !( *0x1c6070 >> 8);
											__eflags = _t158 & 0x00000001;
											_push( &_v60);
											if((_t158 & 0x00000001) == 0) {
												E0019EB14( &_v12, E0019FD89());
											} else {
												E0019F54C( &_v12, E0019FD89());
											}
											__eflags = _t292;
											if(_t292 == 0) {
												E0019EF31(_a4, 3);
												goto L49;
											} else {
												 *_t292 = _v12;
												 *((intOrPtr*)(_t292 + 4)) = _v8;
												_t163 = _a4;
												 *_t163 = _v44;
												_t163[1] = _v40;
											}
										} else {
											E0019F76B(E0019F323( &_v36, "::"),  &_v28,  &_v12);
											_v12 = _v28;
											_v8 = _v24;
											__eflags =  *((char*)( *0x1c6060));
											if( *((char*)( *0x1c6060)) == 0) {
												E0019F76B(E0019EF31( &_v60, 1),  &_v36,  &_v12);
												_v12 = _v36;
												_t213 = _v32;
											} else {
												_push( &_v52);
												_t227 = E001A2606(_t285);
												E0019F76B(E0019F2F6( &_v60, 0x20),  &_v36, _t227);
												_v28 = _v36;
												_v24 = _v32;
												E0019F54C( &_v28,  &_v12);
												_v12 = _v28;
												_t213 = _v24;
											}
											_v8 = _t213;
											_t215 =  *((intOrPtr*)( *0x1c6060));
											__eflags = _t215;
											if(_t215 == 0) {
												E0019F76B(E0019EF31( &_v60, 1), _a4,  &_v12);
												L49:
												_t163 = _a4;
											} else {
												__eflags = _t215 - 0x40;
												if(_t215 != 0x40) {
													_t163 = _a4;
													_t163[1] = _t163[1] & 0xffff00ff;
													 *_t163 =  *_t163 & 0x00000000;
													_t163[1] = 2;
												} else {
													 *0x1c6060 =  *0x1c6060 + 1;
													__eflags = ( *0x1c6070 & 0x00000060) - 0x60;
													_push( &_v60);
													if(( *0x1c6070 & 0x00000060) == 0x60) {
														_t222 = E0019EE56();
														_t247 =  &_v20;
														E0019EB14( &_v20, _t222);
													} else {
														_t224 = E0019EE56();
														_t247 =  *_t224;
														_v20 =  *_t224;
														_v16 = _t224[1];
													}
													goto L25;
												}
											}
										}
									} else {
										_t163 = _a4;
										_t163[1] = _t163[1] & 0xffff00ff;
										 *_t163 =  *_t163 & 0x00000000;
										_t163[1] = 2;
									}
								}
							}
							return _t163;
						} else {
							goto L4;
						}
					}
				} else {
					E0019F9E7(_t247, _a4, 1, _a8);
					return _a4;
				}
			}

0x001a28bd
0x001a28bd
0x001a28bd
0x001a28c2
0x001a28c7
0x001a28ce
0x001a28e5
0x001a28e8
0x001a28ef
0x001a28ef
0x001a28f2
0x00000000
0x001a28f4
0x001a28f4
0x001a28f7
0x001a28fe
0x001a28fe
0x001a2901
0x001a2906
0x001a2906
0x001a28ea
0x001a28ea
0x001a28ed
0x001a2907
0x001a290b
0x001a290e
0x001a290f
0x001a2914
0x001a2917
0x001a294d
0x001a294f
0x00000000
0x001a2951
0x001a2951
0x00000000
0x001a2951
0x00000000
0x001a2919
0x001a2919
0x001a291b
0x001a291d
0x001a293d
0x001a2942
0x001a291f
0x001a2922
0x001a2926
0x001a292b
0x001a292e
0x001a2956
0x001a2956
0x001a2956
0x001a2930
0x001a2930
0x001a2954
0x001a2954
0x00000000
0x00000000
0x001a2954
0x001a2959
0x001a2959
0x001a295c
0x001a2974
0x001a2978
0x001a297f
0x001a2980
0x001a2985
0x001a2986
0x001a298e
0x001a298e
0x001a2991
0x001a2994
0x001a2a72
0x001a2a72
0x001a2a75
0x001a2a84
0x001a2a89
0x001a2a8a
0x001a2b16
0x001a2b1d
0x001a2b20
0x001a2a90
0x001a2a90
0x001a2aa7
0x001a2aaf
0x001a2ab5
0x001a2abc
0x001a2abf
0x001a2ac7
0x001a2acd
0x001a2acd
0x001a2a8a
0x001a2b2c
0x001a2b2e
0x001a2b30
0x001a2b66
0x001a2b32
0x001a2b46
0x001a2b50
0x001a2b53
0x001a2b53
0x001a2b6d
0x001a2b6f
0x001a2b85
0x001a2b8d
0x001a2b98
0x001a2b9b
0x001a2ba3
0x001a2ba9
0x001a2ba9
0x001a2bb4
0x001a2bb9
0x001a2bbb
0x001a2bcd
0x001a2bcd
0x001a2bbd
0x001a2bbd
0x001a2bc0
0x001a2bc7
0x001a2bc9
0x001a2bc9
0x001a2bd4
0x001a2bdd
0x001a2bf6
0x001a2bfe
0x001a2c09
0x001a2c0c
0x001a2c18
0x001a2c25
0x001a2c27
0x001a2c29
0x001a2c2b
0x001a2c34
0x001a2c34
0x001a2c2b
0x001a2c41
0x001a2c43
0x001a2c48
0x001a2c49
0x001a2c66
0x001a2c4b
0x001a2c55
0x001a2c55
0x001a2c6b
0x001a2c6d
0x001a2c8f
0x00000000
0x001a2c6f
0x001a2c72
0x001a2c77
0x001a2c7d
0x001a2c80
0x001a2c85
0x001a2c85
0x001a299a
0x001a29b1
0x001a29b9
0x001a29bf
0x001a29c7
0x001a29ca
0x001a2a23
0x001a2a2b
0x001a2a2e
0x001a29cc
0x001a29cf
0x001a29d0
0x001a29e7
0x001a29ef
0x001a29f5
0x001a29ff
0x001a2a07
0x001a2a0a
0x001a2a0a
0x001a2a31
0x001a2a39
0x001a2a3b
0x001a2a3d
0x001a2b0c
0x001a2c94
0x001a2c94
0x001a2a43
0x001a2a43
0x001a2a45
0x001a2ae3
0x001a2ae6
0x001a2aed
0x001a2af0
0x001a2a4b
0x001a2a50
0x001a2a59
0x001a2a5e
0x001a2a5f
0x001a2ad2
0x001a2ad9
0x001a2adc
0x001a2a61
0x001a2a61
0x001a2a67
0x001a2a6c
0x001a2a6f
0x001a2a6f
0x00000000
0x001a2a5f
0x001a2a45
0x001a2a3d
0x001a295e
0x001a295e
0x001a2961
0x001a2968
0x001a296b
0x001a296b
0x001a295c
0x001a291d
0x001a2c9b
0x00000000
0x00000000
0x00000000
0x001a28ed
0x001a28d0
0x001a28d8
0x001a28e4
0x001a28e4

APIs

operator+.LIBCMT ref: 001A28D8

Part of subcall function 0019F9E7: DName::DName.LIBCMT ref: 0019F9FA
Part of subcall function 0019F9E7: DName::operator+.LIBCMT ref: 0019FA01

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: NameName::Name::operator+operator+
String ID:
API String ID: 2937105810-0
Opcode ID: d91096fbde8c73cd8b9eb26692475f45dcccfa6043fd98332bd170588617192c
Instruction ID: a116cac40468498b68f2a22e1aecb4374ac77e5fec2f6aeea1bdf4cc83b6b49e
Opcode Fuzzy Hash: d91096fbde8c73cd8b9eb26692475f45dcccfa6043fd98332bd170588617192c
Instruction Fuzzy Hash: 34D12C75900209AFDF14DFA8C995EEEBBF8AF19310F10406AF506E7291EB34DA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001927B2, Relevance: 42.1, APIs: 18, Strings: 6, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E001927B2(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t9;
				long _t10;
				void* _t11;
				int _t12;
				void* _t14;
				void* _t15;
				void* _t16;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t35;
				intOrPtr* _t36;
				void* _t39;
				intOrPtr* _t41;
				void* _t42;

				_t30 = __ebx;
				_t35 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t35 != 0) {
					 *0x1c53fc = GetProcAddress(_t35, "FlsAlloc");
					 *0x1c5400 = GetProcAddress(_t35, "FlsGetValue");
					 *0x1c5404 = GetProcAddress(_t35, "FlsSetValue");
					_t7 = GetProcAddress(_t35, "FlsFree");
					__eflags =  *0x1c53fc;
					_t39 = TlsSetValue;
					 *0x1c5408 = _t7;
					if( *0x1c53fc == 0) {
						L6:
						 *0x1c5400 = TlsGetValue;
						_t9 = __imp__TlsFree; // 0x74786560
						 *0x1c53fc = E0019240B;
						 *0x1c5404 = _t39;
						 *0x1c5408 = _t9;
					} else {
						__eflags =  *0x1c5400;
						if( *0x1c5400 == 0) {
							goto L6;
						} else {
							__eflags =  *0x1c5404;
							if( *0x1c5404 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					 *0x1c4258 = _t10;
					__eflags = _t10 - 0xffffffff;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x1c5400);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E00192BA3();
							_t41 = __imp__EncodePointer;
							_t14 =  *_t41( *0x1c53fc);
							 *0x1c53fc = _t14;
							_t15 =  *_t41( *0x1c5400);
							 *0x1c5400 = _t15;
							_t16 =  *_t41( *0x1c5404);
							 *0x1c5404 = _t16;
							 *0x1c5408 =  *_t41( *0x1c5408);
							_t18 = E00197554();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E00192485();
								goto L15;
							} else {
								_t36 = __imp__DecodePointer;
								_t21 =  *((intOrPtr*)( *_t36()))( *0x1c53fc, E00192609);
								 *0x1c4254 = _t21;
								__eflags = _t21 - 0xffffffff;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E0018FF87(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										__eflags =  *((intOrPtr*)( *_t36()))( *0x1c5404,  *0x1c4254, _t42);
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E001924C2(_t30, _t36, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E00192485();
					return 0;
				}
			}

0x001927b2
0x001927c0
0x001927c4
0x001927e4
0x001927f1
0x001927fe
0x00192803
0x00192805
0x0019280c
0x00192812
0x00192817
0x0019282f
0x00192834
0x00192839
0x0019283e
0x00192848
0x0019284e
0x00192819
0x00192819
0x00192820
0x00000000
0x00192822
0x00192822
0x00192829
0x00000000
0x0019282b
0x0019282b
0x0019282d
0x00000000
0x00000000
0x0019282d
0x00192829
0x00192820
0x00192853
0x00192859
0x0019285e
0x00192861
0x00192928
0x00192928
0x00192928
0x00192867
0x0019286e
0x00192870
0x00192872
0x00000000
0x00192878
0x00192878
0x00192883
0x00192889
0x00192891
0x00192896
0x0019289e
0x001928a3
0x001928ab
0x001928b2
0x001928b7
0x001928bc
0x001928be
0x00192923
0x00192923
0x00000000
0x001928c0
0x001928c0
0x001928d3
0x001928d5
0x001928da
0x001928dd
0x00000000
0x001928df
0x001928eb
0x001928ef
0x001928f1
0x00000000
0x001928f3
0x00192904
0x00192906
0x00000000
0x00192908
0x00192908
0x0019290a
0x0019290b
0x00192912
0x00192918
0x0019291c
0x00192920
0x00192920
0x00192906
0x001928f1
0x001928dd
0x001928be
0x00192872
0x0019292c
0x001927c6
0x001927c6
0x001927ce
0x001927ce

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,0018CF0B), ref: 001927BA
__mtterm.LIBCMT ref: 001927C6

Part of subcall function 00192485: DecodePointer.KERNEL32(00000005,00192928,?,0018CF0B), ref: 00192496
Part of subcall function 00192485: TlsFree.KERNEL32(00000019,00192928,?,0018CF0B), ref: 001924B0
Part of subcall function 00192485: DeleteCriticalSection.KERNEL32(00000000,00000000,77E4F3A0,?,00192928,?,0018CF0B), ref: 001975BB
Part of subcall function 00192485: _free.LIBCMT ref: 001975BE
Part of subcall function 00192485: DeleteCriticalSection.KERNEL32(00000019,77E4F3A0,?,00192928,?,0018CF0B), ref: 001975E5

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 001927DC
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 001927E9
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 001927F6
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00192803
TlsAlloc.KERNEL32(?,0018CF0B), ref: 00192853
TlsSetValue.KERNEL32(00000000,?,0018CF0B), ref: 0019286E
__init_pointers.LIBCMT ref: 00192878
EncodePointer.KERNEL32(?,0018CF0B), ref: 00192889
EncodePointer.KERNEL32(?,0018CF0B), ref: 00192896
EncodePointer.KERNEL32(?,0018CF0B), ref: 001928A3
EncodePointer.KERNEL32(?,0018CF0B), ref: 001928B0
DecodePointer.KERNEL32(Function_00012609,?,0018CF0B), ref: 001928D1
__calloc_crt.LIBCMT ref: 001928E6
DecodePointer.KERNEL32(00000000,?,0018CF0B), ref: 00192900
GetCurrentThreadId.KERNEL32 ref: 00192912

Strings

KERNEL32.DLL, xrefs: 001927B5
FlsSetValue, xrefs: 001927EB
FlsFree, xrefs: 001927F8
FlsGetValue, xrefs: 001927DE
FlsAlloc, xrefs: 001927D6
`ext, xrefs: 00192839

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL$`ext
API String ID: 3698121176-3547465748
Opcode ID: eb236c6d4b898dce605f08c5f02d0928ff397e09d2ede76c1a51585e81fc83d2
Instruction ID: 3f76972b0470fd465309cf71573532421b2a3f3f7c3acf079f0a01a47e0ff892
Opcode Fuzzy Hash: eb236c6d4b898dce605f08c5f02d0928ff397e09d2ede76c1a51585e81fc83d2
Instruction Fuzzy Hash: C8319031804A51AFCB15AF74BC09E1A3FE6FB95765B20512AE414D3AB0EB74E4C2CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0018EF48, Relevance: 24.1, APIs: 16, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0018EF48(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				intOrPtr _t17;
				intOrPtr _t19;
				void* _t42;
				intOrPtr* _t50;

				if(_a4 > 5 || _a8 == 0) {
					L4:
					return 0;
				} else {
					_t50 = E0018FF87(8, 1);
					_t56 = _t50;
					if(_t50 != 0) {
						_t13 = E0018FF87(0xd8, 1);
						 *_t50 = _t13;
						__eflags = _t13;
						if(_t13 != 0) {
							_t14 = E0018FF87(0x220, 1);
							 *((intOrPtr*)(_t50 + 4)) = _t14;
							__eflags = _t14;
							if(_t14 != 0) {
								E0018E270( *_t50, 0x1c4170);
								_t47 =  *_t50;
								_t17 = E0018ED2C(_a4,  *_t50, _a8);
								_pop(_t42);
								__eflags = _t17;
								if(__eflags != 0) {
									_t19 = E00191CEA(_t42, _t47, __eflags,  *((intOrPtr*)( *_t50 + 4)),  *((intOrPtr*)(_t50 + 4)));
									__eflags = _t19;
									if(_t19 == 0) {
										 *((intOrPtr*)( *((intOrPtr*)(_t50 + 4)))) = 1;
										 *((intOrPtr*)( *((intOrPtr*)(_t50 + 4)))) = 1;
										L17:
										return _t50;
									}
									E0018C63F( *((intOrPtr*)(_t50 + 4)));
									E00192158( *_t50);
									E001921F1( *_t50);
									E0018C63F(_t50);
									L15:
									_t50 = 0;
									goto L17;
								}
								E00192158( *_t50);
								E001921F1( *_t50);
								E0018C63F(_t50);
								goto L15;
							}
							E0018C63F( *_t50);
							E0018C63F(_t50);
							L8:
							goto L3;
						}
						E0018C63F(_t50);
						goto L8;
					}
					L3:
					 *((intOrPtr*)(E001912E2(_t56))) = 0xc;
					goto L4;
				}
			}

0x0018ef53
0x0018ef79
0x00000000
0x0018ef5b
0x0018ef66
0x0018ef6a
0x0018ef6c
0x0018ef85
0x0018ef8c
0x0018ef8e
0x0018ef90
0x0018efa1
0x0018efa8
0x0018efab
0x0018efad
0x0018efc6
0x0018efd1
0x0018efd3
0x0018efd8
0x0018efd9
0x0018efdb
0x0018effe
0x0018f005
0x0018f007
0x0018f02f
0x0018f034
0x0018f036
0x00000000
0x0018f036
0x0018f00c
0x0018f013
0x0018f01a
0x0018f020
0x0018f028
0x0018f028
0x00000000
0x0018f028
0x0018efdf
0x0018efe6
0x0018efec
0x00000000
0x0018eff1
0x0018efb1
0x0018efb7
0x0018ef98
0x00000000
0x0018ef98
0x0018ef93
0x00000000
0x0018ef93
0x0018ef6e
0x0018ef73
0x00000000
0x0018ef73

APIs

__calloc_crt.LIBCMT ref: 0018EF61

Part of subcall function 0018FF87: Sleep.KERNEL32(00000000,?,?,?,00000000,00000000,00000000), ref: 0018FFAF

__calloc_crt.LIBCMT ref: 0018EF85
_free.LIBCMT ref: 0018EF93
__calloc_crt.LIBCMT ref: 0018EFA1
_free.LIBCMT ref: 0018EFB1
_free.LIBCMT ref: 0018EFB7
__copytlocinfo_nolock.LIBCMT ref: 0018EFC6
__setlocale_nolock.LIBCMT ref: 0018EFD3
___removelocaleref.LIBCMT ref: 0018EFDF
___freetlocinfo.LIBCMT ref: 0018EFE6
_free.LIBCMT ref: 0018EFEC
__setmbcp_nolock.LIBCMT ref: 0018EFFE
_free.LIBCMT ref: 0018F00C
___removelocaleref.LIBCMT ref: 0018F013
___freetlocinfo.LIBCMT ref: 0018F01A
_free.LIBCMT ref: 0018F020

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref$Sleep__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 888903860-0
Opcode ID: 2cfd2cc44b16a6596a28bfcd3b983aa45cca4c31c15aa6d7b888832379f6f5e6
Instruction ID: 35b5af938b3c08ba9cced48658b23a6b5add8396f4b26603b8dbea1dbd1fd5ac
Opcode Fuzzy Hash: 2cfd2cc44b16a6596a28bfcd3b983aa45cca4c31c15aa6d7b888832379f6f5e6
Instruction Fuzzy Hash: E721F436108601EFDB257F24DC02D1ABBE5EF61760B21443EFA8496261EF329E518FA5

Uniqueness

Uniqueness Score: -1.00%

Function 001A39C8, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E001A39C8(void* __edx, void* __edi, intOrPtr* _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v12;
				signed int _v16;
				char _v20;
				char _v28;
				void* __esi;
				char _t36;
				void* _t39;
				intOrPtr _t41;
				char _t43;
				intOrPtr _t44;
				intOrPtr _t51;
				intOrPtr* _t52;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t58;
				void* _t65;
				intOrPtr* _t77;

				_t76 = __edi;
				_t75 = __edx;
				_t71 = 0xffff0000;
				_v8 = _v8 & 0xffff0000;
				_t36 =  *((char*)( *0x1c6060));
				_v12 = 0;
				if(_t36 == 0) {
					L31:
					_push(_a8);
					L32:
					_push(1);
					_push(_a4);
					E0019F9E7(_t71);
					L33:
					L34:
					return _a4;
				}
				_t39 = _t36 - 0x24;
				if(_t39 == 0) {
					_t41 =  *((intOrPtr*)( *0x1c6060 + 1));
					__eflags = _t41 - 0x24;
					if(_t41 == 0x24) {
						 *0x1c6060 =  *0x1c6060 + 2;
						_t43 =  *((char*)( *0x1c6060));
						_t77 = _a8;
						__eflags = _t43 - 0x51;
						if(__eflags > 0) {
							_t44 = _t43 - 0x52;
							__eflags = _t44;
							if(_t44 == 0) {
								_t71 =  &_v12;
								E0019F623( &_v12, "volatile");
								__eflags =  *_t77;
								if( *_t77 != 0) {
									_t71 =  &_v12;
									E0019F7B3( &_v12, 0x20);
								}
								L30:
								_push("&&");
								L9:
								 *0x1c6060 =  *0x1c6060 + 1;
								_v20 =  *_t77;
								_push( &_v20);
								_push( &_v12);
								_push(_a4);
								_v16 =  *(_t77 + 4) | 0x00000100;
								E001A337A(_t71, _t75, _t76);
								goto L34;
							}
							_t51 = _t44 - 1;
							__eflags = _t51;
							if(_t51 == 0) {
								 *0x1c6060 =  *0x1c6060 + 1;
								L12:
								_t52 = _a4;
								 *(_t52 + 4) =  *(_t52 + 4) & 0xffff00ff;
								 *(_t52 + 4) = 2;
								 *_t52 = 0;
								return _t52;
							}
							__eflags = _t51 != 1;
							if(_t51 != 1) {
								goto L12;
							}
							 *0x1c6060 =  *0x1c6060 + 1;
							E0019F323(_a4, "std::nullptr_t");
							goto L34;
						}
						if(__eflags == 0) {
							goto L30;
						}
						_t55 = _t43;
						__eflags = _t55;
						if(_t55 == 0) {
							_push(_t77);
							goto L32;
						}
						_t56 = _t55 - 0x41;
						__eflags = _t56;
						if(_t56 == 0) {
							 *0x1c6060 =  *0x1c6060 + 1;
							E001A28BD(__edx, __edi, _t77, _a4, _t77);
							L5:
							goto L34;
						}
						_t58 = _t56 - 1;
						__eflags = _t58;
						if(_t58 == 0) {
							 *0x1c6060 =  *0x1c6060 + 1;
							E001A07A4(__edx, _t77, _a4, _t77, 1);
							goto L33;
						}
						__eflags = _t58 != 1;
						if(_t58 != 1) {
							goto L12;
						}
						 *0x1c6060 =  *0x1c6060 + 1;
						_v8 = _v8 & 0xffff0000;
						_v12 = 0;
						E001A3605(0xffff0000, _t75, _a4, E001A2C9C(0xffff0000,  &_v28, _t77, 0x1bb6a1,  &_v12, 0));
						goto L34;
					}
					__eflags = _t41;
					if(_t41 == 0) {
						goto L31;
					}
					goto L12;
				}
				_t65 = _t39 - 0x1d;
				_t77 = _a8;
				if(_t65 == 0) {
					L8:
					_push("&");
					goto L9;
				}
				if(_t65 == 1) {
					_t71 =  &_v12;
					E0019F623( &_v12, "volatile");
					__eflags =  *_t77;
					if( *_t77 != 0) {
						_t71 =  &_v12;
						E0019F7B3( &_v12, 0x20);
					}
					goto L8;
				} else {
					E001A3605(0xffff0000, __edx, _a4, _t77);
					goto L5;
				}
			}

0x001a39c8
0x001a39c8
0x001a39db
0x001a39e0
0x001a39e3
0x001a39e6
0x001a39e9
0x001a3b62
0x001a3b62
0x001a3b65
0x001a3b65
0x001a3b67
0x001a3b6a
0x001a3b6f
0x001a3b72
0x00000000
0x001a3b72
0x001a39ef
0x001a39f2
0x001a3a63
0x001a3a66
0x001a3a68
0x001a3a87
0x001a3a93
0x001a3a96
0x001a3a99
0x001a3a9c
0x001a3b0e
0x001a3b0e
0x001a3b11
0x001a3b42
0x001a3b45
0x001a3b4a
0x001a3b4c
0x001a3b50
0x001a3b53
0x001a3b53
0x001a3b58
0x001a3b58
0x001a3a2f
0x001a3a34
0x001a3a3a
0x001a3a40
0x001a3a44
0x001a3a45
0x001a3a4e
0x001a3a51
0x00000000
0x001a3a56
0x001a3b13
0x001a3b13
0x001a3b14
0x001a3b32
0x001a3a72
0x001a3a72
0x001a3a75
0x001a3a7c
0x001a3a80
0x00000000
0x001a3a80
0x001a3b16
0x001a3b17
0x00000000
0x00000000
0x001a3b20
0x001a3b2b
0x00000000
0x001a3b2b
0x001a3a9e
0x00000000
0x00000000
0x001a3aa4
0x001a3aa4
0x001a3aa6
0x001a3b0b
0x00000000
0x001a3b0b
0x001a3aa8
0x001a3aa8
0x001a3aab
0x001a3af7
0x001a3b01
0x001a3a08
0x00000000
0x001a3a09
0x001a3aad
0x001a3aad
0x001a3aae
0x001a3ae4
0x001a3af0
0x00000000
0x001a3af0
0x001a3ab0
0x001a3ab1
0x00000000
0x00000000
0x001a3ab3
0x001a3ab9
0x001a3acb
0x001a3ad7
0x00000000
0x001a3adc
0x001a3a6a
0x001a3a6c
0x00000000
0x00000000
0x00000000
0x001a3a6c
0x001a39f4
0x001a39f7
0x001a39fa
0x001a3a2a
0x001a3a2a
0x00000000
0x001a3a2a
0x001a39fd
0x001a3a14
0x001a3a17
0x001a3a1c
0x001a3a1e
0x001a3a22
0x001a3a25
0x001a3a25
0x00000000
0x001a39ff
0x001a3a03
0x00000000
0x001a3a03

APIs

UnDecorator::getBasicDataType.LIBCMT ref: 001A3A03
DName::operator=.LIBCMT ref: 001A3A17
DName::operator+=.LIBCMT ref: 001A3A25
UnDecorator::getPtrRefType.LIBCMT ref: 001A3A51
UnDecorator::getDataIndirectType.LIBCMT ref: 001A3ACE
UnDecorator::getBasicDataType.LIBCMT ref: 001A3AD7
operator+.LIBCMT ref: 001A3B6A

Strings

volatile, xrefs: 001A3A0F, 001A3B3D
std::nullptr_t, xrefs: 001A3B26

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: Decorator::getType$Data$Basic$IndirectName::operator+=Name::operator=operator+
String ID: std::nullptr_t$volatile
API String ID: 2203807771-3726895890
Opcode ID: 5513aa9ef8cf26f3510bbcab5beee31f3606633781cf115aa7a670afaecf546e
Instruction ID: 32bdc9bd0b5dead286dd1b4d077aba49a13e4632565948bfc371fce36323d1a4
Opcode Fuzzy Hash: 5513aa9ef8cf26f3510bbcab5beee31f3606633781cf115aa7a670afaecf546e
Instruction Fuzzy Hash: 9A41CD79404218BFCB159F94C986AE97FB5FB13310F14406AF866AB562D730DF81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00190B65, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00190B65(signed int* _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int* _t32;
				void* _t33;
				void* _t34;
				void* _t36;
				intOrPtr _t37;
				intOrPtr _t39;
				signed int* _t41;
				signed int _t44;
				signed int _t51;
				signed int _t54;
				void* _t55;
				signed int _t57;
				signed int _t59;
				signed int _t61;
				void* _t63;
				void* _t64;

				_t32 = _a4;
				_t64 = _t63 - 0x10;
				if(_t32 != 0) {
					_t51 = _a12;
					_t61 =  *_t32;
					_t57 = _a8;
					__eflags = _t57;
					if(_t57 == 0) {
						L4:
						_t33 =  *_t61;
						__eflags = _t33 - 0xe0434f4d;
						if(_t33 == 0xe0434f4d) {
							L22:
							__eflags = _t33 - 0xe06d7363;
							if(__eflags != 0) {
								L30:
								_t34 = E001925EF(_t51, _t55, __eflags);
								_t30 = _t34 + 0x90;
								 *_t30 =  *(_t34 + 0x90) + 1;
								__eflags =  *_t30;
								goto L31;
							} else {
								__eflags =  *((intOrPtr*)(_t61 + 0x10)) - 3;
								if(__eflags != 0) {
									goto L30;
								} else {
									_t37 =  *((intOrPtr*)(_t61 + 0x14));
									__eflags = _t37 - 0x19930520;
									if(_t37 == 0x19930520) {
										L27:
										__eflags =  *(_t61 + 0x1c);
										if(__eflags != 0) {
											goto L30;
										} else {
											__eflags =  *(E001925EF(_t51, _t55, __eflags) + 0x88);
											if(__eflags != 0) {
												goto L30;
											} else {
												goto L29;
											}
										}
									} else {
										__eflags = _t37 - 0x19930521;
										if(_t37 == 0x19930521) {
											goto L27;
										} else {
											__eflags = _t37 - 0x19930522;
											if(__eflags != 0) {
												goto L30;
											} else {
												goto L27;
											}
										}
									}
								}
							}
						} else {
							__eflags = _t33 - 0xe0434352;
							if(_t33 == 0xe0434352) {
								goto L22;
							} else {
								__eflags = _t51 & 0x00000040;
								if((_t51 & 0x00000040) == 0) {
									goto L22;
								} else {
									goto L7;
								}
							}
						}
					} else {
						__eflags =  *((char*)(_t57 + 8));
						if( *((char*)(_t57 + 8)) != 0) {
							L7:
							__eflags =  *_t61 - 0xe06d7363;
							if( *_t61 != 0xe06d7363) {
								L29:
								_t36 = 0;
							} else {
								__eflags =  *((intOrPtr*)(_t61 + 0x10)) - 3;
								if( *((intOrPtr*)(_t61 + 0x10)) != 3) {
									goto L29;
								} else {
									_t39 =  *((intOrPtr*)(_t61 + 0x14));
									__eflags = _t39 - 0x19930520;
									if(_t39 == 0x19930520) {
										L12:
										__eflags =  *(_t61 + 0x1c);
										if(__eflags != 0) {
											L15:
											_t41 =  *( *(_t61 + 0x1c) + 0xc);
											_v16 = _t57;
											_t59 =  *_t41;
											_v20 = _t51 | 0x80000000;
											_t54 =  &(_t41[1]);
											while(1) {
												__eflags = _t59;
												if(_t59 <= 0) {
													break;
												}
												_a4 =  *_t54;
												_t44 = E001900C3( &_v20,  *_t54,  *(_t61 + 0x1c));
												_t64 = _t64 + 0xc;
												__eflags = _t44;
												if(__eflags != 0) {
													 *((intOrPtr*)(E001925EF(_t54, _t55, __eflags) + 0x90)) =  *((intOrPtr*)(_t45 + 0x90)) + 1;
													__eflags = _a16;
													if(__eflags != 0) {
														_push(_a4);
														_push( &_v20);
														_push(_a16);
														_push(_t61);
														E00190AD3(_t54, _t59, _t61, __eflags);
													}
													L31:
													_t36 = 1;
													__eflags = 1;
												} else {
													_t59 = _t59 - 1;
													_t54 = _t54 + 4;
													__eflags = _t54;
													continue;
												}
												goto L32;
											}
											goto L29;
										} else {
											__eflags =  *(E001925EF(_t51, _t55, __eflags) + 0x88);
											if(__eflags == 0) {
												goto L29;
											} else {
												_t61 =  *(E001925EF(_t51, _t55, __eflags) + 0x88);
												goto L15;
											}
										}
									} else {
										__eflags = _t39 - 0x19930521;
										if(_t39 == 0x19930521) {
											goto L12;
										} else {
											__eflags = _t39 - 0x19930522;
											if(_t39 != 0x19930522) {
												goto L29;
											} else {
												goto L12;
											}
										}
									}
								}
							}
						} else {
							goto L4;
						}
					}
					L32:
					return _t36;
				} else {
					return _t32;
				}
			}

0x00190b6a
0x00190b6d
0x00190b72
0x00190b77
0x00190b7b
0x00190b7e
0x00190b81
0x00190b83
0x00190b8b
0x00190b8b
0x00190b8d
0x00190b92
0x00190c63
0x00190c63
0x00190c68
0x00190ca0
0x00190ca0
0x00190ca5
0x00190ca5
0x00190ca5
0x00000000
0x00190c6a
0x00190c6a
0x00190c6e
0x00000000
0x00190c70
0x00190c70
0x00190c73
0x00190c78
0x00190c88
0x00190c88
0x00190c8c
0x00000000
0x00190c8e
0x00190c93
0x00190c9a
0x00000000
0x00000000
0x00000000
0x00000000
0x00190c9a
0x00190c7a
0x00190c7a
0x00190c7f
0x00000000
0x00190c81
0x00190c81
0x00190c86
0x00000000
0x00000000
0x00000000
0x00000000
0x00190c86
0x00190c7f
0x00190c78
0x00190c6e
0x00190b98
0x00190b98
0x00190b9d
0x00000000
0x00190ba3
0x00190ba3
0x00190ba6
0x00000000
0x00000000
0x00000000
0x00000000
0x00190ba6
0x00190b9d
0x00190b85
0x00190b85
0x00190b89
0x00190bac
0x00190bac
0x00190bb2
0x00190c9c
0x00190c9c
0x00190bb8
0x00190bb8
0x00190bbc
0x00000000
0x00190bc2
0x00190bc2
0x00190bc5
0x00190bca
0x00190bde
0x00190bde
0x00190be2
0x00190c01
0x00190c04
0x00190c0d
0x00190c10
0x00190c12
0x00190c15
0x00190c37
0x00190c37
0x00190c39
0x00000000
0x00000000
0x00190c1f
0x00190c27
0x00190c2c
0x00190c2f
0x00190c31
0x00190c42
0x00190c48
0x00190c4c
0x00190c4e
0x00190c54
0x00190c55
0x00190c58
0x00190c59
0x00190c5e
0x00190cab
0x00190cad
0x00190cad
0x00190c33
0x00190c33
0x00190c34
0x00190c34
0x00000000
0x00190c34
0x00000000
0x00190c31
0x00000000
0x00190be4
0x00190be9
0x00190bf0
0x00000000
0x00190bf6
0x00190bfb
0x00000000
0x00190bfb
0x00190bf0
0x00190bcc
0x00190bcc
0x00190bd1
0x00000000
0x00190bd3
0x00190bd3
0x00190bd8
0x00000000
0x00000000
0x00000000
0x00000000
0x00190bd8
0x00190bd1
0x00190bca
0x00190bbc
0x00000000
0x00000000
0x00000000
0x00190b89
0x00190cae
0x00190cb2
0x00190b75
0x00190b75
0x00190b75

APIs

__getptd.LIBCMT ref: 00190BE4
__getptd.LIBCMT ref: 00190BF6

Strings

MOC, xrefs: 00190B8D
csm, xrefs: 00190BAC
csm, xrefs: 00190C63
RCC, xrefs: 00190B98

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: __getptd
String ID: MOC$RCC$csm$csm
API String ID: 3384420010-1441736206
Opcode ID: 98a5439129e9ef4270c57213aff1b705869e225d736cf2621624b2416f04fa37
Instruction ID: b3615b833cd04b056e46401aad50e46eb0a04c83865cd9766f7bedc225240836
Opcode Fuzzy Hash: 98a5439129e9ef4270c57213aff1b705869e225d736cf2621624b2416f04fa37
Instruction Fuzzy Hash: 9331D4354002059FDF369F68C8847AA73E8FF58315F694AAAD889C7111D730ED84CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0018B333, Relevance: 18.1, APIs: 12, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0018B333(short* _a4, int _a8, intOrPtr _a12, char* _a16, char _a20) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t35;
				int _t36;
				char _t37;
				char _t40;
				signed int _t46;
				void* _t48;
				void* _t49;
				char _t54;
				void* _t56;
				void* _t60;
				char _t63;
				char _t64;
				short* _t66;
				void* _t67;
				char _t68;
				char* _t79;
				void* _t80;
				char _t81;
				char* _t82;

				_t79 = _a8;
				if(_t79 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t79 != 0) {
						_t35 = _a20;
						__eflags = _t35;
						if(__eflags != 0) {
							_t81 =  *_t35;
							_t36 =  *((intOrPtr*)(_t35 + 4));
						} else {
							_t81 =  *(E0018FEE1(_t67, _t79, _t80, __eflags) + 8);
							_t36 = E0018FE95(_t67, _t79, _t81, __eflags);
						}
						_a8 = _t36;
						__eflags = _t81;
						if(_t81 != 0) {
							_t37 = E0018B245(_a8);
							_t82 = _a16;
							__eflags =  *_t82;
							_t68 = _t37;
							if( *_t82 == 0) {
								__eflags = _t68;
								if(__eflags != 0) {
									_t40 =  *( *((intOrPtr*)(_t68 + 4)) + ( *_t79 & 0x000000ff) + 0x1d) & 4;
									__eflags = _t40;
								} else {
									_t40 =  *(E0018F443(_t68, _t79, _t82, __eflags) + ( *_t79 & 0x000000ff) * 2) & 0x8000;
								}
								__eflags = _t40;
								if(_t40 == 0) {
									__eflags = _a4;
									__eflags = MultiByteToWideChar(_a8, 9, _t79, 1, _a4, 0 | _a4 != 0x00000000);
									if(__eflags != 0) {
										goto L13;
									}
									goto L20;
								} else {
									_t48 = E0018FE79(_t68, _t79, _t82, _t68);
									__eflags = _a12 - _t48;
									if(_a12 >= _t48) {
										_t49 = E0018FE79(_t68, _t79, _t82, _t68);
										__eflags = _t49 - 1;
										if(_t49 <= 1) {
											L29:
											__eflags = _t79[1];
											if(_t79[1] != 0) {
												L18:
												return E0018FE79(_t68, _t79, _t82, _t68);
											}
											L19:
											 *_t82 =  *_t82 & 0x00000000;
											__eflags =  *_t82;
											L20:
											_t46 = E001912E2(__eflags);
											 *_t46 = 0x2a;
											return _t46 | 0xffffffff;
										}
										__eflags = _a4;
										_t54 = MultiByteToWideChar(_a8, 9, _t79, E0018FE79(_t68, _t79, _t82, _t68), _a4, 0 | _a4 != 0x00000000);
										__eflags = _t54;
										if(_t54 != 0) {
											goto L18;
										}
										goto L29;
									}
									 *_t82 =  *_t79;
									_t56 = 0xfffffffe;
									return _t56;
								}
							}
							_t82[1] =  *_t79;
							_t60 = E0018FE79(_t68, _t79, _t82, _t68);
							__eflags = _t60 - 1;
							if(_t60 <= 1) {
								goto L19;
							}
							__eflags = _a4;
							_t63 = MultiByteToWideChar(_a8, 9, _t82, 2, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t63;
							if(_t63 == 0) {
								goto L19;
							}
							 *_t82 =  *_t82 & 0x00000000;
							__eflags =  *_t82;
							goto L18;
						} else {
							_t64 = _a4;
							__eflags = _t64;
							if(_t64 != 0) {
								 *_t64 =  *_t79 & 0x000000ff;
							}
							L13:
							return 1;
						}
					} else {
						_t66 = _a4;
						if(_t66 != 0) {
							 *_t66 = 0;
						}
						goto L5;
					}
				}
			}

0x0018b33b
0x0018b340
0x0018b359
0x00000000
0x0018b348
0x0018b34b
0x0018b360
0x0018b363
0x0018b365
0x0018b376
0x0018b378
0x0018b367
0x0018b36c
0x0018b36f
0x0018b36f
0x0018b37b
0x0018b37e
0x0018b380
0x0018b397
0x0018b39c
0x0018b39f
0x0018b3a3
0x0018b3a5
0x0018b3fb
0x0018b3fd
0x0018b41d
0x0018b41d
0x0018b3ff
0x0018b40b
0x0018b40b
0x0018b420
0x0018b422
0x0018b481
0x0018b499
0x0018b49b
0x00000000
0x00000000
0x00000000
0x0018b424
0x0018b425
0x0018b42b
0x0018b42e
0x0018b43d
0x0018b443
0x0018b446
0x0018b470
0x0018b470
0x0018b474
0x0018b3d9
0x00000000
0x0018b3df
0x0018b3e5
0x0018b3e5
0x0018b3e5
0x0018b3e8
0x0018b3e8
0x0018b3ed
0x00000000
0x0018b3f3
0x0018b44a
0x0018b462
0x0018b468
0x0018b46a
0x00000000
0x00000000
0x00000000
0x0018b46a
0x0018b434
0x0018b436
0x00000000
0x0018b436
0x0018b422
0x0018b3aa
0x0018b3ad
0x0018b3b3
0x0018b3b6
0x00000000
0x00000000
0x0018b3ba
0x0018b3cc
0x0018b3d2
0x0018b3d4
0x00000000
0x00000000
0x0018b3d6
0x0018b3d6
0x00000000
0x0018b382
0x0018b382
0x0018b385
0x0018b387
0x0018b38c
0x0018b38c
0x0018b38f
0x00000000
0x0018b391
0x0018b34d
0x0018b34d
0x0018b352
0x0018b356
0x0018b356
0x00000000
0x0018b352
0x0018b34b

APIs

____lc_handle_func.LIBCMT ref: 0018B367
____lc_codepage_func.LIBCMT ref: 0018B36F
__GetLocaleForCP.LIBCPMT ref: 0018B397
____mb_cur_max_l_func.LIBCMT ref: 0018B3AD
MultiByteToWideChar.KERNEL32(?,00000009,?,00000002,?,00000000), ref: 0018B3CC
____mb_cur_max_l_func.LIBCMT ref: 0018B3DA
___pctype_func.LIBCMT ref: 0018B3FF
____mb_cur_max_l_func.LIBCMT ref: 0018B425
____mb_cur_max_l_func.LIBCMT ref: 0018B43D
____mb_cur_max_l_func.LIBCMT ref: 0018B455
MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,?,00000000), ref: 0018B462
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000), ref: 0018B493

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: ____mb_cur_max_l_func$ByteCharMultiWide$Locale____lc_codepage_func____lc_handle_func___pctype_func
String ID:
API String ID: 3819326198-0
Opcode ID: 8a24ef2bcf92077e563e7e5cd93652e5e290d3d21870cc0cdd2372916f5ff1a4
Instruction ID: 7b6fd0fd8077fc77bdfe4187f96e171a6c90d5decff387e1f02cf9f08dd41104
Opcode Fuzzy Hash: 8a24ef2bcf92077e563e7e5cd93652e5e290d3d21870cc0cdd2372916f5ff1a4
Instruction Fuzzy Hash: B9418F7110C245AFDB207F3198D5B7A3BA8BF11351F298529FC56CA1A2EB34DA90DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0018E1A7, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0018E1A7(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v12;
				char* _v16;
				intOrPtr _v20;
				char* _v32;
				char* _t12;
				char** _t14;
				char* _t16;
				char* _t21;
				char* _t22;
				void* _t35;
				char* _t36;
				char* _t37;
				char* _t38;
				void* _t42;
				void* _t46;

				_t42 = _t46;
				_push(__ebx);
				_t35 = E00192576(__ebx);
				if(_t35 != 0) {
					__eflags =  *(_t35 + 0x24);
					if( *(_t35 + 0x24) != 0) {
						L7:
						_t36 =  *(_t35 + 0x24);
						_t12 = E0019497A(_t36, 0x86, E0018E17F(_a4));
						__eflags = _t12;
						if(_t12 != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00192A99();
							asm("int3");
							_push(_t42);
							_push(_t36);
							_push(0x86);
							__eflags = _v32;
							if(__eflags != 0) {
								_t37 = _v16;
								__eflags = _t37;
								if(__eflags <= 0) {
									goto L10;
								} else {
									_t7 = _t37 - 1; // -1
									_t16 = E00198874(_v20, _t37, E0018E17F(_v12), _t7);
									__eflags = _t16;
									if(_t16 == 0) {
										goto L11;
									} else {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E00192A99();
										asm("int3");
										return  *0x1c622c;
									}
								}
							} else {
								L10:
								_t14 = E001912E2(__eflags);
								_t38 = 0x16;
								 *_t14 = _t38;
								E00192B05();
								_t16 = _t38;
								L11:
								return _t16;
							}
						} else {
							_t21 = _t36;
							goto L5;
						}
					} else {
						_t22 = E0018FF87(0x86, 1);
						 *(_t35 + 0x24) = _t22;
						__eflags = _t22;
						if(_t22 != 0) {
							goto L7;
						} else {
							_t21 = "Visual C++ CRT: Not enough memory to complete call to strerror.";
							L5:
							goto L6;
						}
					}
				} else {
					_t21 = "Visual C++ CRT: Not enough memory to complete call to strerror.";
					L6:
					return _t21;
				}
			}

0x0018e1aa
0x0018e1ac
0x0018e1b3
0x0018e1b9
0x0018e1c8
0x0018e1cb
0x0018e1e8
0x0018e1eb
0x0018e1f6
0x0018e1fe
0x0018e200
0x0018e206
0x0018e207
0x0018e208
0x0018e209
0x0018e20a
0x0018e20b
0x0018e210
0x0018e213
0x0018e216
0x0018e217
0x0018e21a
0x0018e21d
0x0018e234
0x0018e237
0x0018e239
0x00000000
0x0018e23b
0x0018e23b
0x0018e24d
0x0018e255
0x0018e257
0x00000000
0x0018e259
0x0018e259
0x0018e25a
0x0018e25b
0x0018e25c
0x0018e25d
0x0018e25e
0x0018e263
0x0018e269
0x0018e269
0x0018e257
0x0018e21f
0x0018e21f
0x0018e21f
0x0018e226
0x0018e227
0x0018e229
0x0018e22e
0x0018e230
0x0018e233
0x0018e233
0x0018e202
0x0018e202
0x00000000
0x0018e202
0x0018e1cd
0x0018e1d0
0x0018e1d7
0x0018e1da
0x0018e1dc
0x00000000
0x0018e1de
0x0018e1de
0x0018e1e3
0x00000000
0x0018e1e3
0x0018e1dc
0x0018e1bb
0x0018e1bb
0x0018e1e4
0x0018e1e7
0x0018e1e7

APIs

__getptd_noexit.LIBCMT ref: 0018E1AE

Part of subcall function 00192576: GetLastError.KERNEL32(00000000,00000000,001925F7,00000000,0018B4BE,00000000,?,0018B596,?,?,?,?,00000000,00000000,00000000), ref: 0019257A
Part of subcall function 00192576: ___set_flsgetvalue.LIBCMT ref: 00192588
Part of subcall function 00192576: __calloc_crt.LIBCMT ref: 0019259C
Part of subcall function 00192576: DecodePointer.KERNEL32(00000000,?,0018B596,?,?,?,?,00000000,00000000,00000000), ref: 001925B6
Part of subcall function 00192576: GetCurrentThreadId.KERNEL32 ref: 001925CC
Part of subcall function 00192576: SetLastError.KERNEL32(00000000,?,0018B596,?,?,?,?,00000000,00000000,00000000), ref: 001925E4

__calloc_crt.LIBCMT ref: 0018E1D0
__get_sys_err_msg.LIBCMT ref: 0018E1EE
_strcpy_s.LIBCMT ref: 0018E1F6
__invoke_watson.LIBCMT ref: 0018E20B
__get_sys_err_msg.LIBCMT ref: 0018E242
__invoke_watson.LIBCMT ref: 0018E25E

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 0018E1BB, 0018E1DE

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__calloc_crt__get_sys_err_msg__invoke_watson$CurrentDecodePointerThread___set_flsgetvalue__getptd_noexit_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 529621579-798102604
Opcode ID: dc593da12b980c3f7ce694c845c0d71820670def804437245c97eab1c6563bbe
Instruction ID: e97cfa7bfb571ce961f76ef1d638582a84f7d15ad50eaff1115d1ce69d83bffd
Opcode Fuzzy Hash: dc593da12b980c3f7ce694c845c0d71820670def804437245c97eab1c6563bbe
Instruction Fuzzy Hash: 661122736041193BAF217E6A9C859AF7BDDEBA5760B110036FA18D7601EB31DE008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0019FCA9, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0019FCA9(void* __ecx, void* __edx, signed int* _a4) {
				intOrPtr _v8;
				char _v12;
				char _v20;
				void* _t23;
				char* _t31;
				intOrPtr* _t34;
				intOrPtr _t36;
				char* _t40;
				intOrPtr* _t42;
				signed int* _t45;
				intOrPtr _t49;
				intOrPtr* _t51;

				_t23 =  *((char*)( *0x1c6060)) - 0x58;
				if(_t23 == 0) {
					 *0x1c6060 =  *0x1c6060 + 1;
					_push("void");
					goto L16;
				} else {
					if(_t23 == 0) {
						 *0x1c6060 =  *0x1c6060 + 1;
						_t31 = "...";
						if(( !( *0x1c6070 >> 0x12) & 0x00000001) == 0) {
							_t31 = "<ellipsis>";
						}
						_push(_t31);
						L16:
						E0019F323(_a4);
						return _a4;
					} else {
						E0019F869(__edx,  &_v12);
						_t49 = _v8;
						if(_t49 != 0) {
							L11:
							_t34 = _a4;
							 *_t34 = _v12;
							 *((intOrPtr*)(_t34 + 4)) = _t49;
							return _t34;
						} else {
							_t36 =  *((intOrPtr*)( *0x1c6060));
							if(_t36 == 0) {
								goto L11;
							} else {
								if(_t36 == 0x40) {
									 *0x1c6060 =  *0x1c6060 + 1;
									goto L11;
								} else {
									if(_t36 == 0x5a) {
										 *0x1c6060 =  *0x1c6060 + 1;
										_t40 = ",...";
										if(( !( *0x1c6070 >> 0x12) & 0x00000001) == 0) {
											_t40 = ",<ellipsis>";
										}
										_t42 = E0019FA53( &_v12,  &_v20, _t40);
										_t51 = _a4;
										 *_t51 =  *_t42;
										 *((intOrPtr*)(_t51 + 4)) =  *((intOrPtr*)(_t42 + 4));
										return _t51;
									} else {
										_t45 = _a4;
										_t45[1] = _t45[1] & 0xffff00ff;
										 *_t45 =  *_t45 & 0x00000000;
										_t45[1] = 2;
										return _t45;
									}
								}
							}
						}
					}
				}
			}

0x0019fcb9
0x0019fcbc
0x0019fd71
0x0019fd77
0x00000000
0x0019fcc2
0x0019fcc4
0x0019fd55
0x0019fd62
0x0019fd67
0x0019fd69
0x0019fd69
0x0019fd6e
0x0019fd7c
0x0019fd7f
0x0019fd88
0x0019fcca
0x0019fcce
0x0019fcd4
0x0019fcd9
0x0019fd43
0x0019fd43
0x0019fd49
0x0019fd4b
0x0019fd4f
0x0019fcdb
0x0019fce0
0x0019fce4
0x00000000
0x0019fce6
0x0019fce8
0x0019fd3d
0x00000000
0x0019fcea
0x0019fcec
0x0019fd06
0x0019fd13
0x0019fd18
0x0019fd1a
0x0019fd1a
0x0019fd27
0x0019fd2e
0x0019fd31
0x0019fd36
0x0019fd3c
0x0019fcee
0x0019fcee
0x0019fcf1
0x0019fcf8
0x0019fcfb
0x0019fd00
0x0019fd00
0x0019fcec
0x0019fce8
0x0019fce4
0x0019fcd9
0x0019fcc4

APIs

UnDecorator::getArgumentList.LIBCMT ref: 0019FCCE

Part of subcall function 0019F869: Replicator::operator[].LIBCMT ref: 0019F8EC
Part of subcall function 0019F869: DName::operator+=.LIBCMT ref: 0019F8F4

DName::operator+.LIBCMT ref: 0019FD27
DName::DName.LIBCMT ref: 0019FD7F

Strings

<ellipsis>, xrefs: 0019FD69, 0019FD6E
..., xrefs: 0019FD62
,..., xrefs: 0019FD13
,<ellipsis>, xrefs: 0019FD1A, 0019FD1F
void, xrefs: 0019FD77

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 834187326-2211150622
Opcode ID: 56a46a58a48fa07279ce465917d4f171cc6748b4683a2a321bc2084f1c5213e4
Instruction ID: 46bececa32367186f72d15351d0d1d0de2f9f674ea7b6623bdc6413c5211a98d
Opcode Fuzzy Hash: 56a46a58a48fa07279ce465917d4f171cc6748b4683a2a321bc2084f1c5213e4
Instruction Fuzzy Hash: B6213870600208AFCB15CF5CE944AE93BF4FB65749B1480A9E846EB662CB31ED43CB40

Uniqueness

Uniqueness Score: -1.00%

Function 001A1642, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001A1642(void* __edx, void* __eflags, signed int* _a4) {
				intOrPtr _v8;
				char _v12;
				char _v20;
				char* _t17;
				intOrPtr* _t20;
				void* _t23;
				void* _t26;
				signed int* _t31;
				void* _t41;

				_t41 = __edx;
				E0019F323( &_v12, E0019E95D(0));
				_t17 =  *0x1c6060;
				if( *_t17 == 0) {
					E0019F231( &_v12, 1);
					goto L8;
				} else {
					 *0x1c6060 = _t17 + 1;
					_t23 =  *_t17 - 0x30;
					if(_t23 == 0) {
						E0019F805( &_v12, "void");
						goto L8;
					} else {
						_t26 = _t23;
						if(_t26 == 0) {
							E0019F54C( &_v12, E001A13F4(_t41, __eflags,  &_v20));
							goto L8;
						} else {
							if(_t26 != 3) {
								L8:
								E0019F805( &_v12, ") ");
								_t20 = _a4;
								 *_t20 = _v12;
								 *((intOrPtr*)(_t20 + 4)) = _v8;
								return _t20;
							} else {
								_t31 = _a4;
								_t31[1] = _t31[1] & 0xffff00ff;
								 *_t31 =  *_t31 & 0x00000000;
								_t31[1] = 2;
								return _t31;
							}
						}
					}
				}
			}

0x001a1642
0x001a1658
0x001a165d
0x001a1665
0x001a16bc
0x00000000
0x001a1667
0x001a166b
0x001a1672
0x001a1675
0x001a16b0
0x00000000
0x001a1677
0x001a1678
0x001a1679
0x001a16a1
0x00000000
0x001a167b
0x001a167e
0x001a16c1
0x001a16c9
0x001a16d1
0x001a16d4
0x001a16d9
0x001a16dd
0x001a1680
0x001a1680
0x001a1683
0x001a168a
0x001a168d
0x001a1692
0x001a1692
0x001a167e
0x001a1679
0x001a1675

APIs

UnDecorator::UScore.LIBCMT ref: 001A164C
DName::DName.LIBCMT ref: 001A1658

Part of subcall function 0019F323: DName::doPchar.LIBCMT ref: 0019F354

UnDecorator::getScopedName.LIBCMT ref: 001A1697
DName::operator+=.LIBCMT ref: 001A16A1
DName::operator+=.LIBCMT ref: 001A16B0
DName::operator+=.LIBCMT ref: 001A16BC
DName::operator+=.LIBCMT ref: 001A16C9

Strings

void, xrefs: 001A16A8

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID: void
API String ID: 1480779885-3531332078
Opcode ID: 8672f003d7ef6f79d6420151afa9569dc41433f4ed178fe3a3142678c965b616
Instruction ID: 2efad4d516b8622366ab8dd5e6b4fdd48d2f74d9321cf103f5d5edee8f6bd010
Opcode Fuzzy Hash: 8672f003d7ef6f79d6420151afa9569dc41433f4ed178fe3a3142678c965b616
Instruction Fuzzy Hash: 2E113075904104BFDB09EF64C856BED7BB4AB21700F0940A9E446EB2A2DBB0DE55CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0018EA95, Relevance: 13.7, APIs: 9, Instructions: 181
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0018EA95(long __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
				signed int _v4;
				signed int _v8;
				long _v16;
				long _v28;
				char _v136;
				char _v140;
				long _v144;
				signed int _v148;
				signed int _v152;
				long _v156;
				long _v176;
				char _v392;
				signed int _v396;
				signed int _v400;
				long _v404;
				long _v408;
				signed int _v412;
				long _v420;
				signed int* _v424;
				signed int _v432;
				long _v436;
				long _v440;
				signed int _v448;
				char _v456;
				void* _t141;
				void* _t145;
				void* _t147;
				void* _t148;
				signed int _t149;

				_t148 = __esi;
				asm("adc al, 0x0");
				 *((intOrPtr*)(__ecx + 0x59)) =  *((intOrPtr*)(__ecx + 0x59)) + __ebx;
				_v404 = __eax;
				if(__eax == 0) {
					L1:
					goto L2;
				} else {
					__eax =  *(__ebx + 0x48);
					__ecx = _v400;
					_v408 =  *(__ebx + 0x48);
					__eax = __esi + 0xc + __ecx * 4;
					_v424 = __eax;
					_v440 = __eax;
					__ecx + 6 = (__ecx + 6) * 6;
					__eax = (__ecx + 6) * 6 + __esi;
					_v412 = (__ecx + 6) * 6 + __esi;
					 &_v456 = E0018BF90( &_v456,  &_v456, 6);
					__eax =  *(__esi + 4);
					 &_v136 = _v396;
					_v436 =  *(__esi + 4);
					__eax = _v404;
					__ecx = _v396 + 0xfffffffc;
					__eax = _v404 + 4;
					__eax = E0019497A(_v404 + 4, _v396 + 0xfffffffc,  &_v136);
					__eflags = __eax;
					if(__eax != 0) {
						__eax = 0;
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						__eax = E00192A99();
						asm("int3");
						_push(__ebp);
						__ebp = __esp;
						__esp = __esp - 0x98;
						__eax =  *0x1c3ad4; // 0x384a8d02
						_v28 = __eax;
						__eax = _v16;
						_push(__ebx);
						_push(__esi);
						__ebx = 0;
						__esi = __edx;
						_push(__edi);
						_v176 = __esi;
						__eflags = __ecx;
						if(__ecx == 0) {
							_v148 = 1;
							_v144 = 0;
							__eflags = __eax;
							if(__eax == 0) {
								L69:
								__eax = E0018E66C(__esi);
							} else {
								__eflags =  *__eax - 0x4c;
								if(__eflags != 0) {
									L59:
									_push(__ebx);
									__ecx =  &_v140;
									__eax = E0018E7D1(__edx, __eflags, __eax,  &_v140, 0x83, __ebx, __ebx);
									__eflags = __eax - __ebx;
									if(__eax != __ebx) {
										_t127 = __esi + 0x48; // 0x48
										__edi = _t127;
										do {
											__eflags = __ebx;
											if(__ebx != 0) {
												__eax =  &_v140;
												__eax = E001935D0( &_v140,  *__edi);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax == 0) {
													L65:
													_t132 =  &_v144;
													 *_t132 = _v144 + 1;
													__eflags =  *_t132;
												} else {
													__eax =  &_v140;
													__ecx = __ebx;
													__eax = L0018E9F2(__ebx, __edx, __esi,  &_v140);
													__eflags = __eax;
													if(__eax != 0) {
														goto L65;
													} else {
														_v148 = _v148 & __eax;
													}
												}
											}
											__ebx = __ebx + 1;
											__edi = __edi + 0x10;
											__eflags = __ebx - 5;
										} while (__ebx <= 5);
										__eax = 0;
										__eflags = _v148;
										if(_v148 != 0) {
											goto L69;
										} else {
											__eflags = _v144;
											if(_v144 != 0) {
												goto L69;
											}
										}
									}
								} else {
									__eflags =  *(__eax + 1) - 0x43;
									if(__eflags != 0) {
										goto L59;
									} else {
										__eflags =  *((char*)(__eax + 2)) - 0x5f;
										if(__eflags != 0) {
											goto L59;
										} else {
											__edi = __eax;
											while(1) {
												L39:
												__eax = E0019D110(__edi, 0x1bbb4c);
												__ebx = __eax;
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __ebx;
												if(__ebx == 0) {
													break;
												}
												__eax = __eax - __edi;
												__eflags = __eax;
												_v148 = __eax;
												if(__eax == 0) {
													break;
												} else {
													__eflags =  *__ebx - 0x3b;
													if( *__ebx == 0x3b) {
														break;
													} else {
														_v152 = 1;
														__esi = 0x1bba7c;
														while(1) {
															__eax = E0019D049(__ecx,  *__esi, __edi, __eax);
															__eflags = __eax;
															if(__eax != 0) {
																goto L46;
															}
															L45:
															__eax = E0018C680( *__esi);
															__eflags = _v148 - __eax;
															if(_v148 != __eax) {
																goto L46;
															}
															L47:
															__ebx = __ebx + 1;
															__edi = E00199CB0(__ecx, __ebx, 0x1bbb44);
															__esi = 0;
															_pop(__ecx);
															_pop(__ecx);
															__eflags = __edi;
															if(__edi != 0) {
																L49:
																__eflags = _v152 - 5;
																if(_v152 > 5) {
																	L53:
																	__edi = __edi + __ebx;
																	__eflags =  *__edi;
																	if( *__edi == 0) {
																		L55:
																		__eax = 0;
																		__eflags = _v144;
																		if(_v144 != 0) {
																			__esi = _v156;
																			goto L69;
																		}
																	} else {
																		__edi = __edi + 1;
																		__eflags =  *__edi;
																		if( *__edi != 0) {
																			goto L39;
																		} else {
																			goto L55;
																		}
																	}
																} else {
																	__eax =  &_v140;
																	__eax = E00198874( &_v140, 0x83, __ebx, __edi);
																	__eflags = __eax;
																	if(__eax != 0) {
																		_push(__esi);
																		_push(__esi);
																		_push(__esi);
																		_push(__esi);
																		_push(__esi);
																		__eax = E00192A99();
																		goto L58;
																	} else {
																		__ecx = _v152;
																		__esi = _v156;
																		 *((char*)(__ebp + __edi - 0x88)) = __al;
																		__eax =  &_v140;
																		__eax = L0018E9F2(_v152, __edx, _v156,  &_v140);
																		__eflags = __eax;
																		if(__eax != 0) {
																			_t122 =  &_v144;
																			 *_t122 = _v144 + 1;
																			__eflags =  *_t122;
																		}
																		goto L53;
																	}
																}
															} else {
																__eflags =  *__ebx - 0x3b;
																if( *__ebx != 0x3b) {
																	goto L58;
																} else {
																	goto L49;
																}
															}
															goto L70;
															L46:
															_v152 = _v152 + 1;
															__esi = __esi + 0xc;
															__eflags = __esi - 0x1bbaac;
															if(__esi <= 0x1bbaac) {
																__eax = _v148;
																__eax = E0019D049(__ecx,  *__esi, __edi, __eax);
																__eflags = __eax;
																if(__eax != 0) {
																	goto L46;
																}
															}
															goto L47;
														}
													}
												}
												goto L70;
											}
											L58:
											__eax = 0;
										}
									}
								}
							}
						} else {
							__eflags = __eax;
							if(__eax == 0) {
								__eax =  *(__esi + 0x48 + __ecx * 8);
							} else {
								__eax = L0018E9F2(__ecx, __edx, __esi, __eax);
							}
						}
						L70:
						__ecx = _v8;
						_pop(__edi);
						_pop(__esi);
						__ecx = _v8 ^ __ebp;
						__eflags = __ecx;
						_pop(__ebx);
						__eax = E0018CFF8(__eax, __ebx, __ecx, __edx, __edi, __esi);
						__esp = __ebp;
						_pop(__ebp);
						return __eax;
					} else {
						__eax = _v404;
						__ecx = _v424;
						__eax = _v404 + 4;
						 *(__ebx + 0x48) = _v404 + 4;
						__eax = _v432 & 0x0000ffff;
						 *_v424 = _v432 & 0x0000ffff;
						 &_v432 = E0018BF90(_v412,  &_v432, 6);
						__eflags = _v400 - 2;
						if(_v400 == 2) {
							__eax = _v420;
							_t30 =  &_v396;
							 *_t30 = _v396 & 0x00000000;
							__eflags =  *_t30;
							 *(__esi + 4) = _v420;
							__eax =  *(__edi + 0x1f4);
							__ecx =  *(__edi + 0x1f0);
							_v412 =  *(__edi + 0x1f4);
							__eax = __edi + 0x1d0;
							while(1) {
								__edx =  *(__esi + 4);
								__eflags = __edx -  *__eax;
								if(__edx ==  *__eax) {
									break;
								}
								__edx =  *__eax;
								_v396 = _v396 + 1;
								 *__eax = __ecx;
								__ecx = _v412;
								_v448 =  *__eax;
								__edx =  *(__eax + 4);
								 *(__eax + 4) = _v412;
								__ecx = _v448;
								__eax = __eax + 8;
								__eflags = _v396 - 5;
								_v412 = __edx;
								if(_v396 < 5) {
									continue;
								} else {
								}
								L12:
								__eflags = _v396 - 5;
								if(__eflags == 0) {
									__eax =  &_v392;
									__eax = E0019D009(__ebx, __edx, __edi, __eflags, 0, 1, 0x1bbab8, 0x7f,  &_v392,  *(__esi + 4),  *((intOrPtr*)(__esi + 0x14)), 1);
									__eflags = __eax;
									if(__eax == 0) {
										_t68 = __edi + 0x1d4;
										 *_t68 =  *(__edi + 0x1d4) & 0x00000000;
										__eflags =  *_t68;
									} else {
										__eax = 0;
										__eflags = 0;
										do {
											__ecx = 0x1ff;
											 *(__ebp + __eax * 2 - 0x188) =  *(__ebp + __eax * 2 - 0x188) & __cx;
											__eax = __eax + 1;
											__eflags = __eax - 0x7f;
										} while (__eax < 0x7f);
										__eax =  &_v392;
										__eax = E0019B9CE( &_v392,  *0x1c3928, 0xfe);
										__eax =  ~__eax;
										asm("sbb eax, eax");
										 *(__edi + 0x1d4) = __eax;
									}
									__eax =  *(__esi + 4);
									 *(__edi + 0x1d0) =  *(__esi + 4);
								}
								__eax =  *(__edi + 0x1d4);
								 *(__esi + 0xa8) =  *(__edi + 0x1d4);
								goto L20;
							}
							__eax = _v396;
							__eflags = __eax;
							if(__eax != 0) {
								__eax = __edi + 0x1d0 + __eax * 8;
								__edx =  *__eax;
								 *(__edi + 0x1d0) =  *__eax;
								__edx =  *(__eax + 4);
								 *(__edi + 0x1d4) = __edx;
								 *__eax = __ecx;
								__ecx = _v412;
								 *(__eax + 4) = _v412;
							}
							goto L12;
						}
						L20:
						__eflags = _v400 - 1;
						if(_v400 == 1) {
							__eax = _v420;
							 *(__esi + 8) = _v420;
						}
						_v400 = _v400 * 0xc;
						__eax =  *((intOrPtr*)(0x1bba78 + _v400 * 0xc))();
						__ecx = __esi;
						__eflags = __eax;
						if(__eax == 0) {
							__eflags = _v408 - 0x1c4004;
							if(_v408 != 0x1c4004) {
								_v400 = _v400 + 5;
								__edi = _v400 + 5 + _v400 + 5;
								__eax = InterlockedDecrement( *(__esi + __edi * 8));
								__eflags = __eax;
								if(__eax == 0) {
									E0018C63F( *(__esi + __edi * 8)) = E0018C63F( *((intOrPtr*)(__ebx + 0x54)));
									_t93 = __ebx + 0x4c;
									 *_t93 =  *(__ebx + 0x4c) & 0x00000000;
									__eflags =  *_t93;
								}
							}
							__ecx = _v400;
							__eax = _v404;
							__ecx = _v400 + 5;
							__ecx = _v400 + 5 + _v400 + 5;
							 *__eax = 1;
							 *(__esi + __ecx * 8) = __eax;
							__eax =  *(__ebx + 0x48);
						} else {
							__eax = _v408;
							 *(__ebx + 0x48) = _v408;
							E0018C63F(_v404) = _v440;
							__ecx = _v424;
							 *__ecx = _v440;
							__eax = _v436;
							 *(__esi + 4) = __eax;
							goto L1;
						}
						L2:
						_pop(_t147);
						_pop(_t141);
						return E0018CFF8(0, _t141, _v4 ^ _t149, _t145, _t147, _t148);
					}
				}
			}

0x0018ea95
0x0018ea95
0x0018ea97
0x0018ea9a
0x0018eaa2
0x0018ea4e
0x00000000
0x0018eaa4
0x0018eaa4
0x0018eaa7
0x0018eaad
0x0018eab3
0x0018eab7
0x0018eabf
0x0018eac8
0x0018eacb
0x0018ead0
0x0018eadd
0x0018eae2
0x0018eaec
0x0018eaf2
0x0018eaf8
0x0018eafe
0x0018eb01
0x0018eb06
0x0018eb0e
0x0018eb10
0x0018ed1f
0x0018ed21
0x0018ed22
0x0018ed23
0x0018ed24
0x0018ed25
0x0018ed26
0x0018ed2b
0x0018ed2e
0x0018ed2f
0x0018ed31
0x0018ed37
0x0018ed3e
0x0018ed41
0x0018ed44
0x0018ed45
0x0018ed46
0x0018ed48
0x0018ed4a
0x0018ed4b
0x0018ed51
0x0018ed53
0x0018ed70
0x0018ed7a
0x0018ed80
0x0018ed82
0x0018ef34
0x0018ef34
0x0018ed88
0x0018ed88
0x0018ed8b
0x0018eec1
0x0018eec1
0x0018eec9
0x0018eed1
0x0018eed9
0x0018eedb
0x0018eedd
0x0018eedd
0x0018eee0
0x0018eee0
0x0018eee2
0x0018eee6
0x0018eeed
0x0018eef2
0x0018eef3
0x0018eef4
0x0018eef6
0x0018ef13
0x0018ef13
0x0018ef13
0x0018ef13
0x0018eef8
0x0018eef8
0x0018eeff
0x0018ef01
0x0018ef07
0x0018ef09
0x00000000
0x0018ef0b
0x0018ef0b
0x0018ef0b
0x0018ef09
0x0018eef6
0x0018ef19
0x0018ef1a
0x0018ef1d
0x0018ef1d
0x0018ef22
0x0018ef24
0x0018ef2a
0x00000000
0x0018ef2c
0x0018ef2c
0x0018ef32
0x00000000
0x00000000
0x0018ef32
0x0018ef2a
0x0018ed91
0x0018ed91
0x0018ed95
0x00000000
0x0018ed9b
0x0018ed9b
0x0018ed9f
0x00000000
0x0018eda5
0x0018eda5
0x0018eda7
0x0018eda7
0x0018edad
0x0018edb2
0x0018edb4
0x0018edb5
0x0018edb6
0x0018edb8
0x00000000
0x00000000
0x0018edbe
0x0018edbe
0x0018edc0
0x0018edc6
0x00000000
0x0018edcc
0x0018edcc
0x0018edcf
0x00000000
0x0018edd5
0x0018edd5
0x0018eddf
0x0018edec
0x0018edf0
0x0018edf8
0x0018edfa
0x00000000
0x00000000
0x0018edfc
0x0018edfe
0x0018ee04
0x0018ee0a
0x00000000
0x00000000
0x0018ee1d
0x0018ee1d
0x0018ee29
0x0018ee2b
0x0018ee2d
0x0018ee2e
0x0018ee2f
0x0018ee31
0x0018ee3c
0x0018ee3c
0x0018ee43
0x0018ee89
0x0018ee89
0x0018ee8b
0x0018ee8e
0x0018ee9a
0x0018ee9a
0x0018ee9c
0x0018eea2
0x0018eea8
0x00000000
0x0018eea8
0x0018ee90
0x0018ee90
0x0018ee91
0x0018ee94
0x00000000
0x00000000
0x00000000
0x00000000
0x0018ee94
0x0018ee45
0x0018ee47
0x0018ee53
0x0018ee5b
0x0018ee5d
0x0018eeb3
0x0018eeb4
0x0018eeb5
0x0018eeb6
0x0018eeb7
0x0018eeb8
0x00000000
0x0018ee5f
0x0018ee5f
0x0018ee65
0x0018ee6b
0x0018ee72
0x0018ee79
0x0018ee7f
0x0018ee81
0x0018ee83
0x0018ee83
0x0018ee83
0x0018ee83
0x00000000
0x0018ee81
0x0018ee5d
0x0018ee33
0x0018ee33
0x0018ee36
0x00000000
0x00000000
0x00000000
0x00000000
0x0018ee36
0x00000000
0x0018ee0c
0x0018ee0c
0x0018ee12
0x0018ee15
0x0018ee1b
0x0018ede6
0x0018edf0
0x0018edf8
0x0018edfa
0x00000000
0x00000000
0x0018edfa
0x00000000
0x0018ee1b
0x0018edec
0x0018edcf
0x00000000
0x0018edc6
0x0018eebd
0x0018eebd
0x0018eebd
0x0018ed9f
0x0018ed95
0x0018ed8b
0x0018ed55
0x0018ed55
0x0018ed57
0x0018ed67
0x0018ed59
0x0018ed5a
0x0018ed5f
0x0018ed57
0x0018ef39
0x0018ef39
0x0018ef3c
0x0018ef3d
0x0018ef3e
0x0018ef3e
0x0018ef40
0x0018ef41
0x0018ef46
0x0018ef46
0x0018ef47
0x0018eb16
0x0018eb16
0x0018eb1c
0x0018eb22
0x0018eb25
0x0018eb28
0x0018eb2f
0x0018eb40
0x0018eb48
0x0018eb4f
0x0018eb55
0x0018eb5b
0x0018eb5b
0x0018eb5b
0x0018eb62
0x0018eb65
0x0018eb6b
0x0018eb71
0x0018eb77
0x0018eb7d
0x0018eb7d
0x0018eb80
0x0018eb82
0x00000000
0x00000000
0x0018eb84
0x0018eb86
0x0018eb8c
0x0018eb8e
0x0018eb94
0x0018eb9a
0x0018eb9d
0x0018eba0
0x0018eba6
0x0018eba9
0x0018ebb0
0x0018ebb6
0x00000000
0x00000000
0x0018ebb8
0x0018ebe7
0x0018ebe7
0x0018ebee
0x0018ebf5
0x0018ec0a
0x0018ec12
0x0018ec14
0x0018ec52
0x0018ec52
0x0018ec52
0x0018ec16
0x0018ec16
0x0018ec16
0x0018ec18
0x0018ec18
0x0018ec1d
0x0018ec25
0x0018ec26
0x0018ec26
0x0018ec36
0x0018ec3d
0x0018ec45
0x0018ec47
0x0018ec4a
0x0018ec4a
0x0018ec59
0x0018ec5c
0x0018ec5c
0x0018ec62
0x0018ec68
0x00000000
0x0018ec68
0x0018ebba
0x0018ebc0
0x0018ebc2
0x0018ebc4
0x0018ebcb
0x0018ebcd
0x0018ebd3
0x0018ebd6
0x0018ebdc
0x0018ebde
0x0018ebe4
0x0018ebe4
0x00000000
0x0018ebc2
0x0018ec6e
0x0018ec6e
0x0018ec75
0x0018ec77
0x0018ec7d
0x0018ec7d
0x0018ec86
0x0018ec8a
0x0018ec90
0x0018ec91
0x0018ec93
0x0018ecc6
0x0018ecd0
0x0018ecd8
0x0018ecdb
0x0018ece0
0x0018ece6
0x0018ece8
0x0018ecf5
0x0018ecfa
0x0018ecfa
0x0018ecfa
0x0018ecff
0x0018ece8
0x0018ed00
0x0018ed06
0x0018ed0c
0x0018ed0f
0x0018ed11
0x0018ed17
0x0018ea78
0x0018ec95
0x0018ec95
0x0018eca1
0x0018eca9
0x0018ecb0
0x0018ecb6
0x0018ecb8
0x0018ecbe
0x00000000
0x0018ecbe
0x0018ea50
0x0018ea53
0x0018ea56
0x0018ea5d
0x0018ea5d
0x0018eb10

APIs

_memmove.LIBCMT ref: 0018EADD
_strcpy_s.LIBCMT ref: 0018EB06
_memmove.LIBCMT ref: 0018EB40
___crtGetStringTypeA.LIBCMT ref: 0018EC0A
_free.LIBCMT ref: 0018ECA4
InterlockedDecrement.KERNEL32 ref: 0018ECE0
_free.LIBCMT ref: 0018ECED
_free.LIBCMT ref: 0018ECF5
__invoke_watson.LIBCMT ref: 0018ED26

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$_memmove$DecrementInterlockedStringType___crt__invoke_watson_strcpy_s
String ID:
API String ID: 1173673578-0
Opcode ID: dd6025f3ee746db3145f0228514d4b9f569b9ebce1cd6117d46716fb0d181720
Instruction ID: 526e2a91c78bb2e57a4bde2c678c5c48dba44b8c71df73ecf4bb50d6db5ce90d
Opcode Fuzzy Hash: dd6025f3ee746db3145f0228514d4b9f569b9ebce1cd6117d46716fb0d181720
Instruction Fuzzy Hash: 5E810771A00615AFDB29DF24C991BE9B7F1FF59304F1085E9E90EA7251EB31AA90CF40

Uniqueness

Uniqueness Score: -1.00%

Function 001827A0, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001827A0(intOrPtr __ecx, signed int _a4, signed char _a8) {
				char _v24;
				char _v32;
				char _v52;
				char _v60;
				char _v80;
				char _v88;
				intOrPtr _v92;
				intOrPtr _t29;

				_v92 = __ecx;
				 *(_v92 + 0xc) = _a4 & 0x00000017;
				_t29 = _v92;
				if(( *(_v92 + 0xc) &  *(_t29 + 0x10)) != 0) {
					if((_a8 & 0x000000ff) == 0) {
						if(( *(_v92 + 0xc) &  *(_v92 + 0x10) & 0x00000004) == 0) {
							if(( *(_v92 + 0xc) &  *(_v92 + 0x10) & 0x00000002) == 0) {
								L001813A2( &_v80, "ios_base::eofbit set", L00181177( &_v88, 1));
								return E0018BD5F( &_v80, 0x1c0d28);
							}
							L001813A2( &_v52, "ios_base::failbit set", L00181177( &_v60, 1));
							return E0018BD5F( &_v52, 0x1c0d28);
						}
						L001813A2( &_v24, "ios_base::badbit set", L00181177( &_v32, 1));
						return E0018BD5F( &_v24, 0x1c0d28);
					}
					return E0018BD5F(0, 0);
				}
				return _t29;
			}

0x001827a6
0x001827b2
0x001827b8
0x001827c1
0x001827ce
0x001827ed
0x0018282a
0x0018286f
0x00000000
0x0018287d
0x00182843
0x00000000
0x00182851
0x00182806
0x00000000
0x00182814
0x00000000
0x001827d4
0x00000000

APIs

__CxxThrowException@8.LIBCMT ref: 001827D4

Strings

ios_base::eofbit set, xrefs: 00182867
ios_base::failbit set, xrefs: 0018283B
ios_base::badbit set, xrefs: 001827FE

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 34515e90387d5d7b72363dad008f0f306a88e5eff0ebd72dcab308bdba33a3b0
Instruction ID: 05ee6429f35e9be4561db03ee0d687fb9e491c865590b25e7f60db07ecc5baf1
Opcode Fuzzy Hash: 34515e90387d5d7b72363dad008f0f306a88e5eff0ebd72dcab308bdba33a3b0
Instruction Fuzzy Hash: 03219132E04248ABCB09FBD0CC82EADB379BF65710F148508F5056F28AD771AA45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00189311, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00189311(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t42;
				void* _t43;

				_push(0x14);
				E0018D007(0x1b5d22, __ebx, __edi, __esi);
				E00189BEC(_t43 - 0x14, 0);
				_t42 =  *0x1c5024; // 0x0
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				 *((intOrPtr*)(_t43 - 0x10)) = _t42;
				_t18 = L0018124E( *((intOrPtr*)(_t43 + 8)), L001812B2(0x1c50d8));
				_t40 = _t18;
				if(_t18 == 0) {
					if(_t42 == 0) {
						_push( *((intOrPtr*)(_t43 + 8)));
						_push(_t43 - 0x10);
						_t23 = E00189206(__ebx, _t40, _t42, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E0018C3F1(_t43 - 0x20, "bad cast");
							E0018BD5F(_t43 - 0x20, 0x1c0e34);
						}
						_t40 =  *((intOrPtr*)(_t43 - 0x10));
						 *0x1c5024 =  *((intOrPtr*)(_t43 - 0x10));
						L00181032( *((intOrPtr*)(_t43 - 0x10)));
						E00189F2A(__eflags, _t40);
					} else {
						_t40 = _t42;
					}
				}
				 *(_t43 - 4) =  *(_t43 - 4) | 0xffffffff;
				E00189C14(_t43 - 0x14);
				return E0018D0DF(_t40);
			}

0x00189311
0x00189318
0x00189322
0x00189327
0x0018932d
0x00189336
0x00189342
0x00189347
0x0018934b
0x0018934f
0x00189355
0x0018935b
0x0018935c
0x00189363
0x00189366
0x00189370
0x0018937e
0x0018937e
0x00189383
0x00189388
0x0018938e
0x00189394
0x00189351
0x00189351
0x00189351
0x0018934f
0x0018939a
0x001893a1
0x001893ad

APIs

__EH_prolog3.LIBCMT ref: 00189318
std::_Lockit::_Lockit.LIBCPMT ref: 00189322
messages.LIBCPMT ref: 0018935C
std::bad_exception::bad_exception.LIBCMT ref: 00189370
__CxxThrowException@8.LIBCMT ref: 0018937E
std::locale::facet::_Facet_Register.LIBCPMT ref: 00189394

Strings

bad cast, xrefs: 00189368

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Facet_H_prolog3LockitLockit::_RegisterThrowmessagesstd::_std::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 151228797-3145022300
Opcode ID: 8428b196c11b25b711f506fba87b5b5791208e2f54463ecd9d8d0b0a1f5d8793
Instruction ID: dc464cd076a1442b95ec50bc88767cc8ec7140c4bf2871eec7b3a084b486e55d
Opcode Fuzzy Hash: 8428b196c11b25b711f506fba87b5b5791208e2f54463ecd9d8d0b0a1f5d8793
Instruction Fuzzy Hash: A1015B32900619A7CB05FBA0DC42ABD773ABB64720F280208F520AB2D1DF34AB418F50

Uniqueness

Uniqueness Score: -1.00%

Function 0019FD89, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0019FD89(intOrPtr* _a4) {
				signed int _v8;
				char _v12;
				char _v20;
				char _v28;
				intOrPtr _t14;
				void* _t21;
				intOrPtr* _t25;
				void* _t26;
				char* _t29;
				void* _t34;

				_t14 =  *((intOrPtr*)( *0x1c6060));
				if(_t14 == 0) {
					_push(0x29);
					_push(_a4);
					_t29 = E0019F528(E0019F323( &_v20, " throw("),  &_v28, 1);
					goto L5;
				} else {
					if(_t14 != 0x5a) {
						_t21 = E0019FCA9(_t26, _t34,  &_v20);
						E0019F76B(E0019F323( &_v28, " throw("),  &_v12, _t21);
						_push(0x29);
						_push(_a4);
						_t29 =  &_v12;
						L5:
						E0019FA2F(_t29);
						return _a4;
					} else {
						 *0x1c6060 =  *0x1c6060 + 1;
						_t25 = _a4;
						 *_t25 = 0;
						 *(_t25 + 4) = _v8 & 0xffff0000;
						return _t25;
					}
				}
			}

0x0019fd93
0x0019fd9a
0x0019fde8
0x0019fdea
0x0019fe07
0x00000000
0x0019fd9c
0x0019fd9e
0x0019fdbf
0x0019fdd9
0x0019fdde
0x0019fde0
0x0019fde3
0x0019fe09
0x0019fe09
0x0019fe12
0x0019fda0
0x0019fda0
0x0019fda9
0x0019fdb4
0x0019fdb6
0x0019fdba
0x0019fdba
0x0019fd9e

APIs

DName::DName.LIBCMT ref: 0019FDD2
DName::operator+.LIBCMT ref: 0019FDD9
DName::DName.LIBCMT ref: 0019FDFB
DName::operator+.LIBCMT ref: 0019FE02
DName::operator+.LIBCMT ref: 0019FE09

Strings

throw(, xrefs: 0019FDCA, 0019FDF3

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: Name::operator+$NameName::
String ID: throw(
API String ID: 168861036-3159766648
Opcode ID: 909d95221c13ac96788dad6d3cd70352c5f91f661aa35a09b333a3f4a9a41d74
Instruction ID: 6e78a6c1ece1fffc4f1df693f5e9660c742804178c5fd3b41f688a660d97fe6e
Opcode Fuzzy Hash: 909d95221c13ac96788dad6d3cd70352c5f91f661aa35a09b333a3f4a9a41d74
Instruction Fuzzy Hash: 58015275640209BFCF04EFA4E856EEE3BB5EB54304F004069F901EB291DB74EA46C780

Uniqueness

Uniqueness Score: -1.00%

Function 001924C2, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E001924C2(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t26;
				intOrPtr _t30;
				intOrPtr _t39;
				void* _t40;

				_t31 = __ebx;
				_push(8);
				_push(0x1c18b8);
				E001943E0(__ebx, __edi, __esi);
				GetModuleHandleW(L"KERNEL32.DLL");
				_t39 =  *((intOrPtr*)(_t40 + 8));
				 *((intOrPtr*)(_t39 + 0x5c)) = 0x1bd270;
				 *(_t39 + 8) =  *(_t39 + 8) & 0x00000000;
				 *((intOrPtr*)(_t39 + 0x14)) = 1;
				 *((intOrPtr*)(_t39 + 0x70)) = 1;
				 *((char*)(_t39 + 0xc8)) = 0x43;
				 *((char*)(_t39 + 0x14b)) = 0x43;
				 *(_t39 + 0x68) = 0x1c3ae0;
				E001976E6(__ebx, 1, 0xd);
				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
				InterlockedIncrement( *(_t39 + 0x68));
				 *(_t40 - 4) = 0xfffffffe;
				E00192564();
				E001976E6(_t31, 1, 0xc);
				 *(_t40 - 4) = 1;
				_t26 =  *((intOrPtr*)(_t40 + 0xc));
				 *((intOrPtr*)(_t39 + 0x6c)) = _t26;
				if(_t26 == 0) {
					_t30 =  *0x1c4248; // 0xb214c8
					 *((intOrPtr*)(_t39 + 0x6c)) = _t30;
				}
				E001920C9( *((intOrPtr*)(_t39 + 0x6c)));
				 *(_t40 - 4) = 0xfffffffe;
				return E00194425(E0019256D());
			}

0x001924c2
0x001924c2
0x001924c4
0x001924c9
0x001924d3
0x001924d9
0x001924dc
0x001924e3
0x001924ea
0x001924ed
0x001924f0
0x001924f7
0x001924fe
0x00192507
0x0019250d
0x00192514
0x0019251a
0x00192521
0x00192528
0x0019252e
0x00192531
0x00192534
0x00192539
0x0019253b
0x00192540
0x00192540
0x00192546
0x0019254c
0x0019255d

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,001C18B8,00000008,001925CA,00000000,00000000,?,0018B596,?,?,?,?,00000000,00000000,00000000), ref: 001924D3
__lock.LIBCMT ref: 00192507

Part of subcall function 001976E6: __mtinitlocknum.LIBCMT ref: 001976FC
Part of subcall function 001976E6: __amsg_exit.LIBCMT ref: 00197708
Part of subcall function 001976E6: EnterCriticalSection.KERNEL32(?,?,?,0019250C,0000000D), ref: 00197710

InterlockedIncrement.KERNEL32(001C3AE0), ref: 00192514
__lock.LIBCMT ref: 00192528
___addlocaleref.LIBCMT ref: 00192546

Strings

KERNEL32.DLL, xrefs: 001924CE

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: d73cab976d49244ae23fa0050e6b775fea1240bcc64de1e525f7a3f68980aa23
Instruction ID: 30f15101a77181764d53bb8ba556d97db31b8c5e6194bdc18bab8995f6193aad
Opcode Fuzzy Hash: d73cab976d49244ae23fa0050e6b775fea1240bcc64de1e525f7a3f68980aa23
Instruction Fuzzy Hash: A9015E71805B00EBEB20EF69D806B49BBE0EF60324F10890DE495576A1CBB0E644CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00181C00, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00181C00(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				void* __ebp;
				void* _t10;
				char _t13;
				void* _t24;
				void* _t25;
				void* _t26;

				_t23 = __esi;
				_t22 = __edi;
				_t15 = __ebx;
				_v16 = __ecx;
				_v8 = _v16;
				_push(0);
				_push(_v16 + 4);
				_t10 = E0018BF10(__ebx, __edi, __esi, _t24);
				_t26 = _t25 + 8;
				_t29 = _t10;
				if(_t10 != 0) {
					_push(_v8);
					_push("Alarm fired: %p\n");
					E0018BDAB(__ebx, _v8, __edi, __esi, _t29);
					_t26 = _t26 + 8;
					_t13 =  *0x1c5004; // 0x0
					_v12 = _t13;
					E0018BD5F( &_v12, 0x1c0c24);
				}
				_push(_v8);
				_push("Alarm set: %p\n");
				return E0018BDAB(_t15, _v8, _t22, _t23, _t29);
			}

0x00181c00
0x00181c00
0x00181c00
0x00181c06
0x00181c0c
0x00181c15
0x00181c17
0x00181c18
0x00181c1d
0x00181c20
0x00181c22
0x00181c27
0x00181c28
0x00181c2d
0x00181c32
0x00181c35
0x00181c3a
0x00181c46
0x00181c46
0x00181c4e
0x00181c4f
0x00181c5f

APIs

__setjmp3.LIBCMT ref: 00181C18
_wprintf.LIBCMT ref: 00181C2D
__CxxThrowException@8.LIBCMT ref: 00181C46

Part of subcall function 0018BD5F: RaiseException.KERNEL32(?,?,?,00181BAF,?,?,?,?,?,00181BAF,Timeout already in use,001C0BC0), ref: 0018BDA1

_wprintf.LIBCMT ref: 00181C54

Strings

Alarm fired: %p, xrefs: 00181C28
Alarm set: %p, xrefs: 00181C4F

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: _wprintf$ExceptionException@8RaiseThrow__setjmp3
String ID: Alarm fired: %p$Alarm set: %p
API String ID: 4112112686-1996224522
Opcode ID: d433f7bdb687a46b33f28509e17c9a43c0c0b66f5b2cfb969e6a82e9e840080d
Instruction ID: 2946f5565b420e57c542f84335585e077aaacf9bc018f9c0d6f441e484c024bc
Opcode Fuzzy Hash: d433f7bdb687a46b33f28509e17c9a43c0c0b66f5b2cfb969e6a82e9e840080d
Instruction Fuzzy Hash: 9AF0B471D04208BBD700FBE49C82EAD7774EB54704F004298F90967341E770AB148FA5

Uniqueness

Uniqueness Score: -1.00%

Function 0019CF22, Relevance: 9.1, APIs: 6, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0019CF22(void* __ecx, void* __edx, intOrPtr* _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t27;
				intOrPtr _t33;
				int _t37;
				void* _t40;
				short* _t41;
				short* _t47;
				void* _t48;
				void* _t54;
				int _t56;
				void* _t57;
				void* _t60;
				signed int _t61;
				short* _t62;

				_t54 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t27 =  *0x1c3ad4; // 0x384a8d02
				_v8 = _t27 ^ _t61;
				_t47 = 0;
				_v12 = 0;
				if(_a24 == 0) {
					_a24 =  *((intOrPtr*)( *_a4 + 4));
				}
				_t56 = MultiByteToWideChar(_a24, 1 + (0 | _a28 != _t47) * 8, _a12, _a16, _t47, _t47);
				if(_t56 != _t47) {
					if(__eflags > 0) {
						__eflags = _t56 - 0x7ffffff0;
						if(_t56 <= 0x7ffffff0) {
							_t16 = _t56 + 8; // 0x8
							_t40 = _t56 + _t16;
							__eflags = _t40 - 0x400;
							if(_t40 > 0x400) {
								_t41 = E0018B772(_t54, _t56, MultiByteToWideChar, _t40);
								__eflags = _t41 - _t47;
								if(_t41 != _t47) {
									 *_t41 = 0xdddd;
									goto L11;
								}
							} else {
								E0019D150(_t40);
								_t41 = _t62;
								__eflags = _t41 - _t47;
								if(_t41 != _t47) {
									 *_t41 = 0xcccc;
									L11:
									_t41 =  &(_t41[4]);
									__eflags = _t41;
								}
							}
							_t47 = _t41;
						}
					}
					__eflags = _t47;
					if(_t47 == 0) {
						goto L3;
					} else {
						E0018CA30(_t47, 0, _t56 + _t56);
						_t37 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t47, _t56);
						__eflags = _t37;
						if(_t37 != 0) {
							_v12 = GetStringTypeW(_a8, _t47, _t37, _a20);
						}
						E0018F1D2(_t47);
						_t33 = _v12;
					}
				} else {
					L3:
					_t33 = 0;
				}
				_pop(_t57);
				_pop(_t60);
				_pop(_t48);
				return E0018CFF8(_t33, _t48, _v8 ^ _t61, _t54, _t57, _t60);
			}

0x0019cf22
0x0019cf27
0x0019cf28
0x0019cf29
0x0019cf30
0x0019cf34
0x0019cf38
0x0019cf3e
0x0019cf48
0x0019cf48
0x0019cf6e
0x0019cf72
0x0019cf78
0x0019cf7a
0x0019cf80
0x0019cf82
0x0019cf82
0x0019cf86
0x0019cf8b
0x0019cfa1
0x0019cfa7
0x0019cfa9
0x0019cfab
0x00000000
0x0019cfab
0x0019cf8d
0x0019cf8d
0x0019cf92
0x0019cf94
0x0019cf96
0x0019cf98
0x0019cfb1
0x0019cfb1
0x0019cfb1
0x0019cfb1
0x0019cf96
0x0019cfb4
0x0019cfb4
0x0019cf80
0x0019cfb6
0x0019cfb8
0x00000000
0x0019cfba
0x0019cfc1
0x0019cfd6
0x0019cfd8
0x0019cfda
0x0019cfea
0x0019cfea
0x0019cfee
0x0019cff3
0x0019cff6
0x0019cf74
0x0019cf74
0x0019cf74
0x0019cf74
0x0019cffa
0x0019cffb
0x0019cffc
0x0019d008

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,0000009C,00000000,00000000,00000003,00000001,00000000,?,?,?,0019D037,?,00000001,?), ref: 0019CF6C
_malloc.LIBCMT ref: 0019CFA1
_memset.LIBCMT ref: 0019CFC1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,0000009C,?,00000001,0000009C,?,00000008,0018E91A,0000009C), ref: 0019CFD6
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0019CFE4
__freea.LIBCMT ref: 0019CFEE

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$StringType__freea_malloc_memset
String ID:
API String ID: 525495869-0
Opcode ID: 80225692282347fb7ca784991c271331f4cd5ed7d2010c3fcd6d0794b6c18d7f
Instruction ID: 5c6f14ed7b4df7a5f58833245e00a8565a7386b103c6a1922ec974a56db1e8b4
Opcode Fuzzy Hash: 80225692282347fb7ca784991c271331f4cd5ed7d2010c3fcd6d0794b6c18d7f
Instruction Fuzzy Hash: 9E315C7160020AAFEF10AFA4DCC1DAFBBAAEB48354F114426F915D7261DB34DD60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00191BCA, Relevance: 9.0, APIs: 6, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00191BCA(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x1c1858);
				E001943E0(__ebx, __edi, __esi);
				_t31 = E001925EF(__ebx, __edx, _t35);
				_t15 =  *0x1c4000; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E001976E6(_t25, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x1c3f08; // 0xb21620
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0x1c3ae0;
								if(__eflags != 0) {
									E0018C63F(_t33);
								}
							}
						}
						_t21 =  *0x1c3f08; // 0xb21620
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x1c3f08; // 0xb21620
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00191C65();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					_push(0x20);
					E00192E98(_t29, _t38);
				}
				return E00194425(_t33);
			}

0x00191bca
0x00191bca
0x00191bca
0x00191bca
0x00191bcc
0x00191bd1
0x00191bdb
0x00191bdd
0x00191be5
0x00191c06
0x00191c0c
0x00191c10
0x00191c13
0x00191c16
0x00191c1c
0x00191c1e
0x00191c20
0x00191c29
0x00191c2b
0x00191c2d
0x00191c33
0x00191c36
0x00191c3b
0x00191c33
0x00191c2b
0x00191c3c
0x00191c41
0x00191c44
0x00191c4a
0x00191c4e
0x00191c4e
0x00191c54
0x00191c5b
0x00191bed
0x00191bed
0x00191bed
0x00191bf0
0x00191bf2
0x00191bf4
0x00191bf6
0x00191bfb
0x00191c03

APIs

__getptd.LIBCMT ref: 00191BD6

Part of subcall function 001925EF: __getptd_noexit.LIBCMT ref: 001925F2
Part of subcall function 001925EF: __amsg_exit.LIBCMT ref: 001925FF

__amsg_exit.LIBCMT ref: 00191BF6
__lock.LIBCMT ref: 00191C06
InterlockedDecrement.KERNEL32(?), ref: 00191C23
_free.LIBCMT ref: 00191C36
InterlockedIncrement.KERNEL32(00B21620), ref: 00191C4E

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: c095e1b613f2681e464a425e944ac33c7d44edd27199a03eb45004d8991df498
Instruction ID: 06af302606390076511ab5564388260f975eb21de3cc890c362f91f885a33d40
Opcode Fuzzy Hash: c095e1b613f2681e464a425e944ac33c7d44edd27199a03eb45004d8991df498
Instruction Fuzzy Hash: 9201C031941626BBDF21BB299845F9EBB70AF10761F004009E810A7691CB34EAD2CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 001A753A, Relevance: 7.6, APIs: 5, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E001A753A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				long _t27;
				signed int _t34;
				signed int _t36;
				signed char _t42;
				intOrPtr* _t46;
				void* _t49;
				signed int _t56;
				void* _t57;

				_t55 = __esi;
				_t49 = __edx;
				_push(0xc);
				_push(0x1c1c70);
				E001943E0(__ebx, __edi, __esi);
				 *(_t57 - 0x1c) = 0;
				_t42 = 0;
				if(( *(_t57 + 0xc) & 0x00000008) != 0) {
					_t42 = 0x20;
				}
				if(( *(_t57 + 0xc) & 0x00004000) != 0) {
					_t42 = _t42 | 0x00000080;
				}
				if(( *(_t57 + 0xc) & 0x00000080) != 0) {
					_t42 = _t42 | 0x00000010;
				}
				_t27 = GetFileType( *(_t57 + 8));
				if(_t27 != 0) {
					__eflags = _t27 - 2;
					if(__eflags != 0) {
						__eflags = _t27 - 3;
						if(__eflags == 0) {
							_t42 = _t42 | 0x00000008;
							__eflags = _t42;
						}
					} else {
						_t42 = _t42 | 0x00000040;
					}
					_t56 = E001A73A1(_t42, _t49, 0, _t55, __eflags);
					 *(_t57 + 0xc) = _t56;
					__eflags = _t56 - 0xffffffff;
					if(__eflags != 0) {
						 *((intOrPtr*)(_t57 - 4)) = 0;
						E001A716B(_t42, _t56,  *(_t57 + 8));
						_t46 = 0x1c6100 + (_t56 >> 5) * 4;
						_t34 = (_t56 & 0x0000001f) << 6;
						 *( *_t46 + _t34 + 4) = _t42 | 0x00000001;
						 *( *_t46 + _t34 + 0x24) =  *( *_t46 + _t34 + 0x24) & 0x00000080;
						 *( *_t46 + _t34 + 0x24) =  *( *_t46 + _t34 + 0x24) & 0x0000007f;
						 *(_t57 - 0x1c) = 1;
						 *((intOrPtr*)(_t57 - 4)) = 0xfffffffe;
						_t36 = E001A7628(0, _t56);
						__eflags =  *(_t57 - 0x1c);
						if( *(_t57 - 0x1c) == 0) {
							goto L8;
						}
						_t37 = _t56;
						goto L9;
					} else {
						 *((intOrPtr*)(E001912E2(__eflags))) = 0x18;
						_t36 = E001912F5(__eflags);
						 *_t36 = 0;
						goto L8;
					}
				} else {
					_t36 = E00191308(GetLastError());
					L8:
					_t37 = _t36 | 0xffffffff;
					L9:
					return E00194425(_t37);
				}
			}

0x001a753a
0x001a753a
0x001a753a
0x001a753c
0x001a7541
0x001a7548
0x001a754b
0x001a7551
0x001a7553
0x001a7553
0x001a755d
0x001a755f
0x001a755f
0x001a7566
0x001a7568
0x001a7568
0x001a756e
0x001a7576
0x001a758e
0x001a7591
0x001a7598
0x001a759b
0x001a759d
0x001a759d
0x001a759d
0x001a7593
0x001a7593
0x001a7593
0x001a75a5
0x001a75a7
0x001a75aa
0x001a75ad
0x001a75c3
0x001a75ca
0x001a75d9
0x001a75e5
0x001a75ea
0x001a75f4
0x001a75fd
0x001a7600
0x001a7607
0x001a760e
0x001a7613
0x001a7616
0x00000000
0x00000000
0x001a761c
0x00000000
0x001a75af
0x001a75b4
0x001a75ba
0x001a75bf
0x00000000
0x001a75bf
0x001a7578
0x001a757f
0x001a7585
0x001a7585
0x001a7588
0x001a758d
0x001a758d

APIs

GetFileType.KERNEL32(?,?,?,001C1C70,0000000C), ref: 001A756E
GetLastError.KERNEL32(?,?,001C1C70,0000000C), ref: 001A7578
__dosmaperr.LIBCMT ref: 001A757F
__alloc_osfhnd.LIBCMT ref: 001A75A0
__set_osfhnd.LIBCMT ref: 001A75CA

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastType__alloc_osfhnd__dosmaperr__set_osfhnd
String ID:
API String ID: 43408053-0
Opcode ID: 60bf5541ed3074300ce7fdb509ff9cd8707bb9a279e440e372671fac3c4365b9
Instruction ID: 460e0cc2f5e0c543f7895143e92d68f84aed921e3df818dec9f0c3e7762e9c93
Opcode Fuzzy Hash: 60bf5541ed3074300ce7fdb509ff9cd8707bb9a279e440e372671fac3c4365b9
Instruction Fuzzy Hash: A321D335949605AFDF12AF78CC457997BA0AF53324F288244E4648B2D2DB749781DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0019D2E8, Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0019D2E8(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t27;
				long _t30;

				if(_a4 != 0) {
					_push(__esi);
					_t30 = _a8;
					__eflags = _t30;
					if(_t30 != 0) {
						_push(__edi);
						while(1) {
							__eflags = _t30 - 0xffffffe0;
							if(_t30 > 0xffffffe0) {
								break;
							}
							__eflags = _t30;
							if(_t30 == 0) {
								_t30 = _t30 + 1;
								__eflags = _t30;
							}
							_t7 = HeapReAlloc( *0x1c5a70, 0, _a4, _t30);
							_t27 = _t7;
							__eflags = _t27;
							if(_t27 != 0) {
								L17:
								_t8 = _t27;
							} else {
								__eflags =  *0x1c5a78 - _t7;
								if(__eflags == 0) {
									_t9 = E001912E2(__eflags);
									 *_t9 = E001912A0(GetLastError());
									goto L17;
								} else {
									__eflags = E00193158(_t7, _t30);
									if(__eflags == 0) {
										_t12 = E001912E2(__eflags);
										 *_t12 = E001912A0(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00193158(_t6, _t30);
						 *((intOrPtr*)(E001912E2(__eflags))) = 0xc;
						goto L12;
					} else {
						E0018C63F(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E0018B772(__edx, __edi, __esi, _a8);
				}
			}

0x0019d2f1
0x0019d2fe
0x0019d2ff
0x0019d302
0x0019d304
0x0019d313
0x0019d346
0x0019d346
0x0019d349
0x00000000
0x00000000
0x0019d316
0x0019d318
0x0019d31a
0x0019d31a
0x0019d31a
0x0019d327
0x0019d32d
0x0019d32f
0x0019d331
0x0019d391
0x0019d391
0x0019d333
0x0019d333
0x0019d339
0x0019d37b
0x0019d38f
0x00000000
0x0019d33b
0x0019d342
0x0019d344
0x0019d363
0x0019d377
0x0019d35d
0x0019d35d
0x0019d35d
0x00000000
0x00000000
0x00000000
0x0019d344
0x0019d339
0x00000000
0x0019d35f
0x0019d34c
0x0019d357
0x00000000
0x0019d306
0x0019d309
0x0019d30f
0x0019d30f
0x0019d360
0x0019d362
0x0019d2f3
0x0019d2fd
0x0019d2fd

APIs

_malloc.LIBCMT ref: 0019D2F6

Part of subcall function 0018B772: __FF_MSGBANNER.LIBCMT ref: 0018B78B
Part of subcall function 0018B772: __NMSG_WRITE.LIBCMT ref: 0018B792
Part of subcall function 0018B772: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0018FF53,?,00000001,?,?,00197671,00000018,001C1A68,0000000C,00197701), ref: 0018B7B7

_free.LIBCMT ref: 0019D309

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 599b5e9d19d2302fda5d41f92fe64b750b4fdfcaee551005209f298eee20a8fd
Instruction ID: c99b00eae4448bacfd2a922ea001be121cb51ba2983769209cad32ed530bdcd5
Opcode Fuzzy Hash: 599b5e9d19d2302fda5d41f92fe64b750b4fdfcaee551005209f298eee20a8fd
Instruction Fuzzy Hash: BE110672504616BBCF213FB4BC05A5D3B99BF913A1B314525F849DB1A0DF34CAC08795

Uniqueness

Uniqueness Score: -1.00%

Function 00192389, Relevance: 7.5, APIs: 5, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00192389(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t12;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t20 = __ebx;
				_push(0xc);
				_push(0x1c1898);
				E001943E0(__ebx, __edi, __esi);
				_t28 = E001925EF(__ebx, __edx, _t31);
				_t12 =  *0x1c4000; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t12) == 0) {
					L6:
					E001976E6(_t20, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t29 = _t28 + 0x6c;
					 *((intOrPtr*)(_t30 - 0x1c)) = E0019233C(_t29,  *0x1c4248);
					 *(_t30 - 4) = 0xfffffffe;
					E001923F6();
				} else {
					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E001925EF(_t20, __edx, _t33) + 0x6c));
					}
				}
				_t34 = _t29;
				if(_t29 == 0) {
					_push(0x20);
					E00192E98(_t25, _t34);
				}
				return E00194425(_t29);
			}

0x00192389
0x00192389
0x00192389
0x00192389
0x00192389
0x0019238b
0x00192390
0x0019239a
0x0019239c
0x001923a4
0x001923c8
0x001923ca
0x001923d0
0x001923da
0x001923e5
0x001923e8
0x001923ef
0x001923a6
0x001923a6
0x001923aa
0x00000000
0x001923ac
0x001923b1
0x001923b1
0x001923aa
0x001923b4
0x001923b6
0x001923b8
0x001923ba
0x001923bf
0x001923c7

APIs

__getptd.LIBCMT ref: 00192395

Part of subcall function 001925EF: __getptd_noexit.LIBCMT ref: 001925F2
Part of subcall function 001925EF: __amsg_exit.LIBCMT ref: 001925FF

__getptd.LIBCMT ref: 001923AC
__amsg_exit.LIBCMT ref: 001923BA
__lock.LIBCMT ref: 001923CA
__updatetlocinfoEx_nolock.LIBCMT ref: 001923DE

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 02e8539a2c3cdbd9293a60acd5006e813bfbd6ccb9264a7a6cb64815d8bde92a
Instruction ID: dadeadcfb84db01127e63fb7e1e23293ed16e991fff63fc6af4bda451b1c1b80
Opcode Fuzzy Hash: 02e8539a2c3cdbd9293a60acd5006e813bfbd6ccb9264a7a6cb64815d8bde92a
Instruction Fuzzy Hash: 54F03032945714FBEF25BB79A803B9E36A0BF14724F114209F501A72D2CB78AA419AA5

Uniqueness

Uniqueness Score: -1.00%

Function 001878D0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001878D0(void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				intOrPtr _v24;
				char _v36;
				intOrPtr _v40;
				char _t27;

				E00189BEC( &_v16, 0);
				_t27 =  *0x1c5014; // 0x0
				_v20 = _t27;
				_v12 = L001812B2(0x1c5018);
				_v8 = L0018124E(_a4, _v12);
				if(_v8 == 0) {
					if(_v20 == 0) {
						if(L00181334(__edi, __esi,  &_v20, _a4) != 0xffffffff) {
							_v8 = _v20;
							 *0x1c5014 = _v20;
							_v24 = _v20;
							L00181032(_v24);
							L00181136(_v24);
						} else {
							E0018C3F1( &_v36, "bad cast");
							E0018BD5F( &_v36, 0x1c0e34);
						}
					} else {
						_v8 = _v20;
					}
				}
				_v40 = _v8;
				E00189C14( &_v16);
				return _v40;
			}

0x001878db
0x001878e0
0x001878e5
0x001878f2
0x00187901
0x00187908
0x00187910
0x0018792d
0x0018794f
0x00187955
0x0018795e
0x00187964
0x0018796c
0x0018792f
0x00187937
0x00187945
0x00187945
0x00187912
0x00187915
0x00187915
0x00187910
0x00187974
0x0018797a
0x00187985

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001878DB

Strings

bad cast, xrefs: 0018792F

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: LockitLockit::_std::_
String ID: bad cast
API String ID: 3382485803-3145022300
Opcode ID: ce1514e971a520b1a3a6897598bdf7e3778538421ad8a64890858a9f1e85e659
Instruction ID: f256e638d99a197b0df4e9837529c04164dee1fd6af8fc41358483f1a885c818
Opcode Fuzzy Hash: ce1514e971a520b1a3a6897598bdf7e3778538421ad8a64890858a9f1e85e659
Instruction Fuzzy Hash: A0211D75D04209EBCB04FFA4D9819EEB7B5BF58310F204659E415A7290DB30AF45DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00183420, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00183420(void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				intOrPtr _v24;
				char _v36;
				intOrPtr _v40;
				char _t27;

				E00189BEC( &_v16, 0);
				_t27 =  *0x1c500c; // 0xb210d0
				_v20 = _t27;
				_v12 = L001812B2(0x1c520c);
				_v8 = L0018124E(_a4, _v12);
				if(_v8 == 0) {
					if(_v20 == 0) {
						if(L001812F3(__edi, __esi,  &_v20, _a4) != 0xffffffff) {
							_v8 = _v20;
							 *0x1c500c = _v20;
							_v24 = _v20;
							L00181032(_v24);
							L00181136(_v24);
						} else {
							E0018C3F1( &_v36, "bad cast");
							E0018BD5F( &_v36, 0x1c0e34);
						}
					} else {
						_v8 = _v20;
					}
				}
				_v40 = _v8;
				E00189C14( &_v16);
				return _v40;
			}

0x0018342b
0x00183430
0x00183435
0x00183442
0x00183451
0x00183458
0x00183460
0x0018347d
0x0018349f
0x001834a5
0x001834ae
0x001834b4
0x001834bc
0x0018347f
0x00183487
0x00183495
0x00183495
0x00183462
0x00183465
0x00183465
0x00183460
0x001834c4
0x001834ca
0x001834d5

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0018342B

Strings

bad cast, xrefs: 0018347F

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: LockitLockit::_std::_
String ID: bad cast
API String ID: 3382485803-3145022300
Opcode ID: ff3a12cf628387743ff78845da3b653e96e79ef5672757f93d4b6dd50aa8ff64
Instruction ID: 8cf2ebc7b2d1b1db093f200ed39bce81bc35b6ba84913a866056a63146c5241d
Opcode Fuzzy Hash: ff3a12cf628387743ff78845da3b653e96e79ef5672757f93d4b6dd50aa8ff64
Instruction Fuzzy Hash: 44211DB1D00219EBCB04FFA4D9819EEB7B5BB58700F248659E815A7291DB306F45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00184520, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00184520(void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				intOrPtr _v24;
				char _v36;
				intOrPtr _v40;
				char _t27;

				E00189BEC( &_v16, 0);
				_t27 =  *0x1c5010; // 0x0
				_v20 = _t27;
				_v12 = L001812B2(0x1c501c);
				_v8 = L0018124E(_a4, _v12);
				if(_v8 == 0) {
					if(_v20 == 0) {
						if(L0018110E(__edi, __esi,  &_v20, _a4) != 0xffffffff) {
							_v8 = _v20;
							 *0x1c5010 = _v20;
							_v24 = _v20;
							L00181032(_v24);
							L00181136(_v24);
						} else {
							E0018C3F1( &_v36, "bad cast");
							E0018BD5F( &_v36, 0x1c0e34);
						}
					} else {
						_v8 = _v20;
					}
				}
				_v40 = _v8;
				E00189C14( &_v16);
				return _v40;
			}

0x0018452b
0x00184530
0x00184535
0x00184542
0x00184551
0x00184558
0x00184560
0x0018457d
0x0018459f
0x001845a5
0x001845ae
0x001845b4
0x001845bc
0x0018457f
0x00184587
0x00184595
0x00184595
0x00184562
0x00184565
0x00184565
0x00184560
0x001845c4
0x001845ca
0x001845d5

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0018452B

Strings

bad cast, xrefs: 0018457F

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: LockitLockit::_std::_
String ID: bad cast
API String ID: 3382485803-3145022300
Opcode ID: da7e45dba8564a3fbc15627a59d226af18887c06257da026ee5a1979351df673
Instruction ID: 663288fa0b13ee261529f30c7f4c6d8a06a4d99b31d081739a835cdccd7e271b
Opcode Fuzzy Hash: da7e45dba8564a3fbc15627a59d226af18887c06257da026ee5a1979351df673
Instruction Fuzzy Hash: 22211AB5D00209EBCB08FFE4D991AEEB7B5BB58300F204659E415A7290DB30AF45DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001836F0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001836F0(intOrPtr __ecx, intOrPtr _a4) {
				char _v16;
				intOrPtr _v20;
				void* _t23;
				void* _t37;
				void* _t38;

				_v20 = __ecx;
				E00189BEC(_v20, 0);
				L00181348(_v20 + 4);
				L00181348(_v20 + 0xc);
				L00181348(_v20 + 0x14);
				L00181348(_v20 + 0x1c);
				_t41 = _a4;
				if(_a4 == 0) {
					L001811E5( &_v16, "bad locale name");
					E0018BD5F( &_v16, 0x1c0e78);
				}
				E0018A152(_t23, _t37, _t38, _t41, _v20, _a4);
				return _v20;
			}

0x001836f6
0x001836fe
0x00183709
0x00183714
0x0018371f
0x0018372a
0x0018372f
0x00183733
0x0018373d
0x0018374b
0x0018374b
0x00183758
0x00183766

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001836FE
__CxxThrowException@8.LIBCMT ref: 0018374B

Part of subcall function 0018BD5F: RaiseException.KERNEL32(?,?,?,00181BAF,?,?,?,?,?,00181BAF,Timeout already in use,001C0BC0), ref: 0018BDA1

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00183758

Strings

bad locale name, xrefs: 00183735

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$ExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrow
String ID: bad locale name
API String ID: 1915927752-1405518554
Opcode ID: 152f762edd7141382f7c5e93c6aecfc7381f9d513158eed11a6a3b60ee375408
Instruction ID: 4b77a787dd50af9ea8ab147e7f034ea791a7b8c594f802f998f9d62fe230fcc6
Opcode Fuzzy Hash: 152f762edd7141382f7c5e93c6aecfc7381f9d513158eed11a6a3b60ee375408
Instruction Fuzzy Hash: 01F0E1B5D40219ABDF08FBD4CC96ABE7739BF60304F444558F51227682DB70AA11CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0018DB63, Relevance: 6.1, APIs: 4, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0018DB63(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t56;
				signed int _t60;
				void* _t65;
				signed int _t66;
				signed int _t69;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t79;
				signed int _t81;
				signed int _t85;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				intOrPtr* _t96;
				void* _t97;

				_t92 = _a8;
				if(_t92 == 0 || _a12 == 0) {
					L4:
					return 0;
				} else {
					_t96 = _a16;
					_t100 = _t96;
					if(_t96 != 0) {
						_t79 = _a4;
						__eflags = _t79;
						if(__eflags == 0) {
							goto L3;
						}
						_t60 = _t56 | 0xffffffff;
						_t88 = _t60 % _t92;
						__eflags = _a12 - _t60 / _t92;
						if(__eflags > 0) {
							goto L3;
						}
						_t93 = _t92 * _a12;
						__eflags =  *(_t96 + 0xc) & 0x0000010c;
						_v8 = _t79;
						_v16 = _t93;
						_t78 = _t93;
						if(( *(_t96 + 0xc) & 0x0000010c) == 0) {
							_v12 = 0x1000;
						} else {
							_v12 =  *(_t96 + 0x18);
						}
						__eflags = _t93;
						if(_t93 == 0) {
							L32:
							return _a12;
						} else {
							do {
								_t81 =  *(_t96 + 0xc) & 0x00000108;
								__eflags = _t81;
								if(_t81 == 0) {
									L18:
									__eflags = _t78 - _v12;
									if(_t78 < _v12) {
										_t65 = E0019730B(_t88, _t93,  *_v8, _t96);
										__eflags = _t65 - 0xffffffff;
										if(_t65 == 0xffffffff) {
											L34:
											_t66 = _t93;
											L35:
											return (_t66 - _t78) / _a8;
										}
										_v8 = _v8 + 1;
										_t69 =  *(_t96 + 0x18);
										_t78 = _t78 - 1;
										_v12 = _t69;
										__eflags = _t69;
										if(_t69 <= 0) {
											_v12 = 1;
										}
										goto L31;
									}
									__eflags = _t81;
									if(_t81 == 0) {
										L21:
										__eflags = _v12;
										_t94 = _t78;
										if(_v12 != 0) {
											_t72 = _t78;
											_t88 = _t72 % _v12;
											_t94 = _t94 - _t72 % _v12;
											__eflags = _t94;
										}
										_push(_t94);
										_push(_v8);
										_push(E001972E5(_t96));
										_t71 = E00197E16(_t78, _t88, _t94, _t96, __eflags);
										_t97 = _t97 + 0xc;
										__eflags = _t71 - 0xffffffff;
										if(_t71 == 0xffffffff) {
											L36:
											 *(_t96 + 0xc) =  *(_t96 + 0xc) | 0x00000020;
											_t66 = _v16;
											goto L35;
										} else {
											_t85 = _t94;
											__eflags = _t71 - _t94;
											if(_t71 <= _t94) {
												_t85 = _t71;
											}
											_v8 = _v8 + _t85;
											_t78 = _t78 - _t85;
											__eflags = _t71 - _t94;
											if(_t71 < _t94) {
												goto L36;
											} else {
												L27:
												_t93 = _v16;
												goto L31;
											}
										}
									}
									_t74 = E0018D812(_t88, _t96);
									__eflags = _t74;
									if(_t74 != 0) {
										goto L34;
									}
									goto L21;
								}
								_t75 =  *(_t96 + 4);
								__eflags = _t75;
								if(__eflags == 0) {
									goto L18;
								}
								if(__eflags < 0) {
									_t45 = _t96 + 0xc;
									 *_t45 =  *(_t96 + 0xc) | 0x00000020;
									__eflags =  *_t45;
									goto L34;
								}
								_t95 = _t78;
								__eflags = _t78 - _t75;
								if(_t78 >= _t75) {
									_t95 = _t75;
								}
								E0018BF90( *_t96, _v8, _t95);
								 *(_t96 + 4) =  *(_t96 + 4) - _t95;
								 *_t96 =  *_t96 + _t95;
								_t97 = _t97 + 0xc;
								_t78 = _t78 - _t95;
								_v8 = _v8 + _t95;
								goto L27;
								L31:
								__eflags = _t78;
							} while (_t78 != 0);
							goto L32;
						}
					}
					L3:
					 *((intOrPtr*)(E001912E2(_t100))) = 0x16;
					E00192B05();
					goto L4;
				}
			}

0x0018db6e
0x0018db73
0x0018db92
0x00000000
0x0018db7b
0x0018db7b
0x0018db7e
0x0018db80
0x0018db99
0x0018db9c
0x0018db9e
0x00000000
0x00000000
0x0018dba0
0x0018dba5
0x0018dba7
0x0018dbaa
0x00000000
0x00000000
0x0018dbac
0x0018dbb0
0x0018dbb7
0x0018dbba
0x0018dbbd
0x0018dbbf
0x0018dbc9
0x0018dbc1
0x0018dbc4
0x0018dbc4
0x0018dbd0
0x0018dbd2
0x0018dc97
0x00000000
0x0018dbd8
0x0018dbd8
0x0018dbdb
0x0018dbdb
0x0018dbe1
0x0018dc12
0x0018dc12
0x0018dc15
0x0018dc6e
0x0018dc75
0x0018dc78
0x0018dca3
0x0018dca3
0x0018dca5
0x00000000
0x0018dca9
0x0018dc7a
0x0018dc7d
0x0018dc80
0x0018dc81
0x0018dc84
0x0018dc86
0x0018dc88
0x0018dc88
0x00000000
0x0018dc86
0x0018dc17
0x0018dc19
0x0018dc26
0x0018dc26
0x0018dc2a
0x0018dc2c
0x0018dc30
0x0018dc32
0x0018dc35
0x0018dc35
0x0018dc35
0x0018dc37
0x0018dc38
0x0018dc42
0x0018dc43
0x0018dc48
0x0018dc4b
0x0018dc4e
0x0018dcb1
0x0018dcb1
0x0018dcb5
0x00000000
0x0018dc50
0x0018dc50
0x0018dc52
0x0018dc54
0x0018dc56
0x0018dc56
0x0018dc58
0x0018dc5b
0x0018dc5d
0x0018dc5f
0x00000000
0x0018dc61
0x0018dc61
0x0018dc61
0x00000000
0x0018dc61
0x0018dc5f
0x0018dc4e
0x0018dc1c
0x0018dc22
0x0018dc24
0x00000000
0x00000000
0x00000000
0x0018dc24
0x0018dbe3
0x0018dbe6
0x0018dbe8
0x00000000
0x00000000
0x0018dbea
0x0018dc9f
0x0018dc9f
0x0018dc9f
0x00000000
0x0018dc9f
0x0018dbf0
0x0018dbf2
0x0018dbf4
0x0018dbf6
0x0018dbf6
0x0018dbfe
0x0018dc03
0x0018dc06
0x0018dc08
0x0018dc0b
0x0018dc0d
0x00000000
0x0018dc8f
0x0018dc8f
0x0018dc8f
0x00000000
0x0018dbd8
0x0018dbd2
0x0018db82
0x0018db87
0x0018db8d
0x00000000
0x0018db8d

APIs

_memmove.LIBCMT ref: 0018DBFE
__flush.LIBCMT ref: 0018DC1C
__write.LIBCMT ref: 0018DC43
__flsbuf.LIBCMT ref: 0018DC6E

Part of subcall function 001912E2: __getptd_noexit.LIBCMT ref: 001912E2

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 06cdf159057e7eb5a759d2de64e8405853a942c1db12aa03ff2217bf00524714
Instruction ID: 9782ec8e2426d183ff6bf132c44e9148d337cad4e5934ba9dfb2737f3a4e985e
Opcode Fuzzy Hash: 06cdf159057e7eb5a759d2de64e8405853a942c1db12aa03ff2217bf00524714
Instruction Fuzzy Hash: B341A431A00704ABDF29BFA9A8456AEB7B5AF81360F25852DE415971C0E7B0DF41DF40

Uniqueness

Uniqueness Score: -1.00%

Function 001A700C, Relevance: 6.1, APIs: 4, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001A700C(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				void* __ebx;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				char _t59;
				short* _t60;
				int _t65;
				char* _t73;

				_t73 = _a8;
				if(_t73 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t73 != 0) {
						E0018B4A6(0,  &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E0019D439( *_t73 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E001912E2(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t73[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t73 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x001a7016
0x001a701d
0x001a7034
0x00000000
0x001a7024
0x001a7026
0x001a7040
0x001a7045
0x001a7048
0x001a704b
0x001a7073
0x001a707a
0x001a707c
0x001a70fd
0x001a7118
0x001a711a
0x001a705a
0x001a705a
0x001a705d
0x001a705f
0x001a7062
0x001a7062
0x001a7062
0x001a7062
0x00000000
0x001a7068
0x001a70dc
0x001a70dc
0x001a70e1
0x001a70e7
0x001a70ea
0x001a70ec
0x001a70ef
0x001a70ef
0x001a70ef
0x001a70ef
0x00000000
0x001a70f3
0x001a707e
0x001a7081
0x001a7087
0x001a708a
0x001a70b1
0x001a70b4
0x001a70ba
0x00000000
0x00000000
0x001a70bc
0x001a70bf
0x00000000
0x00000000
0x001a70c1
0x001a70c1
0x001a70c7
0x001a70ca
0x001a7039
0x001a7039
0x001a70d3
0x00000000
0x001a70d3
0x001a708c
0x001a708f
0x00000000
0x00000000
0x001a7093
0x001a70a4
0x001a70aa
0x001a70ac
0x001a70af
0x00000000
0x00000000
0x00000000
0x001a70af
0x001a704d
0x001a7050
0x001a7052
0x001a7057
0x001a7057
0x00000000
0x001a7028
0x001a7028
0x001a702d
0x001a7031
0x001a7031
0x00000000
0x001a702d
0x001a7026

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 001A7040
__isleadbyte_l.LIBCMT ref: 001A7073
MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000,?,?,?,0000000C,00000000,00000000), ref: 001A70A4
MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000001,00000000,00000000,?,?,?,0000000C,00000000,00000000), ref: 001A7112

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 01529cb4e194c70ff0ab78ebe3f01b5ab78a53913cadbb0d21c9ef9e4099a2a4
Instruction ID: 5c7c6f8d5c4c9a30ad32a29196e91456566371706cd5e3ad3b49896a7d692bfe
Opcode Fuzzy Hash: 01529cb4e194c70ff0ab78ebe3f01b5ab78a53913cadbb0d21c9ef9e4099a2a4
Instruction Fuzzy Hash: CD319C35A09246EFDB20DF68CE949BA7BA5BF03310F1585A9F4A18B1D1E731DE80DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00195463, Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00195463(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t28 = __ebx;
				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00194CF8(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00194DDF(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E00195356(__ebx, __edx, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E00195278(__ebx, __edx, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x00195463
0x00195468
0x0019546e
0x001954e1
0x00000000
0x00195475
0x00195475
0x00195478
0x00195493
0x00195496
0x001954b6
0x001954c8
0x00195498
0x00195498
0x0019549b
0x00000000
0x0019549d
0x001954af
0x001954af
0x0019549b
0x001954e6
0x001954ea
0x0019547a
0x00195492
0x00195492
0x00195478

APIs

__cftof_l.LIBCMT ref: 00195489

Part of subcall function 00195278: __fltout2.LIBCMT ref: 001952A3

__cftog_l.LIBCMT ref: 001954AF
__cftoe_l.LIBCMT ref: 001954E1

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 843931e506ad9f7667999f9533ecfb8930c9daf0a1febf59d810d17d1cd26479
Instruction ID: 96cd6b517d19cef4764be5e2b911bcc5fe6779f667f85dce2842bfdd3a18c933
Opcode Fuzzy Hash: 843931e506ad9f7667999f9533ecfb8930c9daf0a1febf59d810d17d1cd26479
Instruction Fuzzy Hash: 33118C3240054ABBCF675E84DC01CEE3F63BB18395F198415FE186A031D736CAB2AB81

Uniqueness

Uniqueness Score: -1.00%

Function 0018C5B4, Relevance: 6.0, APIs: 4, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0018C5B4(void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				void* _v8;
				signed int _v16;
				char _v20;
				void* _t12;
				signed int _t13;
				int _t16;
				intOrPtr* _t17;
				intOrPtr _t19;
				void* _t29;
				void* _t30;
				void* _t32;
				void* _t36;
				void* _t38;
				void* _t40;

				_t32 = __esi;
				_t30 = __edi;
				_t29 = __edx;
				while(1) {
					_t12 = E0018B772(_t29, _t30, _t32, _a4);
					if(_t12 != 0) {
						break;
					}
					_t13 = E00193158(_t12, _a4);
					__eflags = _t13;
					if(_t13 == 0) {
						__eflags =  *0x1c53b8 & 0x00000001;
						if(( *0x1c53b8 & 0x00000001) == 0) {
							 *0x1c53b8 =  *0x1c53b8 | 0x00000001;
							__eflags =  *0x1c53b8;
							_push(1);
							_v8 = "bad allocation";
							E0018C302(0x1c53ac,  &_v8);
							 *0x1c53ac = 0x1bb674;
							E0018E0E9( *0x1c53b8, 0x1b827f);
						}
						E0018C492( &_v20, 0x1c53ac);
						_v20 = 0x1bb674;
						_t16 = E0018BD5F( &_v20, 0x1c0ff8);
						asm("int3");
						_t38 = _t36;
						_t40 = _t38;
						_push(_t40);
						__eflags = _v16;
						if(_v16 != 0) {
							_t16 = HeapFree( *0x1c5a70, 0, _v8);
							__eflags = _t16;
							if(__eflags == 0) {
								_push(0x1bb674);
								_t17 = E001912E2(__eflags);
								_t19 = E001912A0(GetLastError());
								 *_t17 = _t19;
								return _t19;
							}
						}
						return _t16;
					} else {
						continue;
					}
					L13:
				}
				return _t12;
				goto L13;
			}

0x0018c5b4
0x0018c5b4
0x0018c5b4
0x0018c5cb
0x0018c5ce
0x0018c5d6
0x00000000
0x00000000
0x0018c5c1
0x0018c5c7
0x0018c5c9
0x0018c5da
0x0018c5eb
0x0018c5ed
0x0018c5ed
0x0018c5f4
0x0018c5fc
0x0018c603
0x0018c60d
0x0018c613
0x0018c618
0x0018c61d
0x0018c62b
0x0018c62e
0x0018c633
0x0018c639
0x0018c588
0x0018c641
0x0018c644
0x0018c648
0x0018c655
0x0018c65b
0x0018c65d
0x0018c65f
0x0018c660
0x0018c66e
0x0018c674
0x00000000
0x0018c676
0x0018c65d
0x0018c678
0x00000000
0x00000000
0x00000000
0x00000000
0x0018c5c9
0x0018c5d9
0x00000000

APIs

_malloc.LIBCMT ref: 0018C5CE

Part of subcall function 0018B772: __FF_MSGBANNER.LIBCMT ref: 0018B78B
Part of subcall function 0018B772: __NMSG_WRITE.LIBCMT ref: 0018B792
Part of subcall function 0018B772: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0018FF53,?,00000001,?,?,00197671,00000018,001C1A68,0000000C,00197701), ref: 0018B7B7

std::exception::exception.LIBCMT ref: 0018C603
std::exception::exception.LIBCMT ref: 0018C61D
__CxxThrowException@8.LIBCMT ref: 0018C62E

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: 99c99ca447dbba90329a89837a35dadaf340787267b39bdb4747089c4cdd3dd3
Instruction ID: 2835b54866e638ede14bf47c8528ea9453648bdd06141a04df644960962b55d0
Opcode Fuzzy Hash: 99c99ca447dbba90329a89837a35dadaf340787267b39bdb4747089c4cdd3dd3
Instruction Fuzzy Hash: 61F0F931604609AACF00FB94CC42E9E7BA96B60744F144029F800A54E1DBF0DF81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001908DE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E001908DE(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr* _t28;
				void* _t29;

				_t30 = __eflags;
				_t28 = __esi;
				_t26 = __edx;
				_t19 = __ebx;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
				E0018BBD1(__ebx, __edx, __edi, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
				 *((intOrPtr*)(E001925EF(__ebx, __edx, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
				_t17 = E001925EF(_t19, _t26, _t30);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
								_t17 = E0018BBAA(_t37,  *((intOrPtr*)(_t28 + 0x18)));
								_t38 = _t17;
								if(_t17 != 0) {
									_push( *((intOrPtr*)(_t29 + 0x10)));
									_push(_t28);
									return E00190292(_t38);
								}
							}
						}
					}
				}
				return _t17;
			}

0x001908de
0x001908de
0x001908de
0x001908de
0x001908e1
0x001908e7
0x001908f5
0x001908fb
0x00190903
0x0019090f
0x00190917
0x0019091f
0x00190933
0x00190935
0x00190939
0x0019093e
0x00190944
0x00190946
0x00190948
0x0019094b
0x00000000
0x00190952
0x00190946
0x00190939
0x00190933
0x0019091f
0x00190953

APIs

Part of subcall function 0018BBD1: __getptd.LIBCMT ref: 0018BBD7
Part of subcall function 0018BBD1: __getptd.LIBCMT ref: 0018BBE7

__getptd.LIBCMT ref: 001908ED

Part of subcall function 001925EF: __getptd_noexit.LIBCMT ref: 001925F2
Part of subcall function 001925EF: __amsg_exit.LIBCMT ref: 001925FF

__getptd.LIBCMT ref: 001908FB

Strings

csm, xrefs: 00190909

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: ae35b392561e598eecfd69cb23ac29b4f863154fa5a499a38f1803c5a82e0dff
Instruction ID: 8392d1f0ec1f07d39479ac9c157b94a4e4b7fd3b3d31f2f3fb86a8a81f2adaa6
Opcode Fuzzy Hash: ae35b392561e598eecfd69cb23ac29b4f863154fa5a499a38f1803c5a82e0dff
Instruction Fuzzy Hash: 7101AD318002069FEF36AF25C464BACB3B5AF28315F14C42DE84896252CF31DA85DF01

Uniqueness

Uniqueness Score: -1.00%

Function 0019F720, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0019F720(signed int* _a4) {
				intOrPtr _t9;
				signed int* _t13;

				_t9 =  *((intOrPtr*)( *0x1c6060));
				if(_t9 == 0) {
					E0019EF31(_a4, 1);
					goto L5;
				} else {
					if(_t9 == 0x41) {
						 *0x1c6060 =  *0x1c6060 + 1;
						E0019F323(_a4, "{flat}");
						L5:
						return _a4;
					} else {
						_t13 = _a4;
						_t13[1] = _t13[1] & 0xffff00ff;
						 *_t13 =  *_t13 & 0x00000000;
						_t13[1] = 2;
						return _t13;
					}
				}
			}

0x0019f72a
0x0019f72e
0x0019f761
0x00000000
0x0019f730
0x0019f732
0x0019f74a
0x0019f755
0x0019f766
0x0019f76a
0x0019f734
0x0019f734
0x0019f737
0x0019f73e
0x0019f741
0x0019f746
0x0019f746
0x0019f732

APIs

DName::DName.LIBCMT ref: 0019F755
DName::DName.LIBCMT ref: 0019F761

Strings

{flat}, xrefs: 0019F750

Memory Dump Source

Source File: 00000000.00000002.374056412.0000000000181000.00000020.00020000.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.374052202.0000000000180000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374078919.00000000001B5000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374083265.00000000001B7000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.374089840.00000000001BB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374097116.00000000001C3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374102209.00000000001C8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374105915.00000000001C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374140729.0000000000210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374145995.0000000000223000.00000002.00020000.sdmp Download File

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: 5087e8893ba9d61249e0afc4c5e3c1033c24f5061ecef6c58d943912c29da57d
Instruction ID: 662f4158583c04e3fec0232e1fa36316623f119a0510f4c749af87eebb57a00d
Opcode Fuzzy Hash: 5087e8893ba9d61249e0afc4c5e3c1033c24f5061ecef6c58d943912c29da57d
Instruction Fuzzy Hash: 32F03975184348AFCF18DFA8D945FE83FA1AB51B55F088089F94D4F692C770D982CB52

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wermgr.exe PID: 5784 Parent PID: 4872 wermgr.exeCOMMON

Executed Functions

Function 00000239A18CC750, Relevance: 7.0, APIs: 3, Instructions: 2472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75357d74cac5131e0bf0451a90af6121fb8df07fff4cca650f7d304324e675ae
Instruction ID: 7daed36c036e5c183198571906a506728fdc60878eb9ebb172d3a2614283cee0
Opcode Fuzzy Hash: 75357d74cac5131e0bf0451a90af6121fb8df07fff4cca650f7d304324e675ae
Instruction Fuzzy Hash: FC0325312146455BD79CEB2C84A937A76D2FBCA310FA4572EB443C36E4E77C99C28B42

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18CF3C0, Relevance: 4.6, APIs: 3, Instructions: 59COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32 ref: 00000239A18CF3F5
AdjustTokenPrivileges.KERNELBASE ref: 00000239A18CF43F
FindCloseChangeNotification.KERNELBASE ref: 00000239A18CF44C

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID: AdjustChangeCloseFindLookupNotificationPrivilegePrivilegesTokenValue
String ID:
API String ID: 3056834404-0
Opcode ID: e9b36a35a3c448a36f387f012faf343d857b101dff08fb70168d6390d88867fd
Instruction ID: b8a6fb6afa9340b71d4074ab418acd98888460fa99f60d3841c1192d8bcd7817
Opcode Fuzzy Hash: e9b36a35a3c448a36f387f012faf343d857b101dff08fb70168d6390d88867fd
Instruction Fuzzy Hash: AE118E312186044FE794EB28D84CB9ABBF5FBC8311F51492AB44AC7290EA39C945CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18C2F30, Relevance: 3.4, APIs: 2, Instructions: 355timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32 ref: 00000239A18C38A2
RtlAddVectoredContinueHandler.NTDLL ref: 00000239A18C393F

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID: ContinueHandlerTimerVectored
String ID:
API String ID: 3914890296-0
Opcode ID: 9a7d9e9847bad63931659a6baccb9b9c4f2b667cf720499c013a88bec8d4516b
Instruction ID: 5ed70ca613372a27f89ec1ec1798f2f49b1dadf1bd99a8677c5bf30003cf4a5b
Opcode Fuzzy Hash: 9a7d9e9847bad63931659a6baccb9b9c4f2b667cf720499c013a88bec8d4516b
Instruction Fuzzy Hash: C3C1A530614A188FF7A4EB2CD8497AA76D1F786314F61422DD44AC32D1DFBC8A878F45

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18DFA20, Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetAdaptersInfo.IPHLPAPI ref: 00000239A18DFA86

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID: AdaptersInfo
String ID:
API String ID: 3177971545-0
Opcode ID: f1f25dc2e3e17231016315f359ff07299ae8ce12f6fd0aeab5a0e6b1e2b4ae19
Instruction ID: 672ca4dc6727bb5648db627894f76353628ea762ef4ea745bfc6f8b6723f5416
Opcode Fuzzy Hash: f1f25dc2e3e17231016315f359ff07299ae8ce12f6fd0aeab5a0e6b1e2b4ae19
Instruction Fuzzy Hash: 8C41C331218B094BF768AB2CD499B6AB3E1FBD5310F40162DE446C72D1DEBCD9878B41

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18DA280, Relevance: 1.6, APIs: 1, Instructions: 77libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL ref: 00000239A18DA2D4

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: d77d303e8ed3f4b4fe64f8d56b262d1db2384860e91cb61ded4e34c4881601ef
Instruction ID: b5a412c9afba7b0b80cc4e6b841562a30f4a5b9b01f4377d56d9aa1518e5eed3
Opcode Fuzzy Hash: d77d303e8ed3f4b4fe64f8d56b262d1db2384860e91cb61ded4e34c4881601ef
Instruction Fuzzy Hash: 0821C93061CB088FDBA8DB1CD8C876DB7D2E799710F78472AA049C7290D9ED89818B46

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18DC550, Relevance: 1.5, APIs: 1, Instructions: 35nativeCOMMON

Download Yara Rule

APIs

NtDelayExecution.NTDLL(?,?,?,?,?,00000000,-00000001,00000239A18CCFBC), ref: 00000239A18DC585

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 09da9155a0873b4b70e38cf08078f09e032f2f4b90307a41db221d5fb8236607
Instruction ID: 74d6ecf51583c3148251f246f0a09b3579048930fa912daa274e5d27501d49ca
Opcode Fuzzy Hash: 09da9155a0873b4b70e38cf08078f09e032f2f4b90307a41db221d5fb8236607
Instruction Fuzzy Hash: 26E04831A14A1847D659523D5C0916A75E4FBCF361F51035BF459E21E4D75C8EC346C1

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18E39E0, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE ref: 00000239A18E3A84

Strings

\, xrefs: 00000239A18E3A41
:, xrefs: 00000239A18E3A3A
C, xrefs: 00000239A18E3A2A

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID: InformationVolume
String ID: :$C$\
API String ID: 2039140958-3809124531
Opcode ID: be9ba612be57e1abb8b1580c2eae4314cbd2f42ff8034b55fe33cb16688ab218
Instruction ID: 5f5e5044459cf4fb8a8ad3f27f302051fd633d86b2b80dca35edaee278b7316c
Opcode Fuzzy Hash: be9ba612be57e1abb8b1580c2eae4314cbd2f42ff8034b55fe33cb16688ab218
Instruction Fuzzy Hash: 94419630618B884BE749A76D844977FB6E2EFC6300F18461DF495C7392CBAC8A478757

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18C8B90, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

, xrefs: 00000239A18C8D46

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7215426629b18413c78e2fdc3ab35493e984523f88d32bcaa5df24da85beb6d7
Instruction ID: 123d56588907fab7ead8e0bac661356479c33f67679aedfd4d6f7e616fa354f5
Opcode Fuzzy Hash: 7215426629b18413c78e2fdc3ab35493e984523f88d32bcaa5df24da85beb6d7
Instruction Fuzzy Hash: 34514A31218B144BE3586B2DD8897BF72D2EBC7354F55472DE446C32C2DEBD8A878A81

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18E4FE0, Relevance: 3.3, APIs: 2, Instructions: 261threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00000239A18E520D
SleepEx.KERNEL32 ref: 00000239A18E521C

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID: CreateSleepThread
String ID:
API String ID: 4202482776-0
Opcode ID: fd6b8231a591d47cc9de958cd48c527dedbaa27900f4dee5b7ff8166eb9555b3
Instruction ID: 947dadaf4657b0269e20d75399f3cf238c62029e02d39d95fbd30549ad0905d2
Opcode Fuzzy Hash: fd6b8231a591d47cc9de958cd48c527dedbaa27900f4dee5b7ff8166eb9555b3
Instruction Fuzzy Hash: 7081F07460CB488FDBA4EF1CD485B5AB7E5FB99310F10491EE08DC3261DA74E985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18C1DF0, Relevance: 1.6, APIs: 1, Instructions: 150synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE ref: 00000239A18C1F51

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: d8b79fe9835cc570af92d4be75b4a1e64a610cf2f74fb6e5eb453af5ae43de34
Instruction ID: 9f23efc0f06021c8d4acc67e28164db23a2f49ee7157788800dd5bfd8c11ae31
Opcode Fuzzy Hash: d8b79fe9835cc570af92d4be75b4a1e64a610cf2f74fb6e5eb453af5ae43de34
Instruction Fuzzy Hash: 954157303187498BE755EB1CD48876EB6D2FBD9345F54062DF04AC3291DBBDD9828B82

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18DECB6, Relevance: 1.6, APIs: 1, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 00000239A18DECC5

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 45b6296b9285e1750fa6b3c1e0e57a758713e281eed99a9442ee596e31bb89ea
Instruction ID: 26cc0682ee20287fe1f56f3c830aea09783d0aa1d28ccdfb29d2ea311e44436d
Opcode Fuzzy Hash: 45b6296b9285e1750fa6b3c1e0e57a758713e281eed99a9442ee596e31bb89ea
Instruction Fuzzy Hash: D711613276BE1A4BFB5C972DAC2937932C2F3D9720F14016AD446C3295DE6CD9434685

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A1860000, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 00000239A1860027

Memory Dump Source

Source File: 00000001.00000002.620458044.00000239A1860000.00000040.00000001.sdmp, Offset: 00000239A1860000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: fc225bbe94933eb33cc50918f81a022241756b3523dcc4dcf5fcb212389b569a
Instruction ID: 045e45340b432c2f62be4cee637a8deac8a147d941286637ca59ff92c9bab2fc
Opcode Fuzzy Hash: fc225bbe94933eb33cc50918f81a022241756b3523dcc4dcf5fcb212389b569a
Instruction Fuzzy Hash: 8ED0A730518D099FD6B4E76DC859B2632E4DF89310F15034A902DC31D1C958ED818F97

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00000239A18E5F60, Relevance: 9.4, Strings: 7, Instructions: 654COMMON

Download Yara Rule

Strings

MEDy, xrefs: 00000239A18E6166
hi5k, xrefs: 00000239A18E6190
qrst, xrefs: 00000239A18E6182
FGKL, xrefs: 00000239A18E61BA
RSlU, xrefs: 00000239A18E61AC
Zfbc, xrefs: 00000239A18E619E
89o1, xrefs: 00000239A18E6174

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID:
String ID: 89o1$FGKL$MEDy$RSlU$Zfbc$hi5k$qrst
API String ID: 0-3865785760
Opcode ID: d9799d8947d3183f8768af01fc144f5dbfebe75a8d74757530457a012aa66fec
Instruction ID: 037f228940482cd1331a5ec4b9185bbf27a702be06310946a59fa7678690b88f
Opcode Fuzzy Hash: d9799d8947d3183f8768af01fc144f5dbfebe75a8d74757530457a012aa66fec
Instruction Fuzzy Hash: ED12E731318A084FE748AB2C945A3BAB7D2EBD6304F54476DE04AC32D7DDACC9478B85

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18CA3B0, Relevance: 2.8, Strings: 2, Instructions: 268COMMON

Download Yara Rule

Strings

[, xrefs: 00000239A18CA490
], xrefs: 00000239A18CA4AB

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID:
String ID: [$]
API String ID: 0-2073744556
Opcode ID: 1955110624919783420394db67c16bd1a637b090550ec89b2cbde8f06ab2380a
Instruction ID: de6b7cb00776fe211e3af832e13ca586b551b544b5df8618013fb63496186481
Opcode Fuzzy Hash: 1955110624919783420394db67c16bd1a637b090550ec89b2cbde8f06ab2380a
Instruction Fuzzy Hash: 3481D631618B044BE318EA2CD44977AB2D2EBD6314F14472DE44AC36D6FEBCDE834A81

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18C4470, Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

/, xrefs: 00000239A18C44C0

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: e23ed682fb321e454736d11048319c6f30151dc2994b31915aa17082f966a480
Instruction ID: fd0ff0cd116fb779f84036deeda67fcdbb340282d21d2b321a43b83a5a159042
Opcode Fuzzy Hash: e23ed682fb321e454736d11048319c6f30151dc2994b31915aa17082f966a480
Instruction Fuzzy Hash: 6C91E671918A084FE7A8DF1CD488B65B3E1FB99710F25039DE44AC71A6DA7CD9C38B81

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18D0A00, Relevance: .7, Instructions: 711COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 899f1c8a8252aa30c316bd65f3b16ed344800ea4d56a93b96be22f4250445d96
Instruction ID: 2d71305d31ff464bc58984c6d6882d8b6605c65ef308ccc3995e312c4b36003c
Opcode Fuzzy Hash: 899f1c8a8252aa30c316bd65f3b16ed344800ea4d56a93b96be22f4250445d96
Instruction Fuzzy Hash: 8F22D634718B048FFB996B69E85D7AA72E1EF95301F50821CF44BC71D1EE6CCA828B41

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18DE3F0, Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fa08d7bfdd339280cb12c7cf0afc4dd20b20cadfb558385838e55acd49866d2
Instruction ID: 2acae7190564114298a700d18b15ba03ad003f5156805bef7daeb0ccdd17e147
Opcode Fuzzy Hash: 8fa08d7bfdd339280cb12c7cf0afc4dd20b20cadfb558385838e55acd49866d2
Instruction Fuzzy Hash: 8EA15B1051D7D80BE71A863C58493B9BFC1DBAB318F1857DDE4DA932C7C04D8A4B87A6

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18CE320, Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86fa16f1675e6fb71d1fb2e324278df6e3b48037c73aefb62ece5e0c1db6f903
Instruction ID: d8d2bf1b0ced02d2870049a87286a170d395ca14511931f3630003b958f62257
Opcode Fuzzy Hash: 86fa16f1675e6fb71d1fb2e324278df6e3b48037c73aefb62ece5e0c1db6f903
Instruction Fuzzy Hash: 8FA10330208B088FD794EB1CD489B6AB7E1FB99304F50095DF589D72A1DB79E946CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18DFBA0, Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f492f586c364231537de47584be52af27ee10db385c19222f5267f097a3db4
Instruction ID: 772a71d73af73d81d797b32a708cd8e87cef2ae1ec3c728b2e6e41ae12842540
Opcode Fuzzy Hash: 85f492f586c364231537de47584be52af27ee10db385c19222f5267f097a3db4
Instruction Fuzzy Hash: 6F71F930614B194FE758FB2CA84D769B2D1EF86740F540369E84AC32D7DEACDD834A85

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18D4D50, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f10038b8a9d6095415ec03e5c68e3ab5d77ff27c9083530a7a9bdc2f0c116070
Instruction ID: b180747210f4074c95ca87ed535e8a51201e8a0d28a5b63db335b4c8f82b86d1
Opcode Fuzzy Hash: f10038b8a9d6095415ec03e5c68e3ab5d77ff27c9083530a7a9bdc2f0c116070
Instruction Fuzzy Hash: 7941E931608B181FEB58AB1C944D775B3D1EB8A720F41035DE44AD36D2CAADDE834BC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18C2BC0, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a79b347549c18ff9894edf75d4e252e2e65ef536ec25a12499a49f3d95d690
Instruction ID: fed413756214436a90cc37e1e1a9cb97efbd71d51f31c0095495e33aeba2292e
Opcode Fuzzy Hash: 07a79b347549c18ff9894edf75d4e252e2e65ef536ec25a12499a49f3d95d690
Instruction Fuzzy Hash: 4D31F232608A284BF768AB3CA84D3BA76D6E7D5320F10032DE44AD31C4DA6DDE9247C1

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18DB520, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee554053f296ee9733b4c7652edc36bb1247cc8bfd312afa38afcaa2a528d41
Instruction ID: 59ffd36d1e474af1941bd3302276c78dfcd52bc0802d9cb35e8f9030df4df912
Opcode Fuzzy Hash: 8ee554053f296ee9733b4c7652edc36bb1247cc8bfd312afa38afcaa2a528d41
Instruction Fuzzy Hash: EF31D0715047098BFB645A1D824E768B3F5EB57314FA4031AE586C3291DAEE9EC3CA81

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18C6EF0, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1726cf4867e6ea43003eb798981ed6b8f50ce894572de999c2f633f06d98a958
Instruction ID: 212dd95c55c841a83991af2d931f3f21d554bf33f4cf81ec76fe6808b2a8d990
Opcode Fuzzy Hash: 1726cf4867e6ea43003eb798981ed6b8f50ce894572de999c2f633f06d98a958
Instruction Fuzzy Hash: 26112C2013598646E31E4E0C9898774FBD4E767305FA853FDC4C3CB2A3E49EA6C78956

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18E5EC0, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89676408d1658c1460ced83726e1e495f8212053eb26cac31c6984a98c62e60a
Instruction ID: 14a7b1ea44b51391f31170064dd5e5ea77e70810939cc89bdca2a41b9e869bb3
Opcode Fuzzy Hash: 89676408d1658c1460ced83726e1e495f8212053eb26cac31c6984a98c62e60a
Instruction Fuzzy Hash: 5C110439218E0D0EF668A91E680C772B2D6EF9A664F11131A944AC32C6ED9DDDC38A50

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18D4060, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5232c2ee20f8cc28b7ca0fcdcd0c93f00996fae81e6e31f2386f2d6e0095b15
Instruction ID: 8440e9fba8708673b02c04174081deae27b4972fd7a0d635878e79c0cf82e7f0
Opcode Fuzzy Hash: f5232c2ee20f8cc28b7ca0fcdcd0c93f00996fae81e6e31f2386f2d6e0095b15
Instruction Fuzzy Hash: B711E321751D284FE5C5F32CB8583BDB2E2EBCA710F994255D409D32E6DEAC8E834B81

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18C5BE0, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cea43f7feb927367db72bb4dc9601700fb1a994980c359dbeed66be719ad338
Instruction ID: a347ca62fcb9a046459a13bfda9a79571d1b7fadcffc27f73c4440dfa59530c9
Opcode Fuzzy Hash: 3cea43f7feb927367db72bb4dc9601700fb1a994980c359dbeed66be719ad338
Instruction Fuzzy Hash: 5801F72BBBAA5502EB2C046E688127351CADB8735AB1D763D98C3D3083CD9C89430054

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18D9460, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c65da9999f813d349450ebd04834870ce2b01326243675b9e30b666ee68e2db
Instruction ID: be461ecfa53f1a872871e08e201562e2874cc76902db7dc9c9e4753dea1c688f
Opcode Fuzzy Hash: 8c65da9999f813d349450ebd04834870ce2b01326243675b9e30b666ee68e2db
Instruction Fuzzy Hash: C2012D2062AB810AD71E562D40A9338FBC7E767346F6853EDC4C3CA5D3E88955C3C5C6

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18E3990, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 147b26918c804926c2b3a35227487ba03c69637cee61b07f708687d51e15521e
Instruction ID: d1fce0e4392ae96607e5a8349b719c191e92259f4199067a7d93205eea4ab3fb
Opcode Fuzzy Hash: 147b26918c804926c2b3a35227487ba03c69637cee61b07f708687d51e15521e
Instruction Fuzzy Hash: 54D017758249084EDB51EB18C048F60F3E4EB57315FA023DA8009CB112EA26E887CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00000239A18DADA0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.620564539.00000239A18C0000.00000040.00000001.sdmp, Offset: 00000239A18C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 560e6a23cc83d760b71f7b18a3e747a9364d9c171f49b35192518ae87a33829f
Instruction ID: b8fcde7120d1895dd6a50f3988219af66d19bb984d7a776340855f9b2d17eaca
Opcode Fuzzy Hash: 560e6a23cc83d760b71f7b18a3e747a9364d9c171f49b35192518ae87a33829f
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report dngqoAXyDd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Trickbot

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: dngqoAXyDd.exe PID: 4872 Parent PID: 912

General

Chronological Activities

Analysis Process: wermgr.exe PID: 5784 Parent PID: 4872

General

Function 00181E80, Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 132
memoryCOMMON

Function 001896DA, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 130
COMMON

Function 00181900, Relevance: 4.5, APIs: 3, Instructions: 46
COMMON

Function 00188C0F, Relevance: 1.6, APIs: 1, Instructions: 79
COMMON

Function 0019D266, Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMON

Function 00199D6C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54
COMMON

Function 0018CFF8, Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Function 0019A1F6, Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Function 0019676A, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 0018C950, Relevance: 1.3, Strings: 1, Instructions: 76
COMMONCrypto

Function 0019B9CE, Relevance: .5, Instructions: 489
COMMONCrypto

Function 0019C9BB, Relevance: .4, Instructions: 355
COMMONCrypto

Function 0019C5D3, Relevance: .3, Instructions: 349
COMMONCrypto

Function 0019BE63, Relevance: .3, Instructions: 326
COMMONCrypto

Function 001A28BD, Relevance: 54.3, APIs: 36, Instructions: 344
COMMON

Function 001927B2, Relevance: 42.1, APIs: 18, Strings: 6, Instructions: 109
libraryloadermemoryCOMMON

Function 0018EF48, Relevance: 24.1, APIs: 16, Instructions: 95
COMMON

Function 001A39C8, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 138
COMMON

Function 00190B65, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 106
COMMON

Function 0018B333, Relevance: 18.1, APIs: 12, Instructions: 139
COMMON

Function 0018E1A7, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 91
COMMON

Function 0019FCA9, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77
COMMON

Function 001A1642, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55
COMMON

Function 0018EA95, Relevance: 13.7, APIs: 9, Instructions: 181
COMMON

Function 001827A0, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 77
COMMON

Function 00189311, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49
COMMON

Function 0019FD89, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMON

Function 001924C2, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
COMMON

Function 00181C00, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33
COMMON

Function 0019CF22, Relevance: 9.1, APIs: 6, Instructions: 92
COMMON

Function 00191BCA, Relevance: 9.0, APIs: 6, Instructions: 47
COMMON

Function 001A753A, Relevance: 7.6, APIs: 5, Instructions: 71
COMMON

Function 0019D2E8, Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Function 00192389, Relevance: 7.5, APIs: 5, Instructions: 34
COMMON

Function 001878D0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
COMMON

Function 00183420, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
COMMON

Function 00184520, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
COMMON

Function 001836F0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38
COMMON

Function 0018DB63, Relevance: 6.1, APIs: 4, Instructions: 130
COMMON

Function 001A700C, Relevance: 6.1, APIs: 4, Instructions: 103
COMMON

Function 00195463, Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Function 0018C5B4, Relevance: 6.0, APIs: 4, Instructions: 41
COMMON

Function 001908DE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Function 0019F720, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
COMMON